09-12-2013 08:20 AM
Hi,
I have a Cisco ASA 5510 in my central site. I created a VPN to connect a remote site that has a DrayTek 2830.
Because of some particularities we need to include other networks in this VPN.
So from the remote site we need to communicate with more than one network.
For example:
Network: 192.168.1.0/24, 192.168.2.15/32 and 192.168.3.15/32
The only solution I have found was to create a VPN connection on the DrayTek for each network. On the Cisco side I also created a connection for each network.
The VPNs function if they initiate in a determined order. If the VPN for the 192.168.1.0 network starts first then there is no traffic...
Can you please help me.
Best regards.
09-12-2013 11:27 AM
Hi Joao,
On ASA we can create one crypto map for one peer IP address.
As per my understanding it seems that you are trying to configure different crypto maps for different networks on the other side.
On ASA, we have to configure it in the following way:
access-list test permit ip 192.168.1.0 255.255.255.0
access-list test permit ip host 192.168.2.15
access-list test permit ip host 192.168.3.15
crypto map testmap 1 set peer
crypto map testmap 1 match address test
crypto map testmap 1 set transform-set ESP-3DES-SHA
Let me know if it helps.
If possible, attach the running configuration of your ASA as well.
Regards,
Naresh
09-12-2013 04:18 PM
From the Cisco side I have tested with only one connection and added the other networks to the access list.
From the DrayTek side I have 3 different connections.
If the first connection is not the connection with the 192.168.1.0 network, if for some reason the other connections are dropped, then we don't have traffic and from the DrayTek side the VPN is up, but from the Cisco that connection is not up.
Sorry for the description.
09-13-2013 06:22 AM
Hi,
Sorry, the answer is not correct. I accidentally pressed the button and now I do not know how to remove that flag.
JA
09-12-2013 11:39 AM
Hi Joao,
See if the issue is that on the other device you cannot define multiple subnets as we do in ASA.
Then yes, that's an issue because, as Naresh said above, we cannot configure multiple crypto maps on ASA for the same peer.
Thanks
Jeet
09-12-2013 04:20 PM
That is the problem: I cannot define multiple subnets in the connection profile.
I can add routes to the VPN but it didn't work.
Thanks,
João Areias
09-14-2013 02:42 PM
Use a supernet:
192.168.0.0 /22
It need not match the actually used subnets exactly.
09-16-2013 06:20 AM
Hi,
In this case it could work, but I also have situations where I have one class A subnet and 2 hosts that have public IPs but have to pass through the VPN tunnel.
Thanks.
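The supernet suggestion in this thread, checked as an added example (not part of any post above): this Python computes the smallest single prefix that covers a set of protected networks and counts how many addresses that selector admits beyond the intended ones. The second network set is constructed from documentation ranges to stand in for the "class A subnet plus two public hosts" case; the function names are hypothetical.

```python
import ipaddress

def covering_supernet(networks):
    """Smallest single IPv4 prefix that contains every given network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # The leading bits shared by the lowest and highest address form the prefix.
    prefixlen = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefixlen), strict=False)

def extra_addresses(networks, supernet):
    """Addresses the supernet selector covers that were never intended."""
    nets = ipaddress.collapse_addresses(
        [ipaddress.ip_network(n) for n in networks])
    wanted = sum(n.num_addresses for n in nets)
    return supernet.num_addresses - wanted

# Networks named in the original question.
THREAD_NETS = ["192.168.1.0/24", "192.168.2.15/32", "192.168.3.15/32"]

# Constructed stand-in for "one class A subnet and 2 hosts with public IPs"
# (RFC 5737 documentation addresses, not values from the thread).
MIXED_NETS = ["10.0.0.0/8", "198.51.100.10/32", "203.0.113.20/32"]

def report(networks):
    """Return (supernet, number of unintended addresses it also selects)."""
    sn = covering_supernet(networks)
    return sn, extra_addresses(networks, sn)

if __name__ == "__main__":
    for label, nets in (("thread", THREAD_NETS), ("mixed", MIXED_NETS)):
        sn, extra = report(nets)
        print(f"{label}: selector {sn} covers {extra} unintended addresses")
```

For the thread's networks the single selector stays small, while the mixed set collapses to a default-route selector, which is why a supernet is only a workable traffic selector when the protected networks are close together.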