
Two Site-to-Site Tunnels to Destination Network falls under a different tunnel

latenaite2011
Level 4

Does anyone know how to create two Site-to-Site VPN Tunnels on the Cisco ASA with the same local subnet on the remote end?

For example, I have these:

Tunnel 1 - Built and working already

Site A                  Site B

10.1.1.0/24        172.2.0.0/16

Tunnel 2 - New and Needs to be Built - Falls within the same subnet as B but a /24

10.1.1.0/24      172.2.2.0/24

Phase 1 works fine but we don't see any packets on Phase 2 because it will go over the first tunnel. I tried moving the crypto map for Tunnel 2 before Tunnel 1 and clearing the session, but it gets rebuilt instantaneously because there is some background traffic between the two sites that generates traffic.

Does anyone have any suggestions on this?

thank you!


4 Replies

Rahul Govindan
VIP Alumni

Since the current Tunnel 2 has a smaller range (/24), this should be placed above the existing tunnel to the /16. What this will do is allow any traffic to 172.2.2.0/24 go through the new tunnel and everything in 172.2.0.0/16 except for the 172.2.2.0/24 go through the existing one. So if you have ip addresses in the 172.2.2.0/24 range for the existing tunnel, this would be a conflict. The only way around that would be to translate the traffic to another non-conflicting subnet. 

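The ordering argument above, as an added example that is not part of the thread: a small Python model of first-match evaluation over an ordered rule list, using the subnets from the question. Rule names, the translated address 172.26.1.21 and the test host 10.1.1.10 are constructed for the example; this models list order only, not the ASA's own NAT engine.

```python
# Simplified model of first-match rule evaluation (constructed example, not ASA code).
from ipaddress import ip_address, ip_network


def first_match(rules, src, dst):
    """Return the name of the first rule whose source and destination networks
    both contain the packet, or None when nothing matches (traffic stays clear-text)."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return name
    return None


# Crypto map order as suggested: the /24 entry sits above the /16 entry.
CRYPTO_SPECIFIC_FIRST = [
    ("tunnel2_to_172.2.2.0/24", "10.1.1.0/24", "172.2.2.0/24"),
    ("tunnel1_to_172.2.0.0/16", "10.1.1.0/24", "172.2.0.0/16"),
]
# The original order: the broad /16 entry is evaluated first and swallows everything.
CRYPTO_BROAD_FIRST = list(reversed(CRYPTO_SPECIFIC_FIRST))

# NAT rules for the same flows; the policy NAT has to be hit before the exemption,
# otherwise the packet leaves untranslated and is classified by its real source.
NAT_POLICY_FIRST = [
    ("policy_nat_to_172.26.1.21", "10.1.1.0/24", "172.2.2.0/24"),   # constructed name
    ("nat0_exempt", "10.1.0.0/16", "172.2.0.0/16"),
]
NAT_EXEMPT_FIRST = list(reversed(NAT_POLICY_FIRST))


def tunnel_for(dst, order=CRYPTO_SPECIFIC_FIRST, src="10.1.1.10"):
    """Which crypto map entry a packet from the constructed host 10.1.1.10 would hit."""
    return first_match(order, src, dst)


def nat_for(dst, order=NAT_POLICY_FIRST, src="10.1.1.10"):
    """Which NAT rule the same packet would hit under the given rule order."""
    return first_match(order, src, dst)


if __name__ == "__main__":
    for dst in ("172.2.2.5", "172.2.10.5"):
        print(dst, "crypto:", tunnel_for(dst), "| broad-first:", tunnel_for(dst, CRYPTO_BROAD_FIRST))
        print(dst, "nat:", nat_for(dst), "| exempt-first:", nat_for(dst, NAT_EXEMPT_FIRST))
```
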
Hi Rahul,

Thank you for the quick reply.

I have tried creating a source NAT for tunnel B that says when Site A wants to talk to the remote end, translate to IP X.X.X.X, and my access-list is X.X.X.X with 172.2.2.0/24. However, this still doesn't work, as when I ran a ping test from Site A, I can see the ping test going over Site 1's tunnel.

It seems the test traffic is passing through Tunnel One before NAT gets checked (the reason I changed the crypto map priority to test, but that didn't make any difference).

Should this be a destination NAT? What should the NAT look like?

Thank you!

Paula

So there are a few ways to do the NAT. If you do source NAT to x.x.x.x, then the ACL would be x.x.x.x to 172.2.2.0/24 (reversed at the other end). You have to remember to place the NAT rule above the NAT exemption rule (no NAT) that you have for Tunnel 1.

You could also do destination NAT, but again, your NAT rule should be above the exemption rule.

If you don't have conflicting IP addresses, I do not see why changing the order of the tunnels won't work. Can you paste a snippet of your NAT and crypto ACL config?


Hi Rahul,

I tried removing the NAT exempt rule (nat 0) and re-pasting it to see if it would be put before the static statement that I have for this, but nat statements are entered before the static statements.

See below for relevant snippets:

TUNNEL 1

access-list outside_15_cryptomap line 1 extended permit ip 172.26.1.20 255.255.255.252 172.2.15.0 255.255.255.0

crypto map outside_map 15 match address outside_15_cryptomap
crypto map outside_map 15 set peer X.X.X.X

TUNNEL 2

access-list outside_17_cryptomap line 1 extended permit ip 10.1.0.0 255.255.0.0 172.2.0.0 255.255.0.0

crypto map outside_map 70 match address outside_17_cryptomap
crypto map outside_map 70 set peer X.X.X.X

access-list nonat_inside line 2 extended permit ip 10.1.0.0 255.255.0.0 172.2.0.0 255.255.0.0

nat (inside) 0 access-list nonat_inside

access-list nat-l2l-new-vpn line 1 extended permit ip host 10.1.1.x 172.2.2.x 255.255.255.0

static (inside,outside) 172.26.1.21 access-list nat-l2l-new-vpn

I did

no nat (inside) 0 access-list nonat_inside

and re-pasted it in, hoping that it would be put after the "static (inside,outside) vpn access-list nat-l2l-new-vpn", but the nat statements are entered before any static lines.

nat (inside) 0 access-list nonat_inside
nat (inside) 100 access-list nat_inside
static (inside,outside) X.X.X.X X.X.X.X netmask 255.255.255.255
static (inside,outside) X.X.X.X X.X.X.X netmask 255.255.255.255
static (inside,outside) 172.26.1.21 access-list nat-l2l-new-vpn

Thank you!