2668 Views · 10 Helpful · 7 Replies

Two Site to Site VPNs to Same ASA Firewall's

matt.smith (Level 1)

Hi All

I have a scenario whereby I need to add a second VPN tunnel to a Cisco ASA, however its peer address will be on the outside2 interface on the remote firewall. 

We have ASA1-HQ 5505

Inside address - 172.16.20.0

Outside1 - 1.1.1.1

Outside 2 - 2.2.2.1

ASA2-DC 5510

Inside Address- 172.16.30.0

Outside1 - 3.3.3.1

Outside2 - 4.4.4.1

There is currently a VPN tunnel between 1.1.1.1 and 3.3.3.1. I need to add a 2nd VPN tunnel utilising outside2 addresses 2.2.2.1 & 4.4.4.1 respectively.

I have labbed this out, however I cannot get traffic going down the 2nd VPN tunnel. I have created the following routes on each firewall:

ASA1-HQ

Outside1 0.0.0.0 0.0.0.0 1.1.1.2 (metric 1) (Next hop for outside1 interface)

Outside2 4.4.4.1 255.255.255.255 2.2.2.2 (metric 1) (Peer address of 2nd VPN tunnel)

ASA2-DC

Outside1 0.0.0.0 0.0.0.0 3.3.3.2 (metric 1) (Next hop for outside1 interface)

Outside2 2.2.2.1 255.255.255.255 4.4.4.2 (metric 1) (Peer address of 2nd VPN tunnel)

I have tried adjusting the Crypto map Priority values however this has made no difference.

One theory I have is the local addresses potentially would need to be on a separate network in order for traffic to traverse the 2nd VPN tunnel.

The crypto maps I have created are:

ASA1-HQ

Outside1 (Priority10)  S 172.16.20.0 /24 D 172.16.30.0/24 Protect ESP-3DES-SHA Peer 3.3.3.1 (Nat T Enabled)

Outside2 (Priority 1)  S 172.16.20.50 /32 D 172.16.30.50/32 Protect ESP-3DES-SHA Peer 4.4.4.1 (Nat T Enabled)

ASA2-DC

Outside1 (Priority10) S 172.16.30.0 /24 D 172.16.20.0/24 Protect ESP-3DES-SHA Peer 1.1.1.1 (Nat T Enabled)

Outside2 (Priority1)  S 172.16.30.50 /32 D 172.16.20.50/32 Protect ESP-3DES-SHA Peer 2.2.2.1 (Nat T Enabled)

I ask the forum:

1) Is what I am attempting feasible?

2) If so, how can I get this to work? Anything to steer me in the right direction would be appreciated!

Hope this makes sense!

Many thanks

7 Replies

You have to add a route to the private destination out of the right interface:

HQ:

route outside2 172.16.30.50 255.255.255.255 2.2.2.2

Similar on the DC-ASA

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
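What the two-interface design looks like end to end on the HQ side, as an added example (it is not configuration posted in this thread, and the DC side is simply the mirror image). It follows the thread's addressing and the 8.0-era ASA syntax the poster is running; the ACL and crypto map names, the NAT-exemption ACL and the pre-shared keys are assumptions, and the keys are placeholders. The point it makes explicit is that the ASA picks the egress interface by routing first and only then evaluates the crypto map bound to that interface, which is why the reply above adds a host route for the protected destination and not just for the peer.

```text
! ASA1-HQ, ASA 8.0-style syntax (added example; interface names, ACL/map names
! and the pre-shared keys are assumptions, not configuration from the thread)

! --- Routing: the egress interface is chosen BEFORE any crypto map is evaluated ---
route outside1 0.0.0.0 0.0.0.0 1.1.1.2 1
! Reach the second peer AND the second tunnel's protected host via outside2
route outside2 4.4.4.1 255.255.255.255 2.2.2.2 1
route outside2 172.16.30.50 255.255.255.255 2.2.2.2 1

! --- Interesting traffic, one ACL per tunnel ---
access-list VPN1-TRAFFIC extended permit ip 172.16.20.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list VPN2-TRAFFIC extended permit ip host 172.16.20.50 host 172.16.30.50

! --- NAT exemption so private addresses are not translated before encryption (8.0 syntax) ---
access-list NONAT extended permit ip 172.16.20.0 255.255.255.0 172.16.30.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- IKEv1 (ISAKMP) on both outside interfaces; 3DES/SHA mirrors the thread ---
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! --- Two separate crypto maps, each bound to its own interface ---
crypto map MAP-OUT1 10 match address VPN1-TRAFFIC
crypto map MAP-OUT1 10 set peer 3.3.3.1
crypto map MAP-OUT1 10 set transform-set ESP-3DES-SHA
crypto map MAP-OUT1 interface outside1

crypto map MAP-OUT2 10 match address VPN2-TRAFFIC
crypto map MAP-OUT2 10 set peer 4.4.4.1
crypto map MAP-OUT2 10 set transform-set ESP-3DES-SHA
crypto map MAP-OUT2 interface outside2

! --- One tunnel-group per peer; PLACEHOLDER keys must be replaced ---
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-TUNNEL1
tunnel-group 4.4.4.1 type ipsec-l2l
tunnel-group 4.4.4.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-TUNNEL2
```

On ASA2-DC the equivalent lines are `route outside2 2.2.2.1 255.255.255.255 4.4.4.2` and `route outside2 172.16.20.50 255.255.255.255 4.4.4.2`, with sources and destinations swapped and peers 1.1.1.1 and 2.2.2.1. One caveat worth checking before relying on this: the host route sends every packet destined for 172.16.30.50 out outside2 regardless of source, but only 172.16.20.50 matches VPN2-TRAFFIC, so a different inside host talking to 172.16.30.50 would leave outside2 in clear text rather than falling back to the /24 map on outside1 (which never sees it). Either widen the outside2 crypto ACL to every source you route that way or block the rest with an outbound ACL, then confirm the path with `packet-tracer input inside tcp 172.16.20.50 1024 172.16.30.50 80` and `show crypto ipsec sa peer 4.4.4.1`. The 3DES/SHA transform set is kept here because it is what the thread uses; on current ASA software AES with SHA-2 is the expected choice.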

Thanks for the response, I will try this tomorrow.

Are the crypto maps correct? I was/am concerned that the same IP address ranges overlap?

Do you have *different* crypto maps, one for outside and one for outside2? Then it is correct.


Thanks, I have set this, however I have another issue:

Between the firewalls I have put two routers; the interfaces connecting the two are fa0/1 10.0.0.1 and 10.0.0.2 respectively.

For the lab I have 2 PIX 515E w/ IOS 8.0.4.

For simplicity I have set a default route to each router's interface. Interestingly enough, I cannot ping the outside2 interface on either remote router; I can ping the hop before, i.e. 2.2.2.2, but am unable to reach 2.2.2.1 (PIX outside2).

I can ping the outside1 interface from each remote router.

Routes added:

R1 DC 0.0.0.0 0.0.0.0 1.1.1.1

R2 HQ 0.0.0.0 0.0.0.0 1.1.1.2

I did try static routes instead, however the result is the same. Perhaps I am missing something here?

Many thanks,

Do you have a picture of your setup? I really don't get what exactly you are trying to do.


Hi

I managed to resolve the issue(s) in the end. I was trying to get 2 simultaneous VPN tunnels up on the same 2 ASAs. Bit weird, but there is a valid reason for this!

Thanks again,

Matt

Manas Dutta (Level 1)

Hi All,

I am also trying to simulate a similar kind of setup.

ASA1

Inside: 10.10.20.1/24

Outside1: 81.171.171.26/30

Outside2: 95.45.23.34/30

Intermediate Internet:

F0/0(connected to ASA1 Outside1): 81.171.171.25/30

F0/1(connected to ASA3 Outside): 92.45.23.33/30

F1/0(connected to ASA2 Outside): 91.45.23.33/30

F2/0(connected to ASA1 Outside2): 95.45.23.33/30

ASA2

Inside: 10.10.10.1/24

Outside: 91.45.23.34/30

ASA3

Inside: 10.10.10.1/24

Outside: 92.45.23.34/30

I want to set up two tunnels from ASA1 (one to ASA2 and a 2nd to ASA3) with the same interesting traffic. This is sort of a failover. I set a default route of 0.0.0.0 0.0.0.0 81.171.171.25 on the Outside1 interface in ASA1. I cannot create a 2nd default route for the Outside2 interface in ASA1. The tunnel between ASA1 and ASA3 is not up. Can someone help here!!!
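The ASA accepts a second default route on a different interface only as a floating route with a worse metric, and it will use it only once the primary is withdrawn. The usual way to make that withdrawal automatic is an SLA probe tied to a tracking object. The following is an added example for ASA1 in the setup above, not configuration from this thread; the SLA id, tracking object, ACL and map names, transform set and pre-shared keys are assumptions (keys are placeholders), and the crypto policy, NAT exemption and transform-set definitions are the same as for any L2L tunnel and are abbreviated here.

```text
! ASA1 (added example, not from the thread). Assumptions: interface names outside1/outside2,
! SLA id 1, track 1, ACL/map names, PLACEHOLDER pre-shared keys.

! --- Probe the outside1 next hop; when it stops answering, track 1 goes down ---
sla monitor 1
 type echo protocol ipIcmpEcho 81.171.171.25 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! --- Primary default route is installed only while track 1 is up; metric 254 route floats in otherwise ---
route outside1 0.0.0.0 0.0.0.0 81.171.171.25 1 track 1
route outside2 0.0.0.0 0.0.0.0 95.45.23.33 254

! --- Keep the ASA3 peer itself reachable via outside2 at all times, so IKE to it can
!     complete; data traffic still follows whichever default route is active ---
route outside2 92.45.23.34 255.255.255.255 95.45.23.33 1

! --- Same interesting traffic in both maps is allowed because each map is bound to a different interface ---
access-list VPN-TRAFFIC extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

crypto isakmp enable outside1
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map MAP-OUT1 10 match address VPN-TRAFFIC
crypto map MAP-OUT1 10 set peer 91.45.23.34
crypto map MAP-OUT1 10 set transform-set ESP-AES-SHA
crypto map MAP-OUT1 interface outside1

crypto map MAP-OUT2 10 match address VPN-TRAFFIC
crypto map MAP-OUT2 10 set peer 92.45.23.34
crypto map MAP-OUT2 10 set transform-set ESP-AES-SHA
crypto map MAP-OUT2 interface outside2

tunnel-group 91.45.23.34 type ipsec-l2l
tunnel-group 91.45.23.34 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-ASA2
tunnel-group 92.45.23.34 type ipsec-l2l
tunnel-group 92.45.23.34 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-ASA3
```

With this in place the ASA1 to ASA3 tunnel only carries traffic after outside1's next hop fails, which is what "sort of a failover" implies; while outside1 is healthy, interesting traffic routes out outside1 and hits MAP-OUT1, so the ASA3 tunnel staying idle is expected rather than a fault. Two things to verify: `show track 1` and `show route` after unplugging the outside1 link should show the metric 254 route installed, and the stale SAs on outside1 may need `clear crypto ipsec sa peer 91.45.23.34` (or DPD on the peers) so hosts are not left waiting on a dead tunnel during the switch.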
