matt.smith
Beginner

Two Site-to-Site VPNs to the Same ASA Firewalls

Hi All

I have a scenario whereby I need to add a second VPN tunnel to a Cisco ASA; however, its peer address will be on the outside2 interface on the remote firewall.

We have ASA1-HQ (5505)

Inside address - 172.16.20.0

Outside1 - 1.1.1.1

Outside 2 - 2.2.2.1

ASA2-DC (5510)

Inside Address- 172.16.30.0

Outside1 - 3.3.3.1

Outside2 - 4.4.4.1

There is currently a VPN tunnel between 1.1.1.1 and 3.3.3.1. I need to add a 2nd VPN tunnel utilising outside2 addresses 2.2.2.1 & 4.4.4.1 respectively.

I have labbed this out; however, I cannot get traffic going down the 2nd VPN tunnel. I have created the following routes on each firewall:

ASA1-HQ

Outside1 0.0.0.0 0.0.0.0 1.1.1.2 (metric 1) (next hop for outside1 interface)

Outside2 4.4.4.1 255.255.255.255 2.2.2.2 (metric 1) (peer address of 2nd VPN tunnel)

ASA2-DC

Outside1 0.0.0.0 0.0.0.0 3.3.3.2 (metric 1) (next hop for outside1 interface)

Outside2 2.2.2.1 255.255.255.255 4.4.4.2 (metric 1) (peer address of 2nd VPN tunnel)

I have tried adjusting the crypto map priority values; however, this has made no difference.

One theory I have is that the local addresses would potentially need to be on a separate network in order for traffic to traverse the 2nd VPN tunnel.

The crypto maps I have created are:

ASA1-HQ

Outside1 (Priority 10)  S 172.16.20.0/24 D 172.16.30.0/24 Protect ESP-3DES-SHA Peer 3.3.3.1 (NAT-T enabled)

Outside2 (Priority 1)  S 172.16.20.50/32 D 172.16.30.50/32 Protect ESP-3DES-SHA Peer 4.4.4.1 (NAT-T enabled)

ASA2-DC

Outside1 (Priority 10)  S 172.16.30.0/24 D 172.16.20.0/24 Protect ESP-3DES-SHA Peer 1.1.1.1 (NAT-T enabled)

Outside2 (Priority 1)  S 172.16.30.50/32 D 172.16.20.50/32 Protect ESP-3DES-SHA Peer 2.2.2.1 (NAT-T enabled)

I ask the forum:

1) Is what I am attempting feasible?

2) If so, how can I get this to work? Anything to steer me in the right direction would be appreciated!

Hope this makes sense!

Many thanks

Karsten Iwen
VIP Mentor

You have to add a route to the private destination out of the right interface:

HQ:

route outside2 172.16.30.50 255.255.255.255 2.2.2.2

Similar on the DC-ASA

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
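The answer above hinges on lookup order: the ASA first picks the egress interface from the routing table, and only then consults the crypto map bound to that interface. With only a default route via outside1, a packet for 172.16.30.50 leaves on outside1 and is matched by the /24 entry of the outside1 map, so the outside2 map (and its priority) never comes into play. The following Python model is an added illustration written for this page; it is not part of the thread and not Cisco code. It assumes longest-prefix-match routing and in-sequence evaluation of the crypto map on the chosen interface only, and it ignores NAT, interface ACLs and reverse-route injection. The addresses are the ones posted in the question.

```python
"""Toy model of ASA tunnel selection: route lookup chooses the egress
interface, then only that interface's crypto map is searched in sequence
order.  Illustrative code for this page, not an ASA configuration.
Assumptions: longest-prefix-match routing; no NAT, ACLs or RRI."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


@dataclass
class CryptoEntry:
    seq: int                       # crypto map sequence number ("priority")
    src: ipaddress.IPv4Network     # crypto ACL source
    dst: ipaddress.IPv4Network     # crypto ACL destination
    peer: str


@dataclass
class Asa:
    routes: list = field(default_factory=list)
    crypto_maps: dict = field(default_factory=dict)   # interface -> [CryptoEntry]

    def add_route(self, iface, prefix, next_hop):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, iface))

    def add_crypto(self, iface, seq, src, dst, peer):
        entries = self.crypto_maps.setdefault(iface, [])
        entries.append(CryptoEntry(seq, ipaddress.ip_network(src),
                                   ipaddress.ip_network(dst), peer))
        entries.sort(key=lambda e: e.seq)   # ASA evaluates in sequence order

    def egress(self, dst_ip):
        """Longest-prefix match; returns the winning Route or None."""
        ip = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def tunnel_for(self, src_ip, dst_ip):
        """Return (egress_interface, peer).  peer is None when the flow would
        leave that interface in the clear; (None, None) means unroutable."""
        route = self.egress(dst_ip)
        if route is None:
            return (None, None)
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for entry in self.crypto_maps.get(route.interface, []):
            if s in entry.src and d in entry.dst:
                return (route.interface, entry.peer)
        return (route.interface, None)


def build_hq(with_host_route):
    """ASA1-HQ as posted; with_host_route adds the route from the answer."""
    hq = Asa()
    hq.add_route("outside1", "0.0.0.0/0", "1.1.1.2")
    hq.add_route("outside2", "4.4.4.1/32", "2.2.2.2")          # reach 2nd peer
    if with_host_route:
        hq.add_route("outside2", "172.16.30.50/32", "2.2.2.2")  # the fix
    hq.add_crypto("outside1", 10, "172.16.20.0/24", "172.16.30.0/24", "3.3.3.1")
    hq.add_crypto("outside2", 1, "172.16.20.50/32", "172.16.30.50/32", "4.4.4.1")
    return hq


def build_dc(with_host_route):
    """ASA2-DC, the mirror image."""
    dc = Asa()
    dc.add_route("outside1", "0.0.0.0/0", "3.3.3.2")
    dc.add_route("outside2", "2.2.2.1/32", "4.4.4.2")
    if with_host_route:
        dc.add_route("outside2", "172.16.20.50/32", "4.4.4.2")
    dc.add_crypto("outside1", 10, "172.16.30.0/24", "172.16.20.0/24", "1.1.1.1")
    dc.add_crypto("outside2", 1, "172.16.30.50/32", "172.16.20.50/32", "2.2.2.1")
    return dc


if __name__ == "__main__":
    for fixed in (False, True):
        hq = build_hq(fixed)
        print("host route" if fixed else "default only",
              "172.16.20.50->172.16.30.50:", hq.tunnel_for("172.16.20.50", "172.16.30.50"),
              "| 172.16.20.10->172.16.30.10:", hq.tunnel_for("172.16.20.10", "172.16.30.10"))
```

Without the host route the .50 flow is reported as outside1 / peer 3.3.3.1 regardless of the outside2 map's lower sequence number, which is the behaviour the question describes; with `route outside2 172.16.30.50 255.255.255.255 2.2.2.2` it becomes outside2 / peer 4.4.4.1 while the rest of the /24 still uses the first tunnel. The same model also shows why the overlapping ACLs are harmless here: they live on different interfaces. Had both entries been on one interface's crypto map, the /32 entry would have needed the lower sequence number, because the ASA matches in sequence order, not by prefix length.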

Thanks for the response; I will try this tomorrow.

Are the crypto maps correct? I was/am concerned that the same IP address ranges overlap.

Do you have *different* crypto maps, one for outside and one for outside2? Then it is correct.


Thanks, I have set this; however, I have another issue.

Between the firewalls I have put two routers; the interfaces connecting the two are fa0/1 10.0.0.1 and 10.0.0.2 respectively.

For the lab I have 2 PIX 515E w/ IOS 8.0.4.

For simplicity I have set a default route to each router's interface. Interestingly enough, I cannot ping the outside2 interface on either remote router; I can ping the hop before, i.e. 2.2.2.2, but am unable to reach 2.2.2.1 (PIX outside2).

I can ping the outside1 interface from each remote router.

Routes added:

R1 DC 0.0.0.0 0.0.0.0 1.1.1.1

R2 HQ 0.0.0.0 0.0.0.0 1.1.1.2

I did try static routes instead; however, the result is the same. Perhaps I am missing something here?

Many thanks,

Do you have a picture of your setup? I really don't get what exactly you are trying to do.


Hi

I managed to resolve the issue(s) in the end. I was trying to get 2 simultaneous VPN tunnels up between the same 2 ASAs. Bit weird, but there is a valid reason for this!

thanks again,

Matt

Manas Dutta
Beginner

Hi All,

I am also trying to simulate a similar kind of setup.

ASA1

Inside: 10.10.20.1/24

Outside1: 81.171.171.26/30

Outside2: 95.45.23.34/30

Intermediate Internet:

F0/0(connected to ASA1 Outside1): 81.171.171.25/30

F0/1(connected to ASA3 Outside): 92.45.23.33/30

F1/0(connected to ASA2 Outside): 91.45.23.33/30

F2/0(connected to ASA1 Outside2): 95.45.23.33/30

ASA2

Inside: 10.10.10.1/24

Outside: 91.45.23.34/30

ASA3

Inside: 10.10.10.1/24

Outside: 92.45.23.34/30

I want to set up two tunnels from ASA1 (one to ASA2 and a 2nd to ASA3) with the same interesting traffic. This is sort of a failover. I set a default route of 0.0.0.0 0.0.0.0 81.171.171.25 on the Outside1 interface in ASA1. I cannot create a 2nd default route for the Outside2 interface in ASA1. The tunnel between ASA1 and ASA3 is not up. Can someone help here!!!