Vendor L2L VPN access to others

jeff6strings
Level 1

Our ASA is a 5580 version 8.1(2) and is the L2L VPN peer for a handful of remote offices including a L2L VPN with a vendor who will provide a service for these remote offices. I have two questions/issues:

  • We will need to provide this vendor access to the remote office network(s) only on port 9100 (printing to specific printers at these offices). I know there is an issue with L2L VPNs' ability to see each other, but if there is a global command allowing all to see each other that would be bad, as we have others and don’t want all to see each other.
  • The remote offices are using CIDR 172.20.0.0/16, so each one is assigned, for example, 172.20.3, the next office 172.20.4, and so on. For the crypto map access list for this vendor, can we use 172.20.0.0/16 or do we need to specify each individual network?

Thanks for any help.

Jeff

Accepted Solution

Jennifer Halim
Cisco Employee

OK, my understanding of your topology:

ASA5580 is the HUB and you have multiple SPOKES (remote offices and vendor).

Requirement:

- Remote offices to print to vendor network via ASA5580 HUB

If the above is correct, then to answer your second question:

YES, the crypto ACL needs to be exact because it needs to be a mirror image, and you would need to add the crypto ACL at all 3 sites, i.e. HUB, remote office, and vendor.

Example:

Remote office:

- access-list permit ip host

- access-list nonat permit ip host

Vendor:

- access-list permit ip host

- access-list nonat permit ip host

HUB:

- access-list permit ip host

- access-list permit ip host

- same-security-traffic permit intra-interface

Hope that answers your question.

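A worked ASA configuration for the hub-and-spoke layout described in the answer above, added here as an illustration and not taken from the original post. One remote office (172.20.3.0/24), the hub LAN (192.168.1.0/24), the vendor network (10.99.0.0/24), all peer addresses, ACL names, the transform set and the interface names are assumed; the vpn-filter on the hub restricts the vendor tunnel to TCP 9100, which the question asks about but the thread does not show.

```cisco
! ---- HUB (ASA5580) -- assumed names and addresses ----
! Hairpin: traffic arriving on "outside" through one tunnel may leave through another
same-security-traffic permit intra-interface

! Crypto ACL for the vendor tunnel: vendor <-> each remote office it will serve
access-list VPN_VENDOR extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
! Crypto ACL for the remote office tunnel: office <-> hub LAN, plus office <-> vendor
access-list VPN_OFFICE3 extended permit ip 192.168.1.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list VPN_OFFICE3 extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0

! Only vendor-initiated print jobs (TCP 9100) toward the office ranges are allowed over the
! vendor tunnel; the filter ACL is written with the peer-side (vendor) network as source
access-list VENDOR_FILTER extended permit tcp 10.99.0.0 255.255.255.0 172.20.0.0 255.255.0.0 eq 9100
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-filter value VENDOR_FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy VENDOR_GP

crypto map outside_map 10 match address VPN_OFFICE3
crypto map outside_map 10 set peer 198.51.100.3
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address VPN_VENDOR
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
! (hub NAT exemption not shown)

! ---- REMOTE OFFICE 3 -- mirror image of the hub's VPN_OFFICE3 ----
access-list VPN_HUB extended permit ip 172.20.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_HUB extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list nonat extended permit ip 172.20.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address VPN_HUB
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-AES-SHA

! ---- VENDOR -- mirror image of the hub's VPN_VENDOR ----
access-list VPN_HUB extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list nonat extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address VPN_HUB
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
```

For each additional office, repeat the office/vendor pair in that office's crypto ACL, in the hub's map entry for that office, and in the hub's VPN_VENDOR ACL (mirrored on the vendor side), so every tunnel's proxy identities stay exact mirror images.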

3 Replies


Jennifer thanks for the reply.

Is there something I need to do on the ASA 5580 to allow a L2L VPN to see the others? If it's just access lists that's great.

The vendor will send print jobs to the remote office printers on the 172.25.x networks, not the other way around.

Thanks for the reply.

Jeff

Config advised earlier under HUB is the one needed on the ASA5580.
