10-13-2019 11:25 AM
Hello
I have a problem with a flapping tunnel between a Router and two ASA firewalls.
Here is my configuration on the Router:
hostname Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
ip source-route
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
redundancy
mode none
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXX address x.x.x.x
crypto isakmp key XXXXXX address x.x.x.x
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set mat-mm-set esp-3des esp-md5-hmac
!
crypto map mat-vpn 1 ipsec-isakmp
set peer XXXXXX
set security-association lifetime seconds 86400
set transform-set mat-mm-set
set pfs group2
match address ACL-MHQ
crypto map mat-vpn 2 ipsec-isakmp
set peer x.x.x.x
set transform-set mat-mm-set
match address ACL-MM
!
!
!
!
!
!
!
interface GigabitEthernet0/1/0
ip address XXXXXXXXX
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1/1
XXXXXXXXXXXX
media-type rj45
negotiation auto
crypto map mat-vpn
!
interface Serial0/2/0
no ip address
shutdown
!
interface Serial0/2/1
no ip address
shutdown
!
interface Serial0/2/2
no ip address
shutdown
!
interface Serial0/2/3
no ip address
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 XXXXXXXXX
ip route 0.0.0.0 0.0.0.0 5.175.64.1 254
ip route 192.168.0.0 255.255.0.0 192.168.40.1
!
ip access-list extended ACL-MHQ
permit ip 192.168.60.0 0.0.0.255 10.176.32.0 0.0.15.255
permit ip 192.168.60.0 0.0.0.255 10.176.58.0 0.0.1.255
permit ip 192.168.60.0 0.0.0.255 10.176.0.0 0.0.255.255
ip access-list extended ACL-MM
permit ip 192.168.60.0 0.0.0.255 10.176.90.0 0.0.0.255
!
!
!
!
control-plane
!
!
10-13-2019 12:39 PM
Trying to understand the problem "flapping tunnel between"? Can you explain more?
10-13-2019 12:41 PM
It looks like traffic is being matched on both tunnels, so there will be unexpected results. Traffic going to 10.176.90.0/24 in the ACL-MM access-list will also match 10.176.0.0/16 in the ACL-MHQ access-list. Are you able to be more specific with the ACL-MHQ access-list?
ip access-list extended ACL-MHQ
permit ip 192.168.60.0 0.0.0.255 10.176.32.0 0.0.15.255
permit ip 192.168.60.0 0.0.0.255 10.176.58.0 0.0.1.255
permit ip 192.168.60.0 0.0.0.255 10.176.0.0 0.0.255.255
ip access-list extended ACL-MM
permit ip 192.168.60.0 0.0.0.255 10.176.90.0 0.0.0.255
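The overlap pointed out in the reply above, worked through as an added example that is not part of the thread: a small Python model of the router's two crypto map entries (seq 1 using ACL-MHQ, seq 2 using ACL-MM). It parses the crypto ACL lines exactly as posted, reports which crypto map entry a given flow would be protected by, and lists destination prefixes a later entry permits but never actually receives because an earlier entry already claims them. The evaluation model (entries tried in sequence order, first matching permit wins, a matching deny sends the packet on to the next entry) is an assumption about IOS behaviour built into the script; the `ACL_MHQ_FIXED` variant, which carves 10.176.90.0/24 out of ACL-MHQ with a deny line, is a constructed illustration of one way to make ACL-MHQ more specific, not a fix taken from the thread. The sample flows are constructed too.

```python
"""Check IOS crypto map ACLs for destination prefixes shadowed by an
earlier entry.  Added example; the ACL text is copied from the post,
the fixed ACL and the sample flows are constructed for illustration."""
import ipaddress
import re

ACL_LINE = re.compile(
    r"^\s*(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Crypto ACLs as posted in the router configuration.
ACL_MHQ = """
permit ip 192.168.60.0 0.0.0.255 10.176.32.0 0.0.15.255
permit ip 192.168.60.0 0.0.0.255 10.176.58.0 0.0.1.255
permit ip 192.168.60.0 0.0.0.255 10.176.0.0 0.0.255.255
"""
ACL_MM = """
permit ip 192.168.60.0 0.0.0.255 10.176.90.0 0.0.0.255
"""
# Constructed candidate fix (not from the thread): exclude the MM subnet
# from ACL-MHQ with a deny placed ahead of the broad /16 permit.
ACL_MHQ_FIXED = """
permit ip 192.168.60.0 0.0.0.255 10.176.32.0 0.0.15.255
permit ip 192.168.60.0 0.0.0.255 10.176.58.0 0.0.1.255
deny   ip 192.168.60.0 0.0.0.255 10.176.90.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 10.176.0.0 0.0.255.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network.

    An IOS wildcard is an inverted netmask.  A non-contiguous wildcard
    makes ipaddress raise ValueError, which is fine for crypto ACLs.
    """
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, src, swc, dst, dwc = m.groups()
        entries.append((action, wildcard_to_network(src, swc),
                        wildcard_to_network(dst, dwc)))
    return entries


def first_match(crypto_map, src_ip, dst_ip):
    """Return the crypto map sequence number that would protect the flow.

    Assumed IOS model: entries are tried in sequence order, the first
    matching permit wins, and a matching deny ends evaluation of that
    entry's ACL so the next entry is tried.  None means not protected.
    """
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for seq, _name, entries in sorted(crypto_map, key=lambda e: e[0]):
        for action, src_net, dst_net in entries:
            if src in src_net and dst in dst_net:
                if action == "permit":
                    return seq
                break  # deny: fall through to the next crypto map entry
    return None


def shadowed_prefixes(crypto_map):
    """List destination prefixes a later entry permits but never gets.

    For each permit in a later entry that overlaps a permit in an earlier
    entry, take the more specific destination (CIDR blocks either nest or
    are disjoint) and ask first_match() which entry really wins for it.
    Returns [(losing_seq, winning_seq, dst_prefix), ...].
    """
    ordered = sorted(crypto_map, key=lambda e: e[0])
    problems = []
    for i, (_seq_i, _n, ents_i) in enumerate(ordered):
        for seq_j, _m, ents_j in ordered[i + 1:]:
            for a_i, s_i, d_i in ents_i:
                for a_j, s_j, d_j in ents_j:
                    if a_i != "permit" or a_j != "permit":
                        continue
                    if not (s_i.overlaps(s_j) and d_i.overlaps(d_j)):
                        continue
                    src = s_i if s_i.prefixlen >= s_j.prefixlen else s_j
                    dst = d_i if d_i.prefixlen >= d_j.prefixlen else d_j
                    winner = first_match(crypto_map, src[0], dst[0])
                    if winner != seq_j:
                        problems.append((seq_j, winner, str(dst)))
    return problems


def build_map(mhq_text):
    """Crypto map 'mat-vpn' from the post: seq 1 -> ACL-MHQ, seq 2 -> ACL-MM."""
    return [(1, "ACL-MHQ", parse_acl(mhq_text)),
            (2, "ACL-MM", parse_acl(ACL_MM))]


if __name__ == "__main__":
    for label, text in (("as posted", ACL_MHQ), ("with deny carved out", ACL_MHQ_FIXED)):
        cmap = build_map(text)
        print(f"{label}: 192.168.60.5 -> 10.176.90.7 protected by seq",
              first_match(cmap, "192.168.60.5", "10.176.90.7"),
              "; shadowed:", shadowed_prefixes(cmap))
```

With the ACLs as posted, a packet from 192.168.60.5 to 10.176.90.7 is claimed by seq 1 (the /16 permit in ACL-MHQ) and the MM prefix is reported as shadowed; with the deny carved out of ACL-MHQ the same packet is protected by seq 2 and nothing is shadowed. The script only reasons about the router side; the mirror ACLs on the two ASAs still have to agree with whichever version of ACL-MHQ is used.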