04-11-2011 12:01 PM
Hi,
One of our partners has asked us for a strange VPN setup. I'm not an ASA specialist and I would like to make sure that it's really impossible.
We already have a VPN tunnel UP. For example:
Peer1: 1.1.1.1/32 (my company)
Peer2: 2.2.2.2/32 (partner)
EncryptionDomain1: 10.10.10.10/32 (our encryption domain)
EncryptionDomain2: 20.20.20.20/24 (partner's encryption domain)
So, the partner is asking us to set up a second tunnel with exactly the same configuration (peer and encryption domain).
I don't think that it is possible, for the apparently obvious access-list match reason. In this fashion, I think the ASA will get confused about which traffic matches which access-list to tunnel the traffic. It's kind of an access-list overlap.
Am I right?
Might there be an ASA feature that makes that possible?
Best regards,
Fabiano Martins
04-11-2011 01:19 PM
Hi Fabiano,
As you have rightly pointed out, it would not be possible to create 2 tunnels for the same source and destination between the same two peers.
Since only one crypto map can be applied on an interface, the various tunnels that terminate on it are configured with sequence numbers.
When traffic is matched against the crypto map, it does a top-down match. When two tunnels with the same crypto access-list are configured, the first one in the crypto map will always match, and thus the second tunnel will never come up.
The more interesting question here, though, would be why your client would like to configure such a setup.
He may be trying to achieve something which can be done without the need for two tunnels.
-Shrikant
P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.
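To make the top-down crypto map behaviour concrete, here is a small simulation added to this thread (it is not code from the original post or from Cisco). It parses a constructed ASA-style fragment in which sequence 10 and sequence 20 both point at ACLs selecting the identical source/destination pair for peer 2.2.2.2, then classifies a flow the way the crypto map would: the first matching entry wins, so sequence 20 is never selected. The ACL names, the map name OUTSIDE_MAP, the third peer 3.3.3.3 and the use of 20.20.20.0/24 for the partner network are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed ASA-style configuration fragment (not from the thread).
# Sequences 10 and 20 select the same traffic for the same peer;
# sequence 30 is an unrelated tunnel to a different peer.
ASA_CONFIG = """
access-list VPN_PARTNER_A extended permit ip host 10.10.10.10 20.20.20.0 255.255.255.0
access-list VPN_PARTNER_B extended permit ip host 10.10.10.10 20.20.20.0 255.255.255.0
access-list VPN_OTHER extended permit ip 10.10.11.0 255.255.255.0 30.30.30.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_PARTNER_A
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 match address VPN_PARTNER_B
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 30 match address VPN_OTHER
crypto map OUTSIDE_MAP 30 set peer 3.3.3.3
crypto map OUTSIDE_MAP interface outside
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (.+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)")


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_endpoint(tokens):
    """Consume one ASA address spec: 'host A', 'any', or 'NETWORK MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Build the ordered crypto map: [(seq, acl_name, peer, [AclEntry, ...]), ...]."""
    acls = {}      # ACL name -> list of AclEntry
    entries = {}   # (map name, seq) -> {"acl": ..., "peer": ...}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            name, rest = m.groups()
            tokens = rest.split()
            src, tokens = parse_endpoint(tokens)
            dst, tokens = parse_endpoint(tokens)
            acls.setdefault(name, []).append(AclEntry(src, dst))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, keyword, value = m.groups()
            e = entries.setdefault((name, int(seq)), {"acl": None, "peer": None})
            e["acl" if keyword == "match address" else "peer"] = value
    # The ASA evaluates crypto map entries in ascending sequence-number order.
    return [(seq, e["acl"], e["peer"], acls.get(e["acl"], []))
            for (_, seq), e in sorted(entries.items())]


def select_entry(crypto_map, src_ip, dst_ip):
    """Top-down match: return the first entry whose ACL permits the flow, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, acl_name, peer, acl in crypto_map:
        if any(s in ace.src and d in ace.dst for ace in acl):
            return {"seq": seq, "acl": acl_name, "peer": peer}
    return None


def shadowed_entries(crypto_map):
    """Sequence numbers whose every ACE is fully covered by an earlier entry's ACE.

    Such entries can never be selected, so their tunnel never negotiates."""
    shadowed = []
    for i, (seq, _, _, acl) in enumerate(crypto_map):
        earlier = [ace for _, _, _, prev in crypto_map[:i] for ace in prev]
        if acl and all(any(ace.src.subnet_of(p.src) and ace.dst.subnet_of(p.dst)
                           for p in earlier) for ace in acl):
            shadowed.append(seq)
    return shadowed


if __name__ == "__main__":
    cm = parse_config(ASA_CONFIG)
    print("flow 10.10.10.10 -> 20.20.20.5 hits:", select_entry(cm, "10.10.10.10", "20.20.20.5"))
    print("shadowed sequence numbers:", shadowed_entries(cm))
```

The `shadowed_entries` check is the pre-change review a practitioner would want before adding a crypto map entry: if the new entry's selectors are already covered by an earlier sequence, the new tunnel will not come up, exactly as described in the answer.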
04-11-2011 01:41 PM
Hi Shrikant,
Thank you for your reply.
The reason that the partner had asked us for that setup is:
They want to migrate from the current VPN, which has 3 access-lists for interesting traffic, to a new one with just two access-lists for the interesting traffic.
I already told them that there will be a small downtime, and that it's simple to do the changes in a maintenance window without bigger problems. It's just a matter of running "clear crypto ipsec sa peer x.x.x.x", and the tunnel will come UP again once the traffic starts.
I really didn't understand the reason for such a request from the partner... So...
Thank you!
Best regards,
Fabiano Martins