GB1000 and ASA VPN with multiple subnets

augnevenok
Level 1

Hi,

I have to connect with VPN two sites with multiple subnets at one site.

NetworkA---direct link---NetworkB---GB1000-----VPN-----ASA---NetworkC

Cisco ASA 5505 is connected to GB1000 which has multiple subnets.

Everything works fine when we access B from C. If we access A from C, the GB1000 drops the tunnel C-B and establishes a tunnel A-C. It looks like we can have only one active tunnel at a time. (Licensing is not an issue here.)

I spoke to the GB1000 guys and they say that the GB1000 will create one IKE and one IPsec SA even when multiple subnets are involved. On the contrary, the Cisco ASA creates an IPsec SA for every subnet at the remote end. I think this is the root cause of the issue.

We are thinking of aggregating all remote subnets into one so we would have only one ACL entry on the ASA, but this would require redesigning the company's subnetting.

Is it possible to make the GB1000 act in a Cisco fashion, i.e. to create a separate SA per subnet? Or to make the ASA create just one IPsec SA for the remote networks?

Any idea will be highly appreciated.

Thank you.

Regards,

Alex

1 Reply

ggilbert
Cisco Employee

Alex,

Depending on the ACL entry, the ASA will create specific IPsec SAs for the interesting traffic matching that entry.

If the GB1000 does not support this, then you can summarize the network on the ASA so that it creates just one IPsec SA.

Rate it, if this helps.

Cheers

Gilbert
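One way to check the summarization that Alex proposes and Gilbert recommends, as an added example that is not from either poster or from Cisco: given the subnets on the GB1000 side, compute the single prefix that would give the ASA one crypto ACL entry (and so one IPsec SA), then list any address space the summary would put into the encryption domain beyond the real subnets. The subnet values, the ACL name and the local network are constructed for the example, not taken from the thread.

```python
import ipaddress

# Constructed sample: the two subnets behind the GB1000 (networks A and B).
REMOTE_SUBNETS = ["10.10.0.0/24", "10.10.2.0/24"]
# Constructed sample: the network behind the ASA (network C).
LOCAL_SUBNET = "192.168.50.0/24"


def summarize_remote_subnets(subnets):
    """Smallest single prefix that contains every listed subnet."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    summary = nets[0]
    # Widen the first subnet one bit at a time until all subnets fit inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def uncovered_space(summary, subnets):
    """Ranges inside the summary that are not real remote subnets.

    Traffic to these ranges would also match the summarized ACE and be sent
    into the tunnel, so the list shows how much broader the policy became.
    """
    leftover = [summary]
    for n in (ipaddress.ip_network(s) for s in subnets):
        remaining = []
        for blk in leftover:
            if n.subnet_of(blk):
                remaining.extend(blk.address_exclude(n))  # carve the subnet out
            elif blk.subnet_of(n):
                continue  # block fully covered by a real subnet
            else:
                remaining.append(blk)
        leftover = remaining
    return sorted(leftover)


def crypto_acl_lines(acl_name, local, remotes):
    """ASA crypto ACL entries (netmask form) for the given remote prefixes."""
    loc = ipaddress.ip_network(local)
    return [
        f"access-list {acl_name} extended permit ip "
        f"{loc.network_address} {loc.netmask} {r.network_address} {r.netmask}"
        for r in (ipaddress.ip_network(x) for x in remotes)
    ]


if __name__ == "__main__":
    summary = summarize_remote_subnets(REMOTE_SUBNETS)
    print("per-subnet ACEs (one SA each):", *crypto_acl_lines("VPN_GB1000", LOCAL_SUBNET, REMOTE_SUBNETS), sep="\n  ")
    print("summarized ACE (one SA):", *crypto_acl_lines("VPN_GB1000", LOCAL_SUBNET, [summary]), sep="\n  ")
    print("address space added by summary:", [str(n) for n in uncovered_space(summary, REMOTE_SUBNETS)])
```

With the constructed subnets the summary is 10.10.0.0/22, which also pulls 10.10.1.0/24 and 10.10.3.0/24 into the tunnel; that is the trade-off to weigh before the subnetting redesign.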
