L2L between ASA: explanation required

Oct 6th, 2008

Hi.

I set up an L2L between 2 ASAs, with site A needing to reach 2 different LANs on site B.

For this purpose I wrote down these lines in the site B config:

access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0

However, with show ipsec sa I get this:

interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30

      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)

How come I don't see the network 10.0.0.0 mentioned? Can I assume the traffic to/from network 10.0.0.0 will be tunneled or not?


Thanks in advance

Jon Marshall Mon, 10/06/2008 - 08:43

Are you sure you are looking at the entire output of "sh crypto ipsec sa"? Each separate line in your access-list is treated as a separate SA pair, so you should see another entry for the 10.0.0.0 network.


Jon

Carlo Zaina Tue, 10/07/2008 - 01:35

Yes, this is the whole output.

I assume then that there is no interesting traffic to the network 10.0.0.0, so no SAs are created.


If I am correct: although the 2 networks are at the same site, an SA pair is needed to communicate with each one?
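
The check implied by Jon's answer and by the follow-up question (one SA pair per crypto-ACL entry, so an ACE with no matching "local ident"/"remote ident" block simply has not seen interesting traffic yet) can be automated. The script below is an added example, not code from the thread or from Cisco: it parses the crypto ACL and NAT-exemption ACL lines posted above and a constructed "show crypto ipsec sa" output modelled on the fragment in the question (only the 10.2.0.0/16 pair has an SA), then reports which crypto ACEs have no negotiated SA and which crypto ACEs lack a matching nat0 entry (a NAT-exemption gap is a common reason a network never matches the crypto ACL). The ACL name and the exact indentation of the show output are assumptions.

```python
import re

# Crypto ACL and NAT-exemption ACL exactly as posted in the thread (site B).
SITE_B_CONFIG = """
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
"""

# Constructed "show crypto ipsec sa" output, modelled on the fragment in the
# question: only the 10.2.0.0/16 <-> 10.5.0.0/24 pair has negotiated an SA.
SHOW_CRYPTO_IPSEC_SA = """
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30

      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)
"""

# "access-list NAME extended permit ip SRC SRCMASK DST DSTMASK"
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
# "local ident (addr/mask/prot/port): (ADDR/MASK/PROT/PORT)" and the remote twin
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)"
)


def parse_acl(config, acl_name):
    """Return (src, srcmask, dst, dstmask) for every 'permit ip' ACE of acl_name."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.search(line)
        if m and m.group(1) == acl_name:
            aces.append((m.group(2), m.group(3), m.group(4), m.group(5)))
    return aces


def parse_ipsec_sa(show_output):
    """Return the (local, localmask, remote, remotemask) proxy identity of each SA."""
    sas = []
    local = None
    for line in show_output.splitlines():
        m = IDENT_RE.search(line)
        if not m:
            continue
        if m.group(1) == "local":
            local = (m.group(2), m.group(3))
        elif local is not None:
            # A remote ident closes the pair opened by the preceding local ident.
            sas.append(local + (m.group(2), m.group(3)))
            local = None
    return sas


def aces_without_sa(config, crypto_acl, show_output):
    """Crypto ACEs for which no IPsec SA is currently established.

    On the ASA each crypto-ACL line negotiates its own SA pair, so an ACE listed
    here has simply not seen interesting traffic (or its SA failed to come up).
    """
    present = set(parse_ipsec_sa(show_output))
    return [ace for ace in parse_acl(config, crypto_acl) if ace not in present]


def aces_without_nat_exemption(config, crypto_acl, nat0_acl):
    """Crypto ACEs with no identical nat0 ACE: that traffic would be NATted
    before the crypto map sees it and so would never match the tunnel."""
    exempt = set(parse_acl(config, nat0_acl))
    return [ace for ace in parse_acl(config, crypto_acl) if ace not in exempt]


if __name__ == "__main__":
    for ace in aces_without_sa(SITE_B_CONFIG, "outside_20_cryptomap", SHOW_CRYPTO_IPSEC_SA):
        print("no SA yet for %s/%s -> %s/%s" % ace)
    for ace in aces_without_nat_exemption(SITE_B_CONFIG, "outside_20_cryptomap", "inside_nat0_outbound"):
        print("missing nat0 entry for %s/%s -> %s/%s" % ace)
```

Run against the posted config, the script reports that 10.0.0.0/24 -> 10.5.0.0/24 has no SA and that every crypto ACE has its nat0 twin, which matches the conclusion in the thread: the second ACE is correct, it just has not been triggered by traffic. Feed it the full "show crypto ipsec sa" output from the firewall (every SA, not just the first) before concluding an entry is really absent.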
