10-06-2008 06:43 AM
Hi.
I set up an L2L between two ASAs, with site A needing to reach two different LANs on site B.
For this purpose I wrote these lines in the site B config:
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
However, with show ipsec sa I get this:
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30
access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)
How come I don't see the network 10.0.0.0 mentioned? Can I assume the traffic to/from network 10.0.0.0 will be tunneled or not?
Thanks in advance
10-06-2008 08:43 AM
Are you sure you are looking at the entire output of "sh crypto ipsec sa"? Each separate line in your access-list is treated as a separate SA pair, so you should see another entry for the 10.0.0.0 network.
Jon
10-07-2008 01:35 AM
Yes, this is the whole output.
I assume then that there is no interesting traffic to the network 10.0.0.0, so no SAs are created.
If I am correct: although the two networks are at the same site, an SA pair is needed to communicate with each one?
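A small check that ties Jon's point (one SA pair per crypto-map ACE) to the original question (why 10.0.0.0 is absent from the output), as an added example that is not part of the thread: it parses the crypto-map ACL and the "show crypto ipsec sa" proxy identities, then lists every ACE that has no negotiated SA. Both input blocks are constructed from the values quoted above; the ACL name, the regexes and the function names are this example's own, not anything from the ASA CLI.

```python
import ipaddress
import re

# Constructed sample: the site B crypto-map ACL quoted in the thread.
CRYPTO_ACL = """
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
"""

# Constructed sample: the "show crypto ipsec sa" excerpt quoted in the thread.
SHOW_IPSEC_SA = """
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30

      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)
"""

# One "extended permit ip SRC MASK DST MASK" entry of a crypto-map ACL.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)
# The proxy identity lines printed for each negotiated SA pair.
IDENT_RE = re.compile(
    r"^(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+\)$"
)


def net(addr, mask):
    # ipaddress accepts dotted netmasks, so 10.2.0.0/255.255.0.0 -> 10.2.0.0/16.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text, name):
    """Return the (src, dst) network pairs of the named crypto-map ACL."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["name"] == name:
            pairs.append((net(m["src"], m["smask"]), net(m["dst"], m["dmask"])))
    return pairs


def parse_ipsec_sa(text):
    """Return the (local, remote) proxy identity pairs present in the SA output."""
    pairs = []
    local = None
    for line in text.splitlines():
        m = IDENT_RE.match(line.strip())
        if not m:
            continue
        n = net(m["addr"], m["mask"])
        if m["side"] == "local":
            local = n
        elif local is not None:
            pairs.append((local, n))
            local = None
    return pairs


def missing_sas(acl_text, acl_name, sa_text):
    """ACEs that should each produce an SA pair but have none negotiated yet."""
    expected = parse_crypto_acl(acl_text, acl_name)
    active = set(parse_ipsec_sa(sa_text))
    return [(str(s), str(d)) for s, d in expected if (s, d) not in active]


if __name__ == "__main__":
    for src, dst in missing_sas(CRYPTO_ACL, "outside_20_cryptomap", SHOW_IPSEC_SA):
        print(f"no SA yet for {src} -> {dst}")
```

Run against the constructed input it reports only 10.0.0.0/24 -> 10.5.0.0/24, which is exactly the entry the thread expected to see: an ACE that never appears in "show crypto ipsec sa" has had no SA negotiated for that proxy identity, which on a quiet link simply means no traffic has matched it yet. Re-running the check after sending traffic to that network is the quickest way to tell that case apart from a configuration problem.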