L2L between ASA: explanation required

Carlo Zaina
Level 1

Hi.

I set up an L2L between 2 ASAs, with site A needing to reach 2 different LANs on site B.

For this purpose I wrote down these lines in the site B config:

access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0

However, with show ipsec sa I get this:

interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30

      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)

How come I don't see the network 10.0.0.0 mentioned? Can I assume the traffic to/from network 10.0.0.0 will be tunneled or not?

Thanks in advance


Jon Marshall
Hall of Fame

Are you sure you are looking at the entire output of "sh crypto ipsec sa"? Each separate line in your access-list is treated as a separate SA pair, so you should see another entry for the 10.0.0.0 network.

Jon

Yes, this is the whole output.

I assume then that there is no interesting traffic to the network 10.0.0.0, so that no SAs are created.

If I am correct: although the 2 networks are at the same site, an SA pair is needed to communicate with each one?
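An added example (not from either poster) that makes the point of this thread checkable on a larger config: it parses the crypto-map ACL and a "show crypto ipsec sa" excerpt, matches each ACE against the local/remote proxy identities that actually have an SA, and reports the ACEs still waiting for interesting traffic. The sample ACL and SA output are constructed from the values posted above; only the "extended permit ip <net> <mask> <net> <mask>" ACE shape is handled.

```python
import re

# Constructed sample: the site B crypto ACL and a "show crypto ipsec sa" excerpt
# in which only the second ACE (10.2.0.0/16 <-> 10.5.0.0/24) has negotiated an SA.
CRYPTO_ACL = """\
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
"""

SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30

      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)$")


def parse_crypto_acl(text):
    """Return [(acl_name, (local_net, local_mask), (remote_net, remote_mask)), ...]."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, lnet, lmask, rnet, rmask = m.groups()
            aces.append((name, (lnet, lmask), (rnet, rmask)))
    return aces


def parse_ipsec_sa(text):
    """Return the set of (local_ident, remote_ident) proxy pairs that currently have an SA."""
    pairs, current = set(), {}
    for line in text.splitlines():
        m = IDENT_RE.match(line.strip())
        if not m:
            continue
        current[m.group(1)] = (m.group(2), m.group(3))
        if "local" in current and "remote" in current:   # one SA entry completed
            pairs.add((current["local"], current["remote"]))
            current = {}
    return pairs


def aces_without_sa(acl_text, sa_text):
    """ACEs of the crypto ACL for which no SA pair exists yet (no interesting traffic so far)."""
    active = parse_ipsec_sa(sa_text)
    return [ace for ace in parse_crypto_acl(acl_text) if (ace[1], ace[2]) not in active]
```

Run against the constructed sample, the only ACE reported is the 10.0.0.0/24 one, which is what the thread concludes: each ACE is its own SA pair, and an SA is built only once traffic matching that ACE is seen.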