Site-to-Site VPN : Multiple Remote Networks

new_networker
Level 1

The ASA Site-to-Site VPN configuration examples that I have come across have only one network at each of the two sites.

If the remote network/site has multiple networks, e.g. DMZ1, DMZ2, INSIDE etc., how can they be added via the Site-to-Site VPN ASDM wizard?

Thanks.

Accepted Solutions

ajagadee
Cisco Employee

Hi,

I have not seen a specific configuration example of adding multiple networks to an IPSEC l2l tunnel via ASDM.

Typically, you would just follow the same process in the URLs below but add all the local networks and remote networks that you want to be IPSEC protected.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

http://www.cisco.com/en/US/docs/security/asdm/6_1/user/guide/vpn_wiz.html#wp999348

Regards,

Arul

*Pls rate if it helps*


"If I run a ping from both the ends, should the active tunnels be 1 or 2."

The actual tunnels that transfer the data, i.e. the IPSEC SAs, are unidirectional. So for a site-to-site VPN there are, for each connection, 2 IPSEC SAs, one in each direction.

For each entry in your crypto map access-list there will be 2 SAs formed, so if you ping from Site A and ping from Site B using the same line in the access-list (and they are in your configuration), that will be 2 IPSEC SAs: 1 from A -> B and 1 from B -> A. Which is the same as if you had only started the ping from one side.

Can you check on host A that there isn't a firewall running that is blocking incoming echo requests?

Jon


23 Replies

JORGE RODRIGUEZ
Level 10

Have a look at this example l2l with inside and DMZ; for more interfaces, iterate the same principle.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

HTH

Jorge

Jorge Rodriguez


I have done the configuration for site-to-site VPN. However, I cannot ping the remote network (Site B) from local network (Site A).

Is ping restricted via VPN?

Also, if the multiple networks in Site B are not directly connected to the ASA (with VPN configs), how will they be handled?

For example, topology:

Site A ASA (VPN edge) - Internet - Site B ASA (VPN edge) - Inside Network - Another ASA - Network segment on the DMZ.

So configuration examples only point to the directly connected interface on the remote ASA. What additional needs to be done if the destination network is a couple of hops/segments away from the Site B ASA VPN inside segment?

Thanks.

"So configuration examples only point to the directly connected interface on the remote ASA. What additional needs to be done if the destination network is a couple of hops/segments away from the Site B ASA VPN inside segment?"

Nothing special. All you need to make sure is that your crypto map access-lists on both VPN devices include all the networks you want to encrypt traffic for. The networks do not have to be directly connected to the ASA VPN device; they can be as many hops away as you want.

If you can't ping, I would suggest looking at the second ASA in Site B, if you are sure your VPN is working.

Jon

Thanks.

One more thing... where does the VPN actually get terminated? Is it on the ASA? Then why is the destination network required on both the ASAs to enable VPN? Is it to identify interesting traffic or to permit access over VPN?

If I understand what you are saying, the VPN runs between the 2 ASAs that you have configured it on. So it is a tunnel between these 2 devices.

You need to tell each ASA which networks you want to send through this tunnel, and you do this by including the networks in the crypto map access-lists. If the network is not in the crypto map access-list, the traffic will not be sent via the tunnel.

Jon

I am not able to ping the remote network from the local ASA. I can ping the outside interface of the remote ASA though.

Just to let you know, I am running this on a local LAN, i.e. the outside interfaces on both ASAs are on the same segment.

The failed ping on the ASA is giving ?????.

You won't be able to ping the remote network from the ASA unless this traffic is added to your crypto acls. Something like...

access-list crypto extended permit ip host

and on the other end...

access-list crypto extended permit host

If there are other outside routes in the ASA, but they are not defined as one of the destination networks, would the traffic to those routes be restricted, or would it be allowed but bypass the tunnel?

Any tips on troubleshooting the site-to-site VPN? Any debug commands etc.?

Any traffic which is not defined in your crypto acl will be routed normally. Only traffic defined in the crypto acl will be tunneled.
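An added configuration example (not from this thread or from any Cisco document) that puts Arul's and Jon's advice above into ASA 8.2-style CLI for the Site A ASA: every local and remote network goes into the crypto ACL via object groups, the same pairs are NAT-exempted, and a network that sits a further hop behind the Site B ASA is simply one more entry. Addresses are the thread's (10.10.10.0/24, 10.20.20.0/24, peers 209.165.200.226 and 209.165.200.236); the two Site B DMZ subnets, the next hop and all object, ACL and map names are assumed.

```text
! Added example (not from the thread or any Cisco document). Site A ASA, ASA 8.2-style syntax
! (pre-8.3 NAT). Thread values: Site A inside 10.10.10.0/24, peers 209.165.200.226 (A) and
! 209.165.200.236 (B), Site B inside 10.20.20.0/24. DMZ subnets, next hop and names are assumed.
object-group network SITEA-LOCAL
 network-object 10.10.10.0 255.255.255.0
object-group network SITEB-REMOTE
 network-object 10.20.20.0 255.255.255.0
 network-object 10.20.30.0 255.255.255.0
 network-object 10.20.40.0 255.255.255.0
! 10.20.20.0/24 is directly connected to the Site B ASA; 10.20.30.0/24 (DMZ1) and
! 10.20.40.0/24 (DMZ2, behind the second ASA at Site B) are constructed addresses.
!
! Crypto ACL: the groups expand to one ACE per local/remote pair. Each ACE that carries
! traffic brings up one pair of unidirectional IPsec SAs (A->B and B->A); anything not
! matched here is routed normally and never enters the tunnel.
access-list L2L-SITEB extended permit ip object-group SITEA-LOCAL object-group SITEB-REMOTE
!
! NAT exemption for the same pairs so tunneled packets keep their private addresses.
access-list NONAT extended permit ip object-group SITEA-LOCAL object-group SITEB-REMOTE
nat (inside) 0 access-list NONAT
!
! Phase 1 (ISAKMP) and Phase 2 (IPsec) settings; the peer must use matching values.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITEB
crypto map OUTSIDE-MAP 10 set peer 209.165.200.236
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 209.165.200.236 type ipsec-l2l
tunnel-group 209.165.200.236 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>
!
! Site B ASA: the mirror image (groups swapped, peer 209.165.200.226) plus a static route
! so DMZ2 behind the second ASA is reachable, e.g. (next hop constructed):
! route inside 10.20.40.0 255.255.255.0 10.20.20.2
!
! Verification: "show crypto isakmp sa" shows the Phase 1 SA to the peer; "show crypto
! ipsec sa" lists, per ACE that carried traffic, the inbound and outbound ESP SAs.
```

The ASDM wizard writes the same crypto ACL and NAT exemption entries when you list all the local and remote networks in its protected-networks step.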

If you look at the site-to-site VPN example at the link

http://www.cisco.com/en/US/docs/security/asa/asa81/quick/guide/sitvpn.html

the local and remote networks look strange.

Local Network is 209.165.200.0 255.255.255.255

Remote Network is 209.165.200.255 255.255.255.255

Could you please explain this?

Thanks.

Do you mean Figure 7-1 in the doc?

The local and remote networks are 10.10.10.0/24 (Site A) & 10.20.20.0/24 (Site B). Obviously local & remote are purely dependent on which site you are looking at it from.

The VPN peer addresses are

Site A - 209.165.200.226

Site B - 209.165.200.236

If these sites are separated by the Internet then they will be on different networks.

Jon

No. Please look under 'Specifying Hosts and Networks' against Step 3.

Ah okay, sorry about that, I didn't read the full link.

It makes no sense. I don't really use ASDM but what is being filled in for the local and remote networks bears no relation to Figure 7-1.

What may happen is if you NAT the inside addresses 10.10.10.0/24 at Site A to the Site A external IP address on its ASA, and you NAT the inside address of 10.10.20.0/24 at Site B to the Site B external IP address on its ASA, then you would fill in the 2 external IP addresses in the remote and local network.

However, even that doesn't account for what is happening in the document. And NAT exemption has been ticked in the ASDM window.

So unless ASDM is completely different in the way you fill in the VPN information, and I can't see how that would be, it looks like the document is incorrect.

Jon
