How to add multiple tunnels to an existing L2L

Dec 10th, 2009

I was able to build a tunnel between L2L following this example: "Add a New Tunnel or Remote Access to an Existing L2L VPN".

I've tried to add another tunnel to the NY (HQ) firewall. Is it possible to add more tunnels?

My configuration is TN, NY, and CA tunneled between each other. Everyone has access to each other's network. We've set up a new tunnel to access TX through NY, but only TN and NY can access TX. I can't access TX from CA. Are there any restrictions on the number of tunnels on NY?

NY is a Cisco ASA 5510
TN is a Cisco PIX 515
CA is a Cisco ASA 5510

mvsheik123 Thu, 12/10/2009 - 07:34

Hi,

A 5510 with a Sec+ license will support up to 250 VPN peers. Looks like your issue relates more to configuration (e.g. hairpin ACLs/routes). Please post the sanitized configs.

hth

MS

martin.loiselle Thu, 12/10/2009 - 08:26

Let's say this is the NY firewall:


ASA Version 8.0(4)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.20.x 255.255.255.0
...
same-security-traffic permit intra-interface
...
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0
.....
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
....
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
....
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
....
ip verify reverse-path interface outside
.....
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
.....
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
....
sysopt connection preserve-vpn-flows
...
crypto map medrium_vpns interface outside
crypto isakmp enable outside
...
split-tunnel-policy tunnelall

===========================================================

mvsheik123 Thu, 12/10/2009 - 08:56

The ACL statements look correct on the NY end. Do you have the config for the TX end?

Also, here are my 2 cents: you may not need all those 'nonat' statements for spoke-spoke subnets. That traffic does not originate from the NY end (inside).

ex: access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0

hth

MS

martin.loiselle Thu, 12/10/2009 - 09:17

This is the CA firewall (the one that is not able to talk to TX):


access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0

access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0

access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.2.0 255.255.255.0 10.10.50.1 1

martin.loiselle Thu, 12/10/2009 - 10:14

Unfortunately, I can't get the TX configuration since I don't manage that one.

mvsheik123 Thu, 12/10/2009 - 13:33

Have the TX end tech check the configs. Try debug icmp and see where the replies are dropped.

hth

MS
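A checker for the hairpin requirement this thread turns on, added here as an example and not code from the thread or from Cisco: it parses the crypto ACL lines posted above for NY and CA and lists, per device, the (src, dst) entries a spoke-to-spoke pair still needs (the hub's ACL toward each spoke must carry the other spoke's subnet, and each spoke's ACL toward the hub must carry the far spoke's subnet). The TX config is not available, so it is passed as unknown, and its ACL name toward NY (vpn_NY) is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple
Pair = Tuple[str, str]  # (source CIDR, destination CIDR) of one 'permit ip' entry
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample input: the crypto ACL lines posted in this thread (NY hub, CA spoke).
NY_CFG = """
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
"""
CA_CFG = """
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
"""

def parse_acls(config: str) -> Dict[str, Set[Pair]]:
    """Collect the network/mask 'permit ip' entries of each ACL as (src, dst) CIDR pairs."""
    acls: Dict[str, Set[Pair]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            s_net, d_net = ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")
            acls.setdefault(name, set()).add((str(s_net), str(d_net)))
    return acls

def hairpin_gaps(hub: Dict[str, Set[Pair]], hub_acl: Dict[str, str],
                 spokes: Dict[str, Optional[Dict[str, Set[Pair]]]], spoke_acl: Dict[str, str],
                 nets: Dict[str, str], a: str, b: str) -> Dict[str, List[Pair]]:
    """Entries still missing for spoke a <-> spoke b traffic hairpinned via the hub: the hub's
    ACL toward b needs (a, b) and toward a needs (b, a); each spoke's ACL toward the hub needs
    (own, other). A spoke whose config is unavailable (None) lists everything it needs."""
    need = {"hub": {hub_acl[b]: (nets[a], nets[b]), hub_acl[a]: (nets[b], nets[a])},
            a: {spoke_acl[a]: (nets[a], nets[b])}, b: {spoke_acl[b]: (nets[b], nets[a])}}
    gaps: Dict[str, List[Pair]] = {}
    for dev, wanted in need.items():
        acls = hub if dev == "hub" else spokes[dev]
        for acl, pair in wanted.items():
            if acls is None or pair not in acls.get(acl, set()):
                gaps.setdefault(dev, []).append(pair)
    return gaps

def check_ca_to_tx() -> Dict[str, List[Pair]]:
    """CA <-> TX through NY; TX's config is not in the thread, so it is passed as None."""
    spokes = {"CA": parse_acls(CA_CFG), "TX": None}
    return hairpin_gaps(parse_acls(NY_CFG), {"CA": "vpn_CA", "TX": "vpn_TX"}, spokes,
                        {"CA": "vpn_NY", "TX": "vpn_NY"},  # TX's ACL name is assumed
                        {"CA": "10.10.50.0/24", "TX": "10.29.68.0/24"}, "CA", "TX")
```

The hub's no-NAT list is deliberately not checked: as noted above, hairpinned spoke-to-spoke traffic never enters NY's inside interface, so nat (inside) 0 does not apply to it.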
