How to add multiple tunnel to an existing L2L

martin.loiselle
Level 1

I was able to build a tunnel between L2L following this example: "Add a New Tunnel or Remote Access to an Existing L2L VPN"

I've tried to add another tunnel to the NY (HQ) firewall. Is it possible to add more tunnels?

My configuration is TN, NY, and CA tunneled between each other. Everyone has access to each other's network. We've set up a new tunnel to access TX through NY, but only TN and NY can access TX. I can't access TX from CA. Are there any restrictions on the number of tunnels on NY?

NY is a Cisco ASA 5510

TN is a Cisco PIX 515

CA is a Cisco ASA 5510

6 Replies

mvsheik123
Level 7

Hi,

A 5510 with a Sec+ license will support up to 250 VPN peers. It looks like your issue relates more to configuration (e.g. hairpin ACLs/routes); please post the sanitized configs.

hth

MS

Let's say this is the NY firewall:

ASA Version 8.0(4)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.20.x 255.255.255.0
...
same-security-traffic permit intra-interface
...
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0
.....
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
....
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
....
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
....
ip verify reverse-path interface outside
.....
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
.....
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
....
sysopt connection preserve-vpn-flows
...
crypto map medrium_vpns interface outside
crypto isakmp enable outside
...
split-tunnel-policy tunnelall

===========================================================

The ACL statements look correct on the NY end. Do you have the config for the TX end?

Also, here are my 2 cents: you may not need all those 'nonat' statements for spoke-to-spoke subnets. That traffic does not originate from the NY end (inside).

ex: access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0

hth

MS

This is the CA firewall (the one that is not able to talk to TX):

access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0

access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0

access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.2.0 255.255.255.0 10.10.50.1 1

Unfortunately, I can't get the TX configuration since I don't manage that one.

Have the TX-end tech check the configs. Try debug icmp and see where the replies are dropped.

hth

MS
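The thread boils down to a checklist: for CA (10.10.50.0/24) to reach TX (10.29.68.0/24) through the NY hub, the spoke-to-spoke pair has to appear in the CA crypto ACL and NAT exemption, in the mirrored direction in the NY crypto ACL towards CA, in the NY crypto ACL towards TX, NY must allow hairpinning (same-security-traffic permit intra-interface), and the TX end must mirror all of that back. The script below is an added example, not code from the thread or from Cisco: it parses the `access-list ... extended permit ip` lines posted above for NY and CA, and a constructed TX config (the real one is not in the thread, so the TX lines are a hypothetical placeholder) and reports which hop is missing what. Following mvsheik123's comment, it does not require a NAT-exemption entry on the hub for spoke-to-spoke subnets.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the 'permit ip <net> <mask> <net> <mask>' form used in the thread.
# 'any', 'host' and object-group forms are skipped, not handled.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
HAIRPIN = "same-security-traffic permit intra-interface"


def net(s):
    return ipaddress.ip_network(s, strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from ASA config text."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, s_ip, s_mask, d_ip, d_mask = m.groups()
        try:
            acls[name].append((net(f"{s_ip}/{s_mask}"), net(f"{d_ip}/{d_mask}")))
        except ValueError:
            continue  # keyword operands ('any', 'host') are ignored here
    return acls


def covers(entries, src, dst):
    """True if some ACL entry contains both the source and destination net."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def device(config, crypto_peers, nonat):
    """crypto_peers maps peer name -> crypto ACL name on this box."""
    return {"acls": parse_acls(config), "crypto": crypto_peers,
            "nonat": nonat, "hairpin": HAIRPIN in config}


def check_spoke_to_spoke(devices, hub, a, b, a_net, b_net):
    """Return a list of missing pieces for a -> b via hub (empty = all present)."""
    a_net, b_net = net(a_net), net(b_net)
    problems = []

    def need(dev, acl, src, dst, why):
        if not covers(devices[dev]["acls"].get(acl, []), src, dst):
            problems.append(f"{dev}: {acl} lacks {src} -> {dst} ({why})")

    # Spoke A: encrypt A->B towards the hub and exempt it from PAT.
    need(a, devices[a]["crypto"][hub], a_net, b_net, f"crypto ACL to {hub}")
    need(a, devices[a]["nonat"], a_net, b_net, "NAT exemption")
    # Hub: tunnel to A carries B->A (mirror), tunnel to B carries A->B,
    # and outside-to-outside hairpinning must be allowed.
    need(hub, devices[hub]["crypto"][a], b_net, a_net, f"crypto ACL to {a}")
    need(hub, devices[hub]["crypto"][b], a_net, b_net, f"crypto ACL to {b}")
    if not devices[hub]["hairpin"]:
        problems.append(f"{hub}: '{HAIRPIN}' missing")
    # Spoke B: the mirror image of spoke A.
    need(b, devices[b]["crypto"][hub], b_net, a_net, f"crypto ACL to {hub}")
    need(b, devices[b]["nonat"], b_net, a_net, "NAT exemption")
    return problems


# Relevant lines from the NY and CA configs posted in the thread.
NY_CONFIG = """
same-security-traffic permit intra-interface
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
"""
CA_CONFIG = """
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
"""
# CONSTRUCTED placeholder: the TX config is not in the thread. It only knows
# about the NY inside net, which is the kind of gap the replies ask to check.
TX_CONFIG = """
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
"""

DEVICES = {
    "NY": device(NY_CONFIG, {"CA": "vpn_CA", "TN": "vpn_TN", "TX": "vpn_TX"}, "vpn_no-nat"),
    "CA": device(CA_CONFIG, {"NY": "vpn_NY"}, "vpn_no-nat"),
    "TX": device(TX_CONFIG, {"NY": "vpn_NY"}, "vpn_no-nat"),
}


def thread_findings():
    return check_spoke_to_spoke(DEVICES, "NY", "CA", "TX", "10.10.50.0/24", "10.29.68.0/24")


if __name__ == "__main__":
    for p in thread_findings() or ["all hops cover CA -> TX"]:
        print(p)
```

With the posted NY and CA lines every hub and CA check passes, so the only findings come from the placeholder TX side: its crypto ACL to NY and its NAT exemption both lack 10.29.68.0/24 -> 10.10.50.0/24. Replace `TX_CONFIG` with the real sanitized config from the TX administrator to get a real answer; a `debug icmp trace` on each box then shows at which hop the echo replies stop.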
