12-10-2009 07:16 AM - edited 02-21-2020 03:49 AM
I was able to build a tunnel between L2L peers following this example: "Add a New Tunnel or Remote Access to an Existing L2L VPN".
I've tried to add another tunnel to the NY (HQ) firewall. Is it possible to add more tunnels?
My configuration is TN, NY, and CA tunneled between each other. Everyone has access to each other's network. We've set up a new tunnel to access TX through NY, but only TN and NY can access TX. I can't access TX from CA. Is there any restriction on the number of tunnels on NY?
NY is a Cisco ASA 5510
TN is a Cisco PIX 515
CA is a Cisco ASA 5510
12-10-2009 07:34 AM
Hi,
A 5510 with a Sec+ license will support up to 250 VPN peers. It looks like your issue relates more to configuration (e.g. hairpin ACLs/routes); please post the sanitized configs.
hth
MS
12-10-2009 08:26 AM
Let's say this is the NY firewall:
ASA Version 8.0(4)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.20.x 255.255.255.0
...
same-security-traffic permit intra-interface
...
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0
.....
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
....
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
....
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
....
ip verify reverse-path interface outside
.....
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
.....
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
....
sysopt connection preserve-vpn-flows
...
crypto map medrium_vpns interface outside
crypto isakmp enable outside
...
split-tunnel-policy tunnelall
===========================================================
12-10-2009 08:56 AM
The ACL statements look correct on the NY end. Do you have the config for the TX end?
Also, here are my 2 cents: you may not need all those 'nonat' statements for spoke-to-spoke subnets. That traffic does not originate from the NY end (inside).
e.g. access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
hth
MS
12-10-2009 09:17 AM
This is the CA firewall (the one that is not able to talk to TX):
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.2.0 255.255.255.0 10.10.50.1 1
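Added example, not part of the thread: a small Python cross-check of the crypto ACLs posted above. A LAN-to-LAN crypto ACL entry (src net, dst net) on one peer must appear reversed as (dst net, src net) on the other peer, and a spoke-to-spoke flow hairpinned through the hub must be present on all four crypto ACLs it crosses (spoke A to hub, hub to spoke B, and the two reverse entries for return traffic). The NY and CA lines below are the ones shown in the posts (the elided "...." entries are unknown and not reconstructed); the TX crypto ACL is unknown, so it is treated as empty and the script reports which entries TX would have to carry. Function names such as parse_acls, unmirrored, hairpin_gaps and audit are this example's own, not ASA or thread terms.

```python
"""Cross-check IPsec LAN-to-LAN crypto ACLs in a hub-and-spoke ASA design.

Every proxy identity (src net, dst net) in one peer's crypto ACL must appear
mirrored as (dst net, src net) on the other peer, and a spoke-to-spoke flow
hairpinned through the hub must be present on all four crypto ACLs it crosses.
"""
import ipaddress
import re
from collections import defaultdict

# Matches ASA 8.x 'access-list NAME extended permit ip SRC SMASK DST DMASK' lines.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)


def parse_acls(config):
    """Return {acl_name: {(src_cidr, dst_cidr), ...}} for the permit-ip lines in an ASA config."""
    acls = defaultdict(set)
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue  # elided lines ("....") and non-ACL config are ignored
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls[m["name"]].add((str(src), str(dst)))
    return dict(acls)


def unmirrored(local, remote):
    """Entries of `local` whose reversed pair is absent from `remote`.

    Anything returned is a proxy-identity mismatch: the peer will not agree on
    the SA for that flow, or the hub will never select the tunnel for it."""
    return {(s, d) for (s, d) in local if (d, s) not in remote}


def hairpin_gaps(flow, a_to_hub, hub_to_a, hub_to_b, b_to_hub):
    """For a spoke-A -> spoke-B flow via the hub, name the crypto ACLs missing it."""
    src, dst = flow
    checks = [
        ("spoke A -> hub", (src, dst) in a_to_hub),
        ("hub -> spoke B", (src, dst) in hub_to_b),
        ("hub -> spoke A", (dst, src) in hub_to_a),  # return traffic
        ("spoke B -> hub", (dst, src) in b_to_hub),  # return traffic
    ]
    return [name for name, ok in checks if not ok]


# Constructed input: the crypto ACL lines shown for the NY hub in the thread.
NY_CONFIG = """
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
"""
# Constructed input: the crypto ACL lines shown for the CA spoke in the thread.
CA_CONFIG = """
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
"""
# The TX firewall is not managed by the poster; its crypto ACL is unknown, so assume empty.
TX_TO_HUB = set()


def audit():
    """Run the mirroring and hairpin checks over the posted NY and CA crypto ACLs."""
    ny, ca = parse_acls(NY_CONFIG), parse_acls(CA_CONFIG)
    return {
        "hub_vs_CA": unmirrored(ny["vpn_CA"], ca["vpn_NY"]),
        "CA_vs_hub": unmirrored(ca["vpn_NY"], ny["vpn_CA"]),
        # What TX's crypto ACL toward NY must contain to mirror the hub's vpn_TX.
        "needed_on_TX": {(d, s) for (s, d) in ny["vpn_TX"]},
        "CA_to_TX_gaps": hairpin_gaps(("10.10.50.0/24", "10.29.68.0/24"),
                                      ca["vpn_NY"], ny["vpn_CA"], ny["vpn_TX"], TX_TO_HUB),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(check, sorted(result))
```

With the posted lines, the NY and CA entries mirror each other in both directions and the CA-to-TX path is present on the three ACLs the poster controls; the only hop the script cannot confirm is TX's own crypto ACL toward NY, which is exactly the side the reply asks the TX tech to verify. Feed it the real TX lines in place of the empty set to close the check.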
12-10-2009 10:14 AM
Unfortunately, I can't get the TX configuration since I don't manage that one.
12-10-2009 01:33 PM
Have the TX end tech check the configs. Try 'debug icmp' and see where the replies are dropped.
hth
MS