12-10-2009 07:16 AM - edited 02-21-2020 03:49 AM
I was able to build a tunnel between L2L sites following this example: "Add a New Tunnel or Remote Access to an Existing L2L VPN".
I've tried to add another tunnel to the NY (HQ) firewall. Is it possible to add more tunnels?
My configuration is TN, NY, and CA tunneled to each other. Everyone has access to each other's network. We've set up a new tunnel to access TX through NY, but only TN and NY can access TX. I can't access TX from CA. Are there any restrictions on the number of tunnels on NY?
NY is a Cisco ASA 5510
TN is a Cisco PIX 515
CA is a Cisco ASA 5510
12-10-2009 07:34 AM
Hi,
A 5510 with the Sec+ license will support up to 250 VPN peers. Looks like your issue relates more to configuration (e.g. hairpin ACLs/routes); please post the sanitized configs.
hth
MS
12-10-2009 08:26 AM
Let's say this is the NY firewall:
ASA Version 8.0(4)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.20.x 255.255.255.0
...
same-security-traffic permit intra-interface
...
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0
.....
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
....
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
....
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
....
ip verify reverse-path interface outside
.....
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
.....
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
....
sysopt connection preserve-vpn-flows
...
crypto map medrium_vpns interface outside
crypto isakmp enable outside
...
split-tunnel-policy tunnelall
===========================================================
12-10-2009 08:56 AM
ACL statements look correct on the NY end. Do you have the config for the TX end?
Also, here are my 2 cents: you may not need all those 'nonat' statements for spoke-to-spoke subnets. That traffic is not originated from the NY end (inside).
ex: access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
hth
MS
12-10-2009 09:17 AM
This is the CA firewall (the one that is not able to talk to TX):
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.2.0 255.255.255.0 10.10.50.1 1
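The two configs above (NY hub, CA spoke) are the only ones available in this thread, and the reply to the NY post already noted that the hub's ACLs look right. The following is an added example, not code from any of the posters: a small checker that parses the "access-list ... extended permit ip" lines as pasted and walks the one-way CA -> NY -> TX path, verifying on each device the crypto-ACL entry and, on the spokes, the no-NAT entry that hairpinned traffic needs, plus "same-security-traffic permit intra-interface" on the hub. Site names, ACL names and subnets are taken from the thread; the sample configs are constructed from the posted fragments (only the relevant lines), and since the TX config was never posted, that hop is reported as unverified rather than guessed.

```python
"""Hairpin (spoke-to-spoke through the hub) checker for the ASA 8.0 L2L setup
discussed in this thread.  Added example, not code from the original posts.

Assumptions: crypto ACLs use the object-free 'permit ip <net> <mask> <net> <mask>'
form seen in the thread, no-NAT is 'nat (inside) 0 access-list vpn_no-nat' on
every box, and the hub has no NAT configured on its outside interface.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

# Constructed from the NY fragment posted above (relevant lines only).
NY_CONFIG = """
same-security-traffic permit intra-interface
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
nat (inside) 0 access-list vpn_no-nat
"""

# Constructed from the CA fragment posted above (relevant lines only).
CA_CONFIG = """
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
nat (inside) 0 access-list vpn_no-nat
"""

# Site records: name, pasted config (None = not available), peer -> crypto ACL name.
NY = {"name": "NY", "config": NY_CONFIG, "crypto": {"CA": "vpn_CA", "TN": "vpn_TN", "TX": "vpn_TX"}}
CA = {"name": "CA", "config": CA_CONFIG, "crypto": {"NY": "vpn_NY"}}
TX = {"name": "TX", "config": None, "crypto": {"NY": None}}  # never posted in the thread

STATUS = {True: "ok", False: "MISSING", None: "unverified"}


def parse_acls(config_text):
    """Map ACL name -> list of (src_net, dst_net) from object-free 'permit ip' lines."""
    acls = {}
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, sip, smask, dip, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{sip}/{smask}"), ipaddress.ip_network(f"{dip}/{dmask}"))
            )
    return acls


def covers(acls, name, src, dst):
    """True if ACL `name` has an entry whose source/destination networks contain src/dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(name, []))


def check_hairpin(spoke_a, net_a, hub, spoke_b, net_b):
    """Check the one-way path net_a (on spoke_a) -> hub -> net_b (on spoke_b).

    Crypto ACLs are mirrored between IPsec peers, so checking this direction
    also covers the return traffic.  Returns [(site, description, status)]
    with status True / False / None (None = config not available).
    """
    net_a, net_b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    results = []

    def record(site, desc, ok):
        results.append((site["name"], desc, ok))

    # Spokes: traffic originates on (or returns to) their inside interface, so
    # nat (inside) 0 must exempt it and the crypto ACL toward the hub must select it.
    for site, src, dst, peer in ((spoke_a, net_a, net_b, hub), (spoke_b, net_b, net_a, hub)):
        if site["config"] is None:
            record(site, f"crypto ACL to {peer['name']} covers {src}->{dst}", None)
            record(site, f"vpn_no-nat exempts {src}->{dst}", None)
            continue
        acls = parse_acls(site["config"])
        acl = site["crypto"][peer["name"]]
        record(site, f"{acl} covers {src}->{dst}", covers(acls, acl, src, dst))
        record(site, f"vpn_no-nat exempts {src}->{dst}", covers(acls, "vpn_no-nat", src, dst))

    # Hub: the flow enters and leaves 'outside', so it needs the intra-interface
    # permit and the mirror entry in each spoke's crypto ACL.  nat (inside) 0 is
    # not consulted for an outside->outside flow (assumption: no NAT on outside).
    acls = parse_acls(hub["config"])
    record(hub, "same-security-traffic permit intra-interface",
           "same-security-traffic permit intra-interface" in hub["config"])
    acl_a, acl_b = hub["crypto"][spoke_a["name"]], hub["crypto"][spoke_b["name"]]
    record(hub, f"{acl_a} covers {net_b}->{net_a} (mirror of {spoke_a['name']} side)",
           covers(acls, acl_a, net_b, net_a))
    record(hub, f"{acl_b} covers {net_a}->{net_b} (mirror of {spoke_b['name']} side)",
           covers(acls, acl_b, net_a, net_b))
    return results


def ca_to_tx():
    """The path this thread is about: CA's 10.10.50.0/24 to TX's 10.29.68.0/24 via NY."""
    return check_hairpin(CA, "10.10.50.0/24", NY, TX, "10.29.68.0/24")


if __name__ == "__main__":
    for site, desc, ok in ca_to_tx():
        print(f"[{STATUS[ok]:10}] {site}: {desc}")
```

Run against the posted fragments, every NY and CA check comes back ok and only the two TX checks are unverified, which is exactly the state the thread ended in: with no NAT on NY's outside interface and the mirror entries present in vpn_CA and vpn_TX, the remaining places to look are the TX peer's crypto ACL (it must list 10.29.68.0/24 to 10.10.50.0/24, mirroring NY's vpn_TX line) and its no-NAT exemption. Deleting that vpn_TX line from the constructed NY config makes the checker flag it as MISSING, so the same script can be pointed at a full "show running-config" dump from any of the boxes.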
12-10-2009 10:14 AM
Unfortunately, I can't get the TX configuration since I don't manage that one.
12-10-2009 01:33 PM
Have the TX end tech check the configs. Try debug icmp and see where the replies are dropped.
hth
MS