How to add multiple tunnel to an existing L2L

martin.loiselle
Level 1

I was able to build a tunnel between L2L following this example: "Add a New Tunnel or Remote Access to an Existing L2L VPN"

I've tried to add other tunnels to the NY (HQ) firewall. Is it possible to add more tunnels?

My configuration is TN, NY, and CA tunneled to each other. Everyone has access to each other's network. We've set up a new tunnel to access TX through NY, but only TN and NY can access TX. I can't access TX from CA. Are there any restrictions on the number of tunnels on NY?

NY is a Cisco ASA 5510

TN is a Cisco PIX 515

CA is a Cisco ASA 5510


mvsheik123
Level 7

Hi,

A 5510 with a Sec+ license will support up to 250 VPN peers. It looks like your issue relates more to configuration (e.g. hairpin ACLs/routes). Please post the sanitized configs.

hth

MS

Let's say this is the NY firewall:

ASA Version 8.0(4)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.x 255.255.255.0
...
! hairpin: allows decrypted spoke traffic to leave again on the same (outside) interface
same-security-traffic permit intra-interface
...
! NAT exemption for traffic that enters on inside and is VPN-bound
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0
.....
! crypto ACLs, one per peer; each line must be mirrored on the remote end
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
....
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
....
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
....
ip verify reverse-path interface outside
.....
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
.....
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
....
sysopt connection preserve-vpn-flows
...
crypto map medrium_vpns interface outside
crypto isakmp enable outside
...
split-tunnel-policy tunnelall

===========================================================

The ACL statements look correct on the NY end. Do you have the config for the TX end?

Also, here are my 2 cents: you may not need all those 'nonat' statements for spoke-to-spoke subnets. That traffic does not originate from the NY end (inside).

ex: access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0

hth

MS

This is the CA firewall (the one that is not able to talk to TX):

! NAT exemption on the CA side
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
! crypto ACL for the NY peer (TX traffic rides this tunnel and hairpins on NY)
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
! crypto ACL for the TN peer
access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.2.0 255.255.255.0 10.10.50.1 1

Unfortunately, I can't get the TX configuration since I don't manage that one.

Have the TX end tech check the configs. Try debug icmp and see where the replies get dropped.

hth

MS
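For a spoke-to-spoke flow that hairpins through a hub, the same source/destination pair has to appear, in mirror image, in four crypto ACLs (spoke A toward the hub, the hub toward A, the hub toward B, spoke B toward the hub), plus NAT exemption on the originating spoke and intra-interface hairpinning on the hub. The script below walks those hops for the CA -> TX flow using the ACL lines copied from the NY and CA posts above. It is an added example, not code from the posts or from Cisco. The TX config is not on the page, so TX is modelled with acls=None and its check is reported as unknown rather than guessed; the TX crypto ACL name "vpn_NY" is a placeholder assumption. Only the "permit ip NET MASK NET MASK" form used in the posted configs is parsed.

```python
"""Crypto-ACL mirror check for a spoke-to-spoke flow hairpinned through a hub.

Added example for this thread, not code from the original posts or from Cisco.
ACL lines are copied from the NY and CA configs above; the TX config is not on
the page, so TX is modelled as "config unavailable" and its hop returns None.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entries = List[Tuple[Net, Net]]

# ASA 8.0 "access-list NAME extended permit ip SRC MASK DST MASK". The "any" and
# "host" forms do not occur in the posted configs and are not handled here.
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_acls(text: str) -> Dict[str, Entries]:
    """Return {acl_name: [(src, dst), ...]} from ASA-style permit-ip ACEs."""
    acls: Dict[str, Entries] = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                 ipaddress.ip_network(f"{d_ip}/{d_mask}"))
            )
    return acls


def covers(entries: Entries, src: Net, dst: Net) -> bool:
    """True if some ACE matches src->dst (an ACE with wider subnets also counts)."""
    return any(src.subnet_of(a) and dst.subnet_of(b) for a, b in entries)


@dataclass
class Spoke:
    name: str
    net: Net
    crypto_acl: str                      # ACL in the spoke's crypto map entry for the hub
    nonat_acl: Optional[str]             # ACL used by "nat (inside) 0 access-list ..."
    acls: Optional[Dict[str, Entries]]   # None when the config was not posted


def check_spoke_to_spoke(hub_acls, hub_acl_for, hub_hairpin, a, b):
    """Walk every hop of an a.net -> b.net flow that hairpins on the hub.

    hub_acl_for maps a spoke name to the hub's crypto ACL for that peer. Each
    value is True (covered), False (missing) or None (config unknown). Crypto
    ACLs are mirror images per peer, so the hub's entry toward A is written
    from B's side and B's own entry is the mirror of A's.
    """
    def has(acls, acl, src, dst):
        return None if acls is None else covers(acls.get(acl, []), src, dst)

    return {
        "spoke_a_crypto_to_hub":  has(a.acls, a.crypto_acl, a.net, b.net),
        "spoke_a_nonat":          has(a.acls, a.nonat_acl, a.net, b.net),
        "hub_crypto_to_a_mirror": has(hub_acls, hub_acl_for[a.name], b.net, a.net),
        "hub_crypto_to_b":        has(hub_acls, hub_acl_for[b.name], a.net, b.net),
        "hub_intra_interface":    hub_hairpin,  # same-security-traffic permit intra-interface
        "spoke_b_crypto_mirror":  has(b.acls, b.crypto_acl, b.net, a.net),
    }


# Copied from the NY (hub) post; the elided "..." sections are not reproduced.
NY_ACLS = parse_acls("""
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0  10.10.50.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
""")
NY_ACL_FOR = {"CA": "vpn_CA", "TN": "vpn_TN", "TX": "vpn_TX"}
NY_HAIRPIN = True  # the NY post shows "same-security-traffic permit intra-interface"

# Copied from the CA post.
CA = Spoke("CA", ipaddress.ip_network("10.10.50.0/24"), "vpn_NY", "vpn_no-nat", parse_acls("""
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
"""))
# TX is not managed by the poster and its config is not on the page. The ACL
# name "vpn_NY" is a placeholder assumption; acls=None marks the hop as unknown.
TX = Spoke("TX", ipaddress.ip_network("10.29.68.0/24"), "vpn_NY", None, None)


def ca_to_tx_results():
    return check_spoke_to_spoke(NY_ACLS, NY_ACL_FOR, NY_HAIRPIN, CA, TX)


def unresolved(results):
    """Hops that are missing (False) or could not be evaluated (None)."""
    return [k for k, v in results.items() if v is not True]


if __name__ == "__main__":
    res = ca_to_tx_results()
    for k, v in res.items():
        state = "ok" if v else ("MISSING" if v is False else "UNKNOWN (config not posted)")
        print(f"{k:24} {state}")
    print("still to verify:", unresolved(res))
```

Run against the posted configs, every hop that is visible on the page comes back ok and the only unresolved hop is the TX crypto ACL, which is the same conclusion the thread reaches: the missing piece, if any, is on the end nobody in the thread can see. The hub's nat (inside) 0 exemption is deliberately not checked for the spoke-to-spoke flow, since that traffic arrives on outside and never matches an inside NAT rule.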
