05-30-2012 02:42 AM - edited 03-11-2019 04:13 PM
Hi all,
I have some doubts about site-to-site IPSec VPN (3 sites):
- Currently I have a VPN tunnel between two sites and it's working fine. If I want to add a third site, so it will be a full mesh, can I use the same interface that I used before, OR do I have to create a subinterface?
Note: I'm using a subinterface for the current configuration between the two sites.
- Can I use a private IP address for the tunnel-group peer?
i.e.: tunnel-group 192.168.50.50 type ipsec-l2l
Your response is really appreciated,
Thanks
05-30-2012 06:13 AM
Yes, you can use the same interface that you use for your other site-to-site for your third site.
Yes, you can use a private IP address, and I assume that you will NAT that address in front of the ASA so it's routable on the Internet?
05-30-2012 10:48 PM
Hi Jennifer,
Thanks for your response.
I'm not sure if I got your second answer right, but what I meant is that I'm using private IP addresses for the peers.
So I'm not sure how to use NAT! Could you explain more, please?
Kindly have a look at the following config:
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
! Internet-facing subinterface (the address was elided in the post)
interface GigabitEthernet0/0.100
 vlan 100
 nameif Outside
 security-level 0
 ip address
!
! Subinterface facing the private (MPLS) network where the VPN peers live
interface GigabitEthernet0/0.200
 vlan 200
 nameif VPNpeer
 security-level 0
 ip address 192.168.50.50 255.255.255.248 standby 192.168.50.51
!
! NAT exemption (nat 0): site-to-site traffic must leave un-NATed so it matches the crypto ACL
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
global (Outside) 1 interface
global (VPNpeer) 2 interface
nat (Inside) 0 access-list inside_nat0_outbound
! Inside is tied to NAT id 2, i.e. PAT to the VPNpeer interface address; nothing references global id 1 on Outside
nat (Inside) 2 10.10.1.0 255.255.255.0
! Defect: the next hop 192.168.50.50 is this ASA's own VPNpeer address (see the interface above), so this
! default route cannot forward anything; the next hop must be the MPLS CE router on that /29. A default
! route on Outside cannot coexist with one here, so this should become specific routes (peer and remote LAN).
route VPNpeer 0.0.0.0 0.0.0.0 192.168.50.50 1
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! Crypto ACL: interesting traffic for this tunnel, the same hosts as the NAT exemption
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto map VPNpeer_map 1 match address outside_cryptomap_1
crypto map VPNpeer_map 1 set peer 192.168.50.52
crypto map VPNpeer_map 1 set transform-set ESP-AES-256-SHA
crypto map VPNpeer_map interface VPNpeer
crypto isakmp enable VPNpeer
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 192.168.50.52 type ipsec-l2l
tunnel-group 192.168.50.52 ipsec-attributes
 pre-shared-key *****
!
05-30-2012 11:52 PM
How do you route a private IP address on the Internet, unless VPNpeer is a private MPLS network?
BTW, you can't have 2 default routes configured on an ASA, so the scenario of having an Outside interface and a VPNpeer interface will not work if you configure a default gateway for both interfaces.
You can, however, configure specific routes on the VPNpeer interface for the peer and the remote LAN subnet, pointing towards the VPNpeer next hop.
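Putting both answers into configuration terms (same interface for the third site, no second default route, private peers reached over the MPLS cloud): the fragment below is an added example, not the original poster's or the responder's configuration. It keeps the thread's names (Outside, VPNpeer, VPNpeer_map, 10.10.1.0/24 local, site 2 peer 192.168.50.52 with LAN 10.10.2.0/24) and assumes, hypothetically, an ISP gateway of 203.0.113.1 on Outside, an MPLS CE router at 192.168.50.49 on the VPNpeer /29, and a third site with peer 192.168.60.50 and LAN 10.10.3.0/24.

```text
! Added example; assumed values: 203.0.113.1 (ISP gateway), 192.168.50.49 (MPLS CE),
! 192.168.60.50 / 10.10.3.0/24 (site 3 peer and LAN). Site 2 values are from the thread.
!
! Exactly one default route, out the Internet-facing interface
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Specific routes via the MPLS CE: the site-3 peer address and both remote LANs.
! The site-2 peer 192.168.50.52 sits on the connected /29, so it needs no route.
route VPNpeer 192.168.60.50 255.255.255.255 192.168.50.49 1
route VPNpeer 10.10.2.0 255.255.255.0 192.168.50.49 1
route VPNpeer 10.10.3.0 255.255.255.0 192.168.50.49 1
!
! NAT exemption must list every remote LAN; otherwise site-3 traffic is PATed to the
! VPNpeer interface address and never matches the crypto ACL.
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
nat (Inside) 0 access-list inside_nat0_outbound
!
! Full mesh: a second entry (new sequence number) in the SAME crypto map, which is already
! bound to VPNpeer with ISAKMP enabled there. No extra subinterface is needed.
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
crypto map VPNpeer_map 2 match address outside_cryptomap_2
crypto map VPNpeer_map 2 set peer 192.168.60.50
crypto map VPNpeer_map 2 set transform-set ESP-AES-256-SHA
!
! One tunnel-group per peer, each with its own pre-shared key (never reuse the site-2 key)
tunnel-group 192.168.60.50 type ipsec-l2l
tunnel-group 192.168.60.50 ipsec-attributes
 pre-shared-key *****
```

Each crypto ACL must be mirrored on the far side (site 3 lists 10.10.3.0/24 to 10.10.1.0/24), and a true full mesh also needs a direct site-2 to site-3 tunnel built the same way on those two firewalls. To check the result: `show route` should show a single default via Outside and the three specific routes via VPNpeer; `show crypto isakmp sa` and `show crypto ipsec sa peer 192.168.60.50` confirm Phase 1 and Phase 2 come up once interesting traffic flows.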
05-31-2012 12:51 AM
Hi Jennifer,
Thanks for the clarification.
I'm a newbie to VPN configuration, so that is why I'm kinda lost.
Yes, it is a private MPLS.
I guess my problem was using 2 default routes for outside and VPNpeer.
Thanks again, and I appreciate it.