Site-to-Site VPN for 3 locations

omer_babiker
Level 1

Hi all,

I have some doubts about site-to-site IPSec VPN (3 sites):

- Currently I have a VPN tunnel between two sites and it's working fine. If I want to add a third site, so it will be a full mesh, can I use the same interface that was used before OR do I have to create a subinterface?

Note: I'm using a subinterface for the current configuration between the two sites.

- Can I use a private IP address for the tunnel group peer?

     i.e.: tunnel-group 192.168.50.50 type ipsec-l2l

Your response is really appreciated,

Thanks


4 Replies

Jennifer Halim
Cisco Employee

Yes, you can use the same interface that you use for your other site-to-site for your third site.

Yes, you can use a private IP address, and I assume that you will NAT that address in front of the ASA so it's routable on the Internet?

Hi Jennifer,

Thanks for your response.

I'm not sure if I got your second answer right, but what I meant is that I'm using private IP addresses for the peers.

So I'm not sure how to use NAT! Could you explain more please?

Kindly have a look at the following config:

interface GigabitEthernet0/0
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/0.100
vlan 100
nameif Outside
security-level 0
ip address standby
!
interface GigabitEthernet0/0.200
vlan 200
nameif VPNpeer
security-level 0
ip address 192.168.50.50 255.255.255.248 standby 192.168.50.51
!


access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0


global (Outside) 1 interface
global (VPNpeer) 2 interface
nat (Inside) 0 access-list inside_nat0_outbound
nat (Inside) 2 10.10.1.0 255.255.255.0

route VPNpeer 0.0.0.0 0.0.0.0 192.168.50.50 1

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0


crypto map VPNpeer_map 1 match address outside_cryptomap_1
crypto map VPNpeer_map 1 set peer 192.168.50.52
crypto map VPNpeer_map 1 set transform-set ESP-AES-256-SHA
crypto map VPNpeer_map interface VPNpeer


crypto isakmp enable VPNpeer
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400


tunnel-group 192.168.50.52 type ipsec-l2l
tunnel-group 192.168.50.52 ipsec-attributes
      pre-shared-key *****

!

!
!

How do you route a private IP address on the Internet? Unless VPNpeer is a private MPLS network?

BTW, you can't have 2 default routes configured on an ASA, so the scenario of having an Outside interface and a VPNpeer interface will not work if you configure a default gateway for both interfaces.

You can, however, configure specific routes for the VPNpeer interface, for the peer and the remote LAN subnet, pointing towards the VPNpeer next hop.
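The two answers above (one interface can carry several site-to-site peers; one default route only, with specific routes for the MPLS side) combined into a single ASA 8.2-style fragment. This is an added example, not the poster's configuration or a Cisco-supplied one. It reuses the names from the thread (VPNpeer, VPNpeer_map, ESP-AES-256-SHA, inside_nat0_outbound, peer 192.168.50.52, LANs 10.10.1.0/24 and 10.10.2.0/24) and assumes everything else: the third site's LAN 10.10.3.0/24, its ASA at 192.168.60.52 on a different MPLS subnet, the MPLS CE router 192.168.50.49 as the VPNpeer next hop, and 203.0.113.1 as the ISP next hop on Outside.

```cisco
! Added example, not the original poster's config. Assumed addresses:
!   10.10.3.0/24    third site's LAN
!   192.168.60.52   third site's ASA (another subnet of the MPLS cloud)
!   192.168.50.49   MPLS CE router, the next hop on VPNpeer
!   203.0.113.1     ISP next hop on Outside
!
! Exactly one default route, towards the Internet on Outside.
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Specific routes via the MPLS next hop for the remote LANs and for any
! peer that is not on the VPNpeer /29 itself. 192.168.50.52 is on the
! directly connected 192.168.50.48/29, so it needs no route; the third
! peer does.
route VPNpeer 192.168.60.52 255.255.255.255 192.168.50.49 1
route VPNpeer 10.10.2.0 255.255.255.0 192.168.50.49 1
route VPNpeer 10.10.3.0 255.255.255.0 192.168.50.49 1
!
! NAT exemption must cover every remote LAN, or the third site's
! traffic is PAT'ed on the way out and never matches the crypto ACL.
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
nat (Inside) 0 access-list inside_nat0_outbound
!
! One crypto ACL per peer; each must be the mirror image of the ACL on
! that peer.
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
! Same crypto map, same interface: a second sequence number is all that
! the third site needs. No extra subinterface is required.
crypto map VPNpeer_map 1 match address outside_cryptomap_1
crypto map VPNpeer_map 1 set peer 192.168.50.52
crypto map VPNpeer_map 1 set transform-set ESP-AES-256-SHA
crypto map VPNpeer_map 2 match address outside_cryptomap_2
crypto map VPNpeer_map 2 set peer 192.168.60.52
crypto map VPNpeer_map 2 set transform-set ESP-AES-256-SHA
crypto map VPNpeer_map interface VPNpeer
!
crypto isakmp enable VPNpeer
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! One tunnel-group per peer address, each with its own pre-shared key so
! that compromise of one site does not expose the other tunnel.
tunnel-group 192.168.50.52 type ipsec-l2l
tunnel-group 192.168.50.52 ipsec-attributes
 pre-shared-key <key-for-site-2>
tunnel-group 192.168.60.52 type ipsec-l2l
tunnel-group 192.168.60.52 ipsec-attributes
 pre-shared-key <key-for-site-3>
```

For a true full mesh, sites 2 and 3 also need a tunnel between each other, built the same way. After applying, `show route` should list a single `0.0.0.0 0.0.0.0` entry on Outside and the /24 and /32 entries on VPNpeer; `show crypto isakmp sa` should show a Phase 1 SA per peer, and `show crypto ipsec sa peer 192.168.60.52` should show encap/decap counters increasing once interesting traffic to 10.10.3.0/24 is sent.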

Hi Jennifer,

Thanks for the clarification.

I'm a newbie to VPN configuration, so that is why I'm kinda lost.

Yes, it is a private MPLS.

I guess my problem was using 2 default routes for outside and VPNpeer.

Thanks again, and I appreciate it
