Cisco Support Community
New Member

Site-to-Site VPN for 3 locations

Hi all,

I have some doubts about site-to-site IPSec VPN (3 sites):

- Currently I have a VPN tunnel between two sites and it's working fine. If I want to add a third site, so it will be a full mesh, can I use the same interface that I used before, or do I have to create a subinterface?

Note: I'm using a subinterface for the current configuration between the two sites.

- Can I use a private IP address for the tunnel-group peer?

     i.e. tunnel-group 192.168.50.50 type ipsec-l2l

Your response is really appreciated,

Thanks


4 REPLIES
Cisco Employee

Site-to-Site VPN for 3 locations

Yes, you can use the same interface that you use for your other site-to-site for your third site.

Yes, you can use a private IP address, and I assume that you will NAT that address in front of the ASA so it's routable on the Internet?

New Member

Site-to-Site VPN for 3 locations

Hi Jennifer,

Thanks for your response.

I'm not sure if I got your second answer right, but what I meant is that I'm using private IP addresses for the peers.

So I'm not sure how to use NAT! Could you explain more, please?

Kindly have a look at the following config:

! Physical interface carries only the two VLAN subinterfaces below
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
! Internet-facing subinterface (addresses redacted in the post)
interface GigabitEthernet0/0.100
 vlan 100
 nameif Outside
 security-level 0
 ip address standby
!
! Subinterface towards the VPN peer (private 192.168.50.48/29 handoff)
interface GigabitEthernet0/0.200
 vlan 200
 nameif VPNpeer
 security-level 0
 ip address 192.168.50.50 255.255.255.248 standby 192.168.50.51
!
! NAT exemption for site-to-site traffic (pre-8.3 "nat 0" syntax)
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
!
global (Outside) 1 interface
global (VPNpeer) 2 interface
nat (Inside) 0 access-list inside_nat0_outbound
nat (Inside) 2 10.10.1.0 255.255.255.0
!
route VPNpeer 0.0.0.0 0.0.0.0 192.168.50.50 1
!
! Phase 2 (IPsec) proposal
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto ACL: local LAN 10.10.1.0/24 <-> remote LAN 10.10.2.0/24
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
!
! Crypto map entry 1 for the existing peer, bound to the VPNpeer interface
crypto map VPNpeer_map 1 match address outside_cryptomap_1
crypto map VPNpeer_map 1 set peer 192.168.50.52
crypto map VPNpeer_map 1 set transform-set ESP-AES-256-SHA
crypto map VPNpeer_map interface VPNpeer
!
! Phase 1 (ISAKMP/IKEv1) policy
crypto isakmp enable VPNpeer
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! LAN-to-LAN tunnel group for the existing peer (key redacted)
tunnel-group 192.168.50.52 type ipsec-l2l
tunnel-group 192.168.50.52 ipsec-attributes
 pre-shared-key *****

Cisco Employee

Site-to-Site VPN for 3 locations

How do you route a private IP address on the Internet? Unless VPNpeer is a private MPLS network?

BTW, you can't have 2 default routes configured on an ASA, so the scenario of having an Outside interface and a VPNpeer interface will not work if you configure a default gateway for both interfaces.

You can, however, configure specific routes on the VPNpeer interface for the peer and the remote LAN subnet, pointing towards the VPNpeer next hop.
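To make the accepted answer concrete, here is how this ASA's side of the third tunnel could be added on the existing VPNpeer interface, with the specific routes described above in place of the default route on VPNpeer. This is an added example, not configuration from the original post or from Cisco. It reuses the names and addresses posted in the thread (VPNpeer, VPNpeer_map, inside_nat0_outbound, ESP-AES-256-SHA, 10.10.1.0/24, 10.10.2.0/24, peer 192.168.50.52) and the pre-8.3 NAT syntax the post uses. The third site's LAN 10.10.3.0/24, its peer address 192.168.60.50, the MPLS next hop 192.168.50.49 and the Internet gateway 203.0.113.1 are assumptions, chosen only for illustration.

```cisco
! --- Routing: keep one default route (Outside); VPNpeer gets specific routes only ---
! Remove the second default route from the posted config
no route VPNpeer 0.0.0.0 0.0.0.0 192.168.50.50 1
! 203.0.113.1 is a placeholder for the (redacted) Internet next hop on Outside
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! 192.168.50.49 is the assumed MPLS CE/PE next hop on the VPNpeer /29.
! The existing peer 192.168.50.52 is inside the connected /29, so only its LAN needs a route.
route VPNpeer 10.10.2.0 255.255.255.0 192.168.50.49 1
! Assumed third-site peer (off-subnet, so it needs a host route) and its LAN
route VPNpeer 192.168.60.50 255.255.255.255 192.168.50.49 1
route VPNpeer 10.10.3.0 255.255.255.0 192.168.50.49 1
!
! --- Site 3: assumed LAN 10.10.3.0/24 behind assumed peer 192.168.60.50 ---
! Exempt the new site-to-site traffic from dynamic NAT, same as for site 2
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
!
! Separate crypto ACL per peer so each tunnel negotiates its own SAs
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
!
! New sequence number in the crypto map set already bound to VPNpeer.
! An ASA interface carries exactly one crypto map set, so no new subinterface is needed;
! crypto isakmp is already enabled on VPNpeer in the posted config.
crypto map VPNpeer_map 2 match address outside_cryptomap_2
crypto map VPNpeer_map 2 set peer 192.168.60.50
crypto map VPNpeer_map 2 set transform-set ESP-AES-256-SHA
!
! One tunnel-group per peer, each with its own pre-shared key (placeholder shown)
tunnel-group 192.168.60.50 type ipsec-l2l
tunnel-group 192.168.60.50 ipsec-attributes
 pre-shared-key <site3-psk>
```

For a full mesh, the ASAs at site 2 and site 3 need the mirror image of this (their own crypto map entry, crypto ACL, NAT exemption, routes and tunnel-group for each of the other two sites), including a tunnel directly between sites 2 and 3. After applying, `show route` should list a single default route on Outside and the /24 and /32 routes on VPNpeer, and `show crypto isakmp sa` and `show crypto ipsec sa` should show a Phase 1 and Phase 2 SA per peer once interesting traffic flows. Using a distinct pre-shared key per tunnel-group keeps a leaked key at one site from authenticating to the other.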

New Member

Site-to-Site VPN for 3 locations

Hi Jennifer,

Thanks for the clarification.

I'm a newbie to VPN configuration, so that is why I'm kinda lost.

Yes, it is a private MPLS.

I guess my problem was using 2 default routes for outside and VPNpeer.

Thanks again, and I appreciate it.
