Cisco ASA 5505 is connected to GB1000 which has multiple subnets.
Everything works fine when we access B from C. If we access A from C, GB1000 drops the tunnel C-B and establishes a tunnel A-C. It looks like we can have only one active tunnel at a time. (Licensing is not an issue here.)
I spoke to the GB1000 guys and they say that GB1000 will create one IKE and one IPsec SA even when multiple subnets are involved. On the contrary, Cisco ASA creates an IPsec SA for every subnet at the remote end. I think this is the root cause of the issue.
We are thinking of aggregating all remote subnets into one so we would have only one ACL entry on the ASA, but this would require redesigning the company's subnetting.
Is it possible to make GB1000 act in a Cisco fashion, i.e. create a separate SA per subnet? Or make the ASA create just one IPsec SA for the remote networks?
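For readers trying to see what the post describes on the ASA side, here is an added configuration sketch, not taken from the original post or from any vendor document. All addresses, the ACL name, the crypto map name and the peer address are invented: the local LAN 192.168.1.0/24 stands for C, and the two remote subnets 10.10.0.0/24 and 10.10.1.0/24 behind GB1000 stand for A and B. It shows the per-subnet crypto ACL first and then the single aggregated entry the poster is considering, using ASA 8.2-style syntax.

```cisco
! Added example, not from the original post. Addresses and names are invented.
! Local LAN behind the ASA (C):        192.168.1.0/24
! Remote subnets behind GB1000 (A, B): 10.10.0.0/24 and 10.10.1.0/24
! GB1000 peer address:                 203.0.113.10

! --- As described in the post: one access-list entry per remote subnet ---
! The ASA negotiates one IPsec SA pair per entry (proxy-ID pair) in the crypto
! ACL, so traffic to A and traffic to B each bring up their own IPsec SA.
access-list VPN-GB1000 extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPN-GB1000 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

! --- Aggregated variant the post proposes: a single entry for both subnets ---
! 10.10.0.0/24 and 10.10.1.0/24 are adjacent, so 10.10.0.0/23 covers exactly both.
! With a single entry the ASA only ever asks for one IPsec SA pair towards GB1000.
! (Remove the two entries above before using this one; do not mix both forms.)
access-list VPN-GB1000 extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.254.0

! Crypto map binding the ACL to the GB1000 peer (transform set omitted for brevity)
crypto map OUTSIDE_MAP 10 match address VPN-GB1000
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside

! Verification: each negotiated IPsec SA shows up as its own
! "local ident / remote ident" pair; with the aggregated ACL you expect one.
show crypto ipsec sa peer 203.0.113.10
```

Two caveats a practitioner would check before going this way: the GB1000 side must be configured with the same summarized network (10.10.0.0/23 in this example) as its local selector, otherwise phase 2 fails on mismatched proxy identities; and the summary only works cleanly when the remote subnets are contiguous and aligned, which is why the poster notes it may force a re-addressing of the company network.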