Cisco Support Community

New Member

How to add multiple tunnel to an existing L2L

I was able to build a tunnel between L2L following this example: "Add a New Tunnel or Remote Access to an Existing L2L VPN"

I've tried to add another tunnel to the NY (HQ) firewall. Is it possible to add more tunnels?

My configuration is TN, NY, and CA tunneled between each other. Everyone has access to each other's network. We've set up a new tunnel to access TX through NY, but only TN and NY can access TX. I can't access TX from CA. Are there any restrictions on the number of tunnels on NY?

NY is a Cisco ASA 5510

TN is a Cisco PIX 515

CA is a Cisco ASA 5510

6 REPLIES

Re: How to add multiple tunnel to an existing L2L

Hi,

A 5510 with a Sec+ license will support up to 250 VPN peers. Looks like your issue relates more to configuration (ex: hairpin ACLs/routes). Please post the sanitized configs.

hth

MS

New Member

Re: How to add multiple tunnel to an existing L2L

Let's say this is the NY firewall:

ASA Version 8.0(4)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.20.x 255.255.255.0
...
same-security-traffic permit intra-interface
...
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.20.0 255.255.255.0 172.16.100.0 255.255.255.0
.....
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
....
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
....
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
....
ip verify reverse-path interface outside
.....
global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
.....
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
....
sysopt connection preserve-vpn-flows
...
crypto map medrium_vpns interface outside
crypto isakmp enable outside
...
split-tunnel-policy tunnelall

===========================================================

Re: How to add multiple tunnel to an existing L2L

ACL statements look correct on the NY end. Do you have the config for the TX end?

Also, here are my 2 cents: you may not need all those 'nonat' statements for spoke-to-spoke subnets. That traffic is not originated from the NY end (inside).

ex: access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0

hth

MS

New Member

Re: How to add multiple tunnel to an existing L2L

This is the CA firewall (the one that is not able to talk to TX):

access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.29.68.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_no-nat extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0

access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0

access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list vpn_no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.2.0 255.255.255.0 10.10.50.1 1
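The check MS did by eye on the NY ACLs can be done mechanically once both sides of a tunnel are posted. The script below is an added example, not code from this thread or from Cisco: it parses the crypto (interesting-traffic) ACL lines posted above for the NY hub and the CA spoke, verifies that CA's vpn_NY and NY's vpn_CA mirror each other entry for entry, and walks a CA -> NY -> TX flow through the three hub-side ACLs that must select it. It assumes, as the names suggest, that NY's crypto map binds vpn_CA to the CA peer and vpn_TX to the TX peer (the crypto map entries themselves are elided in the post). The TX end, which MS asked for, is not on the page and is deliberately left out of the walk.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACL lines posted in this thread for the
# NY hub and the CA spoke. Assumption: NY's crypto map binds vpn_CA to the CA
# peer and vpn_TX to the TX peer, as the ACL names suggest.
NY_ACLS = """
access-list vpn_CA extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list vpn_CA extended permit ip 10.29.68.0 255.255.255.0  10.10.50.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TN extended permit ip 10.29.68.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.20.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TX extended permit ip 192.168.1.0 255.255.255.0 10.29.68.0 255.255.255.0
"""

CA_ACLS = """
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn_NY extended permit ip 10.10.50.0 255.255.255.0 10.29.68.0 255.255.255.0
access-list vpn_TN extended permit ip 10.10.50.0 255.255.255.0 192.168.11.0 255.255.255.0
"""

# Only 'extended permit ip <net> <mask> <net> <mask>' lines are parsed; anything
# else (object-groups, ports, deny lines) is skipped so the checker never guesses.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_acls(text):
    """Return {acl_name: [(src_network, dst_network), ...]}."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def covers(entries, src_ip, dst_ip):
    """True if some (src, dst) entry selects the flow src_ip -> dst_ip."""
    return any(src_ip in s and dst_ip in d for s, d in entries)


def mirror_mismatches(local_entries, remote_entries):
    """Entries of the local crypto ACL that the remote peer's ACL does not mirror.

    IPsec proxy identities are negotiated per entry, so every (src, dst) on one
    side needs the exact (dst, src) on the other; a one-sided entry fails Phase 2.
    """
    mirrored = {(d, s) for s, d in remote_entries}
    return [(s, d) for s, d in local_entries if (s, d) not in mirrored]


def trace_spoke_to_spoke(spoke_acls, spoke_to_hub, hub_acls, hub_to_spoke,
                         hub_to_dest, src_ip, dst_ip):
    """List the hub-side crypto ACLs that fail to select a spoke -> hub -> spoke flow.

    Checked in order: the spoke's ACL toward the hub, the hub's ACL for that spoke
    seen in mirror (the hub receives the flow as dst -> src identities), and the
    hub's ACL toward the destination spoke. The far spoke is not checked because
    its configuration is not available.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    problems = []
    if not covers(spoke_acls.get(spoke_to_hub, []), src, dst):
        problems.append(f"spoke ACL {spoke_to_hub} does not select {src} -> {dst}")
    if not covers(hub_acls.get(hub_to_spoke, []), dst, src):
        problems.append(f"hub ACL {hub_to_spoke} has no mirror entry for {src} -> {dst}")
    if not covers(hub_acls.get(hub_to_dest, []), src, dst):
        problems.append(f"hub ACL {hub_to_dest} does not select {src} -> {dst} toward the far spoke")
    return problems


if __name__ == "__main__":
    ny, ca = parse_acls(NY_ACLS), parse_acls(CA_ACLS)
    print("CA<->NY mirror mismatches:", mirror_mismatches(ca["vpn_NY"], ny["vpn_CA"]))
    # Constructed test hosts: one on CA's tunneled LAN, one on CA's second LAN
    # (192.168.2.0/24), which appears in CA's nonat ACL but in no crypto ACL.
    for src, dst in (("10.10.50.10", "10.29.68.10"), ("192.168.2.10", "10.29.68.10")):
        result = trace_spoke_to_spoke(ca, "vpn_NY", ny, "vpn_CA", "vpn_TX", src, dst)
        print(src, "->", dst, ":", result or "all hub-side ACLs select this flow")
```

For a host on 10.10.50.0/24 the walk comes back clean, which matches MS's reading that the NY end is fine and leaves the TX peer's ACL as the remaining hop to verify. For a host on CA's second LAN, 192.168.2.0/24, all three checks fail: that subnet has nonat and route entries on CA but no crypto ACL entry anywhere, so it could never reach TX through NY regardless of what TX has configured.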

New Member

Re: How to add multiple tunnel to an existing L2L

Unfortunately, I can't get the TX configuration since I don't manage that one.

Re: How to add multiple tunnel to an existing L2L

Have the TX end tech check the configs. Try debug icmp and see where the replies are dropped.

hth

MS
