New Member

ASA requires to accept 2 VPN's from different devices behind the same public IP

Hi

I use a Cisco ASA 5520 to terminate multiple site-to-site VPNs. Due to the configuration of a partner's network, I have had to install 2 routers into this partner's network. I have been supplied static private IP addresses for each router, and each router has a unique LAN subnet which is the VPN's protected network.

The partner uses PAT with only one public-facing IP address.

The VPNs are initiated from the partner's network using an IP SLA ping.

Upon installing my first VPN router in the partner's network, once NAT-T was enabled on the local ASA the VPN started working fine. After installing the second VPN router I tried installing the new config on to the ASA via CSM, but the ASA complains that it cannot have 2 VPNs with the same peer address configured.

Are there any suggestions as to how I can get this working?

Thanks,

Simon        

3 REPLIES
Cisco Employee

Yes, you can't configure 2 VPN tunnels to the same peer address.

You would need to PAT the second router to a different public IP.

New Member

Jenifer, I understand how this concept will not work, but I question the reasoning. Each VPN is associated with a different port number, and I can see the packets from both VPN routers entering my local network, so surely the port numbers are sufficient to identify the 2 different sources of data.

Further to this, I tried to configure a dynamic VPN instance on my ASA using the peer address of 0.0.0.0. Try as I might, I could not get this to work alongside the multiple site-to-site VPNs with defined peers.

Any further advice would be appreciated.

Thanks,

Simon

Cisco Employee

The VPN peer on the ASA does not understand port numbers. All it knows is just an IP address, and the ASA won't even take the command if you have the same peer address. It won't be able to build an SA with the same peer.
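As an added illustration of the point made in this thread (not configuration from the thread or from the original poster), this is what the ASA side looks like once the partner PATs the second router to its own public address, as suggested above: one crypto map entry and one tunnel-group per peer, each keyed only on the peer's public IP. All addresses, object names and pre-shared keys are placeholders.

```cisco
! Assumed: router A is PATed by the partner to 203.0.113.10 and, after the fix,
! router B to 203.0.113.11 (placeholder addresses). Protected networks are
! constructed: local 10.1.0.0/24, router A LAN 10.2.1.0/24, router B LAN 10.2.2.0/24.
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.255.0
object network PARTNER_A_LAN
 subnet 10.2.1.0 255.255.255.0
object network PARTNER_B_LAN
 subnet 10.2.2.0 255.255.255.0
!
! Identity NAT so traffic destined for the tunnels is not translated
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static PARTNER_A_LAN PARTNER_A_LAN no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static PARTNER_B_LAN PARTNER_B_LAN no-proxy-arp route-lookup
!
access-list VPN_A extended permit ip object LOCAL_LAN object PARTNER_A_LAN
access-list VPN_B extended permit ip object LOCAL_LAN object PARTNER_B_LAN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ikev1 enable outside
! NAT-T is needed because both routers sit behind the partner's PAT
crypto isakmp nat-traversal 20
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! The peer address is the key: two entries with the same "set peer" would be
! rejected, which is the error the ASA reported via CSM.
crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.11
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Tunnel-groups for L2L peers are named by the peer IP, so they must differ too.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK_FOR_ROUTER_A>
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 ikev1 pre-shared-key <PSK_FOR_ROUTER_B>
```

Syntax shown is the ASA 8.4+ form; older releases use `crypto isakmp policy` and `set transform-set` instead. Use distinct pre-shared keys per peer so one router's credential cannot be replayed as the other's.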
