Cisco Support Community
New Member

Cisco ASA cannot create multiple tunnels to the same peer address?

We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices.  I need these sites to be able to connect to multiple discontiguous subnets at our main office.  This was easily done with Smoothwall and Linksys.  You create a separate tunnel for each subnet and voila, you're done.  However, when I tried this with our newly installed ASA, it will not let me create multiple tunnels to the same remote peer address.  This is a problem since these sites only have a single static public IP address.  Am I missing something, or does the ASA not allow connections to/from multiple subnets from a site with a single peer address?

13 REPLIES
Cisco Employee

You can only have 1 same peer on the ASA, but what you would need to configure is multiple lines of crypto ACL to include the remote LAN that you would want to encrypt. You will also need to have the same mirror image ACL on the remote devices.

New Member

Thanks Jennifer, so what I think you're telling me is that unless I have another ASA at the remote site, I'm out of luck?  The other devices only allow a single IP address or single subnet per tunnel.  Surprised that something like this cannot be done between a Cisco ASA and Cisco WRVS4400N > http://www.cisco.com/en/US/products/ps9931/index.html

Cisco Employee

Looks like a limitation on the WRVS4400N, as the Cisco ASA supports multiple subnets per tunnel.

Is there any way you can configure a larger subnet instead of specific subnets on the ACL?

Eg:

If you have 192.168.0.0/24 and 192.168.1.0/24, instead of having 2 subnets configured, you can combine them into 1 subnet, 192.168.0.0/23.

New Member

Ah, if life were so simple.

Nope, my predecessor decided it would make better sense to use completely discontiguous subnets at each site.  For example, I need remote users to be able to connect to 10.10.96.0/24, 10.1.0.0/24 and 10.10.11.0/24 at the main office.  I know, I can hear you laughing from here...  

Cisco Employee

Not too bad.. what is the remote subnet?

New Member

remote subnet = 10.10.14.0/24

Cisco Employee

OK, change the crypto ACL on the ASA to:

access-list permit ip 10.0.0.0 255.240.0.0 10.10.14.0 255.255.255.0

On the WRVS4400N end, change the remote subnet to 10.0.0.0/255.240.0.0

New Member

WRV does not seem to like that... I get an error, "Remote Security Group and Local Security Group cannot be in the same network"
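As an added illustration of the summarization exchange above (example code, not from the thread or from any Cisco tool): this Python check takes the subnets the two posters traded, computes the smallest single prefix that covers the main-office subnets, flags when that summary also swallows the remote LAN (the 10.0.0.0/12 case the WRVS4400N rejected), and renders the alternative of one crypto ACL line per subnet in ASA dotted-mask form. The ACL name outside_cryptomap is an assumed placeholder.

```python
import ipaddress
from typing import Iterable, List, Tuple


def summarize(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that covers every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    agg = nets[0]
    # supernet() widens the prefix by one bit per round; 0.0.0.0/0 covers
    # everything, so the loop always terminates.
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg


def summary_is_usable(local_subnets: Iterable[str],
                      remote_subnet: str) -> Tuple[ipaddress.IPv4Network, bool]:
    """Return (summary, usable). A summary that also covers the remote LAN
    makes the local and remote traffic selectors overlap, which the WRVS4400N
    refuses outright ("cannot be in the same network") and which is
    ambiguous for any peer's policy lookup."""
    summary = summarize(local_subnets)
    remote = ipaddress.ip_network(remote_subnet)
    return summary, not summary.overlaps(remote)


def asa_crypto_acl(acl_name: str, local_subnets: Iterable[str],
                   remote_subnet: str) -> List[str]:
    """One 'access-list ... extended permit ip' line per local subnet, using
    the dotted masks the ASA expects; the peer needs the mirror image."""
    remote = ipaddress.ip_network(remote_subnet)
    return [
        f"access-list {acl_name} extended permit ip "
        f"{n.network_address} {n.netmask} {remote.network_address} {remote.netmask}"
        for n in (ipaddress.ip_network(s) for s in local_subnets)
    ]


if __name__ == "__main__":
    # Subnets from the thread; 'outside_cryptomap' is an assumed ACL name.
    remote = "10.10.14.0/24"
    cases = [("original", ["10.10.96.0/24", "10.1.0.0/24", "10.10.11.0/24"]),
             ("after static NAT", ["192.168.96.0/24", "192.168.1.0/24", "192.168.11.0/24"])]
    for label, locals_ in cases:
        summary, ok = summary_is_usable(locals_, remote)
        print(f"{label}: summary {summary} -> {'usable' if ok else 'overlaps remote LAN'}")
        for line in asa_crypto_acl("outside_cryptomap", locals_, remote):
            print("  " + line)
```

For the NATed subnets the minimal summary comes out as 192.168.0.0/17; the 192.168.0.0/16 used later in the thread is simply a broader prefix that also covers them.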

Cisco Employee

OK, maybe you can do static NAT on the ASA end as follows:

10.10.96.0/24 --> NAT to 192.168.96.0/24

10.1.0.0/24  --> NAT to 192.168.1.0/24

10.10.11.0/24 --> NAT to 192.168.11.0/24

Then crypto ACL say:

access-list permit ip 192.168.0.0 255.255.0.0 10.10.14.0 255.255.255.0

On WRV, remote security group: 192.168.0.0/16

BUT, to access the main office subnets, you would need to use the corresponding NATed subnet, i.e. 192.168.x.x

New Member

Really appreciate all the help Jennifer, but I think the NAT option would just cause more problems since one of the subnets is for VoIP and the phones would probably freak out with a different IP scheme.  We'd also need to edit hosts files, etc. for resources at the main office since DNS could not be changed.  Since our company moves a lot of Cisco gear, I'm checking to see if we can get a couple of ASAs to replace the WRVs.

Out of curiosity,  I'm not 100% clear on how I would create the NAT rules you mention.  Which direction would they be setup on the ASA (v8.4)?  (inside, outside)?  Would the NAT'd address only apply to VPN traffic to/from 10.10.14.0?  There are other sites up where I would not want them NAT'd.  Not a big deal, just curious in case I need to do this in the future.

Thanks again!!   

Cisco Employee

As long as you have the inspection engine enabled on the ASA, it shouldn't freak out at the different IP, as it will inspect the call signalling and will NAT it accordingly. BUT, for simplicity, I agree with you: it would cause a lot of troubleshooting headaches if there is a problem, as well as reconfiguration of IPs on the host ends.

Here is the NAT FYI:

object network obj-10.10.96.0
   subnet 10.10.96.0 255.255.255.0
object network obj-192.168.96.0
   subnet 192.168.96.0 255.255.255.0
object network obj-10.10.14.0
   subnet 10.10.14.0 255.255.255.0
object network obj-10.1.0.0
   subnet 10.1.0.0 255.255.255.0
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
object network obj-10.10.11.0
   subnet 10.10.11.0 255.255.255.0
object network obj-192.168.11.0
   subnet 192.168.11.0 255.255.255.0

nat (inside,outside) source static obj-10.10.96.0 obj-192.168.96.0 destination static obj-10.10.14.0 obj-10.10.14.0
nat (inside,outside) source static obj-10.1.0.0 obj-192.168.1.0 destination static obj-10.10.14.0 obj-10.10.14.0
nat (inside,outside) source static obj-10.10.11.0 obj-192.168.11.0 destination static obj-10.10.14.0 obj-10.10.14.0

New Member

Picked up an ASA 5505 for the remote side and all is well. 

Cisco Employee

Perfecto.. thanks for the update.
