Cisco Support Community
New Member

L2L between ASA: explanation required

Hi.

I set up an L2L between 2 ASAs, with site A needing to reach 2 different LANs on site B.

For this purpose I wrote down these lines in the site B config:

access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0

However, with show ipsec sa I get this:

interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30
      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)

How come I don't see the network 10.0.0.0 mentioned? Can I assume the traffic for/to network 10.0.0.0 will be tunneled or not?

Thanks in advance

2 REPLIES
Hall of Fame Super Blue

Re: L2L between ASA: explanation required

Are you sure you are looking at the entire output of "sh crypto ipsec sa"? Each separate line in your access-list is treated as a separate SA pair, so you should see another entry for the 10.0.0.0 network.

Jon

New Member

Re: L2L between ASA: explanation required

Yes, this is the whole output.

I assume then there is no interesting traffic to the network 10.0.0.0, so that no SAs are created.

If I am correct: although the 2 networks are at the same site, an SA pair is needed to communicate with each one?
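
An added example, not part of the original thread: a small Python check that pairs each entry of the crypto ACL with the local/remote identities in `show ipsec sa` output and lists the entries that currently have no SA pair. The sample text is the configuration and output quoted above, the function names are illustrative, and only entries in network/mask form are assumed.

```python
import ipaddress
import re

# Constructed sample input, taken from the configuration and output quoted in the thread.
CONFIG = """\
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.5.0.0 255.255.255.0
"""
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 192.168.168.30
      access-list outside_20_cryptomap permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.255.0/0/0)
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def crypto_aces(config, acl_name):
    """Return (local, remote) network pairs, one per entry of the named crypto ACL."""
    return [(net(s, sm), net(d, dm))
            for name, s, sm, d, dm in ACE_RE.findall(config) if name == acl_name]

def active_sas(show_output):
    """Return the set of (local, remote) identity pairs listed in the SA output."""
    pairs, local = set(), None
    for side, addr, mask in IDENT_RE.findall(show_output):
        if side == "local":
            local = net(addr, mask)
        elif local is not None:
            pairs.add((local, net(addr, mask)))
            local = None
    return pairs

def aces_without_sa(config, acl_name, show_output):
    """Crypto ACL entries with no matching SA identity pair in the output."""
    up = active_sas(show_output)
    return [ace for ace in crypto_aces(config, acl_name) if ace not in up]

if __name__ == "__main__":
    for local, remote in aces_without_sa(CONFIG, "outside_20_cryptomap", SHOW_IPSEC_SA):
        print(f"no SA yet: {local} -> {remote}")
```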
