Multiple Tunnels with the same remote network & destination in crypto maps

BillGlodek
Level 1

This may be a beginner question, but I only have production systems and really don't have a way to test it out properly. We have an ASA 5520 with multiple site-to-site tunnels. We have one tunnel already with one of the remote networks being 10.100.90.14. We have this IP address in a subnet configured as the remote network and as the destination address in the crypto map. We also have NAT exempt rules in place for our local network with the 10.100.90.14 address as the destination.

We have another tunnel that needs to be built that will have a different peer address, but is requiring a large number of subnets and at least one will have the same remote network/destination address in the crypto map and another VPN tunnel we already have in place.

Is this possible to do with a site-to-site tunnel without doing a static or dynamic NAT to another IP address?

I know with the physical networks you can't do this because of the static routes that are in place, but with the IPsec tunnels I am just not sure how this will work, and as mentioned I am not able to test it.

Any guidance would be appreciated.

Accepted Solution

Jon Marshall
Hall of Fame

Bill

The crypto map ACL defines the interesting traffic. If you have the same destination IP address, i.e. 10.100.90.14, then if the source, i.e. the IP address of the client on your network, is the same for both tunnels then no, it won't work and you will have to do some sort of NAT for one of the tunnels.

Jon


That's what I thought and just wanted to verify. Thanks.

Just a follow-up to your answer. If our local networks are different for the tunnels, so say tunnel A has a local network of 172.21.200.0/24 and tunnel B will connect to our local network 172.21.210.0/24, and both have the remote network of 10.100.90.14, then the traffic would be different and that would work? When the tunnel connects and goes through the crypto maps, it will look for an identical match for the source and destination networks, so they would be different and should work, correct?

With this theory, if tunnel A has the remote network defined as 10.100.90.0/24 but tunnel B has the remote network of host 10.100.90.14, then this would work with different local networks. Would this also work for the same local networks?

Thanks for your help.

For the same ones it will not work without configuring NAT for one remote subnet to an X IP... and yes, for different remote subnets it will work.
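To see the matching rule from this thread in action, here is an added Python model of first-match crypto-map evaluation; it is not code from the thread or from Cisco, and the peer addresses and sequence numbers are constructed placeholders. It flags an entry for a second peer whose source/destination pair is already fully covered by an earlier entry (the "same local, same remote" case), and shows that a different local network avoids the conflict.

```python
import ipaddress

# Constructed crypto-map entries modeled on the thread:
# (sequence, peer, local/source network, remote/destination network).
# An ASA walks crypto-map entries in sequence order and sends a packet
# through the first entry whose crypto ACL matches it.
CRYPTO_MAP = [
    (10, "203.0.113.1", "172.21.200.0/24", "10.100.90.0/24"),   # tunnel A
    (20, "203.0.113.2", "172.21.200.0/24", "10.100.90.14/32"),  # tunnel B, same local net
    (30, "203.0.113.2", "172.21.210.0/24", "10.100.90.14/32"),  # tunnel B, different local net
]


def match_entry(src_ip, dst_ip, crypto_map=CRYPTO_MAP):
    """Return (seq, peer) of the first entry matching the flow, or None (clear-text)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, peer, local, remote in sorted(crypto_map):
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return seq, peer
    return None


def shadowed_entries(crypto_map=CRYPTO_MAP):
    """Find entries for a different peer that an earlier entry covers.

    Returns (seq, earlier_seq, kind): 'shadowed' when the later entry's
    source and destination both fit inside the earlier one (it never gets
    traffic, so that tunnel never carries the flow), 'partial' when only
    some of its flows are stolen by the earlier entry.
    """
    problems = []
    ordered = sorted(crypto_map)
    for i, (seq, peer, local, remote) in enumerate(ordered):
        l_net, r_net = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        for eseq, epeer, elocal, eremote in ordered[:i]:
            if epeer == peer:
                continue  # same peer: ordering within one tunnel is not a conflict
            el_net, er_net = ipaddress.ip_network(elocal), ipaddress.ip_network(eremote)
            if l_net.subnet_of(el_net) and r_net.subnet_of(er_net):
                problems.append((seq, eseq, "shadowed"))
            elif l_net.overlaps(el_net) and r_net.overlaps(er_net):
                problems.append((seq, eseq, "partial"))
    return problems


if __name__ == "__main__":
    print(match_entry("172.21.200.5", "10.100.90.14"))  # tunnel A wins, not B
    print(match_entry("172.21.210.5", "10.100.90.14"))  # reaches tunnel B
    print(shadowed_entries())
```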
