Community Member

Site-to-Site VPN : Multiple Remote Networks

The ASA Site-to-Site VPN configuration examples that I have come across have only one network at each of the two sites.

If the remote network/site has multiple networks, e.g. DMZ1, DMZ2, INSIDE etc., how can they be added via the Site-to-Site VPN ASDM wizard?

Thanks.

23 REPLIES

Re: Site-to-Site VPN : Multiple Remote Networks

Have a look at this example of an L2L VPN with inside and DMZ; for more interfaces, iterate the same principle.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

HTH

Jorge

Cisco Employee

Re: Site-to-Site VPN : Multiple Remote Networks

Hi,

I have not seen a specific configuration example for adding multiple networks to an IPsec L2L tunnel via ASDM.

Typically, you would just follow the same process as in the URLs below, but add all the local networks and remote networks that you want to be IPsec protected.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

http://www.cisco.com/en/US/docs/security/asdm/6_1/user/guide/vpn_wiz.html#wp999348

Regards,

Arul

*Pls rate if it helps*

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

I have done the configuration for the site-to-site VPN. However, I cannot ping the remote network (Site B) from the local network (Site A).

Is ping restricted via VPN?

Also, if the multiple networks in Site B are not directly connected to the ASA (with the VPN configs), how will they be handled?

For e.g. topology:

Site A ASA (VPN edge) - Internet - Site B ASA (VPN edge) - Inside Network - Another ASA - Network segment on the DMZ.

So the configuration examples only point to a directly connected interface on the remote ASA. What additionally needs to be done if the destination network is a couple of hops/segments away from the Site B ASA VPN inside segment?

Thanks.

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

"So the configuration examples only point to a directly connected interface on the remote ASA. What additionally needs to be done if the destination network is a couple of hops/segments away from the Site B ASA VPN inside segment?"

Nothing special. All you need to make sure is that your crypto map access-lists on both VPN devices include all the networks you want to encrypt traffic for. The networks do not have to be directly connected to the ASA VPN device; they can be as many hops away as you want.

If you can't ping, I would suggest looking at the second ASA in Site B, if you are sure your VPN is working.

Jon

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

Thanks.

One more thing... where does the VPN actually get terminated? Is it on the ASA? Then why is the destination network required on both ASAs to enable the VPN? Is it to identify interesting traffic or to permit access over the VPN?

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

If I understand what you are saying, the VPN runs between the 2 ASAs that you have configured it on. So it is a tunnel between these 2 devices.

You need to tell each ASA which networks you want to send through this tunnel and you do this by including the networks in the crypto map access-lists. If the network is not in the crypto map access-list the traffic will not be sent via the tunnel.

Jon

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

I am not able to ping the remote network from the local ASA. I can ping the outside interface of the remote ASA, though.

Just to let you know, I am running this on a local LAN, i.e. the outside interfaces on both ASAs are on the same segment.

The failed ping on the ASA gives ?????.

Green

Re: Site-to-Site VPN : Multiple Remote Networks

You won't be able to ping the remote network from the ASA unless this traffic is added to your crypto acls. Something like...

access-list crypto extended permit ip host

and on the other end...

access-list crypto extended permit host

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

If there are other outside routes in the ASA, but they are not defined as one of the destination networks, would the traffic to those routes be restricted, or would it be allowed but bypass the tunnel?

Any tips on troubleshooting the site-to-site VPN? Any debug commands etc.?

Green

Re: Site-to-Site VPN : Multiple Remote Networks

Any traffic which is not defined in your crypto acl will be routed normally. Only traffic defined in the crypto acl will be tunneled.

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

If you look at site-to-site VPN example at link

http://www.cisco.com/en/US/docs/security/asa/asa81/quick/guide/sitvpn.html

the local and remote networks look strange.

Local Network is 209.165.200.0 255.255.255.255

Remote Network is 209.165.200.255 255.255.255.255

Could you please explain this ?

Thanks.

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

Do you mean Figure 7-1 in the doc?

The local and remote networks are 10.10.10.0/24 (Site A) & 10.20.20.0/24 (Site B). Obviously local & remote are purely dependent on which site you are looking at it from.

The VPN peer addresses are

Site A - 209.165.200.226

Site B - 209.165.200.236

If these sites are separated by the Internet then they will be on different networks.

Jon

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

No. Please look under 'Specifying Hosts and Networks' against Step 3.

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

Ah okay, sorry about that, I didn't read the full link.

It makes no sense. I don't really use ASDM, but what is being filled in for the local and remote networks bears no relation to Figure 7-1.

What may happen is, if you NAT the inside addresses 10.10.10.0/24 at Site A to the Site A external IP address on its ASA, and you NAT the inside addresses 10.10.20.0/24 at Site B to the Site B external IP address on its ASA, then you would fill in the 2 external IP addresses as the remote and local network.

However, even that doesn't account for what is happening in the document. And NAT exemption has been ticked in the ASDM window.

So unless ASDM is completely different in the way you fill in the VPN information, and I can't see how that would be, it looks like the document is incorrect.

Jon

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

Ok. I can now initiate a VPN connection between the networks on the inside of the two ASAs. However, it only works from Site A to Site B. I cannot ping from Site B to Site A, even though the configurations on both ASAs are exactly the same. Also, the local host NIC configurations on both networks are the same.

On Site A ASDM, I can see ICMP teardowns for the incoming icmp requests from Site B.

Please assist.

Thanks.

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

Can you post the latest configs for each ASA and also the source & destination IP addresses you are testing ping between?

Jon

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

Please find below the configs. Through the logs on the ASAs on both sides, I have verified that the Phase 1 and Phase 2 SAs complete successfully. Local hosts on both ends have the ASA inside interface as their default gateway.

Thanks.

SITE A Config

(Ping from Site A local network to Site B remote network works)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 85.23.77.115 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 40.40.40.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 85.23.77.116 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 85.23.77.116
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 85.23.77.116 type ipsec-l2l
tunnel-group 85.23.77.116 ipsec-attributes
 pre-shared-key *
!

-------------------------------

SITE B Config

(Ping from Site B local network to Site A remote network does not work)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 85.23.77.116 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.161.50 255.255.255.0
!
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 85.23.77.115 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 85.23.77.115
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 85.23.77.115 type ipsec-l2l
tunnel-group 85.23.77.115 ipsec-attributes
 pre-shared-key *

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

Okay, they do look the same to me, so it's not obvious what is happening.

Are you pinging from a host behind one of the ASA devices to a host behind the other ASA device?

When you try to initiate from Site B to Site A, can you confirm the tunnel is formed correctly?

Are these the full configs?

Jon

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

More info...

I ran Ethereal on a local host of the Site A network and initiated a ping from a remote host of the Site B network.

I can see the ping request hitting the local host, but there is no reply to the packet.

Is the packet being dropped at the local host of Site A?

Regards.

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

Yes, I am pinging from a host behind one of the ASA devices to a host behind the other ASA device.

I can confirm the tunnel formation, as in the ASDM logging I can see the Phase 1 and Phase 2 association getting completed.

Yes, these are the full/related configs.

Query:

If I run a ping from both ends, should the active tunnels be 1 or 2?

Hall of Fame Super Blue

Re: Site-to-Site VPN : Multiple Remote Networks

"If I run a ping from both ends, should the active tunnels be 1 or 2?"

The actual tunnels that transfer the data, i.e. the IPsec SAs, are unidirectional. So for a site-to-site VPN there are, for each connection, 2 IPsec SAs, one in each direction.

For each entry in your crypto map access-list there will be 2 SAs formed. So if you ping from Site A and ping from Site B, and they are using the same line in the access-list (and they are in your configuration), that will be 2 IPsec SAs: 1 from A -> B and 1 from B -> A. Which is the same as if you only started the ping from one side.

Can you check on host A that there isn't a firewall running that is blocking incoming echo requests?

Jon
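The three rules argued in this thread (only traffic matching a crypto map ACL line is tunnelled, the rest is routed in clear; the two peers' crypto ACLs must be mirror images; a single ACL line used from both sides yields exactly two unidirectional IPsec SAs) can be checked offline against the posted configs. The following is an added example, not code from the thread or from Cisco; it parses constructed `access-list` lines modelled on the Site A and Site B configs above and the function names are my own.

```python
import ipaddress

# Constructed sample lines modelled on the two ASA configs posted in this thread.
SITE_A_CONFIG = """
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
"""
SITE_B_CONFIG = """
access-list outside_20_cryptomap extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
"""

def _operand(parts, i):
    """Decode one ACL address operand (any / host X / X MASK) at parts[i]; returns (network, next index)."""
    if parts[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.IPv4Network(parts[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{parts[i]}/{parts[i + 1]}"), i + 2

def parse_crypto_acl(config, acl_name):
    """Collect (local, remote) network pairs from the 'permit ip' lines of the named crypto ACL."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:5] == ["access-list", acl_name, "extended", "permit", "ip"]:
            src, i = _operand(parts, 5)
            dst, _ = _operand(parts, i)
            entries.append((src, dst))
    return entries

def matching_entry(acl, src_ip, dst_ip):
    """Index of the first ACL line covering the flow in either direction (inbound tunnel traffic is matched against the reversed line), else None."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, (src, dst) in enumerate(acl):
        if (s in src and d in dst) or (s in dst and d in src):
            return i
    return None

def is_tunneled(acl, src_ip, dst_ip):
    """True if the flow is interesting traffic; anything else follows the route table in clear."""
    return matching_entry(acl, src_ip, dst_ip) is not None

def is_mirrored(acl_a, acl_b):
    """Peer crypto ACLs must be mirror images: every (src, dst) on A appears as (dst, src) on B."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}

def expected_ipsec_sas(acl, flows):
    """Two unidirectional IPsec SAs per crypto ACL line that any of the given flows hits."""
    hit = {matching_entry(acl, s, d) for s, d in flows}
    hit.discard(None)
    return 2 * len(hit)
```

Feeding a real `show running-config` into `parse_crypto_acl` and `is_mirrored` is a quick way to rule out an asymmetric crypto ACL before chasing host firewalls, as happened in this thread.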

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

Great.

Thanks a lot, Jon. I had checked the Windows firewall settings but wasn't sure that pings were being blocked by the recently installed Symantec Client firewall.

Community Member

Re: Site-to-Site VPN : Multiple Remote Networks

Hi,

There will be only one active tunnel. That's for sure.

Were you able to resolve the issue? If so, could you please share the configuration, since I have a similar issue?

Regards

AP
