Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Traversing traffic across multiple VPN tunnels

I have a customer that has the following networks:

Office 1

-------

192.168.200.0/24

192.168.90.0/24

192.168.10.0/24

Office 2

--------

192.168.201.0/24

192.168.91.0/24

192.168.11.0/24

172.16.20.0/24

Office 1 also has four address pools for its dial-in VPN clients:

192.168.80.0/24

192.168.82.0/24

192.168.83.0/24

192.168.84.0/24

The customer wants to be able to dial in from their remote location and communicate all the way across to Office 2's networks. Traffic originating from the dial-in networks is not causing the tunnels to be spun up, however.

The firewall config is attached.

Everyone's tags (3)
4 REPLIES
Super Bronze

Re: Traversing traffic across multiple VPN tunnels

Hi,

You seem to have added lines to the L2L VPNs ACL that dont really make sense. I mean you have source networks on the ACL that are not located on your site at all

So the following (which you already have in the ACL) should be the only thing in the crypto ACL and the rest should be removed

OFFICE1 TO OFFICE2

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 172.16.20.0 255.255.255.0

OFFICE1 VPN POOLS TO OFFICE2

access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 172.16.20.0 255.255.255.0

You will also have to make sure that the Office 2 device has the corresponding crypto ACLs and NAT0 configurations to allow the traffic between the VPN Pool networks and its local office networks.

You also seem to be using Split Tunnel VPN and using the "vpn_splittunnel" ACL to define the network to which VPN users should be able to forward traffic through the VPN connections. This ACL does not yet contain every Office 2 network in it.

So assuming you want the Split Tunnel VPN to reach all Office 1 and Office 2 networks then the ACL should look something like this

access-list vpn_splittunnel standard permit 192.168.200.0 255.255.255.0

access-list vpn_splittunnel standard permit 192.168.201.0 255.255.255.0

access-list vpn_splittunnel standard permit 192.168.90.0 255.255.255.0

access-list vpn_splittunnel standard permit 192.168.91.0 255.255.255.0

access-list vpn_splittunnel standard permit 192.168.10.0 255.255.255.0

access-list vpn_splittunnel standard permit 192.168.11.0 255.255.255.0

access-list vpn_splittunnel standard permit 172.16.20.0 255.255.255.0

You seem to lack a NAT0 configuration on the "outside" interface of the ASA. As the VPN Client connections are coming to the "outside" interface and they are also leaving through the "outside" interface back to the L2L VPN connections, you will need to have a NAT0 configuration on the "outside" interface also.

So you need to add

access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 192.168.91.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (outside) 0 access-list OUTSIDE-NAT0

I would also highly suggest that you go through your local interface NAT0 configurations and use separate ACL for each interfaces NAT0 so that they dont each contain a lot of source networks which arent located behind those interfaces. This might in the worst cause cause problems to the ASAs NAT operation.

- Jouni

New Member

Traversing traffic across multiple VPN tunnels

These changes have not resolved the issue.

"The change did not resolve the issue. The P2 was staying alive due to packets incoming from this side (192.168.201.1). The tunnel is still not coming up when traffic is originating from the 192.168.80.0 network. Can you check for any other adjustments that need to be made?"

Super Bronze

Traversing traffic across multiple VPN tunnels

Hi,

Actually seem that for some reason your actual L2L VPN crypto map IS NOT attached to any interface at the moment?

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group5

crypto map outside_map 1 set peer 65.61.105.34

Instead if seems you have some dynamic map configured (usually for VPN Client use) and that is attached to the "outside" interface.

crypto map vpn_map interface outside

If you want to use both L2L VPN and IPsec VPN Client connections then the configurations are usually in the same crypto map.

- Jouni

New Member

Traversing traffic across multiple VPN tunnels

Some background - the VPN Client configuration was already in place before I was given the project to add L2L VPN tunnels to the device. You're saying that configuration should be part of the crypto map vpn_map configuration and not in its own config? Can you give me an example?

Thank you,

James

452
Views
0
Helpful
4
Replies
CreatePlease to create content