
New Member

Vendor L2L VPN access to others

Our ASA is a 5580 version 8.1(2) and is the L2L VPN peer for a handful of remote offices including a L2L VPN with a vendor who will provide a service for these remote offices. I have two questions/issues:

  • We will need to provide this vendor access to the remote office network(s) only on port 9100 (printing to specific printers at these offices). I know there is an issue with L2L VPNs' ability to see each other, but if there is a global command allowing all to see each other that would be bad, as we have others and don't want all to see each other.
  • The remote offices are using CIDR 172.20.0.0/16, so each one is assigned, for example, 172.20.3, the next office 172.20.4, and so on. For the crypto map access list for this vendor, can we use 172.20.0.0/16 or do we need to specify each individual network?

Thanks for any help.

Jeff

Accepted Solution

Cisco Employee

Vendor L2L VPN access to others

OK, my understanding of your topology:

ASA5580 is the HUB and you have multiple SPOKES (remote offices and vendor).

Requirement:

- Remote offices to print to vendor network via ASA5580 HUB

If the above is correct, then to answer your second question:

YES, the crypto ACL needs to be exact because it needs to mirror image, and you would need to add the crypto ACL at all 3 sites, i.e.: HUB, remote office, and vendor.

Example:

Remote office:

- access-list permit ip host

- access-list nonat permit ip host

Vendor:

- access-list permit ip host

- access-list nonat permit ip host

HUB:

- access-list permit ip host

- access-list permit ip host

- same-security-traffic permit intra-interface

Hope that answers your question.
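The following is an added worked example of the hub-side configuration the accepted answer describes, together with the port 9100 restriction asked for in the original question. It is not Jennifer's config or anything from the thread: the vendor LAN (10.99.0.0/24), both peer addresses (203.0.113.10 for the vendor, 198.51.100.3 for remote office 3), the ACL, group-policy, crypto map and transform-set names are all placeholders, and ISAKMP plus the existing HQ-to-office crypto map entries are assumed to be in place. Syntax is ASA 8.1-era (pre-8.3 NAT), matching the software version stated in the question.

```cisco
! Added example (not from the thread): hub ASA 5580 additions, 8.1-era syntax.
! Placeholders: vendor LAN 10.99.0.0/24 behind peer 203.0.113.10;
! remote office 3 = 172.20.3.0/24 (from the thread) behind peer 198.51.100.3.
! ISAKMP, transform set ESP-AES-SHA and crypto map OUTSIDE-MAP assumed to exist.

! 1. Crypto ACLs: one exact subnet pair per office, mirrored on each spoke.
!    Vendor tunnel: the office subnet is the "local" side from the hub's view.
access-list CRYPTO-VENDOR extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
!    Office-3 tunnel: the vendor subnet is the "local" side from the hub's view.
access-list CRYPTO-OFFICE3 extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0

! 2. Spoke-to-spoke traffic enters and leaves the outside interface: allow the hairpin.
same-security-traffic permit intra-interface

! 3. Exempt hairpinned traffic from NAT on the outside interface (both directions).
access-list OUTSIDE-NONAT extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list OUTSIDE-NONAT extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NONAT

! 4. Least privilege for the vendor: only TCP 9100 toward the office printers.
!    "sysopt connection permit-vpn" (the default) bypasses the interface ACL for
!    VPN traffic, so a vpn-filter on the vendor tunnel's group policy enforces it.
!    vpn-filter ACL convention: source = remote (vendor) side, destination = local side.
access-list VENDOR-VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0 eq 9100
group-policy GP-VENDOR internal
group-policy GP-VENDOR attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VENDOR-VPN-FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-VENDOR
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <placeholder-psk>

! 5. Crypto map entries for both spokes on the outside interface.
crypto map OUTSIDE-MAP 10 match address CRYPTO-VENDOR
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address CRYPTO-OFFICE3
crypto map OUTSIDE-MAP 20 set peer 198.51.100.3
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Mirror image on the remote office 3 peer (crypto ACL and NAT exemption):
!   access-list CRYPTO-HUB extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
!   access-list NONAT extended permit ip 172.20.3.0 255.255.255.0 10.99.0.0 255.255.255.0
! and on the vendor peer:
!   access-list CRYPTO-HUB extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0
!   access-list NONAT extended permit ip 10.99.0.0 255.255.255.0 172.20.3.0 255.255.255.0
```

Each additional remote office gets its own pair of crypto ACL lines (one in CRYPTO-VENDOR, one in that office's crypto ACL), its own NAT-exemption lines and its own vpn-filter line, which is what keeps the hairpin scoped to vendor-to-printer traffic rather than opening every spoke to every other spoke. Because the filter is tied to the vendor's group policy, the remaining L2L tunnels are unaffected. To confirm the filter is doing its job, watch the hit counts on `show access-list VENDOR-VPN-FILTER` and check that `show crypto ipsec sa peer 203.0.113.10` shows an SA only for the 172.20.x/24 subnets you listed.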

3 REPLIES

New Member

Vendor L2L VPN access to others

Jennifer, thanks for the reply.

Is there something I need to do on the ASA 5580 to allow a L2L VPN to see the others? If it's just access lists that's great.

The vendor will send print jobs to the remote office printers on the 172.25.x networks, not the other way around.

Thanks for the reply.

Jeff

Cisco Employee

Vendor L2L VPN access to others

Config advised earlier under HUB is the one needed on the ASA5580.
