Solved

ASA5505 VPN overlapping traffic selection

Posted on 2009-07-14
919 Views
Last Modified: 2012-05-07
Can I overlap VPN traffic selection subnets?

I have a triangle of 3 ASA5505s running version 8.x.  A very large amount of subnets, and the internet, are behind the main unit (we'll call it unit 1).  Unit 2 and 3 connect into unit 1 fine.  The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".  

The problem arises when I set up a VPN between units 2 and 3.  Since the "local subnet" for both unit 2 and 3 are included in "ANY" (hitting the traffic selection for unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.  

I tried inserting a "don't protect the other unit's subnet" statement before the "local subnet to ANY" line on units 2 and 3 hoping it would skip to the second traffic selection rule, but it did not work.  (i.e. on unit 3, don't tunnel traffic bound for unit 2 in the unit 1 tunnel)

Any ideas are appreciated.  Thanks.  Mike
Question by:Avi8r
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24852705
<I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY">

Do you mean you tried adding a deny before the permit?  Something like this?

access-list crypto_1 extended deny ip <local subnet> <site 3 subnet>
access-list crypto_1 extended permit ip <local subnet> any


Remember the crypto maps need to match exactly.  

As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list.


0
 

Author Comment

by:Avi8r
ID: 24852852
"As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list."

How do I bump them up?  I do everything through ASDM and the "move up" buttons are grayed out.  


0
 
LVL 33

Accepted Solution

by:MikeKane (earned 2000 total points)
ID: 24853085
Not sure how to move it, but you can recreate it I think.  

In the ASDM, try using CONFIGURATION - SITE to SITE VPN - Advanced - Crypto map. Then click Add in the rules window and create the new IPSEC rule with priority 1 (or something higher than the original Site 1 rule). You'll need to tweak the VPN to use this instead, but it should match before the Site 1 traffic identifying rule and use that for establishing the tunnel.

0
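The thread's fix, restated as configuration: the question describes the spoke-to-spoke tunnel never coming up because the broad "local subnet to ANY" crypto map entry matches first, and the accepted answer is to give the specific unit 2 to unit 3 entry a lower (higher-priority) sequence number so it is evaluated before the "to any" entry. The following ASA 8.x CLI fragment for unit 2 is an added example, not configuration posted by either participant; the interface name, map and ACL names, transform set, the 10.2.0.0/24 and 10.3.0.0/24 LANs and the 203.0.113.x peer addresses are all constructed for illustration, and the pre-shared keys are placeholders.

```text
! Added example (not from the thread). Constructed addressing:
!   unit 2 LAN 10.2.0.0/24, unit 3 LAN 10.3.0.0/24
!   unit 1 outside peer 203.0.113.1, unit 3 outside peer 203.0.113.3

! Interesting-traffic ACLs: one specific (to unit 3), one broad (to unit 1 / "any").
access-list UNIT2_TO_UNIT3 extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list UNIT2_TO_UNIT1 extended permit ip 10.2.0.0 255.255.255.0 any

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Sequence 10: the specific unit 2 <-> unit 3 entry is evaluated first,
! so traffic to 10.3.0.0/24 selects this tunnel instead of the "to any" one.
crypto map OUTSIDE_MAP 10 match address UNIT2_TO_UNIT3
crypto map OUTSIDE_MAP 10 set peer 203.0.113.3
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA

! Sequence 20: the broad "local to any" entry toward unit 1 comes after it.
crypto map OUTSIDE_MAP 20 match address UNIT2_TO_UNIT1
crypto map OUTSIDE_MAP 20 set peer 203.0.113.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA

crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 pre-shared-key <UNIT3-PSK-PLACEHOLDER>
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <UNIT1-PSK-PLACEHOLDER>
```

Unit 3 needs the mirror image: a crypto ACL permitting 10.3.0.0/24 to 10.2.0.0/24 (the exact reverse of UNIT2_TO_UNIT3, as the "crypto maps need to match exactly" remark above requires) on its lowest sequence number, with its own "local to any" entry toward unit 1 behind it. After applying the change, `show run crypto map` confirms the sequence order and `show crypto ipsec sa` shows which peer and local/remote identity each active SA was built for, which is the quickest way to verify that unit 2 to unit 3 traffic is no longer being claimed by the unit 1 tunnel.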

Author Comment

by:Avi8r
ID: 24911039
Thanks Mike.  Will try this during my next maintenance window.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24919668
Good.   Let me know how it goes.
0
 

Author Closing Comment

by:Avi8r
ID: 31603406
The crypto maps definitely need to be in the right order!  The crypto map priority can be changed under "Configuration, Site-to-Site VPN, Advanced, Crypto Maps".  

Thanks for the help!
0