Avi8r
asked on
ASA5505 VPN overlapping traffic selection
Can I overlap VPN traffic selection subnets?
I have a triangle of 3 ASA5505s running version 8.x. A very large number of subnets, and the internet, are behind the main unit (we'll call it unit 1). Units 2 and 3 connect into unit 1 fine. The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".
The problem arises when I set up a VPN between units 2 and 3. Since the "local subnet" for both units 2 and 3 is included in "ANY" (hitting the traffic selection for the unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.
I tried inserting a "don't protect the other unit's subnet" statement before the "local subnet to ANY" line on units 2 and 3, hoping it would skip to the second traffic selection rule, but it did not work. (i.e. on unit 3, don't tunnel traffic bound for unit 2 in the unit 1 tunnel)
Any ideas are appreciated. Thanks. Mike
ASKER
"As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list."
How do I bump them up? I do everything through ASDM and the "move up" buttons are grayed out.
ASKER CERTIFIED SOLUTION
ASKER
Thanks Mike. Will try this during my next maintenance window.
Good. Let me know how it goes.
ASKER
The crypto maps definitely need to be in the right order! The crypto map priority can be changed under "Configuration, Site-to-Site VPN, Advanced, Crypto Maps".
Thanks for the help!
Do you mean you tried adding a deny before the permit? Something like this?
access-list crypto_1 extended deny ip <local subnet> <local mask> <site 3 subnet> <site 3 mask>
access-list crypto_1 extended permit ip <local subnet> <local mask> any
Remember the crypto maps need to match exactly.
As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list.
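The ordering fix the thread settled on, written out as an ASA configuration for unit 3. This is an added example, not configuration from the original posts, and everything specific in it is an assumption: the crypto map is named outside_map and bound to interface outside, unit 3's LAN is 192.168.3.0/24, unit 2's LAN is 192.168.2.0/24, unit 2's outside address is 203.0.113.2, unit 1's is 203.0.113.1, and the transform set is ESP-AES-SHA. The syntax is the pre-8.4 form (8.4 and later spell the ISAKMP and transform-set keywords with ikev1). The ASA walks crypto map entries in ascending sequence number and hands a flow to the first entry whose ACL permits it, so the narrow unit 2 selector has to sit at a lower sequence number than the "local subnet to any" selector toward unit 1:

```cisco
! Added example, not from the thread. Names, addresses and the transform
! set are assumptions; substitute the real values for the deployment.
!
! Narrow selector: unit 3 LAN <-> unit 2 LAN.
access-list to_unit2 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
! Catch-all selector for everything else behind unit 1 (and the Internet).
access-list to_unit1 extended permit ip 192.168.3.0 255.255.255.0 any
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Sequence 10 is evaluated before sequence 20. With the numbers swapped,
! 192.168.3.0/24 -> 192.168.2.0/24 would match "any" in to_unit1, be sent
! toward unit 1, and the unit 2 tunnel would never be attempted.
crypto map outside_map 10 match address to_unit2
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address to_unit1
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! One L2L tunnel-group per peer; keys are placeholders.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <unit2-psk>
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <unit1-psk>
```

There is no command to renumber a crypto map entry in place, which is why ASDM's move buttons are no help once the catch-all entry already holds the low sequence number: remove that entry (`clear configure crypto map outside_map 10`, or `no` on each of its lines) and re-enter it under the higher number, then check the order with `show running-config crypto map`. After sending traffic from the unit 3 LAN to the unit 2 LAN, `show crypto ipsec sa peer 203.0.113.2` should show the SA forming with unit 2 rather than unit 1. Unit 2 needs the mirror image (its narrow entry toward unit 3 at the lower sequence number, its catch-all toward unit 1 above it), and the two ends' crypto ACLs for a given tunnel must be exact mirrors of each other. NAT exemption for the new subnet pair is not shown.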