Solved

ASA5505 VPN overlapping traffic selection

Posted on 2009-07-14
829 Views
Last Modified: 2012-05-07
Can I overlap VPN traffic selection subnets?

I have a triangle of 3 ASA5505s running version 8.x.  A very large amount of subnets, and the internet, are behind the main unit (we'll call it unit 1).  Unit 2 and 3 connect into unit 1 fine.  The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".  

The problem arises when I set up a VPN between units 2 and 3.  Since the "local subnet" for both unit 2 and 3 are included in "ANY" (hitting the traffic selection for unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.  

I tried inserting a "don't protect the other unit's subnet" statement before the "local subnet to ANY" line on units 2 and 3, hoping it would skip to the second traffic selection rule, but it did not work.  (i.e. on unit 3, don't tunnel traffic bound for unit 2 in the unit 1 tunnel)

Any ideas are appreciated.  Thanks.  Mike
Question by:Avi8r
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24852705
"I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY""

Do you mean you tried adding a deny before the permit?  Something like this?

access-list crypto_1 extended deny ip <local subnet> <site 3 subnet>
access-list crypto_1 extended permit ip <local subnet> any


Remember the crypto maps need to match exactly.  

As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list.


Author Comment

by:Avi8r
ID: 24852852
"As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list."

How do I bump them up?  I do everything through ASDM and the "move up" buttons are grayed out.  


LVL 33

Accepted Solution

by: MikeKane (earned 500 total points)
ID: 24853085
Not sure how to move it, but you can recreate it I think.  

In the ASDM, try using CONFIGURATION - SITE to SITE VPN - Advanced - Crypto Maps.  Then click Add in the rules window and create the new IPSEC rule with priority 1 (or something higher than the original Site 1 rule).  You'll need to tweak the VPN to use this instead, but it should match before the Site 1 traffic identifying rule and use that for establishing the tunnel.  

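As an added illustration of the ordering the accepted answer describes (this is a constructed example, not configuration from the thread; the subnets, peer addresses, ACL names and transform-set name are assumed), here is what unit 3's crypto map looks like once the unit 2 entry is given a lower sequence number than the "local to ANY" entry for unit 1. The ASA evaluates crypto map entries in ascending sequence order and uses the first match, so traffic from unit 3's LAN to unit 2's LAN is now selected for the unit 2 peer instead of being swallowed by the `any` rule:

```cisco
! Unit 3 (assumed LAN 10.3.0.0/24); unit 2 LAN assumed 10.2.0.0/24
! Peer addresses are documentation-range placeholders (RFC 5737)

! Specific selector for the unit 2 tunnel
access-list UNIT2_VPN extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! Catch-all selector for the unit 1 tunnel (everything else behind unit 1)
access-list UNIT1_VPN extended permit ip 10.3.0.0 255.255.255.0 any

! Sequence 10: more specific entry, evaluated first
crypto map outside_map 10 match address UNIT2_VPN
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA

! Sequence 20: "local to ANY" entry for unit 1, evaluated only if seq 10 did not match
crypto map outside_map 20 match address UNIT1_VPN
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-AES-128-SHA

crypto map outside_map interface outside
```

Unit 2 needs the mirror image (its own LAN as source, 10.3.0.0/24 as destination in its `UNIT3_VPN` ACL, again at a lower sequence than its unit 1 entry), since the crypto ACLs on both peers must match exactly; `show running-config crypto map` confirms the resulting order.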
Author Comment

by:Avi8r
ID: 24911039
Thanks Mike.  Will try this during my next maintenance window.
LVL 33

Expert Comment

by:MikeKane
ID: 24919668
Good.   Let me know how it goes.
Author Closing Comment

by:Avi8r
ID: 31603406
The crypto maps definitely need to be in the right order!  The crypto map priority can be changed under "Configuration, Site-to-Site VPN, Advanced, Crypto Maps".  

Thanks for the help!