Solved

ASA5505 VPN overlapping traffic selection

Posted on 2009-07-14
6
848 Views
Last Modified: 2012-05-07
Can I overlap VPN traffic selection subnets?

I have a triangle of 3 ASA5505s running version 8.x.  A very large amount of subnets, and the internet, are behind the main unit (we'll call it unit 1).  Unit 2 and 3 connect into unit 1 fine.  The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".  

The problem arises when I set up a VPN between units 2 and 3.  Since the "local subnet" for both unit 2 and 3 are included in "ANY" (hitting the traffic selection for unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.  

I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY" line on units 2 and 3 hoping it would skip to the second traffic selection rule, but it did not work.  (i.e. on unit 3, don't tunnel traffic for bound for unit 2 in the unit 1 tunnel)

Any ideas are appreciated.  Thanks.  Mike
0
Comment
Question by:Avi8r
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24852705
<I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY">

Do you mean you tried adding a deny before the permit?  Something like this?

Access-list crypto_1 deny <local subnet> <site 3 subnet>
Access-list crypto_1 permit <local_subnet> any


Remember the crypto maps need to match exactly.  

As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list.


0
 

Author Comment

by:Avi8r
ID: 24852852
"As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list."

How do I bump them up?  I do everything through ASDM and the "move up" buttons are grayed out.  


0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24853085
Not sure how to move it, but you can recreate it I think.  

In the ASDM, try using CONFIGURATION - SITE to SITE VPN - Advanced - Crypto map        Then click Add in the rules window and create the new IPSEC rule with priority 1 (or something higher than the original Site 1 rule).    You'll need to tweak the VPN to use this instead, but it should match before the Site 1 traffic identifying rule and use that for establishing the tunnel.  

0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:Avi8r
ID: 24911039
Thanks Mike.  Will try this during my next maintenance window.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24919668
Good.   Let me know how it goes.
0
 

Author Closing Comment

by:Avi8r
ID: 31603406
The crypto maps definately need to be in the right order!  The crypto map priority can be changed under "Configuration, Site-to-Site VPN, Advanced, Crypto Maps.  

Thanks for the help!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question