ASA5505 VPN overlapping traffic selection

Can I overlap VPN traffic selection subnets?

I have a triangle of 3 ASA5505s running version 8.x.  A very large amount of subnets, and the internet, are behind the main unit (we'll call it unit 1).  Unit 2 and 3 connect into unit 1 fine.  The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".  

The problem arises when I set up a VPN between units 2 and 3.  Since the "local subnet" for both unit 2 and 3 are included in "ANY" (hitting the traffic selection for unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.  

I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY" line on units 2 and 3 hoping it would skip to the second traffic selection rule, but it did not work.  (i.e. on unit 3, don't tunnel traffic for bound for unit 2 in the unit 1 tunnel)

Any ideas are appreciated.  Thanks.  Mike
Avi8rAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MikeKaneCommented:
<I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY">

Do you mean you tried adding a deny before the permit?  Something like this?

Access-list crypto_1 deny <local subnet> <site 3 subnet>
Access-list crypto_1 permit <local_subnet> any


Remember the crypto maps need to match exactly.  

As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list.


0
Avi8rAuthor Commented:
"As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list."

How do I bump them up?  I do everything through ASDM and the "move up" buttons are grayed out.  


0
MikeKaneCommented:
Not sure how to move it, but you can recreate it I think.  

In the ASDM, try using CONFIGURATION - SITE to SITE VPN - Advanced - Crypto map        Then click Add in the rules window and create the new IPSEC rule with priority 1 (or something higher than the original Site 1 rule).    You'll need to tweak the VPN to use this instead, but it should match before the Site 1 traffic identifying rule and use that for establishing the tunnel.  

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

Avi8rAuthor Commented:
Thanks Mike.  Will try this during my next maintenance window.
0
MikeKaneCommented:
Good.   Let me know how it goes.
0
Avi8rAuthor Commented:
The crypto maps definately need to be in the right order!  The crypto map priority can be changed under "Configuration, Site-to-Site VPN, Advanced, Crypto Maps.  

Thanks for the help!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.