ASA5505 VPN overlapping traffic selection
Posted on 2009-07-14
Can I overlap VPN traffic selection subnets?
I have a triangle of 3 ASA5505s running version 8.x. A very large number of subnets, and the internet, are behind the main unit (we'll call it unit 1). Units 2 and 3 connect into unit 1 fine. The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".
The problem arises when I set up a VPN between units 2 and 3. Since the "local subnet" for both units 2 and 3 is included in "ANY" (hitting the traffic selection for the unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.
I tried inserting a "don't protect the other unit's subnet" statement before the "local subnet to ANY" line on units 2 and 3, hoping it would skip to the second traffic selection rule, but it did not work. (i.e. on unit 3, don't tunnel traffic bound for unit 2 in the unit 1 tunnel)
Any ideas are appreciated. Thanks. Mike
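To make the overlap in the question concrete, here is an added example (not from the original post or from Cisco) that models traffic selection as first-match evaluation of crypto map entries in ascending sequence order, with a matching deny falling through to the next entry. The model, the unit subnets and the addresses are all constructed assumptions, not the ASA's actual matching logic; it shows why a "local to ANY" selector evaluated before a more specific one swallows the unit 2 traffic.

```python
"""Simplified first-match model of overlapping IPsec traffic selectors.

Assumption: crypto map entries are tried in ascending sequence order and the
first entry whose ACL permits the flow decides the peer; a matching deny in an
entry's ACL skips to the next entry. Subnets and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class CryptoMapEntry:
    seq: int
    peer: str
    acl: list  # (action, src_net, dst_net) tuples, action is "permit" or "deny"


def select_peer(entries, src_ip, dst_ip):
    """Return the peer whose tunnel a src->dst flow would use, or None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in sorted(entries, key=lambda e: e.seq):
        for action, s, d in entry.acl:
            if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
                if action == "permit":
                    return entry.peer
                break  # deny: this entry does not protect the flow, try the next
    return None  # no selector matched: not tunnelled by any entry


UNIT2_LAN = "10.2.0.0/24"   # constructed
UNIT3_LAN = "10.3.0.0/24"   # constructed
ANY = "0.0.0.0/0"

# Unit 3 as described in the post: "local to ANY" toward unit 1 first,
# with the unit 2 selector added after it.
posted = [
    CryptoMapEntry(10, "unit1", [("permit", UNIT3_LAN, ANY)]),
    CryptoMapEntry(20, "unit2", [("permit", UNIT3_LAN, UNIT2_LAN)]),
]

# Same selectors, but the more specific one is evaluated first.
reordered = [
    CryptoMapEntry(10, "unit2", [("permit", UNIT3_LAN, UNIT2_LAN)]),
    CryptoMapEntry(20, "unit1", [("permit", UNIT3_LAN, ANY)]),
]

if __name__ == "__main__":
    print(select_peer(posted, "10.3.0.5", "10.2.0.7"))         # unit1
    print(select_peer(reordered, "10.3.0.5", "10.2.0.7"))      # unit2
    print(select_peer(reordered, "10.3.0.5", "198.51.100.10"))  # unit1
```

In the "posted" order every unit 3 flow, including traffic for unit 2, is claimed by the unit 1 entry, so the unit 2 tunnel never sees a flow that would trigger it.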