Solved

ASA5505 VPN overlapping traffic selection

Posted on 2009-07-14
6
812 Views
Last Modified: 2012-05-07
Can I overlap VPN traffic selection subnets?

I have a triangle of 3 ASA5505s running version 8.x.  A very large amount of subnets, and the internet, are behind the main unit (we'll call it unit 1).  Unit 2 and 3 connect into unit 1 fine.  The traffic selection for the VPN on units 2 and 3 is "local subnet to ANY".  

The problem arises when I set up a VPN between units 2 and 3.  Since the "local subnet" for both unit 2 and 3 are included in "ANY" (hitting the traffic selection for unit 1 VPN), the session between units 2 and 3 will not even attempt to come up because it's hitting the "local to ANY" rule.  

I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY" line on units 2 and 3 hoping it would skip to the second traffic selection rule, but it did not work.  (i.e. on unit 3, don't tunnel traffic for bound for unit 2 in the unit 1 tunnel)

Any ideas are appreciated.  Thanks.  Mike
0
Comment
Question by:Avi8r
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24852705
<I tried inserting a "don't protect the other units subnet" statement before the "local subnet to ANY">

Do you mean you tried adding a deny before the permit?  Something like this?

Access-list crypto_1 deny <local subnet> <site 3 subnet>
Access-list crypto_1 permit <local_subnet> any


Remember the crypto maps need to match exactly.  

As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list.


0
 

Author Comment

by:Avi8r
ID: 24852852
"As another option, you could just try to make the Site2 to 3 vpn tunnels higher on the list so they execute 1st and move the original tunnel lower on the list."

How do I bump them up?  I do everything through ASDM and the "move up" buttons are grayed out.  


0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24853085
Not sure how to move it, but you can recreate it I think.  

In the ASDM, try using CONFIGURATION - SITE to SITE VPN - Advanced - Crypto map        Then click Add in the rules window and create the new IPSEC rule with priority 1 (or something higher than the original Site 1 rule).    You'll need to tweak the VPN to use this instead, but it should match before the Site 1 traffic identifying rule and use that for establishing the tunnel.  

0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:Avi8r
ID: 24911039
Thanks Mike.  Will try this during my next maintenance window.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24919668
Good.   Let me know how it goes.
0
 

Author Closing Comment

by:Avi8r
ID: 31603406
The crypto maps definately need to be in the right order!  The crypto map priority can be changed under "Configuration, Site-to-Site VPN, Advanced, Crypto Maps.  

Thanks for the help!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question