cisco20 asked:
ASA5510 Is L2L VPN to same peer possible

Question: Is it possible to create two tunnels from an ASA to a Juniper ssg5 box using one internet connection?

Scenario: I have a site-to-site VPN already created but have 2 networks that need to traverse the VPN network using one internet connection. I created 2 tunnels on the ssg5 box, but can I add another one to the ASA using the same remote peer address (ssg5)?
muff:

You don't need a second VPN defined (normally).

You should be able to have multiple networks defined in the "interesting traffic" ACL for both ends.  They aren't limited to only a single network<->network.

If the ssg box requires a separate vpn definition per network, then you should be able to use a single definition still at the ASA end, with the two networks defined in the match-address acl.  You have probably noticed that you can only define a single peer per IP address, so make sure the pre-shared key is the same for both networks at the ssg end.
cisco20 (asker):
"You should be able to have multiple networks defined in the "interesting traffic" ACL for both ends"

One tunnel can have 2 networks traverse the VPN? I have never seen it done, therefore I'm not sure what the config should look like. I would much rather use only one tunnel from an admin standpoint but didn't know it could be done. Is some type of NATting required?
What would need to be natted?

Could you give more detail about the networks that need to go across the VPN?  You don't have to give the real IP addresses, just detail what is on either side of each peer.

It seems like I am missing something if you are thinking nat would be required.

Cheers.
cisco20 (asker):
Let me know if this helps, thanks for your input.

1. Network connection (1): L2L VPN over the internet

2. HQ - ASA 5510
   10.4.1.0/24 (server segment)

3. Remote Office - SSG5
   10.20.9.0/24 (network currently routing over the L2L VPN)
   10.30.5.0/24 (a couple of devices need to access the HQ server segment using only the L2L connection to HQ)
Texas_Billy:
To answer your question, yes, you can create a 2nd tunnel on your ASA for this traffic.

That said, you can just add the 2nd subnet, 10.30.5.0/24, to the two access-lists.  You have one access-list bound to the crypto map for the existing tunnel and specifying interesting traffic; you'd need to add this argument to that.  You also have an access-list that is in your nat (0) statement disabling NAT for these packets; you'll need to define this argument in that access-list as well.

But if all you want to accomplish is for both of the subnets at the Juniper side of this to be able to communicate with the hosts behind the ASA, just update the access-lists, you won't need to create a 2nd tunnel.  --TX
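As an added illustration (not posted by anyone in the thread), this is what the ASA 8.2-style configuration Texas_Billy describes looks like with the subnets cisco20 listed: one crypto map entry for the single SSG5 peer, with both remote subnets in the interesting-traffic ACL and in the nat 0 exemption ACL. The ACL names, crypto map name and sequence number, interface names, transform set, peer address 203.0.113.10 and the pre-shared key are assumed placeholders.

```text
! Interesting-traffic ACL bound to the crypto map: HQ server segment <-> both remote subnets.
! The ASA negotiates one IPsec SA per line, so each SSG5 proxy-ID pair maps to one line here.
access-list L2L_SSG5 extended permit ip 10.4.1.0 255.255.255.0 10.20.9.0 255.255.255.0
access-list L2L_SSG5 extended permit ip 10.4.1.0 255.255.255.0 10.30.5.0 255.255.255.0
!
! NAT exemption ACL (nat 0): the same pairs must appear here, otherwise traffic to the
! second subnet is translated before encryption and never matches the crypto ACL.
access-list NONAT extended permit ip 10.4.1.0 255.255.255.0 10.20.9.0 255.255.255.0
access-list NONAT extended permit ip 10.4.1.0 255.255.255.0 10.30.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 1 / phase 2 parameters (assumed values; must match the SSG5 proposals).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! A single crypto map entry for the single peer address; a second entry for the
! same peer is not needed (and only one peer definition per IP is allowed anyway).
crypto map OUTSIDE_MAP 10 match address L2L_SSG5
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per peer IP: if the SSG5 keeps two VPN definitions, both must use this key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <same-key-as-ssg5>
!
! Verification: "show crypto ipsec sa peer 203.0.113.10" should list two SAs, one per ACL line,
! with encaps/decaps counters increasing for 10.30.5.0/24 as well as 10.20.9.0/24.
```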
cisco20 (asker):
Ok I'm sure I can figure that part out since it can be done.

Not to make things more confusing, but what if 10.30.5.0/24 was used at all the sites (wasn't my design) that I will be configuring to communicate with the servers? What type of NATting, and where, would be needed, if it is even possible?
Whatever you need, it can be done with ASA, at least for the most part.  But what do you mean by "at all sites"?  To clarify, you have a hub-and-spoke vpn setup, is that it?  Meaning, you have site A, with your ASA.  Then you have sites B, C, D (however many, it doesn't matter), and at each of those sites, you have the subnet 10.30.5.0/24, and you want the ASA at site A to be able to communicate with that same subnet behind each of the remote peers, is that accurate?  If so, answer this:

Do you need any hairpinning?  I.e., does subnet 10.30.5.0/24 at site B need to be able to hit the ASA at site A, bounce off of site A and go through its vpn tunnel to communicate with 10.30.5.0/24 at site C?

Sounds to me like you need to enable a groovy thing called Policy NAT. https://supportforums.cisco.com/docs/DOC-1692;jsessionid=75741D71D87FBA284B956C535E38998E.node0

--TX
cisco20 (asker):
Yes, you are correct, except for the part that it needs to bounce off of site A and then route to site C, D or others. What I meant by all sites is that every site (B, C and D) is using the same exact IP address for that device, and they all need to hit the same server behind the ASA. Do you see what I mean?

All sites B, C and D need to do is hit the ASA and talk to the server behind the ASA. Is the solution still policy NAT?
Yep, policy nat is the way to go.  Cisco has a great tutorial on configuring it, it's a .pdf doc.  Here is a link to it, provided you're on ASA 8.2 code.  If you're not, I recommend you upgrade to this version first, it is a really stable version, perfect for this.  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

Do not try to set this up on any ASA version prior to 8.x, 7.x version(s) of ASA code are not good for this.

I'd tell you the config, but if you read the "policy nat" section of this doc, you'll see there's different ways you can do this, you'll need to decide for yourself what is the best way.  It's actually quite simple, I think you'll have good results for it.  The diagram appears to be your exact problem, and then config examples are how to solve it.  Best, TX
ASKER CERTIFIED SOLUTION: Texas_Billy (solution text not available on this page)
cisco20 (asker):
Thanks Tex - Definitely good links and at least now I know I'm heading in the right direction.

Thanks again.
Of course it doesn't need to be pointed out that you should re-address each site to have its own IP range.

NAT will solve your problem for now, but you can guarantee that things will get more complicated down the line and having the overlaps will become more and more troublesome.

If I were you I would keep quiet about policy NAT and insist it cannot be done until the address ranges are rationalised.  The earlier it is done the better.

Oh, thanks for the assist points :)  TB snuck in while I was sleeping I see.