ASA5510 Is L2L VPN to same peer possible

Question: Is it possible to create two tunnels from an ASA to a Juniper ssg5 box using one internet connection?

Scenario: I have a site-to-site VPN already created but have 2 networks that need to traverse the VPN network using one internet connection. I created 2 tunnels on the ssg5 box, but can I add another one to the ASA using the same remote peer address (ssg5)?
cisco20Asked:

muffCommented:
You don't need a second VPN defined (normally).

You should be able to have multiple networks defined in the "interesting traffic" ACL for both ends.  They aren't limited to only a single network<->network.

If the ssg box requires a separate vpn definition per network, then you should be able to use a single definition still at the ASA end, with the two networks defined in the match-address acl.  You have probably noticed that you can only define a single peer per IP address, so make sure the pre-shared key is the same for both networks at the ssg end.
0
cisco20Author Commented:
"You should be able to have multiple networks defined in the "interesting traffic" ACL for both ends"

One tunnel can have 2 networks traverse the VPN? I have never seen it done, therefore I'm not sure what the config should look like. I would much rather use only one tunnel from an admin standpoint but didn't know it can be done. Is some type of NATting required?
0
muffCommented:
What would need to be natted?

Could you give more detail about the networks that need to go across the VPN?  You don't have to give the real IP addresses, just detail what is on either side of each peer.

It seems like I am missing something if you are thinking nat would be required.

Cheers.
0

cisco20Author Commented:
Let me know if this helps, thanks for your input.

1. Network connection (1) L2L VPN over internet

2. HQ - ASA 5510
10.4.1.0/24 (server segment)

3. Remote Office - SSG5
10.20.9.0/24 (network currently routing over L2L vpn)
10.30.5.0/24 (a couple devices need to access the HQ server segment using only the L2L connection to HQ)
0
Texas_BillyCommented:
To answer your question, yes, you can create a 2nd tunnel on your ASA for this traffic.  

That said, you can just add the 2nd subnet, 10.30.5.0/24 to the two access-lists.  You have one access-list bound to the crypto map for the existing tunnel and specifying interesting traffic, you'd need to add this argument to that.  You also have an access-list that is in your nat (0) statement disabling NAT for these packets, you'll need to define this argument in that access-list as well.  

But if all you want to accomplish is for both of the subnets at the Juniper side of this to be able to communicate with the hosts behind the ASA, just update the access-lists, you won't need to create a 2nd tunnel.  --TX
0
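The two ACL changes Texas_Billy describes, written out as an added illustration in ASA 8.2 syntax (not the poster's configuration and not from the thread). The subnets are the ones given above; the interface names (inside/outside), the ACL names VPN-TRAFFIC and NONAT, the object-group name, and the crypto map name and sequence number (OUTSIDE-MAP 10) are assumed, and the crypto map entry is assumed to already carry its peer and transform-set from the existing tunnel:

```cisco
! Added example, not the poster's running config. Interface, ACL, object-group
! and crypto map names are assumed; the subnets come from the thread.
!
! Group the two remote subnets behind the SSG5 so both ACLs stay in sync.
object-group network REMOTE-SSG5-NETS
 network-object 10.20.9.0 255.255.255.0
 network-object 10.30.5.0 255.255.255.0
!
! Interesting-traffic ACL bound to the crypto map: one tunnel, two remote subnets.
! Each network pair becomes its own proxy-ID / IPsec SA under the single IKE SA,
! so the SSG5 side must present matching proxy-IDs for both subnets.
access-list VPN-TRAFFIC extended permit ip 10.4.1.0 255.255.255.0 object-group REMOTE-SSG5-NETS
!
! NAT exemption (nat 0): the same pairs must bypass dynamic PAT so the private
! source addresses enter the tunnel untranslated and match the remote proxy-ID.
access-list NONAT extended permit ip 10.4.1.0 255.255.255.0 object-group REMOTE-SSG5-NETS
nat (inside) 0 access-list NONAT
!
! Existing crypto map entry; only the match-address line is shown. The peer and
! transform-set lines from the current tunnel are assumed to remain unchanged.
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
```

After applying this, `show crypto isakmp sa` should still list a single IKE SA to the SSG5 peer, while `show crypto ipsec sa` should show a separate IPsec SA pair for each local/remote subnet combination once traffic has been generated for it; a subnet that never comes up is usually a proxy-ID mismatch on the Juniper side or a missing NONAT entry on the ASA.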
cisco20Author Commented:
Ok, I'm sure I can figure that part out since it can be done.

Not to make things more confusing, but what if 10.30.5.0/24 was used at all the sites (wasn't my design) I will be configuring to communicate with servers? What type of NATting, and where, would be needed, if it is even possible?
0
Texas_BillyCommented:
Whatever you need, it can be done with ASA, at least for the most part.  But what do you mean by "at all sites"?  To clarify, you have a hub-and-spoke vpn setup, is that it?  Meaning, you have site A, with your ASA.  Then you have sites B, C,D (however many, it doesn't matter), and at each of those sites, you have the subnet 10.30.5.0/24, and you want the ASA at site A to be able to communicate with that same subnet behind each of the remote peers, is that accurate?  If so, answer this:

Do you need any hairpinning?  I.e., does subnet 10.30.5.0/24 at site B need to be able to hit the ASA at site A, bounce off of site A and go through its vpn tunnel to communicate with 10.30.5.0/24 at site C?

Sounds to me like you need to enable a groovy thing called Policy NAT. https://supportforums.cisco.com/docs/DOC-1692;jsessionid=75741D71D87FBA284B956C535E38998E.node0

--TX
0
cisco20Author Commented:
Yes, you are correct except for the part that it needs to bounce off of site A and then route to site C, D or others. What I meant by all sites is that every site (B, C and D) is using the same exact IP address for that device and they all need to hit the same server behind the ASA. Do you see what I mean?

- All sites B,C and D need to do is hit the ASA and talk to the server behind the ASA. Is the solution still policy NAT ?
0
Texas_BillyCommented:
Yep, policy nat is the way to go.  Cisco has a great tutorial on configuring it, it's a .pdf doc.  Here is a link to it, provided you're on ASA 8.2 code.  If you're not, I recommend you upgrade to this version first, it is a really stable version, perfect for this.  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

Do not try to set this up on any ASA version prior to 8.x, 7.x version(s) of ASA code are not good for this.  

I'd tell you the config, but if you read the "policy nat" section of this doc, you'll see there's different ways you can do this, you'll need to decide for yourself what is the best way.  It's actually quite simple, I think you'll have good results for it.  The diagram appears to be your exact problem, and then config examples are how to solve it.  Best, TX  
0
Texas_BillyCommented:
Here's another good link specifying overlapping subnets with policy nat:  https://supportforums.cisco.com/thread/227731.pdf;jsessionid=1B8B5F440AA2440C38838B9A7751D555.node0

The help at the bottom is quite good, very specific.  --TX
0

cisco20Author Commented:
Thanks Tex - Definitely good links, and at least now I know I'm heading in the right direction.

Thanks again.
0
muffCommented:
Of course it doesn't need to be pointed out that you should re-address each site to have its own IP range.

NAT will solve your problem for now, but you can guarantee that things will get more complicated down the line and having the overlaps will become more and more troublesome.  

If I were you I would keep quiet about policy NAT and insist it cannot be done until the address ranges are rationalised.  The earlier it is done the better.

Oh, thanks for the assist points :)  TB snuck in while I was sleeping I see.
0