site to site vpn tunnel with multiple subnets at one end.

  • site to site vpn tunnel with multiple subnets at one end.

    Hello everyone,

    I have a site to site vpn tunnel established from siteA to siteB (SiteA with local net as 192.168.0.0/255.255.252.0 and siteB with local net as 172.1.0.0/255.255.0.0) successfully. Now we recently added a new subnet 172.10.0.0/16 at siteB. For this I have added the acl to pass 172.10.0.0/16 traffic through the vpn tunnel and found that only one network is active in the vpn tunnel at a time.

    Unable to access both networks (172.1 and 172.10) at the same time.

    I have a pix525 at SiteA and a GTAFirewall at SiteB.

    Below is the configuration I have; can anybody please suggest how to resolve this problem.

    -----------------------
    PIX Version 6.3(4)


    access-list 103 permit ip 192.168.0.0 255.255.252.0 172.1.0.0 255.255.0.0
    access-list 103 permit ip 192.168.0.0 255.255.0.0 172.10.0.0 255.255.0.0

    access-list pix-gta0 permit ip 192.168.0.0 255.255.252.0 172.1.0.0 255.255.0.0

    access-list pix-gta1 permit ip 192.168.0.0 255.255.252.0 172.10.0.0 255.255.0.0


    nat (inside) 0 access-list 103
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    sysopt connection permit-ipsec


    crypto ipsec transform-set pix-gtaset0 esp-des esp-md5-hmac
    crypto ipsec transform-set pix-gtaset1 esp-des esp-md5-hmac

    crypto map outside_map_1 10 ipsec-isakmp
    crypto map outside_map_1 10 match address pix-gta0
    crypto map outside_map_1 10 set peer "GTA firewall IP x.x.x.x"
    crypto map outside_map_1 10 set transform-set pix-gtaset0

    crypto map outside_map_1 30 ipsec-isakmp
    crypto map outside_map_1 30 match address pix-gta1
    crypto map outside_map_1 30 set peer "GTA firewall IP x.x.x.x"
    crypto map outside_map_1 30 set transform-set pix-gtaset1

    crypto map outside_map_1 interface outside

    isakmp enable outside


    isakmp key ******** address "GTA firewall IP x.x.x.x" netmask 255.255.255.255 no-xauth no-config-mode

    isakmp identity address
    isakmp keepalive 15 5
    isakmp nat-traversal 20

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400


    -------------------------------------

    For any further info, please let me know.
    Your help is greatly appreciated.

    Thanks
    Srini

  • #2
    Re: site to site vpn tunnel with multiple subnets at one end.

    You seem to have created two separate tunnels rather than just adding to the original?
    Why not delete the second and change

    access-list pix-gta0 permit ip 192.168.0.0 255.255.252.0 172.1.0.0 255.255.0.0
    access-list pix-gta1 permit ip 192.168.0.0 255.255.252.0 172.10.0.0 255.255.0.0

    for

    access-list pix-gta0 permit ip 192.168.0.0 255.255.252.0 172.1.0.0 255.255.0.0
    access-list pix-gta0 permit ip 192.168.0.0 255.255.252.0 172.10.0.0 255.255.0.0

    assuming it all works at the GTA end.
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: site to site vpn tunnel with multiple subnets at one end.

      First of all, thank you so much for the response, Guru.

      As suggested, I did that but GTA does not support that.

      GTA support confirmed that while a single tunnel can handle connections from either of these networks – it doesn’t support them simultaneously. One will always have to drop to allow the other to connect.

      Therefore I created another tunnel and enabled NAT-T. So 2 tunnels with the exact same configuration etc., but one with NAT-T enabled. Still no luck.

      Thanks
      Srini



      • #4
        Re: site to site vpn tunnel with multiple subnets at one end.

        I don't believe the PIX/ASA supports 2 tunnels from the same source IP.

        Maybe you could just change your subnet mask so it includes both?

        172.1.0.0 255.240.0.0 ?
        cheers
        Andy

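An added check, written for this thread and not code from either firewall vendor: it parses the crypto map and ACL lines posted above (with a constructed 203.0.113.1 standing in for the real peer address), flags crypto map entries that share one peer as Andy describes in #2, builds the merged single ACL he proposes there, and computes the covering supernet behind the 255.240.0.0 mask from #4.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample: crypto-relevant lines of the thread's PIX 6.3 config; the
# documentation-range address 203.0.113.1 stands in for the real "x.x.x.x" peer.
SAMPLE_CONFIG = """
access-list pix-gta0 permit ip 192.168.0.0 255.255.252.0 172.1.0.0 255.255.0.0
access-list pix-gta1 permit ip 192.168.0.0 255.255.252.0 172.10.0.0 255.255.0.0
crypto map outside_map_1 10 ipsec-isakmp
crypto map outside_map_1 10 match address pix-gta0
crypto map outside_map_1 10 set peer 203.0.113.1
crypto map outside_map_1 30 ipsec-isakmp
crypto map outside_map_1 30 match address pix-gta1
crypto map outside_map_1 30 set peer 203.0.113.1
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)$")

def parse(config):
    """acls: ACL name -> [(local_net, remote_net)]; entries: seq -> {acl, peer}."""
    acls, entries = defaultdict(list), defaultdict(dict)
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, la, lm, ra, rm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{la}/{lm}"),
                               ipaddress.ip_network(f"{ra}/{rm}")))
        elif m := MAP_RE.match(line):
            seq, kind, value = m.groups()
            entries[int(seq)]["acl" if kind == "match address" else "peer"] = value
    return acls, entries

def duplicate_peer_entries(entries):
    """{peer: [seq, ...]} for peers used by more than one crypto map entry (Andy's point in #2)."""
    by_peer = defaultdict(list)
    for seq, e in sorted(entries.items()):
        by_peer[e["peer"]].append(seq)
    return {peer: seqs for peer, seqs in by_peer.items() if len(seqs) > 1}

def merged_acl(acls, names, new_name):
    """Andy's fix from #2: every ACE of the listed ACLs under one name, for one crypto map entry."""
    return [f"access-list {new_name} permit ip {loc.network_address} {loc.netmask} "
            f"{rem.network_address} {rem.netmask}"
            for name in names for loc, rem in acls[name]]

def covering_supernet(acls, names):
    """Andy's alternative from #4: smallest single prefix containing every remote subnet."""
    remotes = [rem for name in names for _, rem in acls[name]]
    net = remotes[0]
    while not all(r.subnet_of(net) for r in remotes):  # widen until every remote fits
        net = net.supernet()
    return net
```

Note that the covering prefix for 172.1.0.0/16 and 172.10.0.0/16 is 172.0.0.0/12 (mask 255.240.0.0), so the network address to configure is 172.0.0.0 rather than 172.1.0.0, and it also admits 172.0.x through 172.15.x traffic into the tunnel.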


        • #5
          Re: site to site vpn tunnel with multiple subnets at one end.

          Yes, you are right.
          I am not creating a 2nd tunnel; in fact I am using a "crypto map 30" with the same isakmp policy which is used by the 1st tunnel. And I wanted to apply nat-traversal to one of the networks, as I read somewhere that enabling nat-traversal is the solution for the second subnet.

          And coming to your solution, having a single subnet as 172.1.0.0/255.240.0.0 is an option, but I just wanted to make sure whether what we are trying to do is possible.

          Thanks
          Srini



          • #6
            Re: site to site vpn tunnel with multiple subnets at one end.

            I don't honestly know. I've not tried it that way!
            Might be worth waiting to see if anyone else has input.
            cheers
            Andy
