ASA cannot create multiple tunnels to the same peer address?

  • ASA cannot create multiple tunnels to the same peer address?

    We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices. I need these sites to be able to connect to multiple discontiguous internal subnets at our main office. This was easily done between Smoothwall and Linksys with only a single external IP address on each side. You create a separate tunnel on each end for each subnet pair and voila, you're done. However, when I tried this on our newly installed ASA 5510, it will not let me create multiple tunnels to the same remote peer address. This is a problem since these sites only have a single static public IP address. Am I missing something, or does the ASA not allow connections to/from multiple subnets from a site with a single peer address?
    Last edited by dkraut; 25th June 2012, 01:54.

  • #2
    Re: ASA cannot create multiple tunnels to the same peer address?

    Don't think this will work, as you can't specify the same peer in 2 different tunnel groups. Also, there really isn't a need to set up 2 tunnels. Why not create your proxy ACL to cover all the subnets you need to protect? The only reason to do this is for redundancy, but for that you would need 2 ASAs and 2 public IPs for a failover scenario. It's not so much a limitation of the ASA but a design issue. There really isn't a reason to implement this when it can be done over one tunnel.

    I guess if the remote end didn't let you specify multiple subnets to protect, then I can see why you would want to do this, but that's the remote device's limitation, not the ASA's.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

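    As an added example, not configuration from the thread or from any of the posters: the single-tunnel design suggested in #2, written out in ASA 8.4+ syntax. All addresses are constructed placeholders (remote peer 203.0.113.10 with LAN 192.168.50.0/24; head-office subnets 10.1.0.0/16 and 10.20.0.0/24), and the object, ACL and crypto map names are assumptions. The crypto ACL carries one entry per subnet pair, so both head-office subnets ride one tunnel to one peer; the NAT exemption mirrors it.

```cisco
! Constructed example (not from the thread): one IKEv1 site-to-site tunnel on an
! ASA (8.4+ syntax) whose crypto ACL covers two discontiguous head-office subnets.
! Assumed addresses: remote peer 203.0.113.10 with LAN 192.168.50.0/24;
! head-office subnets 10.1.0.0/16 and 10.20.0.0/24 (placeholders).

! The crypto ACL is the tunnel's authorization boundary: list exactly the subnet
! pairs that may use it, one ACE per pair, rather than a wide summary route.
! Each ACE negotiates its own IPsec SA pair under the single IKE SA, so the
! remote device must accept several Phase 2 selectors per peer.
access-list VPN-SITE-A extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN-SITE-A extended permit ip 10.20.0.0 255.255.255.0 192.168.50.0 255.255.255.0

! NAT exemption must mirror the crypto ACL; otherwise traffic is translated
! before the crypto map sees it and never matches the selectors.
object-group network HQ-VPN-NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.255.0
object network SITE-A-LAN
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static HQ-VPN-NETS HQ-VPN-NETS destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup

! Phase 1 and Phase 2 parameters (AES/SHA rather than DES/MD5).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry per peer: peer address, crypto ACL and transform set.
! No second entry with the same "set peer" is needed; the ACL above already
! carries both subnets.
crypto map OUTSIDE_MAP 10 match address VPN-SITE-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! The tunnel-group is keyed on the peer address, which is why a second group
! for the same IP is refused.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

    To check that the tunnel actually carries both subnets, bring it up and look at `show crypto ikev1 sa` (expect one IKE SA for the peer) and `show crypto ipsec sa peer 203.0.113.10` (expect one IPsec SA pair per ACE, so two here, each with its own local/remote identity). If only one appears, the remote end accepted a single selector, which is the behaviour the thread describes for the WRVS4400N; the fix is on that side, not in adding a second crypto map entry for the same peer.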


    • #3
      Re: ASA cannot create multiple tunnels to the same peer address?

      Yep, roger that. Unfortunately it's just a different method of site-to-site VPN implementation between the ASA and the WRVS4400N. The WRV will not let me supply anything other than a single subnet per tunnel, so I'm hosed. I tried casting a wider net, 10.0.0.0/12, but the WRV complained that the remote and local security groups cannot be in the same network. I'm checking to see if I can obtain an ASA for the other site.



      • #4
        Re: ASA cannot create multiple tunnels to the same peer address?

        Yeah, a small 5505 would do the job.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Can anyone finally answer whether you cannot specify the same peer IP address in different crypto maps in a Cisco ASA?
          I tried in my Cisco ASA 5508-X and I didn't get any error message.
          I really don't know if it would work fine in a real connection (I did not bring the tunnel up to try it) because it would get two SAs over the same tunnel.
          Thanks
