ASA cannot create multiple tunnels to the same peer address?


This topic contains 4 replies, has 3 voices, and was last updated by sharkii 2 years, 3 months ago.

    dkraut
    Member
    #159120

    We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices. I need these sites to be able to connect to multiple discontiguous internal subnets at our main office. This was easily done between Smoothwall and Linksys with only a single external IP address on each side. You create a separate tunnel on each end for each subnet pair and voila, you're done. However, when I tried this on our newly installed ASA 5510, it will not let me create multiple tunnels to the same remote peer address. This is a problem since these sites only have a single static public IP address. Am I missing something, or does the ASA not allow connections to/from multiple subnets from a site with a single peer address?

    Anonymous
    #373246

    Re: ASA cannot create multiple tunnels to the same peer address?

    I don't think this will work, as you can't specify the same peer in two different tunnel groups. Also, there really isn't a need to set up two tunnels. Why not create your proxy ACL to cover all the subnets you need to protect? The only reason to do this is for redundancy, but for that you would need two ASAs and two public IPs for a failover scenario. It's not so much a limitation of the ASA as a design issue. There really isn't a reason to implement this when it can be done over one tunnel.

    I guess if the remote end didn't let you specify multiple subnets to protect, then I can see why you would want to do this, but that's the remote device's limitation, not the ASA's.
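The single-tunnel design the reply above describes, written out as an added example (not configuration posted by anyone in this thread). All addresses are made up: main-office subnets 10.1.0.0/24 and 10.5.0.0/24 behind the ASA, remote LAN 192.168.10.0/24, remote peer 203.0.113.10. The syntax is the pre-8.4 form an ASA 5510 of that era would run; the 8.4+ equivalents are noted after the block.

```cisco
! Added example, not from the thread: one site-to-site tunnel on an ASA whose
! proxy ACL covers two discontiguous main-office subnets. Addresses are made up:
!   main office (behind the ASA): 10.1.0.0/24 and 10.5.0.0/24
!   remote site LAN:              192.168.10.0/24
!   remote peer public address:   203.0.113.10
! Syntax is the pre-8.4 (8.2-era) form; see the notes below for 8.4+.

! Phase 1: one IKE SA to the peer. The tunnel-group is keyed on the peer
! address, which is why the same peer cannot appear in two tunnel-groups.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <replace-with-a-long-random-key>

! Phase 2: one crypto map entry, one proxy ACL with one ACE per subnet pair.
! The ASA negotiates a separate IPsec SA for each ACE, all under the single
! IKE SA above, so both subnets are reachable through one tunnel.
access-list VPN-SITE-A extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-SITE-A extended permit ip 10.5.0.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN-SITE-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! NAT exemption so VPN traffic is not translated (pre-8.3 syntax).
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 10.5.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Verification after sending traffic from each subnet: expect one IKE SA and
! two IPsec SAs (one per ACE) for this peer.
! show crypto isakmp sa
! show crypto ipsec sa peer 203.0.113.10
```

On ASA 8.4 and later the same configuration uses `crypto ikev1 enable outside`, `crypto ikev1 policy`, `crypto ipsec ikev1 transform-set`, `set ikev1 transform-set` and `ikev1 pre-shared-key` under the tunnel-group; on 8.3+ the NAT exemption becomes a twice-NAT rule (`nat (inside,outside) source static ... destination static ...`). The caveat that matters for this thread: each ACE becomes a separate phase 2 proposal, so the remote device must be willing to accept both subnet pairs from one peer. A box that only allows one subnet per tunnel will reject the second proposal, which is the remote-side limitation the reply describes, not something the ASA can work around.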

    dkraut
    Member
    #361420

    Re: ASA cannot create multiple tunnels to the same peer address?

    Yep, roger that. Unfortunately it's just a different method of site-to-site VPN implementation between the ASA and the WRVS4400N. The WRV will not let me supply anything other than a single subnet per tunnel, so I'm hosed. I tried casting a wider net, 10.0.0.0/12, but the WRV complained that the remote and local security groups cannot be in the same network. I'm checking to see if I can obtain an ASA for the other site.

    Anonymous
    #373248

    Re: ASA cannot create multiple tunnels to the same peer address?

    Yeah a small 5505 would do the job.

    sharkii
    Member
    #391832

    Can anyone finally answer whether you can specify the same peer IP address in different crypto map entries on a Cisco ASA?
    I tried on my Cisco ASA 5508-X and I didn't get any error message.
    I really don't know if it would work fine in a real connection (I did not bring the tunnel up to try it) because it would get two SAs over the same tunnel.
    Thanks
