Hello,
I have run into a situation where I have two partners that are using the same LAN address. I need to set up a site-to-site IPSec VPN for both of them and would like to do most of the heavy lifting on my ASA 5540.
I have one tunnel established already using my normal method of adding the following lines to my router:
\\ PARTNER A
\\ AAA = Access list number
\\ LLL.LLL.LLL.LLL = partner's local LAN network address
\\ PPP.PPP.PPP.PPP = partner's public IP address.
access-list AAA extended permit ip 10.0.0.0 255.255.255.0 LLL.LLL.LLL.LLL 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 LLL.LLL.LLL.LLL 255.255.255.0
crypto map ACME AAA match address AAA
crypto map ACME AAA set peer PPP.PPP.PPP.PPP
crypto map ACME AAA set transform-set 3sha
crypto map ACME AAA set security-association lifetime seconds 28800
crypto map ACME AAA set security-association lifetime kilobytes 4608000
tunnel-group PPP.PPP.PPP.PPP type ipsec-l2l
tunnel-group PPP.PPP.PPP.PPP ipsec-attributes
pre-shared-key kaker876987JKAS
Partner B is using the same LLL.LLL.LLL.LLL, so how would I go about making sure the traffic is routed to the correct tunnel? Would that occur just by creating an additional crypto map and then matching it to the address in a different access list? Sorry if this is confusing. I'm a little confused myself. Do I need to do any NATing on my end to accomplish this goal? I'm not sure if it matters, but traffic will not need to route between the two partners. Thanks for any and all help!