topic Re:Adding new network to IPsec VPN in Network Security

Adding new network to IPsec VPN

Ven Diesel — Mon, 11 Mar 2019 23:14:49 GMT

We are having a IPsec VPN Tunnel setup with client.

The far site gave access to a new range (a website basically hosting on their site)-10.40.36.173:8085

They allowed traffic across the tunnel from: 10.40.36.173:8085 to 10.20.42.0/23, 10.21.42.0/23, 192.168.42.0/24

From my end we are using 3 IP Ranges when sending traffic to farsite:

10.20.42.0/23

10.21.42.0/23
192.168.42.0/24

To make sure the traffic that is sent between both end points is sent across the tunnel encrypted and not via another channel the I want to write Crypto ACL configured on my side which was already mirrored on far end.

So I just logged on ASA CLI and went to global mode and added the ACL and no nat to access the destination point from all of our IP Ranges as below,

access-list nonat extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173

access-list nonat line 11 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173

access-list nonat line 11 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173

access-list xx line 4 extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173 (hitcnt=30) 0x30941176

access-list xx line 4 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176

access-list xx line 4 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176

I cant access though from any of the range but can access all previous configured tools, basically newbee to firewall any help much appreciated

I hope I have not confused anyone, if anyone has any questions please let me know, I look forward for your valuable response,

Re:Adding new network to IPsec VPN

Javier Portuguez — Sat, 02 Jun 2012 16:26:06 GMT

Hi,

Are you able to ping from your LAN to the remote host? What exactly stopped working?

Thanks.

Sent from Cisco Technical Support Android App

Re:Adding new network to IPsec VPN

Ven Diesel — Sat, 02 Jun 2012 17:49:02 GMT

Thanks for your reply

Well I cant ping from LAN to remote host either telnet as well on the ports requested, as it is a new acl added to crypto tunnel

do I need to do anything like clear crypto ipsec sa or clear crypto iskamp sa to reestablish the tunnel, as we havent got no one on other side at the moment to actually test.

Re:Adding new network to IPsec VPN

Javier Portuguez — Sun, 03 Jun 2012 00:25:19 GMT

Hi,

Please run a packet-tracer:

packet-tracer input inside icmp local_network 8 0 remote_network detail

Please attach the output.

Thanks in advance.

Sent from Cisco Technical Support Android App

Re:Adding new network to IPsec VPN

mikull.kiznozki — Sun, 03 Jun 2012 03:13:29 GMT

have the tunnel negotiations completed successfully after the change? what does ur sh cry ipsec sa output look like? as Jav mentioned, a packet tracer from your specified local network to the remote peer network will basically tell us the exact problem. Oh, the power of ASA's.. gotta love the IOS

Adding new network to IPsec VPN

Ven Diesel — Wed, 20 Jun 2012 20:10:58 GMT

Its a fault with peer ip , assigned crypto map and renegotiated, tunnel up