topic Add additional host to IPSEC connection on ASA in Network Security

Add additional host to IPSEC connection on ASA

CiscoBrownBelt — Fri, 21 Feb 2020 17:22:00 GMT

So if I have a IPSEC connection allowing let's say local source addresses 10.10.10.10 and 11.11.11.11 to remote end of tunnel 100.1.1.1, and want to add 12.12.12.12 as an addition source host on my local end, do I just make the update under "Local Network" if making the changes in the ASDM? Will that automatically update the crypto map/ACLs?

If I were to update this via CLI, I would just add the new subnet/host to the interesting traffic ACL correct?

Re: Add additional host to IPSEC connection on ASA

GRANT3779 — Fri, 02 Aug 2019 16:44:01 GMT

You would include this like you say within your interesting traffic ACL. You should ensure the remote end has the new host included also as part if their encryption domain back to you.

Re: Add additional host to IPSEC connection on ASA

Mohammed al Baqari — Fri, 02 Aug 2019 17:48:59 GMT

Yes, once you updates from asdm it will update the crypto acl but the
tunnel has to be restarted for the new entry to be included in IPsec sa

Re: Add additional host to IPSEC connection on ASA

CiscoBrownBelt — Tue, 06 Aug 2019 21:40:44 GMT

Ok great! Restarted meaning generate interesting traffic?
Also, currently have manual NAT statements translating the current 2 local source addresses to static original. I would need to add the new host IP to this statement as well correct? Since it is just translating to self/original, is this to make sure the 2 source addresses are not NATTED?