01-17-2017 04:38 AM
Dear Tech Teams,
We have a Site to Site VPN connectivity between our office and a remote office. Recently we have created an internal network at the remote office with an IP range of 192.168.5.X/24. I have added the newly created network to the existing VPN connection, but we are not able to access the new network from our office. Is there anything else that I have to do? I am new to the ASA platform. Our office is using an ASA 5505 and the remote office is using a 5510 for the VPN connectivity. Awaiting your immediate response.
01-17-2017 05:30 AM
It needs to be a destination network at your end AND a source network at the other end.
Also ensure that your routing for that destination goes via your ASA.
01-17-2017 06:58 AM
Dear Marvin,
Could you please elaborate a little bit more, as I am new to the ASA firewall.
01-17-2017 07:07 AM
A site to site VPN uses access-lists at both ends to identify the subnets that should talk to one another via the VPN. It also exempts the VPN traffic from any NAT rules that may be in place. Those two things must be done at both the local and remote site for a VPN to function.
If you can share your running configuration, we can point out the specific bits in your environment.
01-17-2017 10:24 PM
Dear Marvin,
Really sorry Marvin, I don't have the privilege to share the configuration, thanks for your assistance.
We have created the ACL also. In our scenario, at the remote end we have 3 internal networks: one is configured on the ASA 5510 physical interface and the other two are newly created as sub-interfaces under another interface. Do we need to add a route between the interfaces?
01-18-2017 03:57 AM
All connected interfaces are populated into the ASA routing table.
As I noted, it is most likely in the access-list and NAT rule setup at one end or both that your problem exists. Each end has an access-list associated with the site-to-site VPN that defines what traffic is "interesting" and should be encrypted. All the networks need to be defined in both the local and remote site access-list. The remote site access-list will be the mirror image of the local site. Similarly, each site will have an identity NAT rule to exempt traffic between the tunneled subnets from being NATted.
If you cannot share the configuration then you will need to fall back to paid TAC support to work with you directly.
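The two requirements described above (mirror-image crypto ACLs and identity NAT at both ends, with the new subnet present in each), written out as an added example. This configuration is not from the thread or from Cisco documentation; the addressing, interface names, object-group names and crypto map name are all assumptions, only 192.168.5.0/24 comes from the original post, and the NAT lines use the 8.3+ syntax. Only the lines relevant to adding a subnet are shown; the IKE policy, transform set and tunnel-group are assumed to exist already since the tunnel works for the original subnets.

```cisco
! ---- Office end: ASA 5505 ----
! Assumed addressing (not from the thread): office LAN 192.168.1.0/24 on "inside",
! office outside IP 203.0.113.10, remote peer 198.51.100.10,
! remote LANs 192.168.2.0/24 (existing) and 192.168.5.0/24 (new).
object-group network OFFICE-LANS
 network-object 192.168.1.0 255.255.255.0
object-group network REMOTE-LANS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
!
! Crypto ACL ("interesting" traffic): source = local LANs, destination = remote LANs.
! Adding the new subnet to REMOTE-LANS adds it to this ACL.
access-list VPN-TO-REMOTE extended permit ip object-group OFFICE-LANS object-group REMOTE-LANS
!
! Identity (NAT-exempt) rule. Manual NAT rules are evaluated before object NAT,
! so this is matched ahead of any dynamic PAT rule for internet traffic.
nat (inside,outside) source static OFFICE-LANS OFFICE-LANS destination static REMOTE-LANS REMOTE-LANS no-proxy-arp route-lookup
!
! Existing crypto map entry; for adding a subnet only the ACL reference matters.
crypto map OUTSIDE_MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ---- Remote end: ASA 5510 ----
! Assumed: existing LAN 192.168.2.0/24 on physical interface "inside",
! new LAN 192.168.5.0/24 on sub-interface Ethernet0/2.5 named "lan5".
interface Ethernet0/2.5
 vlan 5
 nameif lan5
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
object-group network REMOTE-LANS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group network OFFICE-LANS
 network-object 192.168.1.0 255.255.255.0
!
! Mirror image of the office ACL: source = remote LANs, destination = office LANs.
access-list VPN-TO-OFFICE extended permit ip object-group REMOTE-LANS object-group OFFICE-LANS
!
! One identity NAT rule per inside-facing interface; the sub-interface has its own nameif,
! so a rule scoped to "inside" does not cover traffic entering on "lan5".
nat (inside,outside) source static REMOTE-LANS REMOTE-LANS destination static OFFICE-LANS OFFICE-LANS no-proxy-arp route-lookup
nat (lan5,outside) source static REMOTE-LANS REMOTE-LANS destination static OFFICE-LANS OFFICE-LANS no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-OFFICE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ---- Checks (run on the office ASA) ----
! Simulate a packet from the office LAN to the new subnet; the output names the NAT rule
! and the crypto map entry the flow hits, or the phase where it is dropped.
packet-tracer input inside tcp 192.168.1.10 40000 192.168.5.10 445 detailed
! Each local/remote subnet pair negotiates its own IPsec SA; confirm one exists
! for 192.168.5.0/24 and that its encaps/decaps counters both increase.
show crypto ipsec sa peer 198.51.100.10 | include ident|#pkts
! Confirm the tunnelled flow is untranslated (hit counts on the identity rule).
show nat detail
```

The third remote subnet on the other sub-interface is added the same way: into REMOTE-LANS at both ends and with an identity NAT rule for its interface. Sub-interfaces are directly connected routes on the ASA, so no static route is needed between them, but the switch port facing Ethernet0/2 must trunk VLAN 5 and the hosts in 192.168.5.0/24 must use 192.168.5.1 as their gateway. On ASA software before 8.3 (still common on the 5505 and 5510) the exemption is written instead as `nat (inside) 0 access-list NONAT`, with NONAT listing the same subnet pairs as the crypto ACL. If the new SA does not come up after the change, clear the tunnel with `clear crypto ipsec sa peer 198.51.100.10` so that it is renegotiated with the updated proxy identities.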