VPN Connectivity

nikhilaluvila
Level 1

Dear Tech Teams,

We have a site-to-site VPN connection between our office and a remote office. Recently we created an internal network at the remote office with the IP range 192.168.5.X/24. I have added the newly created network to the existing VPN connection, but we are not able to access the new network from our office. Is there anything else that I have to do? I am new to the ASA platform. Our office is using an ASA 5505 and the remote office is using a 5510 for the VPN connectivity. Awaiting your immediate response.


5 Replies

Marvin Rhoads
Hall of Fame

It needs to be a destination network at your end AND a source network at the other end.

Also ensure that your routing for that destination goes via your ASA.

Dear Marvin,

Could you please elaborate a little bit more, as I am new to the ASA firewall.

A site to site VPN uses access-lists at both ends to identify the subnets that should talk to one another via the VPN. It also exempts the VPN traffic from any NAT rules that may be in place. Those two things must be done at both the local and remote site for a VPN to function.

If you can share your running configuration, we can point out the specific bits in your environment.

Dear Marvin,

Really sorry Marvin, I don't have the privilege to share the configuration. Thanks for your assistance.

We have created the ACL also. In our scenario, at the remote end we have 3 internal networks: one is configured on the ASA 5510 physical interface and the other two are newly created under another interface as sub-interfaces. Do we need to add a route between the interfaces?

All connected interfaces are populated into the ASA routing table.

As I noted it is most likely in the access-list and NAT rule setup at one end or both that your problem exists. Each end has an access-list associated with the site-site VPN that defines what traffic is "interesting" and should be encrypted. All the networks need to be defined at both the local and remote site access-list. The remote site access list will be the mirror image of the local site. Similarly, each site will have an identity NAT rule to exempt traffic between the tunneled subnets from being NATted.

If you cannot share the configuration then you will need to fall back to paid TAC support to work with you directly.
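The two points Marvin makes (the crypto ACL listing every subnet pair, mirrored at both ends, and an identity NAT rule at both ends so tunneled traffic is not translated) as an added configuration example; it is not from the thread, the poster's configuration, or Cisco documentation. It assumes ASA 8.4(2)+ NAT syntax, a local LAN of 10.10.10.0/24, an existing remote LAN of 192.168.1.0/24, a sub-interface at the remote site named "inside-new", and object, ACL and crypto-map names invented here; only 192.168.5.0/24 comes from the question. It also covers the sub-interface question in the last post: connected subnets need no static route, but the identity NAT rule is matched per ingress interface.

```cisco
! ===== Local office (ASA 5505), ASA 8.4(2)+ NAT syntax assumed =====
! Constructed addressing (not from the thread): local LAN 10.10.10.0/24,
! existing remote LAN 192.168.1.0/24. 192.168.5.0/24 is the new remote subnet.
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN-EXISTING
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN-NEW
 subnet 192.168.5.0 255.255.255.0
object-group network REMOTE-LANS
 network-object object REMOTE-LAN-EXISTING
 network-object object REMOTE-LAN-NEW
!
! Crypto ACL ("interesting" traffic): local subnet as source, every remote subnet as destination.
! Adding the new object to the group extends this ACL to the new subnet.
access-list VPN-TO-REMOTE extended permit ip object LOCAL-LAN object-group REMOTE-LANS
!
! Identity NAT: tunneled traffic keeps its real addresses. The destination side must
! include the new subnet, otherwise the packet is translated and never matches the crypto ACL.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LANS REMOTE-LANS no-proxy-arp route-lookup
!
! The existing crypto map entry (peer, transform set, etc.) stays as it is; it only has to
! reference the ACL above. OUTSIDE-MAP and sequence 10 are assumed names.
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE

! ===== Remote office (ASA 5510): mirror image of the local site =====
! Assumed interface names: "inside" for the subnet on the physical interface,
! "inside-new" for the sub-interface that carries 192.168.5.0/24.
object network MAIN-OFFICE-LAN
 subnet 10.10.10.0 255.255.255.0
object network LAN-EXISTING
 subnet 192.168.1.0 255.255.255.0
object network LAN-NEW
 subnet 192.168.5.0 255.255.255.0
object-group network THIS-SITE-LANS
 network-object object LAN-EXISTING
 network-object object LAN-NEW
!
! Mirror of the local ACL: this site's subnets are the source, the main office the destination.
access-list VPN-TO-MAIN extended permit ip object-group THIS-SITE-LANS object MAIN-OFFICE-LAN
!
! Connected subnets (including sub-interfaces) are already in the routing table, so no static
! route is needed between them. Identity NAT, however, is matched on the ingress interface, so
! the sub-interface subnet needs its own rule (or use "nat (any,outside) ..." once to cover
! every inside-facing interface).
nat (inside,outside) source static LAN-EXISTING LAN-EXISTING destination static MAIN-OFFICE-LAN MAIN-OFFICE-LAN no-proxy-arp route-lookup
nat (inside-new,outside) source static LAN-NEW LAN-NEW destination static MAIN-OFFICE-LAN MAIN-OFFICE-LAN no-proxy-arp route-lookup
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-MAIN

! ===== Checks (run on the local ASA) =====
! Simulate a packet from the local LAN to the new subnet: each phase (NAT, VPN encrypt, ...)
! reports ALLOW or DROP together with the rule that matched, which pinpoints the missing piece.
packet-tracer input inside tcp 10.10.10.10 12345 192.168.5.10 443
! The ASA negotiates one IPsec SA pair per ACE; after traffic is sent, a "local ident" /
! "remote ident" pair for 192.168.5.0/24 should appear here.
show crypto ipsec sa
```

On ASA 8.2 and earlier the same exemption is expressed as `nat (inside) 0 access-list NONAT`, and the NONAT access-list has to list the new subnet pair just like the crypto ACL does. Marvin's routing point applies on the host side as well: hosts on the local LAN (or their default gateway) must send 192.168.5.0/24 to the ASA, and a new ACE only produces a new SA once traffic for it is generated.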