03-06-2023 03:53 AM
Hello Cisco Community,
I have a VTI set up from a Cisco ASA (on prem) to Azure. Recently, on the Azure side, they added this new network 10.3.20.0/22. So now I am trying to add this network on the ASA to access this resource, but I couldn't add this network. I got an error saying "ip address/mask doesn't pair". How can I add this network? Do I need to change the network details on the Azure side?
Help on this would be appreciated.
Veera.
03-06-2023 05:34 AM
You added a new subnet in Azure.
On the ASA side:
you need a static route toward the VTI for this new route;
you need to include this new route in the no-NAT (if there is one).
That's it.
03-06-2023 03:56 AM
Can you post the ASA model and ASA code version?
Also, how are you adding it, from the CLI or the GUI?
Can you post the command you used?
Do you have any subnet in the same range as 10.3.20.0/22?
03-06-2023 06:31 AM
Hello Balaji,
Thanks for all your replies. The problem was found on the Azure subnet. Now everything is good. Many thanks for your input.
03-06-2023 05:15 AM
VTI or route-based site-to-site VPNs depend on routes pointing at the tunnel interface to know which traffic to encrypt.
You don't need to add the remote networks to a crypto map ACL like in the old policy-based site-to-site VPN setup.
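The two points made above (a static route toward the VTI plus a no-NAT rule for the new subnet, and the fact that a route-based VPN selects traffic by routing rather than by crypto-map ACL) can be put together as one ASA config fragment. This is an added example, not configuration posted by anyone in the thread: the interface name azure002-vti and the subnet 10.3.20.0/22 come from the thread, while the inside subnet 192.168.1.0/24, the object names and the tunnel peer address 169.254.0.2 are assumptions.

```cisco
! --- Added example, not from the original thread. Assumed values are marked. ---
! 1. "ip address/mask doesn't pair" means the address is not the network address for
!    that mask. 10.3.20.0/22 is valid: with mask 255.255.252.0 the third octet must be
!    a multiple of 4, and 20 is. A typo such as 10.3.21.0 255.255.252.0 would be rejected.
object network OBJ-AZURE-NEW
 subnet 10.3.20.0 255.255.252.0
object network OBJ-INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0      ! assumed local LAN
!
! 2. Route-based VPN: the static route toward the VTI is what selects traffic for
!    encryption. Any reachable next hop on the tunnel works; 169.254.0.2 is an
!    assumed tunnel-peer address.
route azure002-vti 10.3.20.0 255.255.252.0 169.254.0.2 1
!
! 3. NAT exemption (only needed if a dynamic PAT to the outside would otherwise
!    translate this flow). Identity twin NAT keeps source and destination unchanged.
nat (inside,azure002-vti) source static OBJ-INSIDE-LAN OBJ-INSIDE-LAN destination static OBJ-AZURE-NEW OBJ-AZURE-NEW no-proxy-arp route-lookup
!
! 4. Verification: confirm the route and NAT decision before testing the application.
show route | include 10.3.20.0
packet-tracer input inside tcp 192.168.1.100 1234 10.3.20.10 443
```

Note that the packet-tracer result only proves the ASA's own decision (route, ACL, NAT, encrypt); an "allow" with no application response usually points to the far side, for example a missing Azure route or UDR for the new subnet, or the new subnet not being included in the connection's traffic selectors, which is consistent with the original poster's finding that the problem was on the Azure subnet.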
03-06-2023 05:48 AM
Thanks for your reply. I have added this network 10.3.20.0/22 (this network is in Azure), but I could not access the resource on the Azure side. Here is the packet-tracer output; the packet is allowed but the web link times out.
LAUS-ASA-1/pri/act# packet-tracer input inside tcp 192.168.1.100 1234 10.3.20.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.2.3.4(public ip) using egress ifc azure002-vti
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 880104, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: azure002-vti
output-status: up
output-line-status: up
Action: allow
03-06-2023 06:31 AM
Hello Guys,
Thanks for all your replies. The problem was found on the Azure subnet. Now everything is good. Many thanks for your input.