ASA 5512 v8.6 - Need to add a new subnet to existing VPN - help!

adzrobo
Level 1

Hello everyone, I have just been tasked with adding a new subnet to an existing VPN already set up on the ASA. I have no experience of Cisco firewalls and I've exhausted google with my searches so I'm hoping the community can help. BTW we have no access to ASDM so cli only.

11 Replies

Francesco Molino
VIP Alumni

Hi

Have you restarted the vpn connection?
Can you share the output of show crypto ipsec sa please?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

 n/a

Hello,

 

I am not sure what ASDM does under the hood when you add a new subnet to an existing VPN connection and click 'OK', but try:

 

--> no crypto ikev1 enable OUTSIDE

--> crypto ikev1 enable OUTSIDE

I managed to get ASDM installed last night so I now have access to this. Any articles or advice so I can use this?

adzrobo
Level 1

n/a

adzrobo
Level 1

After a day of troubleshooting I think I've narrowed down the issue but I don't know how to change this. The only difference is that the working VPN tunnel shows this in packet-tracer:

 

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:

 

And this on the one that isn't working:

 

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:

 

So it seems that the NAT exemption rule is being overridden by the auto NAT policy - any help would be great.

Hello,

 

possibly your NAT rules are out of order. Put the dynamic entry in section 2:

 

nat (INSIDE,OUTSIDE) 2 dynamic interface

Unfortunately this is already the case. Like I say I already have one working tunnel but the second one I’ve added just won’t push the packets through the tunnel even though I’ve got the same rules in place for both. 
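For reference, the shape the NAT exemption needs on an 8.3+ ASA so that the section 1 identity NAT is matched before the section 2 dynamic PAT shown in the packet-tracer output above. This is an added example, not a config posted in the thread: the subnets, interface names, ACL and crypto map names are taken from the thread, the object names, the two host addresses in the packet-tracer line and the peer placeholder are my own, and the no-proxy-arp/route-lookup keywords assume 8.4(2) or later.

```cisco
! Constructed object names (not from the thread); subnets are the ones in the ACL.
object network obj-local-10.20.30
 subnet 10.20.30.0 255.255.255.0
object network obj-blx-255
 subnet 10.164.255.0 255.255.255.192
object network obj-blx-76
 subnet 10.164.76.0 255.255.255.240
!
! Section 1 (manual / twice NAT) is evaluated before section 2 (object NAT), so an
! identity NAT here takes precedence over the dynamic PAT on obj_any. One statement
! per remote subnet; both must exist or the missing subnet falls through to PAT.
nat (INSIDE,OUTSIDE) source static obj-local-10.20.30 obj-local-10.20.30 destination static obj-blx-255 obj-blx-255 no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static obj-local-10.20.30 obj-local-10.20.30 destination static obj-blx-76 obj-blx-76 no-proxy-arp route-lookup
!
! The existing object NAT stays in section 2 and only catches traffic the
! exemption above did not match.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! Checks: the two exemptions should list under section 1 ahead of obj_any, and the
! NAT phase of packet-tracer should now cite the exemption rather than obj_any.
! (Host addresses below are constructed examples inside the thread's subnets.)
show nat detail
packet-tracer input INSIDE tcp 10.20.30.10 12345 10.164.76.5 443 detailed
show crypto ipsec sa peer <PEER-IP-PLACEHOLDER>
```

If packet-tracer still reports obj_any in the NAT phase, the exemption for that particular destination subnet is missing or has the wrong mask, since a section 1 rule that matches always wins.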

Hello.

 

just to be sure: you are trying to add a new subnet to an existing tunnel?

 

-->  Like I say I already have one working tunnel but the second one

 

Or are you trying to set up a completely new, second tunnel?

A second tunnel over the same VPN. 

Hello,

 

try and delete the access list:

 

--> no crypto map SS-BLOXHAM-VPN-MAP 50 match address vpn-ibm-blx-to-spbaas

 

--> no access-list vpn-ibm-blx-to-spbaas extended permit ip 10.20.30.0 255.255.255.0 10.164.255.0 255.255.255.192
--> no access-list vpn-ibm-blx-to-spbaas extended permit ip 10.20.30.0 255.255.255.0 10.164.76.0 255.255.255.240

 

and then add it with line numbers:

 

--> access-list vpn-ibm-blx-to-spbaas extended line 1 permit ip 10.20.30.0 255.255.255.0 10.164.255.0 255.255.255.192
--> access-list vpn-ibm-blx-to-spbaas extended line 2 permit ip 10.20.30.0 255.255.255.0 10.164.76.0 255.255.255.240

 

--> crypto map SS-BLOXHAM-VPN-MAP 50 match address vpn-ibm-blx-to-spbaas