
How to pass multiple subnets through VPN?? SA520



The dynamic VPN between Cisco SA520 and Juniper SRX is working fine. My problem is the Cisco SA520: I cannot pass my three subnets (i.e., and through the SA520's IPsec VPN policies. In the Remote Traffic selection area of the VPN policy there are four options: ANY, SINGLE, RANGE and SUBNET. Choosing the ANY option I can reach my three subnets (, and but this doesn't fulfill my requirement. I want to split the traffic and pass only, and through the VPN and Internet traffic through the ADSL. Please help.



Hi sudan, can you post the configs of the asa and srx?

Hello, I am not using an ASA, it's an SA520 Small Business Security Appliance.

Hi Sudan,

On the SA 500 series, there is a way to do this by associating, in your case, 3 VPN Policies to the one IKE Policy created with the VPN Wizard.

After creating an initial IKE Policy and VPN Policy (choose remote subnet to when running VPN Wizard, you need to create 2 more policies to reach the other two subnets (10.10.254.x, 192.168.92.x). On the VPN -> VPN Policies page, click Add to add a VPN Policy. Make sure to select Auto Policy for Policy Type; on the Auto Policy Parameters make sure these values match your configuration and, MOST IMPORTANT, on the Select IKE Policy make sure to select the name of the IKE Policy as created in the VPN Wizard. Do this for both extra LANs you need to associate with the IKE Policy. You should then be able to only pass traffic to those three subnets.

Let me know if this works out for you, or if you need extra help.

Best regards,

Julio Martinez
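To make the difference between the ANY selector and per-subnet VPN policies concrete, here is an added illustration (not Cisco code and not from this thread) that models the SA520 remote-traffic selectors: several auto VPN policies referencing one IKE policy, and a classifier that decides whether a destination goes through the tunnel or out the default (ADSL) route. The IKE policy name, the third subnet and the sample destinations are constructed; 10.10.254.x and 192.168.92.x are the subnets named above.

```python
import ipaddress

# Constructed model of SA520 VPN policies (not the appliance's own code).
# Each VPN policy references one IKE policy; its remote selector decides
# which destinations enter the tunnel. Everything else follows the default
# route to the ADSL/Internet link.
ANY = ipaddress.ip_network("0.0.0.0/0")

def make_subnet_policies(ike_policy, remote_subnets):
    """One auto VPN policy per remote subnet, all bound to the same IKE policy."""
    return [{"name": f"{ike_policy}-to-{i}", "ike": ike_policy,
             "remote": ipaddress.ip_network(s)}
            for i, s in enumerate(remote_subnets, 1)]

def classify(dst, policies):
    """Return the name of the matching VPN policy, or 'internet' if none matches."""
    ip = ipaddress.ip_address(dst)
    # Longest-prefix match so a more specific selector wins over an overlapping one.
    matches = [p for p in policies if ip in p["remote"]]
    if not matches:
        return "internet"
    return max(matches, key=lambda p: p["remote"].prefixlen)["name"]

# Constructed sample: two subnets from the thread plus one placeholder (hypothetical).
REMOTE = ["10.10.254.0/24", "192.168.92.0/24", "172.16.5.0/24"]
SUBNET_POLICIES = make_subnet_policies("ike-to-srx", REMOTE)   # three SUBNET policies
ANY_POLICY = [{"name": "ike-to-srx-any", "ike": "ike-to-srx", "remote": ANY}]

def split_tunnel_report(dsts, policies):
    """Map each destination to the policy (or 'internet') it would be sent through."""
    return {d: classify(d, policies) for d in dsts}

if __name__ == "__main__":
    for d in ["10.10.254.7", "192.168.92.20", "8.8.8.8"]:
        print(d, "ANY ->", classify(d, ANY_POLICY),
              "| SUBNET ->", classify(d, SUBNET_POLICIES))
```

With the single ANY policy every destination, including 8.8.8.8, is sent into the tunnel; with the three SUBNET policies only the listed networks match and Internet traffic stays on the ADSL route.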

I have a similar problem. I have an SA540 and another firewall doing a site-to-site VPN, no problem. However, I want to be able to pass traffic on the LAN subnets of the UC540s. So the SA540s are in front of the UCs, and the UC's WAN port is just doing routing and is connected to the LAN port of the SA. When I set up the VPN, I can ping both WAN ports on the UCs, but I can't ping the UC's data LAN subnet.

SA1 WAN - Public

SA2 WAN - Public

UC540-1 WAN - LAN of SA1 (

UC540-2 WAN - LAN of SA2 (

I can ping these in both directions.

UC540-1 DATA LAN -

UC540-2 DATA LAN - 192.168.10/0/24

I can't ping these at all in either direction.
