Add new subnets to a site-to-site VPN tunnel that is already created.

virtuali1151
Level 1

Hello,

 

I am using a Cisco ASA 5545 with ASDM 7.6. I have a site-to-site VPN tunnel created and now I would like to route additional traffic over that tunnel. Can you please advise how I would do this via ASDM or CLI?

 

So the current remote network is 10.210.0.0/16; I would like to route the following remote ranges over the same VPN tunnel.

 

Address space (10.208.0.0/13):


10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16

2 Accepted Solutions

You can also verify the different subnets with packet-tracer from the ASA CLI:

packet-tracer input inside icmp <source-ip> 8 0 <dest-ip> detailed
packet-tracer input inside tcp <source-ip> 12345 <dest-ip> <dest-port> detailed

Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.

Regards,

Azam


I believe that it is critical that we get some confirmation of whether the remote side/Azure has made changes corresponding to your changes.

 

It would be helpful if we could see the output of the command show crypto ipsec sa. It would also be helpful if we could see an updated copy of the config.

 

HTH

 

Rick

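Added example, not part of this thread: the checks the two accepted answers point at (show crypto ipsec sa and packet-tracer), written out as ASA CLI with the symptoms to look for. The local and remote subnets are the ones from the thread (10.1.1.0/24 and 10.21x.0.0/16); the peer address 203.0.113.10 and the names outside_cryptomap and outside_map are assumptions.

```cisco
! Added example, not from the thread. Peer address 203.0.113.10 and the ACL /
! crypto map names are assumptions; local and remote subnets follow the thread.

! 1. What the ASA is configured to protect: the crypto ACL (one line per
!    local/remote pair, or one line with an object-group) and the crypto map
!    entry that references it.
show running-config crypto map
show running-config access-list outside_cryptomap

! 2. What has actually been negotiated with the peer. Expect one local/remote
!    ident pair per crypto ACL entry, e.g.
!      local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
!      remote ident (addr/mask/prot/port): (10.211.0.0/255.255.0.0/0/0)
!    If only one pair exists and its remote ident changes each time a subnet is
!    added, the peer is not negotiating the additional selectors: compare the
!    peer side's configuration (the point Rick and Azam raise).
show crypto ipsec sa peer 203.0.113.10 | include ident|pkts
show vpn-sessiondb detail l2l

! 3. The NAT exemption must cover the new destinations. Its translate_hits
!    counter increments when traffic uses it.
show nat detail | include 10.21

! 4. Simulate one packet per new subnet. ICMP takes type and code (8 0 = echo
!    request); TCP/UDP take source and destination ports.
packet-tracer input inside icmp 10.1.1.1 8 0 10.211.0.1 detailed
packet-tracer input inside tcp 10.1.1.1 12345 10.214.0.1 443 detailed
!    The output should contain a Type: VPN phase and end with Action: allow.
!    If no VPN phase appears, the packet was translated and routed in the
!    clear instead of encrypted; revisit the exemption in step 3.

! 5. After editing the crypto ACL on a tunnel that is already up, the old SAs
!    keep their old proxy IDs. Force a fresh negotiation.
clear crypto ipsec sa peer 203.0.113.10
```

Run step 2 before and after adding a subnet on the peer side: the number of ident pairs should grow by one per new /16 rather than the single pair changing its remote ident.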

32 Replies

Marvin Rhoads
Hall of Fame

Your site-to-site VPN traffic selection is governed by a crypto map that calls an ACL. Add the additional subnets to that existing ACL, and the next time traffic to those subnets is presented to the ASA it will be encapsulated and sent across the VPN.

 

The remote end will need a mirror image of the configuration to make it work both ways.

 

Finally, the NAT exemption for the VPN needs to have the new subnets added to it (again, at both ends).
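Added example, not part of this thread: the three changes Marvin lists (crypto ACL, mirror image on the peer, NAT exemption) written out as ASA 9.x CLI, using object-groups as he recommends further down. The names LOCAL-LAN, AZURE-NETS, INSIDE-PAT, outside_cryptomap and outside_map are assumptions; the subnets are the ones from the original post. The crypto map entry's peer and transform-set lines are assumed to already exist and are not shown.

```cisco
! Added example, not from the thread: object, ACL and crypto map names are
! assumptions; the subnets are the ones from the original post.

! 1. One object-group for the remote networks. The crypto ACL and the NAT
!    exemption both reference it, so a future subnet is added in one place
!    (and ASDM does not create DM_INLINE_ objects for addresses typed
!    directly into a rule).
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object-group network AZURE-NETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0

! 2. Crypto ACL referenced by the existing crypto map entry. The ASA expands
!    the group into one local/remote selector per /16; the peer must carry the
!    exact mirror image (its local = these five /16s, its remote = 10.1.1.0/24)
!    or the extra selectors are never negotiated.
access-list outside_cryptomap extended permit ip object LOCAL-LAN object-group AZURE-NETS
crypto map outside_map 1 match address outside_cryptomap

! 3. NAT exemption (identity twice NAT) at the top of section 1. The ASA
!    matches the crypto ACL against post-NAT addresses, so without this line
!    the PAT rule below rewrites the source to the outside address first and
!    traffic to a new subnet leaves unencrypted via the default route.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static AZURE-NETS AZURE-NETS no-proxy-arp route-lookup

! Typical outbound dynamic PAT (section 2) that the exemption takes precedence
! over; shown only to make the ordering explicit.
object network INSIDE-PAT
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Adding the subnets only to the crypto ACL and not to the exemption is the usual mistake, and it is the reason the ACL Manager change in ASDM alone does not bring the new subnets up. Both halves have to be mirrored on the peer as well.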

Hi Marvin,

Ok, I've added the subnets to the ACL Manager under Site-to-Site VPN. Can you please explain the NAT exemption part a bit more? Where would I need to make those changes?

You should see some NAT entry (or entries) under Configuration > Firewall > NAT. Look for the ones that match the previous source and destination networks.

 

Ideally you would have used network object-groups for the local and remote networks; that way you only have to update that one object for the remote nets.

I have attached an image of the NAT rules I see under Firewall > NAT Rules.

That's the one - edit that destination address on the right hand side. Add the new destination subnets to it (or a new object-group that includes the existing and new subnets).

 

ASDM will let you do it either way, but it makes the running-config clutter up with DM_INLINE_OBJECT items. That makes later troubleshooting harder.

I'm getting close :). When I try to edit that and look for 10.211.0.0/16 etc., it doesn't show up? But when I go to the ACL Manager in the VPN manager they are there. I notice a difference: in the ACL Manager they have a little IP icon beside them, but in the NAT manager they are little computers. So does that mean I need to create them again as objects in the NAT manager?

Never mind, I think I see it in the group manager part. One sec :)

Ok, I've added that, and they look like the attached now. Do I need to make any changes to the connection profile at all? Currently for the remote network it just has 10.210.0.0/16 there. Also, when we go to Monitoring, all I see is the below. Shouldn't I see the other subnet there as well, i.e. both 10.210.0.0 and 10.211.0.0?

 

  IPsec  10.1.1.0/255.255.255.0/0/0  10.214.0.0/255.255.0.0/0/0  AES-256
    Tunnel ID: 1994.2    Hashing: SHA256    Encapsulation: Tunnel
    Rekey Time Interval: 3600 Seconds    Rekey Left(T): 3102 Seconds
    Rekey Data Interval: 4608000 K-Bytes    Rekey Left(D): 4607960 K-Bytes
    Idle Time Out: 30 Minutes    Idle TO Left: 29 Minutes
    Packets Tx: 0    Packets Rx: 493    Bytes Tx: 0    Bytes Rx: 40996

 

And for some reason, now when I do a packet trace from our premises 10.1.1.1 to 10.210.0.1, it seems to fail. See the attached. Not sure why it is doing that now?

It's hard to troubleshoot with only select snippets of ASDM screens. If you can share a sanitized configuration file it would be a lot more productive.

 

If not, you might open a TAC case.

Hi Marvin,

 

Attached is the config. The one big problem I can't figure out is why I can't have multiple subnets over the one VPN tunnel. I want 10.210.0.0/16, 10.211.0.0/16 and 10.214.0.0/16 all going over the one tunnel, but what is strange is that I can have subnet 10.210.0.0 and it works fine, but as soon as I add the others it bumps that one off and uses the last one I added. It seems for some reason I can only get one subnet across the tunnel at a time. What am I missing? Thanks very much Marvin, you're a HUGE help.

 

  IPsec  10.1.1.0/255.255.255.0/0/0  10.211.0.0/255.255.0.0/0/0  AES-256
    Tunnel ID: 2078.2    Hashing: SHA256    Encapsulation: Tunnel
    Rekey Time Interval: 3600 Seconds    Rekey Left(T): 1154 Seconds
    Rekey Data Interval: 4608000 K-Bytes    Rekey Left(D): 4607894 K-Bytes
    Idle Time Out: 30 Minutes    Idle TO Left: 29 Minutes
    Packets Tx: 1288    Packets Rx: 1329    Bytes Tx: 108192    Bytes Rx: 109504

As far as I can see, that all looks correct from the ASA side.

 

I can only imagine it's some limitation on the Azure end?

If it's a S2S VPN to Azure, you should get hold of the ASA configuration file from Azure Support.

I've had issues with this myself; you can then log a ticket and they can troubleshoot the VPN with you.

Regards,

Azam

We know that the original poster has made the changes to add the subnets. But do we know that the remote peer/Azure has made corresponding changes?

 

HTH

 

Rick
