Beginner

Add new subnets to a site-to-site VPN tunnel that is already created.

Hello,

 

I am using a Cisco ASA 5545, ASDM 7.6. I have a site-to-site VPN tunnel created and now I would like to route additional traffic over that VPN tunnel. Can you please advise how I would do this via ASDM or CLI?

 

So the current remote network is 10.210.0.0/16; I would like to route the following remote ranges over the same VPN tunnel.

 

Address space (10.208.0.0/13):


10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16

2 Accepted Solutions

Participant

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

You can also verify the different subnets with packet-tracer from the ASA CLI:

packet-tracer input inside tcp <source-ip> 12345 <dest-ip> <dest-port> detailed

Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.

regards

azam


Hall of Fame Master

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.

 

It would be helpful if we could see the output of the command show crypto ipsec sa. It would also help if we could see an updated copy of the config.

 

HTH

 

Rick


32 Replies

Hall of Fame Guru

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

Your site-site VPN traffic selection is governed by a crypto map that calls an ACL. Add the additional subnets into that existing ACL and the next time traffic is presented to the ASA to those subnets, it will be encapsulated and sent across the VPN.

 

The remote end will need a mirror image of the configuration to make it work both ways.

 

Finally, the NAT exemption for the VPN needs to have the new subnets added to it (again, at both ends).

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

Hi Marvin,

Ok, I've added the subnets to the ACL Manager under Site-to-Site VPN. Can you please explain the NAT exemption part a bit more? Where would I need to make those changes?

Hall of Fame Guru

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

You should see some NAT entry (or entries) under Configuration > Firewall > NAT. Look for the ones that match the previous source and destination networks.

 

Ideally you would have used network object-groups for the local and remote networks; that way you only have to update that one object for the remote nets.

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

I have attached an image of the NAT rules I see under Firewall > NAT Rules.

Hall of Fame Guru

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

That's the one - edit that destination address on the right hand side. Add the new destination subnets to it (or a new object-group that includes the existing and new subnets).

 

ASDM will let you do it either way, but it makes the running-config clutter up with DM_INLINE_OBJECT items. That makes later troubleshooting harder.
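The following is an added example, not configuration from the thread or from Cisco, that pulls together the three points Marvin makes above (the crypto ACL behind the crypto map, a NAT exemption that covers the same networks, and keeping both on one network object-group instead of DM_INLINE objects) plus the CLI checks azam and Rick ask for. The object, ACL, map and proposal names, the interface names inside/outside, the peer address 203.0.113.10 and the use of IKEv2 are all assumptions; 10.1.1.0/24 and the five remote /16s are the networks the original poster shows.

```text
! --- Assumed names throughout; only the prefixes come from the original post ---

! Local LAN (seen as the local ident in the poster's Monitoring output)
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0

! All remote ranges in one group: add a line here and both the crypto ACL
! and the NAT exemption below pick it up, with no DM_INLINE objects.
object-group network AZURE-REMOTE-NETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0

! Crypto ACL = "interesting traffic" for the tunnel. Each expanded
! local/remote pair becomes its own proxy identity during negotiation.
access-list AZURE-VPN-ACL extended permit ip object LOCAL-LAN object-group AZURE-REMOTE-NETS

! Crypto map entry that calls the ACL (peer and proposal names assumed)
crypto map OUTSIDE-MAP 10 match address AZURE-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! NAT exemption (identity twice-NAT) so VPN-bound traffic keeps its real
! addresses. Line 1 puts it ahead of any dynamic PAT rule; no-proxy-arp
! stops the ASA answering ARP for the remote nets, route-lookup makes it
! pick the egress interface from the routing table.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static AZURE-REMOTE-NETS AZURE-REMOTE-NETS no-proxy-arp route-lookup

! --- Verification from the CLI ---
! 1. A flow to one of the *new* subnets should pass the NAT-exempt rule and
!    end in the VPN encrypt phase rather than being PAT'ed to the Internet.
packet-tracer input inside tcp 10.1.1.10 12345 10.211.0.1 443 detailed

! 2. One local/remote ident pair per negotiated SA; with five remote /16s
!    in the group you expect five pairs once traffic has triggered them.
show crypto ipsec sa peer 203.0.113.10 | include ident
```

The remote peer needs the mirror image (its local = AZURE-REMOTE-NETS, its remote = LOCAL-LAN) in both its traffic selectors and its own NAT handling. Because the ASA negotiates a separate IPsec SA for each local/remote pair, the `ident` lines in check 2 are the quickest way to see which pairs the far end has actually agreed to; if only the most recently added pair ever shows up, the thing to compare is what the peer is configured to accept, which is the confirmation Rick asks for further down.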

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

I'm getting close :). When I try to edit that and look for 10.211.0.0/16 etc., it doesn't show up? But when I go to the ACL Manager in the VPN manager they are there? I notice a difference: in the manager they have a little IP icon beside them, but in the NAT manager they are little computers. So does that mean I need to create them again as objects in the NAT manager?

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

Never mind, I think I see it in the group manager part. One sec :)

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

Ok, I've added that, and they look like the attached now. Do I need to make any changes to the connection profile at all? Currently for the remote network it just has 10.210.0.0/16 there. Also, when we go to Monitoring, all I see is the below. Shouldn't I see the other subnet there as well, i.e. 10.210.0.0 and 10.211.0.0?

 

  IPsec 10.1.1.0/255.255.255.0/0/0 10.214.0.0/255.255.0.0/0/0 AES-256
  Tunnel ID: 1994.2
  Hashing: SHA256
  Encapsulation: Tunnel
  Rekey Time Interval: 3600 Seconds   Rekey Left(T): 3102 Seconds
  Rekey Data Interval: 4608000 K-Bytes   Rekey Left(D): 4607960 K-Bytes
  Idle Time Out: 30 Minutes   Idle TO Left: 29 Minutes
  Packets Tx: 0   Packets Rx: 493   0   40996

 

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

And for some reason, now when I do a packet trace from our premises 10.1.1.1 to 10.210.0.1 it seems to fail. See the attached. Not sure why it is doing that now?

Hall of Fame Guru

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

It's hard to troubleshoot with only select snippets of ASDM screens. If you can share a sanitized configuration file it would be lot more productive.

 

If not, you might open a TAC case.

Beginner

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

Hi Marvin,

 

Attached is the config. The one big problem I can't figure out is why I can't have multiple subnets over the one VPN tunnel. I want 10.1.210.0.0/16, 10.1.211.0.0/16 and 10.1.214.0.0/16 all going over the one tunnel, but what is strange is that I can have subnet 10.210.0.0 and it works fine, but as soon as I add the others it bumps that one off and uses the last one I added. It seems for some reason I can only get one subnet across the tunnel at a time. What am I missing? Thanks very much Marvin, you're a HUGE help.

 

  IPsec 10.1.1.0/255.255.255.0/0/0 10.211.0.0/255.255.0.0/0/0 AES-256
  Tunnel ID: 2078.2
  Hashing: SHA256
  Encapsulation: Tunnel
  Rekey Time Interval: 3600 Seconds   Rekey Left(T): 1154 Seconds
  Rekey Data Interval: 4608000 K-Bytes   Rekey Left(D): 4607894 K-Bytes
  Idle Time Out: 30 Minutes   Idle TO Left: 29 Minutes
  Packets Tx: 1288   Packets Rx: 1329   108192   109504
Hall of Fame Guru

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

As far as I can see, that all looks correct from the ASA side.

 

I can only imagine it's some limitation on the Azure end?

Participant

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

If it's a S2S VPN to Azure, you should get hold of the ASA config file from Azure Support.

I've had issues with this myself; you can then log a ticket and they can troubleshoot the VPN with you.

Regards,

Azam

Hall of Fame Master

Re: Add new subnets to a site-to-site VPN tunnel that is already created.

We know that the original poster has made the changes to add the subnets. But do we know that the remote peer/Azure has made corresponding changes?

 

HTH

 

Rick
