10-31-2018 10:09 AM - edited 10-31-2018 10:10 AM
Hello,
I am using a Cisco ASA 5545, ASDM 7.6, I have a site to site VPN tunnel created and now I would like to route additional traffic over that VPN tunnel. Can you please advise how I would do this via ASDM or CLI.
So the current remote network is 10.210.0.0/16, I would like to route the following remote ranges over the same VPN tunnel.
Address space (10.208.0.0/13):
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16
11-05-2018 09:47 AM
HI Richard,
I have asked the other end to engage Azure to see why we can't get multiple subs across the one tunnel. I will keep all posted on the outcome. Thanks for your input mate.
Cheers.
11-06-2018 07:05 AM
Here is what the packet trace shows. For some reason only one subnet is being allowed across: 10.211.0.0/16 is being dropped and 10.214.0.0/16 is being allowed across the VPN tunnel. Any ideas why?
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f2965cdcc60, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.211.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
11-05-2018 09:45 AM
Hi Azam.
Thanks for your info, I have engaged the other side to get them to check with Azure as well to troubleshoot why we can't get multiple subs over the one tunnel. Can I ask, were you able to get multiple subs over a single tunnel?
Thanks mate.
11-05-2018 10:14 AM
Hi,
I'm not sure I understand the question.
As per standard VPN config, the local & remote subnets (or Proxy IDs) are defined in an access-list that is referenced in your crypto map.
Regards
Azam
11-05-2018 10:18 AM
I added the subnets (i.e. 10.210.0.0/16, 10.211.0.0/16, 10.212.0.0/16) to the crypto map ACL list, but every time only one subnet would show up in the monitoring, i.e. 10.210.0.0/16 etc., so I believe the reason is something is not correct on the Azure side.
11-05-2018 10:49 AM
You can also verify the different subnets with packet-tracer from the ASA CLI (TCP form, placeholders in angle brackets):
packet-tracer input inside tcp <source-ip> 12345 <dest-ip> <dest-port> detailed
Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.
Regards,
Azam
11-05-2018 11:25 AM
11-06-2018 07:04 AM
Here is what the packet trace shows. For some reason only one subnet is being allowed across: 10.211.0.0/16 is being dropped and 10.214.0.0/16 is being allowed across the VPN tunnel. Any ideas why?
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f2965cdcc60, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.211.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f295ceccb00, priority=70, domain=encrypt, deny=false
hits=476, user_data=0x176f2e4, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.214.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
11-06-2018 07:45 AM
Ensure you have all remote subnets in your crypto ACL.
Also ensure routing is correct for that subnet.
Other than that, you'd have to post the config.
regards, mk
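To make the checklist above (crypto ACL, NAT exemption, routing) and the earlier note about the crypto map referencing an access-list concrete, here is an added ASA CLI example; it is not configuration from this thread or from Cisco/Azure documentation. It uses the subnet and object names visible in the thread, but the ACL name, crypto map name, peer address (203.0.113.10, a documentation address) and IKEv1 transform set are assumed placeholders, and the ASDM rules the poster shows may be named differently in their running config.

```cisco
! Added example, not the poster's config. Local side: 10.1.1.0/24, remote side: the five Azure /16s.
object network OnPremisesNetworks_10_1_1_0
 subnet 10.1.1.0 255.255.255.0
object-group network AzureNetworks
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0
!
! Crypto ACL: one line per remote subnet is what the ASA will propose as a
! traffic selector (proxy ID); the peer must accept each of them.
access-list outside_cryptomap_1 extended permit ip object OnPremisesNetworks_10_1_1_0 object-group AzureNetworks
!
! Identity (no-NAT) rule for tunnel traffic, matching the ASDM row in the thread:
! no-proxy-arp and route-lookup keep the egress interface decision on the routing table.
nat (inside,outside) source static OnPremisesNetworks_10_1_1_0 OnPremisesNetworks_10_1_1_0 destination static AzureNetworks AzureNetworks no-proxy-arp route-lookup
!
! Crypto map entry tying the ACL to the peer (names/peer are assumed placeholders).
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! Verification: run one packet-tracer per remote subnet. Each should reach
! "Phase: VPN / Subtype: encrypt" with "Result: ALLOW"; a DROP there, even
! when a matching crypto rule is shown (hits > 0), means no IPsec SA exists
! for that selector pair.
packet-tracer input inside tcp 10.1.1.10 12345 10.211.0.10 443 detailed
packet-tracer input inside tcp 10.1.1.10 12345 10.214.0.10 443 detailed
!
! Each negotiated SA appears as a "local ident"/"remote ident" pair; a remote
! subnet that never shows up here has not been accepted by the peer.
show crypto ipsec sa peer 203.0.113.10
```

The point of the verification commands is to separate the two failure modes seen in this thread: if the crypto ACL or NAT exemption were missing on the ASA, packet-tracer would fail before the encrypt phase or show no matching rule; a drop at encrypt with a matching rule, combined with only one ident pair in show crypto ipsec sa, points at the peer not negotiating the remaining selectors, which is consistent with the outcome reported later in the thread.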
11-06-2018 08:05 AM - edited 11-06-2018 08:11 AM
Ok, so here is my crypto map:
static: 1 1 10.1.1.0/24
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16 ip Protect ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 Azure-Ipsec-Tunnel-onpremise-x.x.x.x [Ljava.lang.String;@e715a0 False False bidirectional 01:00:00 or 4608000 KB main []
The attached image is my ACL manager subnets.
The NAT rule is:
20 | inside | outside | OnPremisesNetworks_10_1_1_0 | AzureNetworks_10_211_0_0 | any | -- Original -- | -- Original -- | -- Original -- | No Proxy ARP,Route Lookup |
All the subs are in the group-object AzureNetworks... What I can't figure out is why only 10.214.0.0/16 is showing in monitoring and none of the other subs. And when I do a packet trace the only one that successfully gets through is 10.214.0.0/16; all others are failing at VPN.
11-06-2018 12:11 PM
I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.
It would be helpful if we could see the output of the command show crypto ipsec sa. It would also be helpful if we could see an updated copy of the config.
HTH
Rick
11-20-2018 06:46 AM
11-20-2018 06:54 AM
like I suggested in the earlier posting :)
thanks for the update!
regards, mk
please rate if helpful or solved :)
11-20-2018 01:52 PM
Thanks for updating to tell us that it is confirmed that Azure was not correctly configured. I am glad that your problem is solved. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. One of the good things about these communities is having multiple people contributing to solving the issue. Several people made suggestions pointing in the right direction. These communities are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the community.
HTH
Rick