L2L vpn routing help

aaronmbrock
Level 1

Hi everybody,

I'm using ASA 5510

I have two inside interfaces

my end

outside:  a.a.a.a

inside1 : b.b.b.b/24

inside2 : c.c.c.c/24

other end

outside: d.d.d.d

inside : e.e.e.e/29

There is tunnel established between b.b.b.b/24 and e.e.e.e/29

I'd like to route the network from c.c.c.c/24 to e.e.e.e/29 and back using the same tunnel.

Is that possible? If so, how do I go about it?

Points to those who help me solve this.


Richard Burts
Hall of Fame

Aaron

I would like some clarification on a couple of points. You tell us that the tunnel is from b.b.b.b to e.e.e.e but I am not quite sure what you really mean here. Are you saying that the remote peer is e.e.e.e and that the crypto map is bound to the inside interface and that the isakmp enable points to the inside interface? While these are possible, it is my experience that the site to site vpn is not usually configured that way. It is more common that the peer address is on the outside interface and that the crypto map and the isakmp enable are for the outside interface. I think we can show you how to get it to work either way, but we need to know how it is really set up before we start to make suggestions about how you need to change it.

HTH

Rick


Hello Richard,

Yes the crypto map is applied to the outside interface on my end. (a.a.a.a)

my inside subnet b.b.b.b is able to communicate with their inside subnet e.e.e.e via a tunnel between a.a.a.a and d.d.d.d.

does it help?

Aaron

Aaron

Yes that does help - in fact it helps a lot. The changes now become much more simple. And there are required changes on your end and on the remote end. So you will need some cooperation and coordination with the person who administers the remote end device.

In your configuration there is an access list that identifies traffic that will be processed through the tunnel. It probably looks like permit ip b.b.b.0 255.255.255.0 e.e.e.0 255.255.255.0. You will need to add another line to that access list which will say permit c.c.c.0 255.255.255.0 e.e.e.0 255.255.255.0

On the remote side they have a similar access list which probably says something like permit ip e.e.e.0 255.255.255.0 b.b.b.0 255.255.255.0. They will need to add a line to their access list to permit ip e.e.e.0 255.255.255.0 c.c.c.0 255.255.255.0

After the changes are made on both sides you should stop and start the tunnel. That should be sufficient for both of your network/subnets to communicate over the tunnel with the network/subnet at their side.

HTH

Rick


Morning Rick,

This is not what I was looking for but thank you for trying to help. I'm looking to route the traffic from subnet c.c.c.c/24 using tunnel with local proxy of b.b.b.b/24 and remote proxy of e.e.e.e/29

Everything is configured and NATted, as the tunnel is up and traffic is passing from b.b.b.b to e.e.e.e and back just fine.

Is there any routing command that would send traffic from c.c.c.c to e.e.e.e and back without establishing another tunnel?

Or is adding the c.c.c.c subnet to the access list the only way to add the route from c.c.c.c to e.e.e.e?

Aaron

Aaron

Perhaps I did not understand your requirements as well as I thought that I did. So let me try again, starting from a slightly different perspective. If I get off track with my understanding I hope you will supply appropriate corrections.

What I think I understand is that you have an ASA and that network c.c.c.0 is on the inside of that ASA. You want traffic from c.c.c to go to network e.e.e.0 which is behind some ASA/router device which has a VPN site to site tunnel set up to your ASA to provide connectivity for network b.b.b.0.

The first thing to understand is that a second tunnel is really not an option. Your ASA can certainly support multiple VPN tunnels - as long as they each go to different destinations. But two tunnels from the same ASA to the same destination does not work.

So you basically have two options: your ASA can route traffic from c.c.c out through the outside interface and in the clear trying to get to e.e.e. Depending on whether these are public addresses or private addresses it might work or it might not work. But I do not think that this is the option that you want. The other option is to send that traffic through the existing tunnel. And the way to get that traffic through the existing tunnel is to add c.c.c to the access list. (and there might be a few other things like whether or not to translate the traffic).

There is an aspect to this that you might not realize and perhaps this may help you to feel better about this solution. Right now your ASA negotiates an IPSec Security Association with b.b.b.b as local proxy. If you add c.c.c.c into the tunnel then IPSec will negotiate an additional Security Association with the new SA having c.c.c.c as the local proxy.

HTH

Rick

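The two replies above both come down to the same coordination step: both peers' crypto ACLs must carry mirror-image proxy IDs for every subnet pair, and each agreed pair negotiates its own IPsec SA. The following checker is an added example, not code from the thread or from Cisco. It parses ASA-style `access-list ... extended permit ip` lines for both sides and reports any local pair that the remote side does not mirror exactly, which is what leaves the new subnet without an SA while the tunnel still shows as up for the original subnet. The addresses are constructed stand-ins for the thread's placeholders (b.b.b.0/24 is 10.10.1.0/24, c.c.c.0/24 is 10.10.2.0/24, e.e.e.0/29 is 192.168.50.0/29); the ACL names are likewise made up.

```python
"""Mirror-check ASA crypto ACLs (proxy IDs) from two VPN peers.

Added example for this thread; all addresses and ACL names are constructed
stand-ins for the thread's placeholders, not a real configuration.
"""
import ipaddress
import re

# Local ASA crypto ACL after adding the second inside subnet (constructed).
# The remote network in the thread is a /29, so its mask is 255.255.255.248.
LOCAL_ACL = """
access-list OUTSIDE_CRYPTO extended permit ip 10.10.1.0 255.255.255.0 192.168.50.0 255.255.255.248
access-list OUTSIDE_CRYPTO extended permit ip 10.10.2.0 255.255.255.0 192.168.50.0 255.255.255.248
"""

# Remote peer before it adds the line for inside2 (constructed).
REMOTE_ACL_BEFORE = """
access-list SITE_A extended permit ip 192.168.50.0 255.255.255.248 10.10.1.0 255.255.255.0
"""

# Remote peer after adding the mirror line for inside2 (constructed).
REMOTE_ACL_AFTER = REMOTE_ACL_BEFORE + """
access-list SITE_A extended permit ip 192.168.50.0 255.255.255.248 10.10.2.0 255.255.255.0
"""

# Remote peer that wrote its own /29 as a /24 on both lines (constructed).
# Neither pair mirrors the local side, so neither subnet gets an SA.
REMOTE_ACL_WRONG_MASK = """
access-list SITE_A extended permit ip 192.168.50.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list SITE_A extended permit ip 192.168.50.0 255.255.255.0 10.10.2.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(.+)$")


def _parse_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs use dotted subnet masks, which ipaddress accepts after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (source_net, destination_net) proxy-ID pairs in an ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        match = ACL_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything that is not a permit ip entry
        tokens = match.group(1).split()
        src, rest = _parse_endpoint(tokens)
        dst, _ = _parse_endpoint(rest)
        pairs.add((src, dst))
    return pairs


def _mirrored(remote_pairs):
    """Flip the remote peer's (src, dst) pairs into the local peer's orientation."""
    return {(dst, src) for (src, dst) in remote_pairs}


def missing_mirrors(local_text, remote_text):
    """Local proxy-ID pairs with no exact (mask-for-mask) mirror on the remote peer.

    Each such pair is a Phase 2 selector the peer will not accept, so traffic
    for that subnet never gets an IPsec SA even though the tunnel is up for
    the pairs that do match.
    """
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    return sorted(local - _mirrored(remote), key=lambda p: (str(p[0]), str(p[1])))


def agreed_sa_pairs(local_text, remote_text):
    """Count proxy-ID pairs both peers agree on; each negotiates its own IPsec SA pair."""
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    return len(local & _mirrored(remote))


if __name__ == "__main__":
    for name, remote in (("before", REMOTE_ACL_BEFORE),
                         ("after", REMOTE_ACL_AFTER),
                         ("wrong mask", REMOTE_ACL_WRONG_MASK)):
        gaps = missing_mirrors(LOCAL_ACL, remote)
        print(f"{name}: {agreed_sa_pairs(LOCAL_ACL, remote)} agreed SA pair(s); "
              f"unmirrored: {[(str(s), str(d)) for s, d in gaps]}")
```

Running it shows one agreed pair and one unmirrored pair before the remote side adds its line, two agreed pairs and none missing afterwards, and zero agreed pairs when the remote side uses the wrong mask for its own /29. The mask case is worth keeping in mind here, since the question describes the remote subnet as a /29: a mirror check that only compares network addresses would miss it.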