Site to site VPN

Mohammed Yusuf

Hi,

I have two sites configured for site-to-site VPN on ASA 5505. Site A has expanded and created two more VLANs, but Site B can't access those new subnets. What could I do to make sure both sites' subnets/VLANs can talk to each other?

thanks,

15 Replies

  1. Are the new subnets members of the crypto definition on both VPN gateways?
  2. Are the new subnets excluded from NAT on both sides?

No, I am not sure where to start without breaking anything.

The new VLANs are working OK and routing fine at Site A.

Is there a command for ASA where I could copy all the site-to-site config and change the local IP addresses?

Thanks

Hi,

Yes, you can use this command: more system:running-config.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

It would give me the whole config. Is there a command that only shows me the site-to-site VPN stuff? It would make it easy for me to take that portion and edit it.

thanks

Hi Karsten,

There is a NAT statement, and when I try to add the new subnet I get the following warning.

Well, deactivate proxy-arp for that identity NAT. As the warning mentions, it's typically not needed.

I have added the new subnet and saved the config. Still, I am unable to ping from the new subnet. Do I need to add it to both ASAs?

Yes, both ASAs need to know that this traffic should not be translated.

I have added the crypto map entry for the new subnet and the NAT statement on both ASAs, but I am still unable to ping the remote site from the new subnet.

What does packet-tracer tell you for that traffic?

ansarjavaid54

AOA Mohammed Yusuf. Hopefully this finds you well.

Well, bro, Karsten Iwen said you have to check TWO things.

1. Add the new VLAN subnets to the crypto ACLs. Navigation via ASDM:

Configuration > Site-to-Site VPN > Advanced > Crypto Maps

    Select the Traffic Selection tab.

Define the interesting traffic ACL as follows: (You are defining the crypto ACL)
•   Network Type: IPv4
•   Action: Protect
•   Source: 10.10.0.0/16  (Here you can add your new subnets)
•   Destination: 10.20.10.0/24
•   Service: ip
Click OK.
Click Apply.

2. In twice NAT, exclude these new subnets from the NAT process.

Look for twice NAT:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_rules.html

Rate it.
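The two checks from Karsten's first reply and the two ASDM steps above, as an added CLI example for ASA 8.3+ twice-NAT syntax; this is not configuration posted in the thread. Addressing is assumed (Site A existing LAN 10.10.10.0/24, new VLANs 10.10.20.0/24 and 10.10.30.0/24; Site B LAN 10.20.10.0/24 is the destination used in the ASDM steps), as are the object, ACL, crypto map and interface names. To pull only the VPN-relevant part of an existing config rather than the whole running-config, use `show running-config crypto`, `show running-config nat`, `show running-config object`, `show running-config object-group` and `show running-config tunnel-group`, and substitute the real names from that output.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax.
! Assumed: Site A LANs 10.10.10.0/24 (existing), 10.10.20.0/24 and 10.10.30.0/24 (new VLANs);
! Site B LAN 10.20.10.0/24. Object, ACL, crypto map and interface names are assumptions.

! ===== Site A ASA =====
object-group network SITEA-LANS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
object network SITEB-LAN
 subnet 10.20.10.0 255.255.255.0
!
! Step 1: crypto ACL. Every Site A subnet that must reach Site B is in the source group.
! The group expands to one permit line per subnet, i.e. one IPsec SA pair per subnet.
! If the existing crypto map entry already references an ACL with another name, either
! add the new subnets to that ACL or repoint the entry at this one as shown.
access-list VPN-TO-SITEB extended permit ip object-group SITEA-LANS object SITEB-LAN
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEB
!
! Step 2: twice NAT exemption (identity NAT). A "source static" rule lands in NAT
! section 1 and is evaluated before the dynamic PAT used for Internet traffic.
! "any" as the ingress interface covers the new VLANs whether they are separate
! nameif'd interfaces on the 5505 or routed behind "inside". no-proxy-arp removes
! the warning seen when adding the subnet; route-lookup makes the egress interface
! follow the routing table instead of the NAT rule.
nat (any,outside) source static SITEA-LANS SITEA-LANS destination static SITEB-LAN SITEB-LAN no-proxy-arp route-lookup

! ===== Site B ASA (mirror image; both sides must carry the new subnets) =====
object-group network SITEA-LANS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
object network SITEB-LAN
 subnet 10.20.10.0 255.255.255.0
access-list VPN-TO-SITEA extended permit ip object SITEB-LAN object-group SITEA-LANS
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEA
nat (inside,outside) source static SITEB-LAN SITEB-LAN destination static SITEA-LANS SITEA-LANS no-proxy-arp route-lookup

! ===== Verify on Site A (10.10.20.5 and 10.20.10.5 are assumed hosts) =====
! Use the nameif the new VLAN actually enters on in place of "inside" if it is a
! separate interface. A healthy trace ends with ALLOW and shows a VPN/encrypt phase;
! a DROP in the NAT or VPN phase identifies which step is still missing on this side.
packet-tracer input inside tcp 10.10.20.5 12345 10.20.10.5 80 detailed
! The exemption must list the new subnet, and the SA list must show a
! local ident / remote ident pair for it with non-zero #pkts encaps and decaps.
show nat
show crypto ipsec sa
```

Existing IPsec SAs for the original subnet pair stay up after the change; the new subnet pairs negotiate their own SAs on the first interesting packet, so a ping from a host on the new VLAN is the trigger. If the trace allows the packet but the SA for the new pair never appears, clear the tunnel to the peer with `clear crypto ipsec sa peer <peer-ip>` so both sides renegotiate with the updated proxy identities, and remember `write memory` on both ASAs.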

Hi Ansar,

I followed your instructions, and I would say they were very good instructions. I clicked on the Destination tab and added the new subnet in it > click Apply. It took about 1 minute and came up with an error:
"ASDM is unable to send the command, resend it." I kind of thought I may be doing something wrong?

Please advise.

Thanks
