
270 Views, 0 Helpful, 15 Replies
Beginner

Site to site VPN

hi,

I have got two sites configured for site-to-site VPN on ASA 5505. Site A has expanded and created two more VLANs, but Site B can't access those new subnets. What could I do to make sure both sites' subnets/VLANs can talk to each other?

thanks,

15 REPLIES
VIP Mentor

1. Are the new subnets members of the crypto definition on both VPN gateways?
2. Are the new subnets excluded from NAT on both sides?
Beginner

No, I am not sure where to start without breaking anything.

The new VLANs are working OK and routing fine at Site A.

Beginner

Is there a command for ASA where I could copy all the site-to-site config and change the local IP addresses?

Thanks

Cisco Employee

Hi,

Yes, you can use this command: more:running-config.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Beginner

Hi Aditya,

It would give me the whole config. Is there a command that only shows me the site-to-site VPN stuff? It would make it easy for me to take that portion and edit it.

thanks

Beginner

Hi Karsten,

There is a NAT statement, and when I try to add the new subnet I get the following warning.

VIP Mentor

Well, deactivate proxy-arp for that identity NAT. As the warning mentions, it's typically not needed.

Beginner

I have added the new subnet and saved the config. Still, I am unable to ping from the new subnet. Do I need to add it to both ASAs?

VIP Mentor

Yes, both ASAs need to know that this traffic should not be translated.

Beginner

I have added on both ASAs the crypto map for the new subnet and the NAT statement, but I am still unable to ping the remote site from the new subnet.

VIP Mentor

What does packet-tracer tell you for that traffic?

Beginner

(attachment: capture.jpg)

Beginner

AOA Mohammed Yusuf.. Hopefully this finds you good...

Well bro Karsten Iwen said you have to check TWO things.

1. Add the new VLAN subnets in the crypto ACLs. Navigation via ASDM:

Configuration > Site-to-Site VPN > Advanced > Crypto Maps

    Select the Traffic Selection tab.

Define the interesting traffic ACL as follows: (You are defining the crypto ACL)
• Network Type: IPv4
• Action: Protect
• Source: 10.10.0.0/16 (Here you can add your new subnets)
• Destination: 10.20.10.0/24
• Service: ip
Click OK.
Click Apply.

2. In twice NAT, exclude these new subnets from the NAT process.

Look for twice NAT:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_rules.html

Rate it..
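The two checks Karsten listed (crypto ACL membership on both gateways, NAT exemption on both sides) and the ASDM steps Ansar walked through, written out as ASA CLI so both sides can be compared line by line. This is an added example, not configuration posted by anyone in this thread. It assumes ASA 8.3 or later (twice-NAT syntax, the release the linked ASDM guide covers), that the working tunnel already matches an ACL named outside_cryptomap, and that Site A's new VLANs sit behind the interface named inside. The Site A LAN 10.10.0.0/16 and Site B LAN 10.20.10.0/24 are the addresses from Ansar's post; the two new VLAN subnets, Site B's outside address and every object and group name are constructed placeholders.

```cisco
! Added example, not taken from any post in this thread. ASA 8.3 or later
! (twice-NAT) syntax. Constructed values: Site A LAN 10.10.0.0/16 and Site B
! LAN 10.20.10.0/24 (the addresses Ansar used), two new Site A VLAN subnets
! 10.30.1.0/24 and 10.30.2.0/24, Site B's outside address 203.0.113.2, and
! every object, group and interface name. Assumes the working tunnel already
! matches an ACL named outside_cryptomap and that the new VLANs are behind
! the interface named inside on Site A.
!
! ===================== Site A ASA =====================
object network SiteB-LAN
 subnet 10.20.10.0 255.255.255.0
object network SiteA-VLAN30
 subnet 10.30.1.0 255.255.255.0
object network SiteA-VLAN31
 subnet 10.30.2.0 255.255.255.0
object-group network SiteA-NEW
 network-object object SiteA-VLAN30
 network-object object SiteA-VLAN31
!
! Check 1 (crypto ACL, "interesting traffic"): the existing 10.10.0.0/16 ACE
! stays; one ACE is appended for the new subnets. A subnet missing here is
! never offered to the tunnel, whatever the NAT rules say.
access-list outside_cryptomap extended permit ip object-group SiteA-NEW object SiteB-LAN
!
! Check 2 (NAT exemption): identity twice NAT for the same pair, inserted at
! line 1 so no earlier section-1 rule catches the traffic first.
! no-proxy-arp is what the warning the OP saw recommends; route-lookup
! keeps the egress interface decided by the routing table.
nat (inside,outside) 1 source static SiteA-NEW SiteA-NEW destination static SiteB-LAN SiteB-LAN no-proxy-arp route-lookup
!
! ===================== Site B ASA (mirror image) =====================
object network SiteB-LAN
 subnet 10.20.10.0 255.255.255.0
object network SiteA-VLAN30
 subnet 10.30.1.0 255.255.255.0
object network SiteA-VLAN31
 subnet 10.30.2.0 255.255.255.0
object-group network SiteA-NEW
 network-object object SiteA-VLAN30
 network-object object SiteA-VLAN31
access-list outside_cryptomap extended permit ip object SiteB-LAN object-group SiteA-NEW
nat (inside,outside) 1 source static SiteB-LAN SiteB-LAN destination static SiteA-NEW SiteA-NEW no-proxy-arp route-lookup
!
! ===================== Verify (exec mode, run on each side) =====================
! Show only the VPN-related parts of the config instead of the whole thing:
show running-config crypto
show running-config access-list outside_cryptomap
show running-config nat
! Trace a ping from a host in a new VLAN to Site B. Expect a NAT phase that
! hits the identity rule, a VPN phase with Subtype: encrypt, and Result: ALLOW.
packet-tracer input inside icmp 10.30.1.10 8 0 10.20.10.10 detailed
! Editing the crypto ACL changes the proxy IDs, so clear the old phase-2 SA
! and let it renegotiate with the new selectors, then confirm counters move:
clear crypto ipsec sa peer 203.0.113.2
show crypto ipsec sa peer 203.0.113.2
```

Three things to watch when applying this. The nat line is specific to its interface pair: on a 5505 the new VLANs are usually separate VLAN interfaces, and if they are not behind inside each needs its own identity rule with that interface as the real side. The ACEs on the two ASAs must be exact mirrors of each other, otherwise phase 2 fails on a proxy-ID mismatch even though both NAT rules look right. And if sysopt connection permit-vpn has been disabled on either box, decrypted traffic is also subject to the outside interface ACL and must be permitted there.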

Beginner

Hi Ansar,

I followed your instructions, and I would say they are very good instructions. I clicked on the Destination tab, added the new subnet in it and clicked Apply. It took about 1 minute and came up with an error:
"ASDM is unable to send the command, resend it." I kind of thought I may be doing something wrong?

Please advise.

Thanks
