05-19-2008 07:22 AM
I've successfully set up l2l VPN between our main site and 2 branch offices. Now I would like to allow additional networks from the main site to access the branch sites. The Cisco doc here (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) shows a method for doing this by adding an additional interface. Is it possible to do this without adding an interface?
Here's the relevant config from the main site ASA (8.0) and one of the remote PIXs (7.0):
=========================
ASA (Main site)
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.97.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
=========================
PIX (Remote site)
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20_2
crypto map outside_map 20 set peer 204.14.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
05-19-2008 07:34 AM
Just add the interesting traffic to your access lists. New network = 172.16.2.0/24
ASA (Main site)
access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
PIX (Remote site)
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
Don't forget about your nat exemption acl as well. For instance....
ASA (Main site)
access-list
PIX (Remote site)
access-list
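As an added illustration (not from this thread, and not the poster's or the answerer's running config): the two things that most often break when a network is bolted onto an existing L2L tunnel are (1) the crypto ACLs on the two peers no longer being mirror images and (2) the new pair missing from the NAT exemption ACL on one end, so the traffic is NATed before it ever reaches the crypto map. The script below embeds constructed ASA 8.0 / PIX 7.0 style configs using the thread's networks (172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24 and 172.16.29.0/24) and checks both conditions. The NAT exemption ACL name inside_nat0_outbound and the nat (inside) 0 binding lines are assumptions for the example; the crypto ACL names are the thread's own. The PIX sample deliberately omits the 172.16.2.0/24 exemption so the check has something to report. Note this is pre-8.3 syntax; from ASA 8.3 onward NAT exemption is expressed as twice NAT (nat (inside,outside) source static ... destination static ...) and the ACL-based check would need adapting.

```python
"""Consistency check for a Cisco ASA/PIX (pre-8.3 NAT syntax) site-to-site tunnel.

Two checks a practitioner wants after adding a network to an existing tunnel:
  1. every (src, dst) pair in the local crypto ACL appears reversed on the peer;
  2. every crypto-ACL pair is covered by the NAT exemption (nat 0) ACL, so it is
     not translated before the crypto map gets to see it.
Constructed sample configs below; not taken from a live device.
"""
import re
from ipaddress import IPv4Network

# Constructed sample: main-site ASA. Crypto ACL name is from the thread; the
# NAT exemption ACL name 'inside_nat0_outbound' is an assumption.
ASA_MAIN = """
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""

# Constructed sample: remote PIX. The new network is in the crypto ACL but its
# NAT exemption entry is missing, the mistake the original poster describes.
PIX_REMOTE = """
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20_2
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(config):
    """Return {acl_name: set((src_net, dst_net))} for 'permit ip' ACEs.
    ASA/PIX ACLs use netmasks (not wildcards), so 'addr/mask' feeds IPv4Network directly."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, sa, sm, da, dm = m.groups()
        acls.setdefault(name, set()).add((IPv4Network(f"{sa}/{sm}"), IPv4Network(f"{da}/{dm}")))
    return acls


def crypto_acl_name(config):
    """ACL bound to the crypto map entry via 'match address'."""
    return re.search(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M).group(1)


def nat0_acl_name(config):
    """ACL bound to NAT exemption via 'nat (inside) 0 access-list'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None


def fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def mirror_mismatches(local_cfg, remote_cfg):
    """Local crypto-ACL pairs the remote peer does not list in reverse (dst -> src)."""
    local = parse_acls(local_cfg)[crypto_acl_name(local_cfg)]
    remote = parse_acls(remote_cfg)[crypto_acl_name(remote_cfg)]
    return sorted(fmt((s, d)) for s, d in local if (d, s) not in remote)


def unexempted_pairs(config):
    """Crypto-ACL pairs not covered by the NAT exemption ACL. Coverage allows a
    broader exemption entry (a supernet on both sides) to satisfy a narrower crypto pair."""
    acls = parse_acls(config)
    crypto = acls[crypto_acl_name(config)]
    exempt = acls.get(nat0_acl_name(config), set())
    covered = lambda s, d: any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
    return sorted(fmt((s, d)) for s, d in crypto if not covered(s, d))


if __name__ == "__main__":
    for label, cfg, peer in (("ASA main", ASA_MAIN, PIX_REMOTE), ("PIX remote", PIX_REMOTE, ASA_MAIN)):
        print(f"{label}: crypto ACL not mirrored on peer: {mirror_mismatches(cfg, peer) or 'none'}")
        print(f"{label}: crypto pairs missing NAT exemption: {unexempted_pairs(cfg) or 'none'}")
```

Running it reports the PIX side as missing the exemption for 172.16.29.0/24 -> 172.16.2.0/24 while the crypto ACLs mirror cleanly, which matches the symptom of a tunnel that negotiates fine for the old networks but never carries the new one. On the box itself the equivalent check is show crypto ipsec sa (no SA or zero encaps for the new pair) together with show run nat and show access-list on both peers.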
05-19-2008 07:41 AM
Thanks for the reply. I figured out just after posting that I was missing the nat exemption on one end. BTW, for anyone else trying to set this up via ASDM, I found that ASDM tries to use a different cryptomap for the second network. I could only get it to work by setting up the VPN with ASDM, then adding the 2nd network via CLI.
05-19-2008 07:50 AM
To do this in ASDM, instead of selecting "add" select "Insert after/before". Then it won't create another acl, it will add the line to the existing acl.
05-19-2008 08:35 AM
Thanks for the suggestion, I'll give that a try next time. ASDM is handy when it works, especially the wizards...