10-31-2018 10:09 AM - edited 10-31-2018 10:10 AM
Hello,
I am using a Cisco ASA 5545, ASDM 7.6. I have a site-to-site VPN tunnel created and now I would like to route additional traffic over that VPN tunnel. Can you please advise how I would do this via ASDM or CLI?
So the current remote network is 10.210.0.0/16, I would like to route the following remote ranges over the same VPN tunnel.
Address space (10.208.0.0/13):
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16
11-05-2018 10:49 AM
You can also verify the different subnets with packet-tracer from the ASA CLI:
packet-tracer input inside icmp <source-ip> 8 0 <dest-ip> detailed
Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.
Regards,
Azam
11-06-2018 12:11 PM
I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.
It would be helpful if we could see the output of the command show crypto ipsec sa. It would also be helpful if we could see an updated copy of the config.
HTH
Rick
10-31-2018 10:16 AM
Your site-site VPN traffic selection is governed by a crypto map that calls an ACL. Add the additional subnets into that existing ACL and the next time traffic is presented to the ASA to those subnets, it will be encapsulated and sent across the VPN.
The remote end will need a mirror image of the configuration to make it work both ways.
Finally, the NAT exemption for the VPN needs to have the new subnets added to it (again, at both ends).
10-31-2018 10:25 AM
Hi Marvin,
Ok, I've added the subnets to the ACL Manager under Site-to-Site VPN. Can you please explain the NAT exemption part a bit more? Where would I need to make those changes?
10-31-2018 10:28 AM
You should see some NAT entry (or entries) under Configuration > Firewall > NAT. Look for the ones that match the previous source and destination networks.
Ideally you would have used network object-groups for the local and remote networks; that way you only have to update that one object for the remote nets.
10-31-2018 10:28 AM
10-31-2018 10:32 AM
That's the one - edit that destination address on the right hand side. Add the new destination subnets to it (or a new object-group that includes the existing and new subnets).
ASDM will let you do it either way, but it makes the running-config clutter up with DM_INLINE_OBJECT items. That makes later troubleshooting harder.
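The object-group approach described above, as an added CLI example that is not from this thread or the poster's attached config. It assumes the local LAN is 10.1.1.0/24 on "inside" (taken from the monitoring output), the tunnel terminates on "outside", and the crypto map is named outside_map with sequence 1 (ASDM's default naming, assumed); object and ACL names are hypothetical.

```cisco
! Added example (not the thread's own config). Assumes: local LAN 10.1.1.0/24
! on "inside", tunnel on "outside", crypto map "outside_map" seq 1 (assumed
! ASDM default name), and that the existing tunnel to the Azure peer works.
!
! 1. Local and remote networks as objects so the crypto ACL and the NAT
!    exemption both reference one object instead of per-subnet entries.
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object-group network AZURE-REMOTE-NETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0
!
! 2. Crypto ACL (interesting traffic). The ASA expands the object-group into
!    one ACE per subnet and negotiates a separate IPsec SA for each, so
!    "show crypto ipsec sa" should list one SA per remote /16 once both
!    sides agree on them.
access-list AZURE-VPN-ACL extended permit ip object LOCAL-LAN object-group AZURE-REMOTE-NETS
crypto map outside_map 1 match address AZURE-VPN-ACL
!
! 3. NAT exemption (identity twice-NAT, ASA 8.3+ syntax) so VPN-bound
!    traffic is not translated before it reaches the crypto map.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static AZURE-REMOTE-NETS AZURE-REMOTE-NETS no-proxy-arp route-lookup
!
! 4. Verify. The remote peer must carry the mirror image (its selectors
!    listing each remote /16 <-> 10.1.1.0/24); subnets missing on either
!    side will not come up. <AZURE-PEER-IP> is a placeholder.
! show crypto ipsec sa peer <AZURE-PEER-IP>
! packet-tracer input inside icmp 10.1.1.10 8 0 10.211.0.10 detailed
```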
10-31-2018 10:37 AM
I'm getting close :) .. When I try to edit that and look for the 10.211.0.0/16 etc., it doesn't show up? But when I go to the ACL manager in the VPN manager they are there? I notice a difference: in the manager they have a little IP icon beside them, but in the NAT manager they are little computers. So does that mean I need to create them again as objects in the NAT manager?
10-31-2018 10:39 AM
Never mind.. I think I see it in the group manager part.. one sec.. :)
10-31-2018 10:47 AM
Ok, I've added that, and they look like the attached now. Do I need to make any changes to the connection profile at all? Currently for remote network it just has the 10.210.0.0/16 there. Also, when we go to monitoring, all I see is the below; shouldn't I see the other subnet there as well? I.e. 10.210.0.0 and 10.211.0.0?
IPsec | 10.1.1.0/255.255.255.0/0/0 10.214.0.0/255.255.0.0/0/0 | AES-256 | Tunnel ID: 1994.2 Hashing: SHA256 Encapsulation: Tunnel Rekey Time Interval: 3600 Seconds Rekey Left(T): 3102 Seconds Rekey Data Interval: 4608000 K-Bytes Rekey Left(D): 4607960 K-Bytes Idle Time Out: 30 Minutes Idle TO Left: 29 Minutes Packets Tx: 0 Packets Rx: 493 | 0 40996 |
10-31-2018 11:21 AM
10-31-2018 08:51 PM
It's hard to troubleshoot with only select snippets of ASDM screens. If you can share a sanitized configuration file it would be a lot more productive.
If not, you might open a TAC case.
11-01-2018 03:35 PM - edited 11-01-2018 03:35 PM
Hi Marvin,
Attached is the config. The one big problem I can't figure out is why I can't have multiple subnets over the one VPN tunnel. I want 10.1.210.0.0/16, 10.1.211.0.0/16, 10.1.214.0.0/16 all going over the one tunnel, but what is strange is I can have sub 10.210.0.0 and it works fine, but as soon as I add the others it bumps that one off and uses the last one I added. It seems for some reason I can only get one sub across the tunnel at a time? What am I missing? Thanks very much Marvin, you're a HUGE help.
IPsec | 10.1.1.0/255.255.255.0/0/0 10.211.0.0/255.255.0.0/0/0 | AES-256 | Tunnel ID: 2078.2 Hashing: SHA256 Encapsulation: Tunnel Rekey Time Interval: 3600 Seconds Rekey Left(T): 1154 Seconds Rekey Data Interval: 4608000 K-Bytes Rekey Left(D): 4607894 K-Bytes Idle Time Out: 30 Minutes Idle TO Left: 29 Minutes Packets Tx: 1288 Packets Rx: 1329 | 108192 109504 |
11-01-2018 08:53 PM
As far as I can see, that all looks correct from the ASA side.
I can only imagine it's some limitation on the Azure end?
11-03-2018 01:17 PM
If it's an S2S VPN to Azure, you should get hold of the config file for the ASA config from Azure Support.
I've had issues with this myself; you can then log a ticket and they can troubleshoot the VPN with you.
Regards,
Azam
11-03-2018 01:56 PM
We know that the original poster has made the changes to add the subnets. But do we know that the remote peer/Azure has made corresponding changes?
HTH
Rick