Add new subnets to a site-to-site VPN tunnel that is already created.

virtuali1151
Level 1

Hello,

 

I am using a Cisco ASA 5545, ASDM 7.6. I have a site-to-site VPN tunnel created and now I would like to route additional traffic over that VPN tunnel. Can you please advise how I would do this via ASDM or CLI?

 

So the current remote network is 10.210.0.0/16. I would like to route the following remote ranges over the same VPN tunnel.

 

Address space (10.208.0.0/13):


10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16

32 Replies

Hi Richard,

 

I have asked the other end to engage Azure to see why we can't get multiple subs across the one tunnel. I will keep all posted on the outcome. Thanks for your input, mate.

 

Cheers.

Hi Azam,

 

Thanks for your info. I have engaged the other side to get them to check with Azure as well to troubleshoot why we can't get multiple subs over the one tunnel. Can I ask, were you able to get multiple subs over a single tunnel?

 

Thanks, mate.

 

Hi,

I'm not sure I understand the question.

As per standard VPN config, the local & remote subnets (or Proxy IDs) are defined in an access-list that is referenced in your crypto map.

Regards

Azam

I added the subnets (i.e. 10.210.0.0/16, 10.211.0.0/16, 10.212.0.0/16) to the crypto map ACL list, but every time only one subnet would show up in the monitoring (i.e. 10.210.0.0/16 etc.), so I believe the reason is something is not correct on the Azure side.

You can verify different subnets with packet-tracer also from the ASA CLI (8 0 is the ICMP echo-request type and code; replace the placeholders with a host on your inside network and a host in the remote subnet under test):

packet-tracer input inside icmp <source-ip> 8 0 <dest-ip> detailed

Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.

regards

azam

I have suggested they engage Azure Support, so I will post back once we hear. :) Thanks for your suggestions.

Here is what the packet trace shows. For some reason only one subnet is being allowed across: 10.211.0.0/16 is being dropped and 10.214.0.0/16 is being allowed across the VPN tunnel. Any ideas why?

 

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f2965cdcc60, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.211.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside


Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f295ceccb00, priority=70, domain=encrypt, deny=false
hits=476, user_data=0x176f2e4, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.214.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
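Added example (not code from the thread, Cisco or Azure): a small Python helper that does what Azam's packet-tracer suggestion and the pasted trace above imply. It generates one ICMP packet-tracer command per intended remote subnet and parses the VPN/encrypt phase of the pasted output to report which remote subnets are allowed, dropped, or not yet tested. The source host 10.1.1.10 and the trimmed trace text are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: two packet-tracer runs (one per remote subnet) pasted
# together, trimmed to the VPN/encrypt phase lines shown in the thread.
SAMPLE_TRACE = """\
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
out id=0x7f2965cdcc60, priority=70, domain=encrypt, deny=false
dst ip/id=10.211.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
out id=0x7f295ceccb00, priority=70, domain=encrypt, deny=false
dst ip/id=10.214.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
"""

# Remote ranges the crypto ACL is meant to carry (the thread's list).
EXPECTED_REMOTE = ["10.210.0.0/16", "10.211.0.0/16", "10.212.0.0/16",
                   "10.213.0.0/16", "10.214.0.0/16"]

PHASE_RE = re.compile(r"^Phase: \d+\nType: (\w+)\nSubtype: (\w+)\nResult: (\w+)", re.M)
DST_RE = re.compile(r"^dst ip/id=([\d.]+), mask=([\d.]+)", re.M)


def encrypt_verdicts(trace):
    """Map each destination network seen in a VPN/encrypt phase to its Result."""
    verdicts = {}
    for block in re.split(r"\n(?=Phase: )", trace):
        m = PHASE_RE.search(block)
        if not m or (m.group(1), m.group(2)) != ("VPN", "encrypt"):
            continue  # only the IPsec encrypt lookup decides tunnel selection
        d = DST_RE.search(block)
        if d:
            net = ipaddress.ip_network(f"{d.group(1)}/{d.group(2)}", strict=False)
            verdicts[str(net)] = m.group(3)
    return verdicts


def subnet_report(expected, trace):
    """For each intended remote subnet: ALLOW, DROP, or UNTESTED (no trace run yet)."""
    verdicts = encrypt_verdicts(trace)
    return {c: verdicts.get(str(ipaddress.ip_network(c)), "UNTESTED") for c in expected}


def packet_tracer_commands(src_host, expected, ifc="inside"):
    """One ICMP echo (type 8, code 0) packet-tracer command per remote subnet."""
    return [f"packet-tracer input {ifc} icmp {src_host} 8 0 "
            f"{next(ipaddress.ip_network(c).hosts())} detailed" for c in expected]
```

A DROP in the encrypt phase for a subnet that is in the local crypto ACL is the signature seen in this thread, where the remote (Azure) side's traffic selectors did not match.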

Ensure you have all remote subnets in your crypto ACL.

Also ensure routing is correct for that subnet.

Other than that, you'd have to post the config.

regards, mk

OK, so here is my crypto map:

 

static: 1 1 10.1.1.0/24
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16 ip Protect ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 Azure-Ipsec-Tunnel-onpremise-x.x.x.x [Ljava.lang.String;@e715a0 False False bidirectional 01:00:00 or 4608000 KB main []

 

and the attached image is my ACL manager Subnets.

 

The NAT rule is:

 

20 inside outside OnPremisesNetworks_10_1_1_0 AzureNetworks_10_211_0_0 any -- Original -- -- Original -- -- Original -- No Proxy ARP,Route Lookup  

 

 

All the subs are in the group-object AzureNetworks. What I can't figure out is why only 10.214.0.0/16 is showing in monitoring and none of the other subs? And when I do a packet trace the only one that successfully gets through is 10.214.0.0/16; all others are failing at VPN.

 

I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.

 

It would be helpful if we could see the output of the command show crypto ipsec sa. It would also be helpful if we could see an updated copy of the config.

 

HTH

 

Rick

After engaging Microsoft to get their input on what they were seeing, it was confirmed the Azure side was not configured correctly. Thanks so much for all your assistance.

Like I suggested in the earlier posting :)

Thanks for the update!

regards, mk

Please rate if helpful or solved :)

 

Thanks for updating to tell us that it is confirmed that Azure was not correctly configured. I am glad that your problem is solved. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. One of the good things about these communities is having multiple people contributing to solving the issue. Several people made suggestions pointing in the right direction. These communities are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick