Add new subnets to a site-to-site VPN tunnel that is already created.

Hello,

 

I am using a Cisco ASA 5545, ASDM 7.6, I have a site to site VPN tunnel created and now I would like to route additional traffic over that VPN tunnel.  Can you please advise how I would do this via ASDM or CLI.

 

So the current remote network is 10.210.0.0/16, I would like to route the following remote ranges over the same VPN tunnel.

 

Address space (10.208.0.0/13):


10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16

Accepted Solutions
You can verify the different subnets with packet tracer from the ASA CLI as well (ICMP echo is type 8, code 0):

packet-tracer input inside icmp <source-ip> 8 0 <dest-ip> detailed

Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.

regards

azam

I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.

 

It would be helpful if we could see the output of the command show crypto ipsec sa. It would also be helpful if we could see an updated copy of the config.

 

HTH

 

Rick
Hall of Fame Guru
Your site-site VPN traffic selection is governed by a crypto map that calls an ACL. Add the additional subnets into that existing ACL and the next time traffic is presented to the ASA to those subnets, it will be encapsulated and sent across the VPN.

 

The remote end will need a mirror image of the configuration to make it work both ways.

 

Finally, the NAT exemption for the VPN needs to have the new subnets added to it (again, at both ends).
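The three pieces described in this answer (crypto ACL called by the crypto map, a mirror image on the peer, and the NAT exemption) fit together as below. This is an added example, not the poster's configuration: the local LAN 10.1.1.0/24 and the Azure ranges come from the thread, while the object names, the crypto map name and sequence number, the IKEv2 proposal name and the peer address 203.0.113.10 are assumed placeholders that you would replace with the values already in your running-config.

```cisco
! Added example (not the poster's config). Object names and peer address are assumptions.
! Local LAN from the thread's monitoring output
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
!
! Remote (Azure) ranges from the thread, kept in one object-group so that the crypto ACL
! and the NAT exemption below both pick up a new subnet by editing this group alone
object-group network AZURE-NETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0
!
! Crypto ACL (interesting traffic) that the crypto map entry calls
access-list AZURE-VPN-ACL extended permit ip object LOCAL-LAN object-group AZURE-NETS
!
! NAT exemption (identity NAT) covering the same source and destination networks,
! so VPN-bound traffic is not translated before it is matched against the crypto ACL
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static AZURE-NETS AZURE-NETS no-proxy-arp route-lookup
!
! Existing crypto map entry, shown so the ACL binding is visible (assumed names)
crypto map OUTSIDE-MAP 10 match address AZURE-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE-MAP interface outside
```

Because the ASA expands a source/destination object-group pair into one IPsec SA per network pair, `show crypto ipsec sa peer 203.0.113.10` should list a separate SA for each remote /16 once traffic has flowed; a range that never appears there, while the others do, usually means the peer's traffic selectors do not include it. `packet-tracer input inside icmp 10.1.1.1 8 0 10.211.0.1 detailed` then shows whether the NAT exemption and the VPN encryption phase are both hit for that range.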


Hi Marvin,

Ok, I've added the subnets to the ACL Manager under Site to Site VPN. Can you please explain the NAT exemption part a bit more? Where would I need to make those changes?

You should see some NAT entry (or entries) under Configuration > Firewall > NAT. Look for the ones that match the previous source and destination networks.

 

Ideally you would have used network object-groups for the local and remote networks; that way you only have to update that one object for the remote nets.

I have attached an image of the NAT rules I see under Firewall > NAT Rules.

That's the one - edit that destination address on the right hand side. Add the new destination subnets to it (or a new object-group that includes the existing and new subnets).

 

ASDM will let you do it either way, but it clutters the running-config with DM_INLINE_OBJECT items. That makes later troubleshooting harder.

I'm getting close :).. When I try to edit that and look for the 10.211.0.0/16 etc., it doesn't show up? But when I go to the ACL Manager in the VPN manager they are there? I notice a difference: in the manager they have a little IP icon beside them, but in the NAT manager they are little computers. So does that mean I need to create them again as objects in the NAT manager?

Never mind.. I think I see it in the group manager part.. one sec.. :)

Ok, I've added that, and they look like the attached now. Do I need to make any changes to the connection profile at all? Currently for the remote network it just has the 10.210.0.0/16 there. Also, when we go to Monitoring, all I see is the below. Shouldn't I see the other subnet there as well, i.e. 10.210.0.0 and 10.211.0.0?

  IPsec 10.1.1.0/255.255.255.0/0/0 10.214.0.0/255.255.0.0/0/0 AES-256
  Tunnel ID: 1994.2
  Hashing: SHA256
  Encapsulation: Tunnel
  Rekey Time Interval: 3600 Seconds
  Rekey Left(T): 3102 Seconds
  Rekey Data Interval: 4608000 K-Bytes
  Rekey Left(D): 4607960 K-Bytes
  Idle Time Out: 30 Minutes
  Idle TO Left: 29 Minutes
  Packets Tx: 0
  Packets Rx: 493
  0 40996

And for some reason, now when I do a packet trace from our prem 10.1.1.1 to 10.210.0.1, it seems to fail. See the attached.. not sure why it is doing that now?

It's hard to troubleshoot with only select snippets of ASDM screens. If you can share a sanitized configuration file it would be a lot more productive.

 

If not, you might open a TAC case.


Hi Marvin,

 

Attached is the config. The one big problem I can't figure out is why I can't have multiple subnets over the one VPN tunnel. I want 10.1.210.0.0/16, 10.1.211.0.0/16 and 10.1.214.0.0/16 all going over the one tunnel, but what is strange is I can have sub 10.210.0.0 and it works fine, but as soon as I add the others it bumps that one off and uses the last one I added. It seems for some reason I can only get one sub across the tunnel at a time. What am I missing? Thanks very much Marvin, you're a HUGE help.

  IPsec 10.1.1.0/255.255.255.0/0/0 10.211.0.0/255.255.0.0/0/0 AES-256
  Tunnel ID: 2078.2
  Hashing: SHA256
  Encapsulation: Tunnel
  Rekey Time Interval: 3600 Seconds
  Rekey Left(T): 1154 Seconds
  Rekey Data Interval: 4608000 K-Bytes
  Rekey Left(D): 4607894 K-Bytes
  Idle Time Out: 30 Minutes
  Idle TO Left: 29 Minutes
  Packets Tx: 1288
  Packets Rx: 1329
  108192 109504

As far as I can see, that all looks correct from the ASA side.

 

I can only imagine it's some limitation on the Azure end?


If it's a S2S VPN to Azure, you should get hold of the ASA config file from Azure Support.

I've had issues with this myself; you can then log a ticket and they can troubleshoot the VPN with you.

Regards,

Azam

We know that the original poster has made the changes to add the subnets. But do we know that the remote peer/Azure has made corresponding changes?

 

HTH

 

Rick