I am using a Cisco ASA 5545, ASDM 7.6. I have a site-to-site VPN tunnel created and now I would like to route additional traffic over that VPN tunnel. Can you please advise how I would do this via ASDM or CLI?
So the current remote network is 10.210.0.0/16, I would like to route the following remote ranges over the same VPN tunnel.
Address space (10.208.0.0/13):
You can also verify the different subnets with packet-tracer from the ASA CLI:
packet-tracer input inside icmp <source-ip> <icmp-type> <icmp-code> <dest-ip> detailed
Like I said earlier, you can open a ticket with Azure & have someone from their end on the phone while testing - if you think the fault lies with them.
I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.
It would be helpful if we could see the output of the command show crypto ipsec sa, and also an updated copy of the config.
Your site-site VPN traffic selection is governed by a crypto map that calls an ACL. Add the additional subnets into that existing ACL and the next time traffic is presented to the ASA to those subnets, it will be encapsulated and sent across the VPN.
The remote end will need a mirror image of the configuration to make it work both ways.
Finally, the NAT exemption for the VPN needs to have the new subnets added to it (again, at both ends).
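As an added illustration (not the original poster's configuration and not taken from the thread), the CLI equivalent of the ACL and NAT-exemption changes described above. Interface names (inside/outside), the object names, the crypto map name outside_map and the local LAN 10.1.1.0/24 are assumptions.

```text
! Added example configuration, not the poster's running-config.
! Interface names, object names, crypto map name and the local LAN are assumptions.

! Group the remote networks once so that both the crypto ACL and the
! NAT exemption reference the same object (no DM_INLINE_* clutter).
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object-group network AZURE-REMOTE-NETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0

! Crypto ACL: defines the "interesting traffic" that is encapsulated into the tunnel.
access-list AZURE-VPN-ACL extended permit ip object LOCAL-LAN object-group AZURE-REMOTE-NETS

! Crypto map entry that calls the ACL (peer and transform-set lines already exist).
crypto map outside_map 1 match address AZURE-VPN-ACL

! NAT exemption (identity twice NAT) so VPN traffic keeps its real addresses
! and is not translated by the Internet-facing dynamic NAT rules.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static AZURE-REMOTE-NETS AZURE-REMOTE-NETS no-proxy-arp route-lookup

! Verification: the VPN phase of packet-tracer should show ALLOW for each
! remote subnet, and show crypto ipsec sa should list one SA per local/remote pair.
packet-tracer input inside icmp 10.1.1.10 8 0 10.211.0.10 detailed
show crypto ipsec sa
```

Each local/remote network pair in the crypto ACL negotiates its own IPsec SA, so Monitoring shows one entry per remote subnet, and each pair must also exist in the traffic selectors on the Azure side.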
Ok, I've added the subnets to the ACL Manager under Site to Site VPN. Can you please explain the NAT exemption part a bit more? Where would I need to make those changes?
You should see some NAT entry (or entries) under Configuration > Firewall > NAT. Look for the ones that match the previous source and destination networks.
Ideally you would have used network object-groups for the local and remote networks; that way you only have to update that one object for the remote nets.
That's the one - edit that destination address on the right hand side. Add the new destination subnets to it (or a new object-group that includes the existing and new subnets).
ASDM will let you do it either way, but it makes the running-config clutter up with DM_INLINE_OBJECT items. That makes later troubleshooting harder.
I'm getting close :). When I try to edit that and look for the 10.211.0.0/16 etc., it doesn't show up, but when I go to the ACL manager in the VPN manager they are there. I notice a difference: in the ACL manager they have a little IP icon beside them, but in the NAT manager they are little computers. So does that mean I need to create them again as objects in the NAT manager?
Ok, I've added that, and they look like the attached now. Do I need to make any changes to the connection profile at all? Currently for remote network it just has the 10.210.0.0/16 there. Also, when we go to monitoring, all I see is the below; shouldn't I see the other subnet there as well, i.e. 10.210.0.0 and 10.211.0.0?
Type: IPsec
Local Addr / Remote Addr: 10.1.1.0/255.255.255.0/0/0  10.214.0.0/255.255.0.0/0/0
Encryption: AES-256
Other: Tunnel ID: 1994.2 Hashing: SHA256 Encapsulation: Tunnel Rekey Time Interval: 3600 Seconds Rekey Left(T): 3102 Seconds Rekey Data Interval: 4608000 K-Bytes Rekey Left(D): 4607960 K-Bytes Idle Time Out: 30 Minutes Idle TO Left: 29 Minutes Packets Tx: 0 Packets Rx: 493
Bytes Tx / Bytes Rx: 0 40996
It's hard to troubleshoot with only select snippets of ASDM screens. If you can share a sanitized configuration file it would be a lot more productive.
If not, you might open a TAC case.
Attached is the config. The one big problem I can't figure out is why I can't have multiple subnets over the one VPN tunnel. I want 10.1.210.0.0/16, 10.1.211.0.0/16, 10.1.214.0.0/16 all going over the one tunnel, but what is strange is I can have subnet 10.210.0.0 and it works fine, but as soon as I add the others it bumps that one off and uses the last one I added. It seems for some reason I can only get one subnet across the tunnel at a time. What am I missing? Thanks very much Marvin, you're a HUGE help.
Type: IPsec
Local Addr / Remote Addr: 10.1.1.0/255.255.255.0/0/0  10.211.0.0/255.255.0.0/0/0
Encryption: AES-256
Other: Tunnel ID: 2078.2 Hashing: SHA256 Encapsulation: Tunnel Rekey Time Interval: 3600 Seconds Rekey Left(T): 1154 Seconds Rekey Data Interval: 4608000 K-Bytes Rekey Left(D): 4607894 K-Bytes Idle Time Out: 30 Minutes Idle TO Left: 29 Minutes Packets Tx: 1288 Packets Rx: 1329
Bytes Tx / Bytes Rx: 108192 109504
As far as I can see, that all looks correct from the ASA side.
I can only imagine it's some limitation on the Azure end?
If it's a S2S VPN to Azure, you should get hold of the config file for the ASA config from Azure Support.
I've had issues with this myself; you can then log a ticket and they can troubleshoot the VPN with you.
We know that the original poster has made the changes to add the subnets. But do we know that the remote peer/Azure has made corresponding changes?