Adding another local network to a site-to-site -

122gerald
Level 1

Sorry, posted the same thing in the wrong forum (CCNA).

Please advise, thanks. Trying to add a new subnet (10.xxx.34.0/255.255.255.0) to a site-to-site; the other peer is a Cisco ASA.


show crypto ipsec sa:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (xxx.119.48.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (10.xxx.34.0/255.255.255.0/0/0)
   current_peer xxx.119.51.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 68.xxx.227.225, remote crypto endpt.: xxx.119.51.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


show crypto map:

Crypto Map "SDM_CMAP_2" 1 ipsec-isakmp
        Description: Tunnel to xxx.119.51.2
        Peer = xxx.119.51.2
        Extended IP access list 102
            access-list 102 permit ip xxx.119.48.0 0.0.0.127 xxx.119.41.0 0.0.0.255
            access-list 102 permit ip xxx.119.48.0 0.0.0.127 xxx.119.16.0 0.0.0.255
            access-list 102 permit ip xxx.119.48.0 0.0.0.127 xxx.119.47.0 0.0.0.255
            access-list 102 permit ip xxx.119.48.0 0.0.0.127 10.xxx.34.0 0.0.0.255
        Current peer: xxx.119.51.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={
                VPN,
        }
        Interfaces using crypto map SDM_CMAP_2:
                FastEthernet0/0


Julio Carvajal
VIP Alumni

Hello Gerald,

All you need to do is include the proper subnets in the crypto ACL on both sides (in this case 102 for the router).

The last thing would be to not NAT this traffic (for this, work on the NAT configuration).

If needed, you can post the entire configuration of both sides and also the new subnet that needs to be able to talk to the ASA internal subnet, and I can provide you the setup.

Remember to rate all the answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
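The change Julio describes, written out for both peers as an added example (this is not configuration from the original post). The addresses are the masked values from the post; the router's ACL 102 and the SA output show xxx.119.48.0/25 as the local network and 10.xxx.34.0/24 as the remote one behind the ASA, so that direction is assumed here. The router's NAT ACL name (NAT_ACL) and the ASA object, ACL and crypto map names (ROUTER-LAN, NEW-LAN, OUTSIDE_CRYPTOMAP, OUTSIDE_MAP) are assumptions, since the post shows neither device's NAT configuration nor the ASA side at all. The posted show crypto ipsec sa output already lists the new proxy pair but with current outbound spi 0x0 and empty inbound/outbound ESP SA lists: Phase 2 for that pair was never negotiated, which is what you see when the other peer has no mirror-image crypto ACL entry, or when the interesting traffic is translated by NAT before it reaches the crypto map and so never matches.

```cisco
! ===== IOS router (local side xxx.119.48.0/25) =====
! Crypto ACL: the new pair is already present in the post. Keep it as-is.
access-list 102 permit ip xxx.119.48.0 0.0.0.127 10.xxx.34.0 0.0.0.255
!
! NAT exemption. On IOS, inside-to-outside traffic is translated BEFORE it is
! checked against the crypto map, so a PAT rule that matches the LAN would
! rewrite the source to 68.xxx.227.225 and the packet would no longer match
! ACL 102. The deny entries must sit above the permit that feeds the overload.
! NAT_ACL is an assumed name; the router's real NAT ACL is not in the post.
ip access-list extended NAT_ACL
 deny   ip xxx.119.48.0 0.0.0.127 xxx.119.41.0 0.0.0.255
 deny   ip xxx.119.48.0 0.0.0.127 xxx.119.16.0 0.0.0.255
 deny   ip xxx.119.48.0 0.0.0.127 xxx.119.47.0 0.0.0.255
 deny   ip xxx.119.48.0 0.0.0.127 10.xxx.34.0 0.0.0.255
 permit ip xxx.119.48.0 0.0.0.127 any
ip nat inside source list NAT_ACL interface FastEthernet0/0 overload

! ===== ASA (remote side, 10.xxx.34.0/24 behind it), 8.3+ syntax =====
! Names below are assumptions.
object network ROUTER-LAN
 subnet xxx.119.48.0 255.255.255.128
object network NEW-LAN
 subnet 10.xxx.34.0 255.255.255.0
!
! Crypto ACL entry: exact mirror of the router's line. ASA uses subnet masks
! (255.255.255.128 here) where IOS uses the wildcard 0.0.0.127; the two must
! describe the same prefixes or Phase 2 for this pair fails while the other
! pairs keep working.
access-list OUTSIDE_CRYPTOMAP extended permit ip object NEW-LAN object ROUTER-LAN
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 10 set peer 68.xxx.227.225
!
! Identity (twice) NAT so the VPN traffic keeps its real addresses in both
! directions. This must be ordered before any dynamic PAT for the inside net.
nat (inside,outside) source static NEW-LAN NEW-LAN destination static ROUTER-LAN ROUTER-LAN no-proxy-arp route-lookup
!
! Pre-8.3 ASA equivalent of the exemption above:
!   access-list NONAT extended permit ip 10.xxx.34.0 255.255.255.0 xxx.119.48.0 255.255.255.128
!   nat (inside) 0 access-list NONAT

! ===== Verify from the router after sending traffic from the new pair =====
! clear crypto sa peer xxx.119.51.2
! show crypto ipsec sa peer xxx.119.51.2
!   -> for the 10.xxx.34.0/24 identity, #pkts encaps/decaps should be non-zero,
!      current outbound spi should be non-zero, and inbound/outbound esp sas
!      should each list an SPI. Empty lists mean the ASA rejected the proxy IDs.
```

Two checks before changing anything: confirm from the ASA's show crypto ipsec sa whether the existing three pairs have live SPIs (if so, Phase 1 and the transform set are fine and only the new pair's ACL/NAT entries are missing), and confirm which side the new subnet really lives on, because the crypto ACL entry and the NAT exemption are written source-first on each device and must be swapped if 10.xxx.34.0/24 is behind the router rather than the ASA. Separately, the crypto map in the post shows PFS with DH group1 (768-bit MODP); that group is far below current minimums, and if it is raised it has to be raised on both peers at the same time or Phase 2 will fail for every pair, not just the new one.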