cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
273
Views
0
Helpful
6
Replies

Adding Remote Network in ASA 5525

Dear Members,

 

I am new to ASA Firewall. I want to add remote Networks for an existing tunnel, but i have no idea how to go to the config of the existing tunnel from the command line, as there are multiple tunnels configured..

 

Kaleem

 

 

6 REPLIES 6
Dinesh Moudgil
Cisco Employee

"show run crypto map | in <peer IP>" will give you the crypto map sequence_number that is associated with this peer where you want to add remote subnets.

 

Then, "show run crypto map | in <sequence_number>" will show you the access-list_name associated with the same peer.

 

Verify the access-list is correct using "show access-list <access-list_name>". Once the access-list name is verified, you can add the remote subnets.

 

Thank you

Dinesh Moudgil

 

P.S. Please rate helpful posts.

 

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks for the Quick Reply

 

Then, "show run crypto map | in <sequence_number>" will show you the access-list_name associated with the same peer. (its not showing accesslist associated )

what is the command to add remote subnet ?

Do i need to do NAT exclusion also?

Can you please paste the output of

show run crypto map | in <sequence_number> ?

 

To add remote subnet, add the following line to the existing ACL

e.g. access-list <access-list_name> extended permit ip source_network source_subnetmask destination_network destination_subnetmask

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

NSH-ASA/pri/act# show run crypto map | in 50

crypto map NSHVPN_map 50 match address NRLVPN

crypto map NSHVPN_map 50 set pfs group5

crypto map NSHVPN_map 50 set peer 94.X.X.156

crypto map NSHVPN_map 50 set ikev1 transform-set NRLSet

crypto map NSHVPN_map 50 set security-association lifetime seconds 86400

So the peer 94.X.X.156 is mapped to ACL NRLVPN

You can configure the following

access-list NRLVPN extended permit ip source_network source_subnetmask destination_network destination_subnetmask

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
Mohammed al Baqari
VIP Advisor

Hi,

You need to identify the tunnel which you want to change, find the crypto
ACL associated with its crypto map and amend it to include ACL entries for
new subnets.

Example:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set
MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association
lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

You will need to modify this ACL

LAN1_LAN2

***** please remember to rate useful posts
Content for Community-Ad