Adding Remote Network in ASA 5525

Dear Members,

 

I am new to the ASA firewall. I want to add remote networks to an existing tunnel, but I have no idea how to get to the config of the existing tunnel from the command line, as there are multiple tunnels configured.

 

Kaleem

 

 

6 Replies

Dinesh Moudgil
Cisco Employee

"show run crypto map | in <peer IP>" will give you the crypto map sequence_number that is associated with this peer where you want to add remote subnets.

 

Then, "show run crypto map | in <sequence_number>" will show you the access-list_name associated with the same peer.

 

Verify the access-list is correct using "show access-list <access-list_name>". Once the access-list name is verified, you can add the remote subnets.

 

Thank you

Dinesh Moudgil

 

P.S. Please rate helpful posts.

 

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks for the quick reply.

 

Then, "show run crypto map | in <sequence_number>" will show you the access-list_name associated with the same peer. (It's not showing the associated access-list.)

What is the command to add a remote subnet?

Do I need to do NAT exclusion also?

Can you please paste the output of

show run crypto map | in <sequence_number> ?

 

To add remote subnet, add the following line to the existing ACL

e.g. access-list <access-list_name> extended permit ip source_network source_subnetmask destination_network destination_subnetmask

 


NSH-ASA/pri/act# show run crypto map | in 50

crypto map NSHVPN_map 50 match address NRLVPN

crypto map NSHVPN_map 50 set pfs group5

crypto map NSHVPN_map 50 set peer 94.X.X.156

crypto map NSHVPN_map 50 set ikev1 transform-set NRLSet

crypto map NSHVPN_map 50 set security-association lifetime seconds 86400

So the peer 94.X.X.156 is mapped to ACL NRLVPN

You can configure the following

access-list NRLVPN extended permit ip source_network source_subnetmask destination_network destination_subnetmask


Hi,

You need to identify the tunnel which you want to change, find the crypto ACL associated with its crypto map and amend it to include ACL entries for the new subnets.

Example:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

You will need to modify this ACL: LAN1_LAN2

***** please remember to rate useful posts
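Worked example (added here; it is not code from any reply in the thread): the lookup that Dinesh's replies and the last reply describe, done in Python against constructed "show run crypto map" output modelled on the NSHVPN_map 50 entry pasted above. It groups the lines by map name and sequence number rather than grepping for the number, because "| in 50" also matches sequence 150 and any peer address containing "50", and it builds the access-list line for a new remote subnet in the dotted-netmask form the ASA expects. The sequence 10 and 150 entries, the BRANCH1/OTHER names and all IP addresses and subnets are assumptions; only NSHVPN_map, NRLVPN and NRLSet come from the thread.

```python
"""Find the crypto map entry and crypto ACL for a peer, then build the ACL line.

Added example, not code from the thread. SAMPLE_CRYPTO_MAP is constructed,
modelled on the 'show run crypto map | in 50' output pasted above; the extra
entries (10, 150), the BRANCH1/OTHER names and all addresses are assumptions.
"""
import ipaddress
import re

SAMPLE_CRYPTO_MAP = """\
crypto map NSHVPN_map 10 match address BRANCH1
crypto map NSHVPN_map 10 set peer 203.0.113.10
crypto map NSHVPN_map 10 set ikev1 transform-set BRANCH1Set
crypto map NSHVPN_map 50 match address NRLVPN
crypto map NSHVPN_map 50 set pfs group5
crypto map NSHVPN_map 50 set peer 94.0.2.156
crypto map NSHVPN_map 50 set ikev1 transform-set NRLSet
crypto map NSHVPN_map 50 set security-association lifetime seconds 86400
crypto map NSHVPN_map 150 match address OTHER
crypto map NSHVPN_map 150 set peer 198.51.100.50
crypto map NSHVPN_map interface outside
"""

# One numbered crypto map entry line: "crypto map <map> <seq> <rest>".
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def include_lines(text, pattern):
    """Emulate the ASA '| include <regex>' filter: every line the regex matches."""
    return [line for line in text.splitlines() if re.search(pattern, line)]


def parse_crypto_map(text):
    """Group crypto map lines by (map name, sequence number).

    Returns {(map, seq): {"peers": [...], "acl": <match address name or None>}}.
    The 'crypto map <map> interface <if>' binding line has no sequence number
    and is skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = entries.setdefault((name, seq), {"peers": [], "acl": None})
        if rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])      # IKEv1 entries may list backup peers
        elif rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
    return entries


def crypto_acl_for_peer(text, peer_ip):
    """Return (map name, seq, crypto ACL name) for the entry whose peer is peer_ip.

    Raises if the peer is not found, is found in more than one entry, or the
    entry has no 'match address' line (the case in the thread where the ACL
    name did not show up).
    """
    entries = parse_crypto_map(text)
    hits = [key for key, e in entries.items() if peer_ip in e["peers"]]
    if len(hits) != 1:
        raise ValueError(f"expected one crypto map entry for peer {peer_ip}, found {len(hits)}")
    name, seq = hits[0]
    acl = entries[hits[0]]["acl"]
    if acl is None:
        raise ValueError(f"crypto map {name} {seq} has no 'match address' line")
    return name, seq, acl


def acl_line(acl_name, local_net, remote_net):
    """Build the ASA ACE in the form the thread gives, with dotted netmasks.

    strict=True rejects a host address written as a network (10.1.2.3/24),
    which would otherwise encrypt a different subnet than the one intended.
    """
    local = ipaddress.ip_network(local_net, strict=True)
    remote = ipaddress.ip_network(remote_net, strict=True)
    return (f"access-list {acl_name} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}")


def remote_subnet_command(text, peer_ip, local_net, remote_net):
    """The single config line to paste on the ASA for a new remote subnet on this peer."""
    _, _, acl = crypto_acl_for_peer(text, peer_ip)
    return acl_line(acl, local_net, remote_net)


if __name__ == "__main__":
    print(remote_subnet_command(SAMPLE_CRYPTO_MAP, "94.0.2.156", "10.1.0.0/16", "172.16.5.0/24"))
```

The script only produces the ASA-side access-list line. The same local/remote pair has to be added in mirror image to the peer's crypto ACL, and if the local network is otherwise translated on the outside interface, the new pair also needs a NAT exemption (identity NAT) rule, or the traffic will never match the crypto ACL.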