Cisco ASA 5510 and 5512: Routing multiple subnets between Site to Site VPN

nishesh3003 (Level 1)

Hello Everybody

I am a Cisco ASA rookie and I prefer performing most of my work using ASDM before I 'have to' dig into the CLI. I am a CCNA and hopefully someday I can equip myself with enough experience and knowledge to be more comfortable running and interpreting the IOS command line on ASA devices.

So that's me.

Moving on - firstly I would like to highlight my objective: To be able to route multiple subnets sitting behind one VPN Peer site over IPSEC Tunnel to the other Peer.

Following are the hardware devices involved along with example subnets and configurations which are 'known to be working' at present:

  • Site A - Cisco ASA 5510 Standalone. Inside Network: 10.10.0.0 /16. Outside IP: 80.200.200.10.
  • Site B - Cisco 5512 in HA Mode. Inside Network: 10.82.4.0/24; 10.82.5.0/24; 10.82.6.0/24. Outside IP: 183.23.55.10.
  • Site B ASA Firewalls connect to Cisco 3560 Catalyst Switches (2x Stacked Mode). All the subnets defined are configured as a VLAN on the 3560. 
  • An IPSEC Site to Site tunnel is configured between Site A and Site B.
    • Remote network for Site A = 10.10.0.0 /16 (configured on Site B)
    • Remote network for Site B = 10.82.4.0 /24 (configured on Site A).
    • NAT is exempted on both sides.
    • Site A ACL = Outside Interface Source Site B Destination Site A Permit
    • Site B ACL = Outside Interface Source Site A Destination Site B Permit
    • No static routes added on either Firewall.
  • IPSEC tunnel is currently working. Servers on site A (10.10.0.0 /16) can PING and RDP Servers on Site B (10.82.4.0 /24) and likewise.
  • Communications to and from the remaining 2 subnets in Site B (5.0 and 6.0 /24) do not work.
  • I tried adding a static route on the ASA on Site A and Site B to point to each other with the remaining subnets but this did not resolve the issue.

Upon some research I found out that "traffic destined for the remaining 2 subnets in Site B originating from Site A" and "traffic destined to Site A originating from the remaining 2 subnets in Site B" need to traverse the existing IPSEC tunnel between the 2 sites.

I understand what needs to be done here (assuming the above is correct) but I cannot find any KB that can explain the steps involved in getting it done (preferably from ASDM but if not then CLI will have to do).

Can any of you experienced people help me out here, please?

Accepted Solution

Abaji Rawool (Level 3)

Hi,

You should be able to have the same crypto map ACL include all source and destination subnets for the L2L VPN. Just make sure these ACLs are mirrors of each other and the interesting traffic is exempted from NAT.

Example:

Site A with one network a and Site B with 3 networks x, y, z

VPN ACL

permit ip a x
permit ip a y
permit ip a z

Site B will have the ACL in the reverse direction.

HTH

Abaji.


2 Replies


nishesh3003 (Level 1)

I was able to resolve the issue.

Instead of creating an S2S Profile with an individual subnet (ex: 10.3.3.0/24), I created a Network Object Group containing ALL the subnets that existed behind the ASA that I needed to be accessible over the S2S Tunnel on the other side.

Therefore I created a Network Object Group on both ASA Peers containing the list of networks on Site B.

I assigned this Network Object Group on the Source side on Site B and on the Destination side on Site A in their respective S2S VPN Profile.

This fixed the issue. Going forward, if any new subnet were to be added, we only need to amend the Network Object Group on 'both' sides if that new subnet had to be accessible over the existing S2S tunnel.
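What Abaji's mirrored-ACL answer and nishesh3003's object-group fix look like in ASA CLI (the equivalent of what ASDM writes when the S2S profile's local/remote networks are set to an object group), as an added example that is not part of the thread and not Cisco's documentation. The addresses are the thread's example values; the object, object-group, ACL and crypto map names (SITE-A-LAN, SITE-B-LANS, VPN-TO-SITE-B, VPN-TO-SITE-A, OUTSIDE_MAP, sequence 10) are assumptions, and the NAT lines use the ASA 8.3+ "twice NAT" syntax. The IKE/IPsec proposal and peer settings of the existing, working tunnel are left as they are.

```cisco
! ===== Site A (ASA 5510, outside 80.200.200.10) =====
! Object names below are assumptions for this example, not the thread's own names.
object network SITE-A-LAN
 subnet 10.10.0.0 255.255.0.0
! One group holds every Site B subnet that must be reachable through the tunnel;
! add future subnets here (and in the identical group at Site B), nothing else changes.
object-group network SITE-B-LANS
 network-object 10.82.4.0 255.255.255.0
 network-object 10.82.5.0 255.255.255.0
 network-object 10.82.6.0 255.255.255.0

! Crypto (interesting-traffic) ACL: local LAN -> all three remote subnets.
access-list VPN-TO-SITE-B extended permit ip object SITE-A-LAN object-group SITE-B-LANS

! NAT exemption (identity twice NAT) for exactly the same pairs, so the VPN traffic
! is never PAT'ed to the outside address. This rule must precede any dynamic PAT rule.
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LANS SITE-B-LANS no-proxy-arp route-lookup

! Bind the ACL to the existing crypto map entry for the Site B peer.
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE-B
crypto map OUTSIDE_MAP 10 set peer 183.23.55.10

! ===== Site B (ASA 5512 HA pair, outside 183.23.55.10) =====
! Same objects, ACL written in the reverse direction (mirror of Site A).
object network SITE-A-LAN
 subnet 10.10.0.0 255.255.0.0
object-group network SITE-B-LANS
 network-object 10.82.4.0 255.255.255.0
 network-object 10.82.5.0 255.255.255.0
 network-object 10.82.6.0 255.255.255.0

access-list VPN-TO-SITE-A extended permit ip object-group SITE-B-LANS object SITE-A-LAN

nat (inside,outside) source static SITE-B-LANS SITE-B-LANS destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup

crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE-A
crypto map OUTSIDE_MAP 10 set peer 80.200.200.10

! ===== Checks (run on either ASA after the change) =====
! Simulate a ping from Site A to a host on the 10.82.5.0/24 subnet: the output should
! show the NAT exemption rule matched and "VPN encrypt" as the final phase.
! packet-tracer input inside icmp 10.10.1.5 8 0 10.82.5.10
! Each local/remote subnet pair in the ACL negotiates its own IPsec SA; expect three
! local/remote ident lines for the peer once traffic to each subnet has flowed.
! show crypto ipsec sa peer 183.23.55.10
```

Two points from the thread worth checking against this configuration. First, the crypto ACLs at the two sites must be exact mirrors: a subnet present in one site's ACL but not the other's produces a Phase 2 proposal mismatch for that pair while the original 10.82.4.0/24 pair keeps working, which is the symptom the original post describes. Second, the Site B ASA must still have a route to 10.82.5.0/24 and 10.82.6.0/24 (via the 3560's SVI, or as directly connected subinterfaces); the tunnel delivers decrypted packets to the ASA, and the ASA then needs to know where to forward them inside.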