
Cisco IPSEC VPN

James Hoggard
Level 1
Level 1

Hi,

Hope someone can help!

I have 2 Cisco ASA 5512 firewalls, one at the main office and one in a branch office.

We have multiple VLANs at the head office and want them to traverse the IPsec tunnel but also access certain subnets in the branch VLAN.

I understand VLANs are locally significant, so how would I define certain subnets to access certain subnets at the other end of the tunnel?

Is this done within phase 2, where you define your subnets, local LAN and remote LAN?

I have only come across LAN-to-LAN IPsec, not multiple LANs off the same firewall.

Hope the above makes sense?

Accepted Solution

manish arora
Level 6
Level 6

Not sure how to explain this, but I will still give it a try. The LAN-to-LAN IPsec doc is what you are going to use for your multiple VLANs as well. The reason they show a single LAN in the doc is to make it easier for people to understand.

Use the same LAN-to-LAN IPsec doc, just add all your VLANs in the crypto ACL as well as the NAT exemption rules.

For example:

Site 1: 10.10.10.0/24 and 10.10.20.0/24
Site 2: 10.10.100.0/24 and 10.10.200.0/24

Your crypto ACL on Site should be:

access-list crypto_map_1 extended permit ip 10.10.10.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list crypto_map_1 extended permit ip 10.10.10.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list crypto_map_1 extended permit ip 10.10.20.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list crypto_map_1 extended permit ip 10.10.20.0 255.255.255.0 10.10.100.0 255.255.255.0

Similarly, make NAT exemption rules for all the concerned subnets, for example:

nat (inside,outside) source static OBJ-10.10.10.0 OBJ-10.10.10.0 destination static Obj-10.10.100.0 Obj-10.10.100.0

Manish
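A fuller version of the layout Manish describes, as an added example that is not part of the original post: the network objects, the crypto ACL, the NAT exemption for every local/remote pair, and the mirrored lines needed at Site 2. The subnets and the inside/outside interface names are the ones used above; the object and object-group names, the crypto map and transform-set names, and the peer address 203.0.113.2 are assumptions (IKE policy and tunnel-group configuration are omitted).

```cisco
! ---- Site 1 ASA (object names assumed; subnets from the post) ----
object network OBJ-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network OBJ-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
object network OBJ-10.10.100.0
 subnet 10.10.100.0 255.255.255.0
object network OBJ-10.10.200.0
 subnet 10.10.200.0 255.255.255.0
! Group the local and remote subnets so the crypto ACL and the NAT exemption stay in step
object-group network SITE1-LANS
 network-object object OBJ-10.10.10.0
 network-object object OBJ-10.10.20.0
object-group network SITE2-LANS
 network-object object OBJ-10.10.100.0
 network-object object OBJ-10.10.200.0
! Crypto ACL: this one ACE expands to the same four local/remote pairs as the lines above
access-list crypto_map_1 extended permit ip object-group SITE1-LANS object-group SITE2-LANS
! NAT exemption (identity twice NAT) for every pair, so tunnel traffic is never translated
nat (inside,outside) source static SITE1-LANS SITE1-LANS destination static SITE2-LANS SITE2-LANS no-proxy-arp route-lookup
! Crypto map binding the ACL to the peer (IKEv1 shown; 203.0.113.2 is a placeholder peer)
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address crypto_map_1
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev1 transform-set TS-AES256-SHA
crypto map outside_map interface outside
! ---- Site 2 ASA: the mirror image (same objects; local SITE2-LANS, remote SITE1-LANS) ----
! access-list crypto_map_1 extended permit ip object-group SITE2-LANS object-group SITE1-LANS
! nat (inside,outside) source static SITE2-LANS SITE2-LANS destination static SITE1-LANS SITE1-LANS no-proxy-arp route-lookup
! ---- Checks (run from Site 1) ----
! packet-tracer input inside tcp 10.10.20.5 1025 10.10.200.5 445   (expect NAT exempt + VPN encrypt)
! show crypto ipsec sa peer 203.0.113.2                             (one SA pair per local/remote subnet pair)
```

The ASA expands the object-group ACE into one proxy ID per local/remote pair, so both sides' crypto ACLs must be exact mirrors or phase 2 fails for the mismatched pairs. Keep the ACL to the specific subnets rather than widening it, because the crypto ACL also decides what can reach the other site through the tunnel.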


2 Replies


Thanks for the response. Now I understand. Great post.