08-15-2014 04:05 PM
Hi;
I am using an ASA 5512x. I have a VPN tunnel with a remote site, and it is up. I can access their 172.16.0.0/24 subnet, which was added in the wizard during the site-to-site VPN configuration. At the remote site, there is another subnet, 172.16.1.0/24. How can I extend my VPN tunnel to reach the 2nd subnet?
During my research, I saw a lot of solutions using a static route, and I tried that but it does not help.
Does someone here know how to do it?
Thanks!
08-15-2014 06:51 PM
08-15-2014 09:19 PM
Hi;
I added a similar access list like the one below, but it does not work either.
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
08-15-2014 10:00 PM
Hi,
Your access-list is wrong.... you said 172.16.1.0/24 is the remote site subnet which you already have access.....
You need to add 172.16.1.0/24 as well.... but the source should be your subnet.
Say your side's LAN has 192.168.1.0/24, from which you want to access 172.16.0.0/24 and 172.16.1.0/24.... then the crypto ACL should be:
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
and in NAT0 or nonat statement you need to exempt this as well.....
Make sure that on the other side they make the similar changes....
The other end changes would be:
access-list outside_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!
Do not create a different crypto map.... you have to add it in the same crypto map.
Regards
Karthik
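Added example, not part of the thread: a small Python check for the two conditions in the answer above, that every crypto ACL entry has a local LAN as its source and that the peer carries the mirror-image entry. The configs are constructed samples, 192.168.1.0/24 is the answer's "say" value for the local LAN, both ends are assumed to use the same ACL name, and the function names are hypothetical.

```python
import ipaddress
import re

# Matches the crypto ACL form used in the thread (network/netmask pairs only).
ACE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(config, acl_name):
    """Return the set of (source, destination) networks in one crypto ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs

def check_tunnel(local_cfg, peer_cfg, acl_name, local_lans):
    """List entries whose source is not a local LAN or that lack a mirror on the other end."""
    lans = [ipaddress.ip_network(n) for n in local_lans]
    local = parse_crypto_acl(local_cfg, acl_name)
    peer = parse_crypto_acl(peer_cfg, acl_name)
    problems = []
    for src, dst in sorted(local, key=str):
        if not any(src.subnet_of(lan) for lan in lans):
            problems.append(f"source {src} is not a local LAN (entry to {dst})")
        elif (dst, src) not in peer:
            problems.append(f"peer lacks mirror entry {dst} -> {src}")
    for src, dst in sorted(peer - {(d, s) for s, d in local}, key=str):
        problems.append(f"local lacks mirror entry {dst} -> {src}")
    return problems

# Constructed sample configs. LOCAL_BROKEN repeats the entry from the question.
ACL = "outside_2_cryptomap"
FIRST = f"access-list {ACL} extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0\n"
LOCAL_BROKEN = FIRST + f"access-list {ACL} extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0\n"
LOCAL_FIXED = FIRST + f"access-list {ACL} extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0\n"
PEER_OLD = f"access-list {ACL} extended permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
PEER_FIXED = PEER_OLD + f"access-list {ACL} extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0\n"

if __name__ == "__main__":
    for name, loc, per in [("broken", LOCAL_BROKEN, PEER_OLD), ("local only", LOCAL_FIXED, PEER_OLD),
                           ("both ends", LOCAL_FIXED, PEER_FIXED)]:
        print(name, check_tunnel(loc, per, ACL, ["192.168.1.0/24"]) or "ok")
```

The check covers only the crypto ACL; the NAT exemption mentioned in the answer still has to be verified separately on each ASA.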
08-15-2014 09:36 PM
I found this similar scenario at http://www.packetu.com/2012/01/23/asa-l2l-vpn-spoke-to-spoke-communication/.
Should I configure my ASA like that?