Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
975
Views
0
Helpful
3
Replies

Site to site VPN : adding new networks

Go to solution
LMADAdmin
Level 1
Level 1

‎05-06-2011 11:36 AM

I have a S2S VPN setup between a pair of ASAs (5510 and 5505) both running latest. Works fine and connects 3 local vLANs to the remote site, which has one /24 subnet. When I try and add a fourth local subnet it takes it but I can't get it to pass traffic to/from the new subnet.

Any ideas what I am misisng?

More details:

5510                              172.100.0.2/22

Core Switch (juniper)       172.100.0.1/22

     vLAN 10 172.100.10.0/24   Handled by the Juniper; DEF GW x.x.x.254 (works)

     default vLAN 172.100.0.0/22 (works)

     PCI vLAN 172.100.50.0/24  Handled by the ASA 5505  (works)

     vLAN 20 172.100.20.0/24     Handled by the Juniper; DEF GW x.x.x.254 (recently added, does not work)

5505                              192.168.100.1/24

     Local network 192.168.100.0/24

I have added vLAN 20 as a remote network on the 5505 and as a local network on the 5510. Applied, broke the connection and re-applied it.

When I ping from the 20 vLAN I get destination cannot be reached from an ISP upstream router and when I tracert, I get DEF GW, ASA's next Hop to the internet and one hop farther out where I get a unreachable message from that (3 hops and a fourth 'hop' that says it cannot reach)

When I ping from vLAN 10 it returns a ping. When I tracert it hits the vLAN Def GW, and then directly to the server I am trying to ping in the remote location (two hops).

I can ping all things local form the 10 & 20 vLANs and get out to the internet fine.

Any help appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andamani
Cisco Employee
Cisco Employee

‎05-06-2011 05:55 PM

Hi,

You need to ensure that he ASA 5510 has one more statement in the crypto acl stating "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0"

and a nat exemption ACL having ACE "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0".

On ASA 5505, you need to have one more statement in the crypto acl stating "permit ip 192.168.100.0 255.255.255.0 172.100.20.0  255.255.255.0"

and a nat  exemption ACL having ACE "permit ip  192.168.100.0 255.255.255.0 172.100.20.0 255.255.255.0".


Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
fgoodwin
Level 1
Level 1

‎05-06-2011 11:48 AM

Not seeing you config the first thing I'd suggest is look at nat exemption. If your not exempting your

new network from being natted it won't reach your remote site.

0 Helpful

Go to solution
andamani
Cisco Employee
Cisco Employee

‎05-06-2011 05:55 PM

Hi,

You need to ensure that he ASA 5510 has one more statement in the crypto acl stating "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0"

and a nat exemption ACL having ACE "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0".

On ASA 5505, you need to have one more statement in the crypto acl stating "permit ip 192.168.100.0 255.255.255.0 172.100.20.0  255.255.255.0"

and a nat  exemption ACL having ACE "permit ip  192.168.100.0 255.255.255.0 172.100.20.0 255.255.255.0".


Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

Go to solution
LMADAdmin
Level 1
Level 1
In response to andamani

‎05-09-2011 10:48 AM

That did it. Spot on, thanks!

0 Helpful
Customers Also Viewed These Support Documents