cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
547
Views
0
Helpful
3
Replies
LMADAdmin
Beginner

Site to site VPN : adding new networks

I have a S2S VPN setup between a pair of ASAs (5510 and 5505) both running latest. Works fine and connects 3 local vLANs to the remote site, which has one /24 subnet. When I try and add a fourth local subnet it takes it but I can't get it to pass traffic to/from the new subnet.

Any ideas what I am misisng?

More details:

5510                              172.100.0.2/22

Core Switch (juniper)       172.100.0.1/22

     vLAN 10 172.100.10.0/24   Handled by the Juniper; DEF GW x.x.x.254 (works)

     default vLAN 172.100.0.0/22 (works)

     PCI vLAN 172.100.50.0/24  Handled by the ASA 5505  (works)

     vLAN 20 172.100.20.0/24     Handled by the Juniper; DEF GW x.x.x.254 (recently added, does not work)

5505                              192.168.100.1/24

     Local network 192.168.100.0/24

I have added vLAN 20 as a remote network on the 5505 and as a local network on the 5510. Applied, broke the connection and re-applied it.

When I ping from the 20 vLAN I get destination cannot be reached from an ISP upstream router and when I tracert, I get DEF GW, ASA's next Hop to the internet and one hop farther out where I get a unreachable message from that (3 hops and a fourth 'hop' that says it cannot reach)

When I ping from vLAN 10 it returns a ping. When I tracert it hits the vLAN Def GW, and then directly to the server I am trying to ping in the remote location (two hops).

I can ping all things local form the 10 & 20 vLANs and get out to the internet fine.

Any help appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
andamani
Cisco Employee

Hi,

You need to ensure that he ASA 5510 has one more statement in the crypto acl stating "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0"

and a nat exemption ACL having ACE "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0".

On ASA 5505, you need to have one more statement in the crypto acl stating "permit ip 192.168.100.0 255.255.255.0 172.100.20.0  255.255.255.0"

and a nat  exemption ACL having ACE "permit ip  192.168.100.0 255.255.255.0 172.100.20.0 255.255.255.0".


Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

View solution in original post

3 REPLIES 3
fgoodwin
Beginner

Not seeing you config the first thing I'd suggest is look at nat exemption. If your not exempting your

new network from being natted it won't reach your remote site.

andamani
Cisco Employee

Hi,

You need to ensure that he ASA 5510 has one more statement in the crypto acl stating "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0"

and a nat exemption ACL having ACE "permit ip 172.100.20.0 255.255.255.0 192.168.100.0 255.255.255.0".

On ASA 5505, you need to have one more statement in the crypto acl stating "permit ip 192.168.100.0 255.255.255.0 172.100.20.0  255.255.255.0"

and a nat  exemption ACL having ACE "permit ip  192.168.100.0 255.255.255.0 172.100.20.0 255.255.255.0".


Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

View solution in original post

That did it. Spot on, thanks!

Content for Community-Ad