Site-to-site VPN: 1 private IP to 6 VLAN subnets

AQUALUNGAMERICA
Level 1
Level 1

My firewall is a Cisco ASA 5520 running 8.4(5).

I have to build a site-to-site VPN tunnel from one private IP to 6 private subnets. I am working with another engineer on the other side.

private IP----outside static public IP<------site to site----->outside static public IP----6 private VLANs.

Each VLAN has to be able to get to the private IP and vice versa. I am trying to figure out what would be the best configuration.

Any suggestions would be appreciated.

Thank you

Carlos

Accepted Solution

I think there is no "best configuration", just one configuration that should work:

On your ASA configure the VPN with a crypto ACL like the following:

object network PRIVATE-IP
  host 10.10.10.10
object-group network REMOTE-VPN-NETWORKS
  network-object 10.100.1.0 255.255.255.0
  network-object 10.100.7.0 255.255.255.0
  network-object 10.200.1.0 255.255.255.0
  ...
!
access-list VPN-XXX permit ip object PRIVATE-IP object-group REMOTE-VPN-NETWORKS
!
crypto map VPN 10 match address VPN-XXX

On the other side, the crypto ACL has to be exactly mirrored. And you have to exempt the traffic from NAT.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
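The answer above gives the crypto ACL and says to mirror it and exempt the traffic from NAT, but leaves out the rest of what an ASA 8.4 site-to-site tunnel needs. The following is a complete configuration built around that answer; it is an added example, not part of the original post or of Cisco's documentation. The object names from the answer (PRIVATE-IP, REMOTE-VPN-NETWORKS, VPN-XXX, crypto map VPN) are reused. Everything else is an assumption: the interface names inside/outside, the local peer 198.51.100.1 and remote peer 203.0.113.2 (documentation addresses), the six remote subnets, the IKEv1/IPsec parameters, and the pre-shared-key placeholder.

```cisco
! ===== Local ASA (8.4(5)), side with the single private host =====
! Assumed interface names: inside (hosts the private IP), outside (198.51.100.1)

object network PRIVATE-IP
 host 10.10.10.10

! Assumed set of six remote VLAN subnets (the post only shows three and "...")
object-group network REMOTE-VPN-NETWORKS
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.7.0 255.255.255.0
 network-object 10.200.1.0 255.255.255.0
 network-object 10.200.2.0 255.255.255.0
 network-object 10.200.3.0 255.255.255.0
 network-object 10.200.4.0 255.255.255.0

! Crypto ACL: "interesting traffic" for the tunnel, exactly as in the answer
access-list VPN-XXX extended permit ip object PRIVATE-IP object-group REMOTE-VPN-NETWORKS

! NAT exemption (8.4 twice-NAT form). Identity-translates both ends so the
! host keeps 10.10.10.10 towards the remote VLANs and is not hit by any
! outbound PAT. no-proxy-arp stops the ASA from ARPing for the remote
! subnets on inside; route-lookup (8.4(2)+) makes egress use the routing table.
nat (inside,outside) source static PRIVATE-IP PRIVATE-IP destination static REMOTE-VPN-NETWORKS REMOTE-VPN-NETWORKS no-proxy-arp route-lookup

! Phase 1 (IKEv1) policy; parameters are assumptions, must match the peer
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 transform set; name and ciphers are assumptions
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map entry: bind the ACL, the peer and the proposal, then apply it
crypto map VPN 10 match address VPN-XXX
crypto map VPN 10 set peer 203.0.113.2
crypto map VPN 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN 10 set pfs group2
crypto map VPN interface outside

! Peer authentication. Replace the placeholder with a long random secret
! shared out-of-band; it is the only thing authenticating the remote side.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <STRONG-RANDOM-PSK>

! sysopt connection permit-vpn is on by default; if it has been disabled,
! the outside interface ACL must also permit the decrypted traffic.


! ===== Remote ASA (the side with the six VLANs), assumed to also be an ASA =====
! The crypto ACL is the exact mirror: source = its VLANs, destination = the host.

object network PRIVATE-IP
 host 10.10.10.10
object-group network LOCAL-VLANS
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.7.0 255.255.255.0
 network-object 10.200.1.0 255.255.255.0
 network-object 10.200.2.0 255.255.255.0
 network-object 10.200.3.0 255.255.255.0
 network-object 10.200.4.0 255.255.255.0

access-list VPN-XXX extended permit ip object-group LOCAL-VLANS object PRIVATE-IP
nat (inside,outside) source static LOCAL-VLANS LOCAL-VLANS destination static PRIVATE-IP PRIVATE-IP no-proxy-arp route-lookup

crypto map VPN 10 match address VPN-XXX
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN 10 set pfs group2
crypto map VPN interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <STRONG-RANDOM-PSK>
```

Two things worth checking after pasting this in. First, NAT ordering: in 8.4 the manual (twice) NAT rules in section 1 are evaluated before object (auto) NAT, so this exemption wins over a typical `object network ... nat (inside,outside) dynamic interface` PAT rule; if your outbound PAT is itself a manual rule, the exemption has to sit above it. Second, confirm the flow is actually exempted and encrypted before involving the other engineer: `packet-tracer input inside tcp 10.10.10.10 12345 10.100.1.10 80` should show the NAT phase hitting the identity rule and a VPN phase that encrypts, and once the peer responds `show crypto ikev1 sa` and `show crypto ipsec sa` show the phase 1 state and one IPsec SA pair per subnet in the crypto ACL. A crypto ACL that is not mirrored exactly (one subnet wider on one side, or a different mask) shows up there as a phase 2 proposal mismatch rather than as a routing problem.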
