07-02-2014 02:57 AM
Hi,
We have a Cisco ASA 9.1 and lots of VPN clients which work fine on it.
Now we have to connect a partner site with Site-to-Site VPN.
We have few problems:
Which are the best solutions to configure this Site-to-Site VPN?
Thanks for your help,
Patrick
Solved! Go to Solution.
07-02-2014 05:27 AM
Hi Patrick,
Best option here is you can specify the required subnets alone in cryptomap /encryption domain...
say in 10.0.0.0/8 the other end need to access only few subnets 10.1.0.0/24, 10.10.20.0/24..... you can specify that alone in your crypto acl.... else you can use deny statement for the specific 10.145.0.0/16 in crypto map but am not sure if that gives you the better result.
If you have the access required which is mixed up with multiple 10.x.x.x/8 statements..... then you can have the crypto ACL like the below encryption domains... Here you are skipping 10.145.0.0/16 alone from the subnet range.....
10.0.0.0/9 to 10.145.0.0/16
10.128.0.0/12 to 10.145.0.0/16
10.146.0.0/15 to 10.145.0.0/16
10.148.0.0/14 to 10.145.0.0/16
10.152.0.0/13 to 10.145.0.0/16
10.160.0.0/11 to 10.145.0.0/16
10.192.0.0/10 to 10.145.0.0/16
but make sure that you dont have any servers in 10.145.0.0/16 in your lan that client requires access.....
Link for having deny crypto ACL';s
https://supportforums.cisco.com/discussion/10909276/crypto-acl-question
Regards
Karthik
07-02-2014 03:15 AM
Hi Patrick,
In such case of overlapping network you should get that NAT on both the ends. But you can restrict your encryption domain excluding the 10.145.0.0/16 network through VPN.
Say if they are allowed to access certain segment inside your LAN then specify those subnets alone in crypto ACL.
Regards
Karthik.
07-02-2014 04:59 AM
Hi Karthik,
Thanks for your quick answer :)
How to exclude the 10.145.0.0/16 network in encryption domain? Do you have CLI or ADSM examples?
Regards
Patrick
07-02-2014 05:27 AM
Hi Patrick,
Best option here is you can specify the required subnets alone in cryptomap /encryption domain...
say in 10.0.0.0/8 the other end need to access only few subnets 10.1.0.0/24, 10.10.20.0/24..... you can specify that alone in your crypto acl.... else you can use deny statement for the specific 10.145.0.0/16 in crypto map but am not sure if that gives you the better result.
If you have the access required which is mixed up with multiple 10.x.x.x/8 statements..... then you can have the crypto ACL like the below encryption domains... Here you are skipping 10.145.0.0/16 alone from the subnet range.....
10.0.0.0/9 to 10.145.0.0/16
10.128.0.0/12 to 10.145.0.0/16
10.146.0.0/15 to 10.145.0.0/16
10.148.0.0/14 to 10.145.0.0/16
10.152.0.0/13 to 10.145.0.0/16
10.160.0.0/11 to 10.145.0.0/16
10.192.0.0/10 to 10.145.0.0/16
but make sure that you dont have any servers in 10.145.0.0/16 in your lan that client requires access.....
Link for having deny crypto ACL';s
https://supportforums.cisco.com/discussion/10909276/crypto-acl-question
Regards
Karthik
07-02-2014 05:30 AM
Thanks a lot for your help
Best regards,
Patrick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide