Cannot add subnets to Cisco ASA VPN tunnel

Hi Group,

I have a working VPN configured on my ASA 5510. It works very well between two subnets. But I cannot tunnel another subnet through this VPN tunnel. I tried setting access lists on the outside interface. I tried using "sysopt connection permit-vpn". Nothing seems to work.

The VPN tunnel works between those two subnets and lets all traffic through:

10.2.5.0/24 (Cisco ASA)
192.168.90.0/24 (Remote Draytek 2950 VPN router)

I also want to allow traffic through the tunnel from the following remote networks:

192.168.145.0/24
192.168.18.0/24

Here is the part of my ASA configuration where I define the VPN traffic:

access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0

crypto map Internet_map 20 match address VPN_access

access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0

nat (DMZ) 0 access-list DMZ_nat0_outbound

gw(config)# show crypto ipsec sa
interface: Internet
    Crypto map tag: Internet_map, seq num: 20, local addr: 10.1.2.3

      access-list VPN_access permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
      current_peer: 10.1.2.4

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 710, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 710

      local crypto endpt.: 10.1.2.3, remote crypto endpt.: 10.1.2.4
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 178B4567

    inbound esp sas:
      spi: 0xA9DF5E02 (2849988098)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8, crypto-map: Internet_map
         sa timing: remaining key lifetime (sec): 2886
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x178B4567 (395003239)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8, crypto-map: Internet_map
         sa timing: remaining key lifetime (sec): 2886
         IV size: 16 bytes
         replay detection support: Y

Thanks for any pointers!

Max
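Added example, not part of the thread: a small Python audit that compares the VPN_access crypto ACL against the proxy identities reported by `show crypto ipsec sa` and flags ACL entries for which the peer never negotiated an SA, as well as SAs whose received packets all end up as recv errors (the pattern in the output above). The ACL and SA text are constructed from the post, and the regexes assume the standard ASA line layout.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: three crypto ACL entries, one negotiated SA.
ACL_TEXT = """\
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0
"""
SA_TEXT = """\
local ident (addr/mask/prot/port): (10.2.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
#pkts decaps: 710, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 710
"""
ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/")
COUNTER_RE = re.compile(r"#(pkts decaps|pkts decrypt|recv errors): (\d+)")

def net(addr, mask):
    # ip_network accepts dotted-quad masks, so ACL and SA forms compare directly
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    # (local, remote) pairs the crypto map ACL marks as interesting traffic
    return [(net(a, am), net(b, bm)) for a, am, b, bm in ACL_RE.findall(text)]

def parse_sas(text):
    # one dict per SA: proxy IDs plus the counters audited below
    sas = []
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":
                sas.append({})
            sas[-1][m.group(1)] = net(m.group(2), m.group(3))
        for name, value in COUNTER_RE.findall(line):
            sas[-1][name] = int(value)
    return sas

def audit(acl_text, sa_text):
    # ACL entries with no SA, and SAs that receive packets but decrypt none
    sas = parse_sas(sa_text)
    findings = []
    for local, remote in parse_acl(acl_text):
        if not any(sa["local"] == local and sa["remote"] == remote for sa in sas):
            findings.append(f"no IPsec SA for {local} <-> {remote}")
    for sa in sas:
        if sa.get("recv errors", 0) and not sa.get("pkts decrypt", 0):
            findings.append(f"SA {sa['local']} <-> {sa['remote']}: {sa['recv errors']} recv errors, 0 decrypted")
    return findings
```

A missing SA for an ACL entry means the peer never proposed that proxy ID pair, so the fix belongs on the remote side's phase 2 selectors rather than on the ASA's interface ACLs.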


Looks like you have your NO NAT set correctly. Is this a LAN-to-LAN tunnel or VPN client? Has IKE phase one been established? It appears to be a LtoL config by the show command. Does the far end router have statics configured pointing to the tunnel?

Greg


It is a LAN-to-LAN tunnel. IKE phase one passes without a problem and the tunnel gets established. I have full connectivity between the subnets, which are directly connected to either side of the tunnel:

10.2.5.0/24 and 192.168.70.0/24

I have trouble passing through any routed subnets that are not directly attached on either side of the tunnel. The routing of those networks on the remote site works, since we also have other tunnels on the remote site.

The following remote networks are inaccessible over the VPN:

192.168.145.0/24
192.168.18.0/24

Which means that I cannot pass any traffic from:

10.2.5.0/24 to 192.168.145.0/24 (both ways; not a single packet gets through)
10.2.5.0/24 to 192.168.18.0/24 (both ways; not a single packet gets through)

The remote side works fine with several other tunnels we have in use. The remote site has no trouble passing any traffic on between all the other VPNs attached, and it passes through any defined routed subnets.

Thank you for any pointers!

Max
