Hi Group,
I have a working VPN configured on my ASA 5510. It works very well between two subnets. But I cannot tunnel another subnet through this VPN tunnel. I tried setting access lists on the outside interface. I tried using "sysopt connection permit-vpn". Nothing seems to work.
The VPN tunnel works between those two subnets and lets all traffic through:
    10.2.5.0/24 (Cisco ASA)
    192.168.90.0/24 (Remote Draytek 2950 VPN router)

I also want to allow traffic through the tunnel from the following remote networks:

    192.168.145.0/24
    192.168.18.0/24

Here is the part of my ASA configuration where I define the VPN traffic:
    access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
    access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
    access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0
    crypto map Internet_map 20 match address VPN_access

    access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
    access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
    access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0
    nat (DMZ) 0 access-list DMZ_nat0_outbound
    gw(config)# show crypto ipsec sa
    interface: Internet
        Crypto map tag: Internet_map, seq num: 20, local addr: 10.1.2.3

          access-list VPN_access permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.2.5.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
          current_peer: 10.1.2.4

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 710, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 710

          local crypto endpt.: 10.1.2.3, remote crypto endpt.: 10.1.2.4

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 178B4567

        inbound esp sas:
          spi: 0xA9DF5E02 (2849988098)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 8, crypto-map: Internet_map
             sa timing: remaining key lifetime (sec): 2886
             IV size: 16 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x178B4567 (395003239)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 8, crypto-map: Internet_map
             sa timing: remaining key lifetime (sec): 2886
             IV size: 16 bytes
             replay detection support: Y
Thanks for any pointers!
Max
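A consistency check over the configuration fragment and the "show crypto ipsec sa" output in the post above, as an added example that is not part of the original post and not a Cisco tool: it parses the crypto-map ACL and the nat0 ACL, parses the SA listing, and reports (a) crypto-map entries with no nat0 exemption covering them, (b) crypto-map entries for which no IPsec SA with matching proxy identities exists, and (c) SAs whose counters show ESP arriving (decaps > 0) that was not decrypted or that logged recv errors. The inline config and SA text are constructed copies of what the post shows; the function names, regexes and the "audit" result keys are the example's own and assume the standard ASA 8.x "access-list ... extended permit ip" and "show crypto ipsec sa" formats.

```python
import re
import ipaddress

# Constructed sample: the crypto-map ACL and the nat0 ACL as posted.
ASA_CONFIG = """\
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list VPN_access extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0
crypto map Internet_map 20 match address VPN_access
access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 192.168.18.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
"""

# Constructed sample: the relevant lines of 'show crypto ipsec sa' from the post.
SHOW_SA = """\
Crypto map tag: Internet_map, seq num: 20, local addr: 10.1.2.3
  local ident (addr/mask/prot/port): (10.2.5.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
  current_peer: 10.1.2.4
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 710, #pkts decrypt: 0, #pkts verify: 0
  #send errors: 0, #recv errors: 710
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
RECV_ERR_RE = re.compile(r"#recv errors: (\d+)")


def parse_config(text):
    """Return (acls, crypto_acl_names, nat0_acl_names) from an ASA config fragment.
    acls maps ACL name -> list of (src_network, dst_network) for 'permit ip' entries."""
    acls, crypto_names, nat0_names = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            crypto_names.append(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_names.append(m.group(1))
    return acls, crypto_names, nat0_names


def parse_sa(text):
    """Return one dict per IPsec SA pair: proxy identities, peer and packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            side, addr, mask = m.groups()
            if side == "local":          # each SA block begins with its local ident
                cur = {"counters": {}}
                sas.append(cur)
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}")
        elif cur is not None:
            if m := PEER_RE.search(line):
                cur["peer"] = m.group(1)
            for name, value in COUNTER_RE.findall(line):
                cur["counters"][name] = int(value)
            if m := RECV_ERR_RE.search(line):
                cur["counters"]["recv_errors"] = int(m.group(1))
    return sas


def covered(pair, exemptions):
    """True if some nat0 entry contains both the source and the destination of pair."""
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exemptions)


def audit(config_text, show_sa_text):
    acls, crypto_names, nat0_names = parse_config(config_text)
    crypto_aces = [ace for n in crypto_names for ace in acls.get(n, [])]
    exemptions = [ace for n in nat0_names for ace in acls.get(n, [])]
    sas = parse_sa(show_sa_text)
    active = {(sa["local"], sa["remote"]) for sa in sas}
    return {
        # crypto-map entries whose traffic would still be NATed before encryption
        "missing_nat0": [p for p in crypto_aces if not covered(p, exemptions)],
        # crypto-map entries for which no SA with matching proxy identities exists
        "no_sa": [p for p in crypto_aces if p not in active],
        # SAs that received ESP but decrypted none of it, or that logged recv errors
        "suspicious": [sa for sa in sas
                       if (sa["counters"].get("decaps", 0) > 0
                           and sa["counters"].get("decrypt", 0) == 0)
                       or sa["counters"].get("recv_errors", 0) > 0],
    }


if __name__ == "__main__":
    for key, items in audit(ASA_CONFIG, SHOW_SA).items():
        print(key)
        for item in items:
            print("   ", item if key != "suspicious"
                  else f"{item['local']} -> {item['remote']} via {item.get('peer')} {item['counters']}")
```

Run against the posted text it reports no missing nat0 exemptions, two crypto-map entries (192.168.145.0/24 and 192.168.18.0/24) with no negotiated SA, and the one existing SA as suspicious because all 710 decapsulated packets ended as recv errors; the "no_sa" list is the place to start when deciding which proxy identities the remote peer has actually agreed to.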