Add network to existing l2l VPN

jeff.velten
Level 1

I've successfully set up l2l VPN between our main site and 2 branch offices. Now I would like to allow additional networks from the main site to access the branch sites. The Cisco doc here (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) shows a method for doing this by adding an additional interface. Is it possible to do this without adding an interface?

Here's the relevant config from the main site ASA (8.0) and one of the remote PIXs (7.0):

=========================

ASA (Main site)

access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.97.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5

=========================

PIX (Remote site)

access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20_2
crypto map outside_map 20 set peer 204.14.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5

Accepted Solution

acomiskey
Level 10

Just add the interesting traffic to your access lists. New network = 172.16.2.0/24

ASA (Main site)

access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

PIX (Remote site)

access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0

Don't forget about your nat exemption acl as well. For instance....

ASA (Main site)

access-list <nat-exemption-acl-name> extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

PIX (Remote site)

access-list <nat-exemption-acl-name> extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
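The rule in the accepted answer (mirror the crypto-map ACL entry on both peers and add the same pair to each side's NAT-exemption ACL) is easy to check mechanically before touching the tunnel, and the mistake the original poster made (a missing NAT exemption on one end) is exactly the kind of thing such a check catches. The script below is an added example, not part of this thread and not a Cisco tool: it parses `access-list <name> extended permit ip <src> <mask> <dst> <mask>` lines from both peers' configs, builds the set of (source, destination) network pairs per ACL, and reports crypto entries that have no mirror on the other peer or that are absent from the NAT-exemption ACL. The sample configs are constructed from the networks in the thread; the NAT-exemption ACL name `inside_nat0_outbound` is an assumed name, not one the thread gives.

```python
"""Consistency check for l2l VPN crypto-map ACLs and NAT-exemption ACLs.

Added example; the config text below is constructed from the networks in
the thread, and the NAT-exemption ACL name `inside_nat0_outbound` is an
assumption (the thread never names that ACL)."""
import ipaddress
import re

# Matches the 'permit ip' form used by crypto-map and NAT-exemption ACLs.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

# Constructed: main-site ASA with the new 172.16.2.0/24 network added to the
# crypto ACL but NOT to the NAT-exemption ACL (the poster's actual mistake).
ASA_CFG = """
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""

# Constructed: same ASA with the missing NAT-exemption entry added.
ASA_CFG_FIXED = ASA_CFG.replace(
    "nat (inside) 0",
    "access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 "
    "172.16.29.0 255.255.255.0\nnat (inside) 0",
)

# Constructed: remote-site PIX with both ACLs already updated for 172.16.2.0/24.
PIX_CFG = """
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20_2
"""


def parse_acl(config):
    """Return {acl_name: {(src_net, dst_net), ...}} for every 'permit ip' ACE."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # other config lines (nat, crypto map, ...) are ignored
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def mirror(pairs):
    """Swap src/dst: what the other peer's crypto ACL must contain."""
    return {(d, s) for s, d in pairs}


def check_tunnel(local_cfg, local_crypto, local_nat0,
                 remote_cfg, remote_crypto, remote_nat0):
    """Return a list of human-readable problems; an empty list means consistent."""
    local, remote = parse_acl(local_cfg), parse_acl(remote_cfg)
    lc, rc = local.get(local_crypto, set()), remote.get(remote_crypto, set())
    ln, rn = local.get(local_nat0, set()), remote.get(remote_nat0, set())
    problems = []
    # Phase 2 proxy identities must match exactly, so crypto ACLs must mirror.
    for s, d in sorted(lc - mirror(rc), key=str):
        problems.append(f"{s}->{d} in local crypto ACL but no mirrored entry on remote peer")
    for s, d in sorted(rc - mirror(lc), key=str):
        problems.append(f"{s}->{d} in remote crypto ACL but no mirrored entry on local peer")
    # Without NAT exemption the traffic is translated first and never matches.
    for s, d in sorted(lc - ln, key=str):
        problems.append(f"{s}->{d} missing from local NAT exemption ACL {local_nat0}")
    for s, d in sorted(rc - rn, key=str):
        problems.append(f"{s}->{d} missing from remote NAT exemption ACL {remote_nat0}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("before fix", ASA_CFG), ("after fix", ASA_CFG_FIXED)):
        found = check_tunnel(cfg, "outside_1_cryptomap", "inside_nat0_outbound",
                             PIX_CFG, "outside_cryptomap_20_2", "inside_nat0_outbound")
        print(f"{label}: {found or 'consistent'}")
```

Run it as-is and the first scenario reports only the missing NAT-exemption entry on the ASA; the second reports nothing. Feeding it a PIX config that lacks the new network instead produces a mirror-mismatch line for each side, which is the symptom to look for when a Phase 2 negotiation fails after adding a network.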


Thanks for the reply. I figured out just after posting that I was missing the nat exemption on one end. BTW, for anyone else trying to set this up via ASDM, I found that ASDM tries to use a different cryptomap for the second network. I could only get it to work by setting up the VPN with ASDM, then adding the 2nd network via CLI.

To do this in ASDM, instead of selecting "add" select "Insert after/before". Then it won't create another acl, it will add the line to the existing acl.

Thanks for the suggestion, I'll give that a try next time. ASDM is handy when it works, especially the wizards...
