Add network to existing l2l VPN

Answered Question
May 19th, 2008

I've successfully set up l2l VPN between our main site and 2 branch offices. Now I would like to allow additional networks from the main site to access the branch sites. The Cisco doc here (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) shows a method for doing this by adding an additional interface. Is it possible to do this without adding an interface?

Here's the relevant config from the main site ASA (8.0) and one of the remote PIXs (7.0):

=========================

ASA (Main site)

access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 24.97.x.x

crypto map outside_map 1 set transform-set ESP-3DES-MD5

=========================

PIX (Remote site)

access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0

crypto map outside_map 20 match address outside_cryptomap_20_2

crypto map outside_map 20 set peer 204.14.x.x

crypto map outside_map 20 set transform-set ESP-3DES-MD5

Correct Answer
acomiskey Mon, 05/19/2008 - 07:34

Just add the interesting traffic to your access lists. New network = 172.16.2.0/24

ASA (Main site)

access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

PIX (Remote site)

access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0

Don't forget about your nat exemption acl as well. For instance....

ASA (Main site)

access-list extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

PIX (Remote site)

access-list extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
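A small consistency check for the two-ACL rule in this answer, added here as an example and not part of the thread: it parses the crypto and NAT-exemption ACLs from both ends (the NAT-exempt ACL name inside_nat0_outbound and the sample configs are assumptions), flags any crypto entry that lacks a covering NAT-exempt entry on its own side or an exact mirror in the peer's crypto ACL, and in the constructed sample catches the PIX end still missing the new network's exemption.

```python
import ipaddress
import re

# Constructed sample (not the thread's own configs): both crypto ACLs with the new
# 172.16.2.0/24 line, NAT-exempt ACLs under an assumed name, PIX side missing one.
ASA_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.254.0 172.16.29.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
"""
PIX_CONFIG = """\
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acl(config, name):
    """Return the (src, dst) network pairs of the named ACL, in config order."""
    pairs = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            pairs.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                          ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")))
    return pairs

def check_side(crypto, nat0, peer_crypto):
    """Each crypto ACE needs a covering NAT-exempt ACE and an exact mirror on the peer."""
    problems = []
    for src, dst in crypto:
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
            problems.append(f"no NAT exemption for {src} -> {dst}")
        if (dst, src) not in peer_crypto:
            problems.append(f"peer crypto ACL has no mirror for {src} -> {dst}")
    return problems

def audit(asa_cfg, pix_cfg):
    """Run the checks from each end; an empty list means that end is consistent."""
    asa_crypto = parse_acl(asa_cfg, "outside_1_cryptomap")
    pix_crypto = parse_acl(pix_cfg, "outside_cryptomap_20_2")
    return {
        "ASA": check_side(asa_crypto, parse_acl(asa_cfg, "inside_nat0_outbound"), pix_crypto),
        "PIX": check_side(pix_crypto, parse_acl(pix_cfg, "inside_nat0_outbound"), asa_crypto),
    }
```

The ASA sample uses a /23 summary entry in its NAT-exempt ACL, which the coverage test accepts, while the crypto ACLs must mirror each other exactly.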

jeff.velten Mon, 05/19/2008 - 07:41

Thanks for the reply. I figured out just after posting that I was missing the nat exemption on one end. BTW, for anyone else trying to set this up via ASDM, I found that ASDM tries to use a different cryptomap for the second network. I could only get it to work by setting up the VPN with ASDM, then adding the 2nd network via CLI.

acomiskey Mon, 05/19/2008 - 07:50

To do this in ASDM, instead of selecting "add" select "Insert after/before". Then it won't create another acl, it will add the line to the existing acl.

jeff.velten Mon, 05/19/2008 - 08:35

Thanks for the suggestion, I'll give that a try next time. ASDM is handy when it works, especially the wizards...
