SA520 - IPSec VPN - Multiple local/remote subnets?

Unanswered Question
Apr 24th, 2010

Hi,


I'm trying to set up an IPSec tunnel between an ASA5520 and an SA520. I have multiple subnets (interesting traffic/protected networks) at both locations. On the SA520, I don't see an option to define multiple subnets for the local and remote pools under the "VPN Policies" screen. Because of that, the tunnel fails during Phase 2 negotiation (mismatching subnets).


Is there a way to define multiple subnets on the SA520, or is it limited to one subnet?


Any insight is much appreciated.


Thank you,

Janakan Rajendran.

Federico Coto F... Sat, 04/24/2010 - 08:58

Janakan,


I don't have an SA520 right now to check, but do you have those multiple subnets contiguous?

In other words, can those multiple subnets be grouped into a single larger network using an appropriate mask?


For instance, if behind the SA520 you have the following four networks:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Then you can specify a single network for the interesting traffic as 192.168.0.0/22.


If you can't group your multiple subnets, then you must specify multiple entries. I will check on that, but you can check whether summarization works on your setup.


Federico.
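
A small check for the summarization question raised above, added here as an example and not part of the original thread or of any Cisco tooling. It uses only Python's standard `ipaddress` module: `summarize()` collapses a list of subnets into the fewest exact-covering prefixes (four aligned /24s become one /22, anything non-contiguous stays as separate entries, i.e. separate Phase 2 selectors), and `smallest_covering_supernet()` shows what the single-entry "wider range" would cost: the number of addresses that single prefix would declare interesting that are not in any real subnet, which is exactly the case where the two peers' proxy IDs stop matching. The subnet lists are constructed for illustration.

```python
import ipaddress


def summarize(subnets):
    """Collapse CIDR strings into the fewest networks that cover exactly the
    same addresses. Contiguous, prefix-aligned blocks merge (e.g. four /24s
    starting on a /22 boundary become one /22); anything else stays separate,
    which on a one-entry VPN policy means it cannot be expressed at all."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_covering_supernet(subnets):
    """Return the single smallest prefix containing every subnet, together
    with the number of addresses it adds that are in NONE of the originals.
    A non-zero surplus means a single-entry policy would mark traffic as
    interesting that the peer's crypto ACL does not cover."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 subnets")
    candidate = nets[0]
    # Widen the mask one bit at a time until every subnet fits inside.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    exact = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(candidate), candidate.num_addresses - exact


if __name__ == "__main__":
    # Constructed sample: the contiguous case from the post above ...
    contiguous = ["192.168.0.0/24", "192.168.1.0/24",
                  "192.168.2.0/24", "192.168.3.0/24"]
    # ... and a non-contiguous pair, where a single prefix over-matches.
    scattered = ["192.168.0.0/24", "192.168.10.0/24"]
    for label, subs in (("contiguous", contiguous), ("scattered", scattered)):
        entries = summarize(subs)
        prefix, surplus = smallest_covering_supernet(subs)
        print(f"{label}: {len(entries)} exact entries -> {entries}")
        print(f"{label}: single prefix {prefix} adds {surplus} foreign addresses")
```

If `summarize()` returns one entry, that entry can go straight into the single local/remote field. If it returns several, the `surplus` figure tells you how much address space a single wider prefix would pull into the tunnel's selector; with a non-zero surplus the ASA side would need an equally wide crypto ACL for Phase 2 to agree, so the honest answer is separate policy entries rather than a broader mask.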

swingvote Sat, 04/24/2010 - 10:00

Federico,


Thank you for the response. The subnets are not contiguous. I attempted to supernet them and the link established, but there was no data transfer (which I think is an ACL issue that can be handled later). Unfortunately, I cannot go for a wider range on those non-contiguous subnets.


-Janakan

Federico Coto F... Sat, 04/24/2010 - 10:07

Unfortunately I don't have access to an SA520 at the moment.

Where you specify the interesting traffic for the VPN, do you only have a single entry then?


Federico.

swingvote Sat, 04/24/2010 - 11:34

Yes, only one entry, where it gives the option to enter a single address, a range, or a subnet.


-Janakan.
