04-24-2010 07:00 AM - edited 02-21-2020 04:37 PM
Hi,
I'm trying to set up an IPSec tunnel between an ASA5520 and an SA520. I have multiple subnets (interesting traffic/protected networks) at both locations. On the SA520, I don't see an option to define multiple subnets for the local and remote pool under the "VPN Policies" screen. Because of that, the tunnel fails during Phase 2 negotiation (mismatching subnets).
Is there a way to define multiple subnets on the SA520, or is it limited to one subnet?
Any insight is much appreciated.
Thank you,
Janakan Rajendran.
04-24-2010 08:58 AM
Janakan,
I don't have an SA520 right now to check, but are those multiple subnets contiguous?
In other words, can those multiple subnets be grouped into a single larger network using an appropriate mask?
For instance, if behind the SA520 you have the following four networks:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
Then you can specify a single network for the interesting traffic as 192.168.0.0/22.
If you can't group your multiple subnets, then you must specify multiple entries. I will check on that, but you can check whether summarization works in your setup.
Federico.
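To check whether a set of protected networks can be written as one selector without widening it, here is an added Python example. It is not part of the thread and not Cisco code; it uses only the standard-library ipaddress module. The 192.168.0.0/24 to 192.168.3.0/24 set is the one from the post above; the 10.1.1.0/24 and 10.1.5.0/24 pair is constructed as a stand-in for the non-contiguous subnets, which the thread never lists. When the summary is not exact, leaked_ranges returns the address blocks that a single supernet entry would add to the interesting-traffic definition, i.e. traffic the policy would match that was never meant to be protected, and which would also have to be mirrored in the crypto ACL on the ASA side for Phase 2 proxy identities to agree.

```python
import ipaddress
from typing import Iterable, List, Optional


def _parse(subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=True (the default) rejects entries such as 192.168.1.5/24 whose
    # host bits are set; a sloppy entry like that also breaks proxy-ID matching.
    nets = [ipaddress.ip_network(s) for s in subnets]
    if not nets:
        raise ValueError("at least one subnet is required")
    if len({n.version for n in nets}) != 1:
        raise ValueError("do not mix IPv4 and IPv6 subnets in one selector")
    return nets


def _cover(nets):
    """Smallest single CIDR block that contains every network in nets."""
    cand = min(nets)  # lowest network address first
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()  # widen by one bit until everything fits
    return cand


def covering_supernet(subnets: Iterable[str]) -> str:
    """The one-entry selector you would have to use if only one entry is allowed."""
    return str(_cover(_parse(subnets)))


def exact_summary(subnets: Iterable[str]) -> Optional[str]:
    """Return the single network covering exactly these subnets, or None if
    any summary would also include addresses outside them."""
    collapsed = list(ipaddress.collapse_addresses(_parse(subnets)))  # merges adjacent blocks
    cover = _cover(collapsed)
    wanted = sum(n.num_addresses for n in collapsed)
    return str(cover) if wanted == cover.num_addresses else None


def leaked_ranges(subnets: Iterable[str]) -> List[str]:
    """Address blocks inside covering_supernet() that are NOT in any protected subnet.
    Empty list means the supernet is an exact summary."""
    nets = list(ipaddress.collapse_addresses(_parse(subnets)))
    remaining = [_cover(nets)]
    for n in nets:
        carved = []
        for block in remaining:
            if n.subnet_of(block):
                carved.extend(block.address_exclude(n))  # keep the parts of block outside n
            elif block.subnet_of(n):
                continue  # defensive: block lies fully inside a protected subnet, drop it
            else:
                carved.append(block)  # CIDR blocks are nested or disjoint, so this one is untouched
        remaining = carved
    return [str(b) for b in sorted(ipaddress.collapse_addresses(remaining))]


def report(subnets: Iterable[str]) -> str:
    """Human-readable verdict for a proposed set of protected networks."""
    exact = exact_summary(subnets)
    if exact:
        return f"exact summary available: use {exact} as the single selector"
    leaked = leaked_ranges(subnets)
    return (f"no exact summary; {covering_supernet(subnets)} would also match "
            f"{', '.join(leaked)}: use one entry per subnet instead")


if __name__ == "__main__":
    # Contiguous set from the post: summarizes cleanly to /22.
    print(report(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
    # Constructed non-contiguous pair: a single supernet would over-match.
    print(report(["10.1.1.0/24", "10.1.5.0/24"]))
    # Contiguous but not aligned to a power-of-two boundary: still not summarizable.
    print(report(["192.168.1.0/24", "192.168.2.0/24"]))
```

Running it shows the first set collapsing to 192.168.0.0/22, while the 10.1.1.0/24 and 10.1.5.0/24 pair can only be covered by 10.1.0.0/21, which drags in 10.1.0.0/24, 10.1.2.0/23, 10.1.4.0/24 and 10.1.6.0/23. The third case is a reminder that "contiguous" is not enough: the blocks also have to line up on a mask boundary.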
04-24-2010 10:00 AM
Federico,
Thank you for the response. The subnets are not contiguous. I attempted to supernet them and the link established, but no data transferred (which I think is an ACL issue that can be handled later). Unfortunately, I cannot go for a wider range on those non-contiguous subnets.
-Janakan
04-24-2010 10:07 AM
Unfortunately I don't have access to an SA520 at the moment.
Where you specify the interesting traffic for the VPN, do you only have a single entry then?
Federico.
04-24-2010 11:34 AM
Yes, only one entry, where it gives an option to enter - Single, Range or Subnet.
-Janakan.