How to pass multiple subnets through VPN?? SA520

Unanswered Question
Sep 16th, 2010


The dynamic VPN between Cisco SA520 and Juniper SRX is working fine. My problem is the Cisco SA520: I cannot pass my three subnets (i.e. 10.10.10.0/24, 10.10.254.0/24 and 192.168.99.0/24) through the SA520's IPSEC VPN policies. In the Remote Traffic selection area of the VPN policy there are four options: ANY, SINGLE, RANGE and SUBNET. Choosing the ANY option I can reach my three subnets (10.10.10.0/24, 10.10.254.0/24 and 192.168.99.0/24), but this doesn't fulfill my requirement. I want to split the traffic and pass only 10.10.10.0/24, 10.10.254.0/24 and 192.168.99.0/24 through the VPN and Internet traffic through the ADSL. Please help.

sudan_023 Sun, 09/19/2010 - 00:20

Hello, I am not using ASA; it's the SA520 Small Business Security Appliance.

juliomar Mon, 09/20/2010 - 09:17

Hi Sudan,

On the SA 500 series, there is a way to do this by associating, in your case, 3 VPN Policies to the one IKE Policy created with the VPN Wizard.

After creating an initial IKE Policy and VPN Policy (choose remote subnet 10.10.10.0) when running the VPN Wizard, you need to create 2 more policies to reach the other two subnets (10.10.254.x, 192.168.92.x). On the VPN -> VPN Policies page, click Add to add a VPN Policy. Make sure to select Auto Policy for Policy Type; on the Auto Policy Parameters make sure these values match your configuration and, MOST IMPORTANT, on Select IKE Policy make sure to select the name of the IKE Policy as created in the VPN Wizard. Do this for both extra LANs you need to associate with the IKE Policy. You should then be able to pass traffic only to those three subnets.

Let me know if this works out for you, or if you need extra help.

Best regards,

Julio Martinez
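As an added illustration (not configuration from the SA520, nor code from anyone in this thread), the following Python model shows why the approach above works: a policy-based IPsec gateway compares each outbound packet's destination against the remote traffic selector of every VPN policy, so an ANY selector pulls Internet traffic into the tunnel, while three SUBNET selectors bound to the same IKE policy send only those prefixes through the tunnel and leave everything else on the default (ADSL) route. Policy names and the IKE policy name are assumed; the three subnets are the ones from the question, and the small validation function adds the checks a practitioner would make before applying such a policy set.

```python
import ipaddress

# Constructed policy set: three VPN policies, each with a SUBNET remote
# traffic selector, all bound to one IKE policy (the name is assumed).
IKE_POLICY = "to-juniper-srx"
VPN_POLICIES = [
    {"name": "vpn-10.10.10", "ike": IKE_POLICY, "remote": "10.10.10.0/24"},
    {"name": "vpn-10.10.254", "ike": IKE_POLICY, "remote": "10.10.254.0/24"},
    {"name": "vpn-192.168.99", "ike": IKE_POLICY, "remote": "192.168.99.0/24"},
]

# The single-policy alternative from the question: remote traffic = ANY.
ANY_POLICY = [{"name": "vpn-any", "ike": IKE_POLICY, "remote": "ANY"}]


def selector_networks(remote):
    """Map the SA520's selector types (ANY, SINGLE, RANGE, SUBNET) to
    a list of IPv4 networks the policy covers."""
    if remote.strip().upper() == "ANY":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in remote:  # RANGE written as "first-last"
        lo, hi = (ipaddress.ip_address(x.strip()) for x in remote.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    # SINGLE (a host, becomes /32) or SUBNET (prefix notation)
    return [ipaddress.ip_network(remote.strip(), strict=False)]


def route_decision(dst_ip, policies):
    """Return (policy name or None, path) for a packet to dst_ip.
    The most specific matching selector wins; an unmatched destination
    follows the default route, labelled 'adsl' here."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for policy in policies:
        for net in selector_networks(policy["remote"]):
            if dst in net and net.prefixlen > best_len:
                best, best_len = policy, net.prefixlen
    if best is None:
        return (None, "adsl")
    return (best["name"], "ipsec:" + best["ike"])


def validate_policies(policies):
    """Checks before applying a split-tunnel policy set: every policy must
    reference the same IKE policy (one peer, one SA negotiation), and
    remote selectors must not overlap (ambiguous SA selection)."""
    problems = []
    ike_names = {p["ike"] for p in policies}
    if len(ike_names) > 1:
        problems.append(f"policies reference {len(ike_names)} IKE policies: {sorted(ike_names)}")
    expanded = [(p["name"], net) for p in policies for net in selector_networks(p["remote"])]
    for i, (name_a, net_a) in enumerate(expanded):
        for name_b, net_b in expanded[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


if __name__ == "__main__":
    for dst in ("10.10.10.5", "10.10.254.20", "192.168.99.9", "198.51.100.7"):
        print(dst, "three SUBNET policies ->", route_decision(dst, VPN_POLICIES))
        print(dst, "single ANY policy     ->", route_decision(dst, ANY_POLICY))
    print("validation:", validate_policies(VPN_POLICIES) or "ok")
```

Running the block prints, for each destination, which path the two policy sets choose: the three SUBNET policies send 198.51.100.7 (a documentation address standing in for any Internet host) to the ADSL route, whereas the ANY policy sends it into the tunnel, which is exactly the behaviour the question complains about.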

ciscojoe837 Thu, 10/13/2011 - 18:22

I have a similar problem. I have an SA540 and another firewall doing a site-to-site VPN, no problem. However, I want to be able to pass traffic on the LAN subnets of the UC540's. So the SA540's are in front of the UC's, and the UC's WAN port is just doing routing and connected to the LAN port of the SA. When I set up the VPN, I can ping both WAN ports on the UC's, but I can't ping the UC's data LAN subnet.

SA1 WAN - Public
SA2 WAN - Public
UC540-1 WAN - LAN of SA1 (192.168.8.0/24)
UC540-2 WAN - LAN of SA2 (192.168.159.0/24)

I can ping these in both directions.

UC540-1 DATA LAN - 192.168.9.0/24
UC540-2 DATA LAN - 192.168.10.0/24

I can't ping these at all in either direction.