Cisco Support Community

New Member

Adding new network to IPsec VPN

Hi

We have an IPsec VPN tunnel set up with a client.

The far site gave access to a new range (basically a website hosted on their site): 10.40.36.173:8085

They allowed traffic across the tunnel from 10.40.36.173:8085 to 10.20.42.0/23, 10.21.42.0/23 and 192.168.42.0/24.

From my end we are using 3 IP ranges when sending traffic to the far site:

10.20.42.0/23
10.21.42.0/23
192.168.42.0/24

To make sure the traffic sent between both endpoints goes across the tunnel encrypted, and not via another channel, I want to write the crypto ACL on my side that is already mirrored on the far end.

So I just logged on to the ASA CLI, went to global configuration mode, and added the ACL and no-NAT entries to reach the destination from all of our IP ranges, as below:

access-list nonat  extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173

access-list nonat line 11 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173

access-list nonat line 11 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173

access-list xx line 4 extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173 (hitcnt=30) 0x30941176

access-list xx line 4 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176

access-list xx line 4 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176

I can't access it from any of the ranges, though, but I can access all previously configured tools. I'm basically a newbie to firewalls; any help is much appreciated.

I hope I have not confused anyone. If anyone has any questions please let me know; I look forward to your valuable response.
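As an added check that is not part of the original thread: the post relies on the local crypto ACL being an exact mirror of the far side's, and a mismatch between the two sides' proxy identities is the usual reason a newly added network never negotiates. The Python below parses the ASA "extended permit ip" lines posted above and compares them, in local-to-remote orientation, with a hypothetical far-side ACL constructed from the post's description of what the far site permits (the far end's real config is not on the page, so REMOTE_ACL and the name "vpn" are assumptions).

```python
import ipaddress
import re

# Constructed sample input. LOCAL_ACL is the crypto ACL as posted above (show output,
# with line numbers and hit counts); REMOTE_ACL is a hypothetical far-side ACL built
# from the post's description of what the far site permits.
LOCAL_ACL = """
access-list xx line 4 extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173 (hitcnt=30) 0x30941176
access-list xx line 4 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176
access-list xx line 4 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176
"""
REMOTE_ACL = """
access-list vpn extended permit ip host 10.40.36.173 192.168.42.0 255.255.255.0
access-list vpn extended permit ip host 10.40.36.173 10.20.42.0 255.255.254.0
access-list vpn extended permit ip host 10.40.36.173 10.21.42.0 255.255.254.0
"""

# "access-list NAME [line N] extended permit ip SRC DST"; SRC/DST are "host A",
# "any" or "A MASK". Trailing hitcnt/hash text from show output is ignored.
ADDR = r"host\s+\S+|any|\S+\s+\S+"
ENTRY_RE = re.compile(
    r"access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+permit\s+ip\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})")

def to_network(token):
    """Turn an ASA address token into an ip_network (host -> /32, any -> /0)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host"):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()            # ASA uses dotted netmasks, not prefix lengths
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_acl(text):
    """Return the set of (src, dst) network pairs the ACL permits."""
    pairs = set()
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            pairs.add((to_network(m.group("src")), to_network(m.group("dst"))))
    return pairs

def mirror_mismatches(local_text, remote_text):
    """Entries with no exact mirror on the other side, in local-to-remote orientation."""
    local = parse_acl(local_text)
    remote = {(d, s) for s, d in parse_acl(remote_text)}   # flip far side to local view
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    # Anything reported here will not produce matching proxy identities when IPsec negotiates.
    return {"local_only": fmt(local - remote), "remote_only": fmt(remote - local)}
```

Run against the constructed input, the two /23 entries on the local side come back under local_only and the far side's two /23 entries under remote_only, which is exactly the kind of discrepancy to resolve with the peer before clearing SAs.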

Accepted Solution

Re:Adding new network to IPsec VPN

Hi,

Please run a packet-tracer:

packet-tracer input inside icmp local_network 8 0 remote_network detail

Please attach the output.

Thanks in advance.

Sent from Cisco Technical Support Android App

5 REPLIES

Re:Adding new network to IPsec VPN

Hi,

Are you able to ping from your LAN to the remote host? What exactly stopped working?

Thanks.

Sent from Cisco Technical Support Android App

New Member

Re:Adding new network to IPsec VPN

Hi

Thanks for your reply

Well, I can't ping from the LAN to the remote host, or telnet to the requested ports either, as it is a new ACL added to the crypto tunnel.

Do I need to do anything like clear crypto ipsec sa or clear crypto isakmp sa to re-establish the tunnel? We haven't got anyone on the other side at the moment to actually test.

New Member

Re:Adding new network to IPsec VPN

Have the tunnel negotiations completed successfully after the change? What does your sh cry ipsec sa output look like? As Jav mentioned, a packet-tracer from your specified local network to the remote peer network will basically tell us the exact problem. Oh, the power of ASAs... gotta love the IOS.


New Member

Adding new network to IPsec VPN

It's a fault with the peer IP; assigned the crypto map and renegotiated, tunnel up.
