Site to site vpn route multiple source subnet over vpn tunnel

satish.txt1
Level 1

We have a site-to-site VPN tunnel between our office and the AWS cloud and everything seems to be working great. Now we have one more subnet at the office location which we want to route over the same tunnel, so this is what I did.

Existing ACL for interesting traffic:

access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.4.0 255.255.255.0

New subnet which I want to route over the existing tunnel:

access-list ACL-VPN extended permit ip 64.100.200.0 255.255.255.0 10.100.4.0 255.255.255.0

As soon as I add the new ACL it brings down the previous tunnel, and now I can ping from the 64 network to the 10.100.4.0 network. What is the solution here?

Accepted Solution

GioGonza
Level 4

Hello @satish.txt1

The S2S with AWS are different :) They only support one security association with Cisco ASA (and maybe other vendors); that's why the recommendation is to have only one ACL on the crypto map, because if you add another it will with both and it will be dropping the connection between the 2 ACLs.

AWS recommends having the source as ANY and permitting the subnets from your site, and if you want to restrict the subnets to particular ones, you should apply VPN-Filters on the group-policy and permit the ones you really want.

This is the documentation from AWS: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html

This is the statement from them:

! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel

 

HTH

Gio

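Added example (not from the thread or from the AWS guide) of the ASA configuration Gio describes, applied to the subnets in the question: the crypto ACL keeps a single entry with source any toward the VPC range, and a vpn-filter on the group-policy restricts the tunnel to the two office subnets. The names AWS-GP and AWS-VPN-FILTER and the peer address 203.0.113.10 are placeholders; the tunnel-group for the AWS peer is assumed to exist already.

```cisco
! Crypto ACL (interesting traffic): one entry, source any, as AWS requires.
! Replaces the two per-subnet entries from the question.
no access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.4.0 255.255.255.0
no access-list ACL-VPN extended permit ip 64.100.200.0 255.255.255.0 10.100.4.0 255.255.255.0
access-list ACL-VPN extended permit ip any 10.100.4.0 255.255.255.0

! vpn-filter ACL: the ASA evaluates it with the REMOTE (VPC) network as source
! and the local network as destination, and applies it to traffic in both directions.
access-list AWS-VPN-FILTER extended permit ip 10.100.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list AWS-VPN-FILTER extended permit ip 10.100.4.0 255.255.255.0 64.100.200.0 255.255.255.0
! Anything else arriving over the tunnel is dropped by the implicit deny at the end.

! Bind the filter through a group-policy assigned to the AWS tunnel-group (placeholder peer).
group-policy AWS-GP internal
group-policy AWS-GP attributes
 vpn-filter value AWS-VPN-FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy AWS-GP

! Verify: a single IPsec SA pair for the peer, and hit counts on the filter entries.
show crypto ipsec sa peer 203.0.113.10
show access-list AWS-VPN-FILTER
```

Because the filter is written from the remote side's perspective, a reversed entry (office subnet as source) silently matches nothing and the office subnet stays blocked.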

4 Replies

Hi,

Could you check whether the new ACL entry overwrites the existing one? Please post the output of 'sh crypto isakmp sa' and 'sh crypto ipsec sa', and the part of the running configuration that contains the VPN-related configs.

HTH,
Meheretab


You are goddamn right!! Thanks a lot for that hint! It is working now!

Hello,

@satish.txt1 what exactly did you do in order to get this to work?

Did you change something on your office router or on the AWS side?

 

I have the same problem where the new subnet can not get to my web portal in AWS.

I have a Customer Enclave Router (on_premises) connected to Cisco FTD in AWS through another GATEWAY ROUTER (on_premises), basically:

 

CUSTOMER_ROUTER (on_premises) ------------> GATEWAY_ROUTER (on_premises) --------------> FTDv (AWS)

 

@GioGonza Please, I need your advice on this issue. I can be reached at nasdepago@gmail.com / ntcheumoe@novetta.com

 

Thank you in advance.
