Cisco Support Community
Community Member

Site to site vpn route multiple source subnet over vpn tunnel

We have a site-to-site VPN tunnel between our office and AWS cloud and everything seems to be working great. Now we have one more subnet at the office location which we want to route over the same tunnel, so this is what I did.

Existing ACL for interesting traffic:

access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.4.0 255.255.255.0

New subnet which I want to route over the existing tunnel:

access-list ACL-VPN extended permit ip 64.100.200.0 255.255.255.0 10.100.4.0 255.255.255.0

As soon as I add the new ACL it brings down the previous tunnel, and now I can ping from the 64 network to the 10.100.4.0 network. What is the solution here?

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Site to site vpn route multiple source subnet over vpn tunnel

Hello @satish.txt1

The S2S with AWS are different :) They only support one security association with Cisco ASA (and maybe other vendors); that's why the recommendation is to have only one ACL on the crypto map, because if you add another it will with both and it will be dropping the connection between the 2 ACLs.

AWS recommends having the source as ANY and permitting the subnets from your site, and if you want to apply the subnets to particular ones, you should apply VPN-Filters on the group-policy and permit the ones you really want.

This is the documentation from AWS: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html

This is the statement from them:

! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel

HTH

Gio
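Putting the accepted answer into ASA configuration, as an added example that is not part of the thread or of the AWS guide: the crypto map ACL keeps a single entry with an "any" source so that only one security association is negotiated, and a vpn-filter on the group-policy limits the tunnel to the two office subnets from the question. The ACL name VPN-FILTER-AWS, the group-policy name GP-AWS and the peer address 203.0.113.10 are placeholders; the VPC CIDR 10.100.4.0/24 and the office subnets are taken from the question.

```cisco
! Added example configuration (placeholders, not the thread's own config).

! One crypto ACL entry only: any local source to the VPC CIDR, so the ASA and the
! AWS endpoint negotiate a single security association. Change the existing ACL-VPN
! line rather than adding a second source-specific entry.
access-list ACL-VPN extended permit ip any 10.100.4.0 255.255.255.0

! vpn-filter ACLs are evaluated with the remote (VPC) side as source and the local
! side as destination; replies are allowed statefully. Only the two office subnets
! may exchange traffic with the VPC; everything else hits the implicit deny.
access-list VPN-FILTER-AWS extended permit ip 10.100.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-FILTER-AWS extended permit ip 10.100.4.0 255.255.255.0 64.100.200.0 255.255.255.0

! Attach the filter to the group-policy used by the AWS tunnel-group.
group-policy GP-AWS internal
group-policy GP-AWS attributes
 vpn-filter value VPN-FILTER-AWS

! Placeholder peer address: use the outside IP of the AWS VPN endpoint.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-AWS
```

Two practical notes: editing the crypto ACL changes the proxy identities, so the existing IPsec SA is torn down and renegotiated (a brief outage is expected once, not repeatedly); and because the crypto ACL now matches "any", the vpn-filter is the only thing keeping other office subnets off the tunnel, so check it with 'show vpn-sessiondb detail l2l' and 'show crypto ipsec sa' after the change. Adding a further office subnet later means adding a VPN-FILTER-AWS line, not another crypto ACL entry.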

3 REPLIES

Re: Site to site vpn route multiple source subnet over vpn tunnel

Hi,

Could you check whether the new ACL entry overwrites the existing one? Please post the output of 'sh crypto isakmp sa' and 'sh crypto ipsec sa', and the part of the running configuration that contains the VPN related configs.

HTH,
Meheretab

Community Member

Re: Site to site vpn route multiple source subnet over vpn tunnel

You are goddamn right!! Thanks a lot for that hint! It is working now!

1851 Views, 10 Helpful, 3 Replies