cisco ASA 5510 VPN configuration suggestion

patial.satish
Level 1

Hi,

We have a Cisco ASA 5510 and our client owns a Juniper device. We already have a VPN tunnel in place between the two locations and it's working fine.

Now, they have some networks which are in a more secure zone; if we add those subnets to the present tunnel we are not able to access them.

So what they are suggesting is that we can reconfigure the VPN to be a route-based VPN instead of policy-based, OR configure a second VPN tunnel.

I am not sure if Cisco ASA supports route-based tunnels. Can we create a 2nd tunnel between the same devices (ASA 5510 and their Juniper device), as the IP remains the same and only the internal remote networks will change for me? Is it possible?

Do I need to make any changes to the present tunnel?

thanks

satish

8 Replies

CSCO11115084
Level 1

Hi,

Cisco ASA doesn't support route-based tunnels.

You should add the new networks to the crypto ACL. They should add new policies to the VPN.

patial.satish
Level 1

Hi,

So I just need to create new access lists for those secure zone subnets and create crypto maps.

Tunnel group settings will remain the same, right?

thanks

satish

Hi Satish,

Just add appropriate ACLs to allow traffic between them and add those new subnets to the encryption domain.

Also, if they are on the same interface then you need to add the "same-security interface intra" command as well.

HTH

Kishore

OK.

Thanks guys, I will be making the changes tonight and will get back to you if there are any issues.

Thanks to both of you for your replies.

thanks

satish

No worries Satish, let us know how you go and if there are any issues we can help you out.

Hi

Did the config, but getting the following error:

Group = x.x.x.x , IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy x.x.x.x/255.255.255.0/0/0 on interface outside

Any suggestions!

Hi Satish,

1. First thing, make sure that the encryption domains are correct, like for like on both ends.

2. Also make sure that the transform set and everything else are matching as well. Please double check the crypto map on both ends as well.

3. If you just added the new subnet to the ACL, it looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something.

HTH

Kishore
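As an added illustration, not code from the thread or from Cisco, a small Python checker that parses the "no matching crypto map entry" message quoted above and compares the proxy identities the peer proposed with a crypto ACL; the ACL entries and all addresses are constructed RFC 5737 placeholders, not the poster's real subnets. A remote proxy of 0.0.0.0/0, as in the quoted message, means the peer proposed an any-to-any selector, which a policy-based crypto ACL with specific subnets will never mirror.

```python
import ipaddress
import re

# The ASA logs the proxy identities (traffic selectors) the peer proposed:
# "remote proxy" is the peer's side, "local proxy" is what the peer claims the
# ASA's side is, each as ip/mask/protocol/port. No mirroring crypto ACL line
# means the SA is rejected.
PROXY_RE = re.compile(
    r"no matching crypto map entry for remote proxy "
    r"(?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)

# Constructed crypto ACL for this peer as (ASA-side, peer-side) network pairs.
# RFC 5737 placeholder addresses, not the poster's real subnets.
CRYPTO_ACL = [
    ("192.0.2.0/24", "198.51.100.0/24"),  # original tunnel
    ("192.0.2.0/24", "203.0.113.0/24"),   # newly added secure-zone subnet
]

# Constructed sample of the message quoted in the thread, placeholder addresses.
SAMPLE_LOG = (
    "Group = 203.0.113.1, IP = 203.0.113.1, Rejecting IPSec tunnel: no matching "
    "crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy "
    "192.0.2.0/255.255.255.0/0/0 on interface outside"
)

def parse_proxies(line):
    """Return (local_net, remote_net) from a proxy-mismatch line, or None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
    remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
    return local, remote

def diagnose(line, acl=CRYPTO_ACL):
    """Return (code, explanation) for why no crypto map entry matched."""
    proxies = parse_proxies(line)
    if proxies is None:
        return "not-a-proxy-mismatch", "not a 'no matching crypto map entry' line"
    local, remote = proxies
    pairs = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in acl]
    if (local, remote) in pairs:
        return "acl-matches", "ACL mirrors the proposal; check the crypto map binding"
    if remote.prefixlen == 0:
        return "peer-proposed-any", "peer proposed 0.0.0.0/0: not like for like with the ACL"
    if any(local == l for l, _ in pairs):
        return "remote-subnet-missing", f"{remote} is not in the encryption domain"
    return "local-subnet-missing", f"{local} is not in the encryption domain"
```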

Hi Satish,

After you changed it, does it work at all? Or you just can't see the new networks?
