11-01-2011 03:18 AM
Hi,
We have a Cisco ASA5510 and our client owns a Juniper device. We already have a VPN tunnel in place between the two locations and it's working fine.
Now, they have some networks which are in a more secure zone; if we add those subnets to the present tunnel we are not able to access them.
So what they are suggesting is that we can reconfigure the VPN to be a route-based VPN instead of policy-based, OR configure a second VPN tunnel.
I am not sure if Cisco ASA supports route-based tunnels? Can we create a 2nd tunnel between the same devices (ASA5510 and their Juniper device), as the IP remains the same and only the internal remote networks will change for me? Is it possible?
Do I need to make any changes to the present tunnel?
thanks
satish
11-01-2011 04:23 AM
Hi,
Cisco ASA doesn't support route-based tunnels.
You should add new networks to crypto ACL. They should add new policies to VPN.
11-01-2011 05:20 AM
HI satish,
Just add appropriate ACLs to allow traffic between them and add those new subnets in the encryption domain.
Also, if they are on the same interface then you need to add the "same-security interface intra" command as well.
HTH
Kishore
11-01-2011 05:16 AM
Hi,
So I just need to create new access lists for those secure zone subnets and create crypto maps.
Tunnel group settings will remain the same? Right?
thanks
satish
11-01-2011 05:38 AM
ok..
Thanks guys, will be making the changes tonight and will get back to you if there are any issues.
Thanks to both of you for your replies.
thanks
satish
11-01-2011 05:40 AM
No worries satish, let us know how you go and if there are any issues we can help you out.
11-01-2011 04:07 PM
Hi
Did the config, but getting the following error:
Group = x.x.x.x , IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy x.x.x.x/255.255.255.0/0/0 on interface outside
Any suggestions?
11-01-2011 04:14 PM
Hi satish,
1. First thing, make sure that the encryption domains are correct, i.e. like-for-like on both ends.
2. Also make sure that the transform set and everything else are matching as well. Please double check the crypto map on both ends as well.
3. If you just added the new subnet to the ACL, it looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something.
HTH
Kishore
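A small diagnostic for the "Rejecting IPSec tunnel" message quoted above and for the like-for-like encryption-domain check recommended in this reply. This is an added example, not code from the thread or from Cisco: it parses ASA-style crypto ACL lines and the rejection syslog line, then reports whether the peer's proposed proxy identities (the remote and local proxy in the message) have an exact counterpart in the crypto ACL. The ACL name, subnets and peer IP are constructed sample values, and the check assumes the ASA requires the proposed identity pair to match a crypto ACL entry exactly, which is the like-for-like rule the reply describes. A remote proxy of 0.0.0.0/0 typically means the peer left that side of its proxy identity at the default "any", which is what a route-based peer sends unless a proxy identity is configured; the safe fix is to narrow the peer's proxy ID to the intended subnet rather than widen the ASA's crypto ACL to "any", since a crypto ACL that accepts any remote network lets the peer claim traffic for any source.

```python
import re
import ipaddress

# Constructed sample crypto ACL, in the form "show run access-list" prints on an ASA.
# The ACL name and addresses are assumptions for this example, not from the thread.
SAMPLE_CRYPTO_ACL = """
access-list OUTSIDE_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.255.0
access-list OUTSIDE_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 10.60.0.0 255.255.255.0
"""

# Constructed sample syslog line in the same shape as the message quoted in the thread
# (peer IP and subnets are made up).
SAMPLE_LOG = (
    "Group = 203.0.113.5, IP = 203.0.113.5, Rejecting IPSec tunnel: no matching crypto map "
    "entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 "
    "on interface outside"
)

# Only the "permit ip <net> <mask> <net> <mask>" form is handled; "host"/"any" keywords
# and port-specific entries are skipped deliberately, since a crypto ACL should be plain
# network-to-network.
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
# remote proxy <addr>/<mask>/<proto>/<port> local proxy <addr>/<mask>/<proto>/<port>
PROXY_RE = re.compile(
    r"remote proxy ([^/\s]+)/([^/\s]+)/\d+/\d+ local proxy ([^/\s]+)/([^/\s]+)/\d+/\d+"
)


def parse_crypto_acl(text):
    """Return a list of (acl_name, local_network, remote_network) from ACL lines."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted netmasks, e.g. "0.0.0.0/0.0.0.0" -> 0.0.0.0/0
        entries.append(
            (name, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
        )
    return entries


def parse_rejection(log_line):
    """Extract the proxy identities the peer proposed from a rejection message."""
    m = PROXY_RE.search(log_line)
    if not m:
        return None
    raddr, rmask, laddr, lmask = m.groups()
    return {
        "remote": ipaddress.ip_network(f"{raddr}/{rmask}"),
        "local": ipaddress.ip_network(f"{laddr}/{lmask}"),
    }


def diagnose(acl_text, log_line):
    """Compare the proposed proxy pair against the crypto ACL and explain a mismatch."""
    proposed = parse_rejection(log_line)
    if proposed is None:
        return {"status": "not-a-rejection"}
    entries = parse_crypto_acl(acl_text)
    exact = [e for e in entries if e[1] == proposed["local"] and e[2] == proposed["remote"]]
    if exact:
        return {"status": "match", "acl": exact[0][0]}
    # No exact entry: list what the ASA side expects for this local network so the
    # peer's proxy ID can be narrowed to one of them.
    expected_remotes = [str(e[2]) for e in entries if e[1] == proposed["local"]]
    return {
        "status": "mismatch",
        "local": str(proposed["local"]),
        "remote": str(proposed["remote"]),
        "configured_remotes_for_local": expected_remotes,
        # A 0.0.0.0/0 remote proxy is the signature of a peer proposing "any" on its side.
        "remote_is_any": proposed["remote"].prefixlen == 0,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_CRYPTO_ACL, SAMPLE_LOG))
```

Run it against the real "show run access-list" output and the syslog line from the ASA; a "mismatch" result with "remote_is_any" set points at the peer's proxy identity rather than at the transform set or crypto map order.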
11-02-2011 04:02 AM
Hi Satish,
After you changed it, does it work at all? Or can you just not see the new networks?