cisco ASA 5510 VPN configuration suggestion

Hi,

We have a Cisco ASA5510 and our client owns a Juniper device. We already have a VPN tunnel in place between the two locations and it's working fine.

Now they have some networks which are in a more secure zone; if we add those subnets to the present tunnel we are not able to access them.

So what they are suggesting is that we can reconfigure the VPN to be a route-based VPN instead of policy-based, OR configure a second VPN tunnel.

I am not sure if Cisco ASA supports route-based tunnels. Can we create a 2nd tunnel between the same devices (ASA5510 and their Juniper device), as the IP remains the same and only the internal remote networks will change for me? Is it possible?

Do I need to make any changes to the present tunnel?

thanks

satish

Accepted Solutions

cisco ASA 5510 VPN configuration suggestion

Hi,

Cisco ASA doesn't support route-based tunnels.

You should add new networks to crypto ACL. They should add new policies to VPN.

cisco ASA 5510 VPN configuration suggestion

HI satish,

Just add appropriate ACLs to allow traffic between them and add those new subnets in the encryption domain.

Also, if they are on the same interface then you need to add the "same-security-traffic permit intra-interface" command as well.

HTH

Kishore

8 REPLIES
cisco ASA 5510 VPN configuration suggestion

Hi,

So I just need to create new access lists for those secure zone subnets and create crypto maps.

Tunnel group settings will remain the same, right?

thanks

satish

cisco ASA 5510 VPN configuration suggestion

ok..

Thanks guys, I will be making the changes tonight and will get back to you if there are any issues.

Thanks to both of you for your replies.

thanks

satish

cisco ASA 5510 VPN configuration suggestion

No worries satish, let us know how you go and if there are any issues we can help you out.

cisco ASA 5510 VPN configuration suggestion

Hi

Did the config, but getting the following error:

Group = x.x.x.x , IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy x.x.x.x/255.255.255.0/0/0 on interface outside

any suggestions!!

Re: cisco ASA 5510 VPN configuration suggestion

Hi satish,

1. First thing, make sure that the encryption domains are correct, like-for-like on both ends.

2. Also make sure that the transform set and everything else are matching as well. Please double check the crypto map on both ends as well.

3. If you just added the new subnet to the ACL, it looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something.

HTH

Kishore
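The two pieces of advice in this thread, "add the new subnets to the crypto ACL" and "check that the encryption domains match like-for-like when you see the no matching crypto map entry error", can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from the ASA itself. It renders the ASA crypto ACL lines for an encryption domain, parses the proxy identities out of a "Rejecting IPSec tunnel" syslog line in the shape quoted above, and reports whether the peer's proposal equals one of the ACL entries. The subnets (10.1.1.0/24 local, 192.168.10.0/24 and 192.168.20.0/24 remote), the peer address 203.0.113.5 and the log line are all constructed sample data, and the "exact equality" match rule is a deliberate simplification of the ASA's proxy-ID matching. A remote proxy of 0.0.0.0/0.0.0.0, as in the quoted error, means the peer proposed any-destination traffic selectors, which can never equal a crypto ACL entry that names a specific subnet, so the script flags it as a mismatch and lists the entries that merely overlap it.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CryptoAclEntry:
    """One line of the crypto ACL (the encryption domain): local net <-> remote net."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def entry(local: str, remote: str) -> CryptoAclEntry:
    return CryptoAclEntry(ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote))


def render_crypto_acl(name: str, entries: List[CryptoAclEntry]) -> List[str]:
    """Render the ASA 'access-list <name> extended permit ip' lines that define
    the encryption domain; adding a remote subnet means adding one such line."""
    return [
        f"access-list {name} extended permit ip "
        f"{e.local.network_address} {e.local.netmask} "
        f"{e.remote.network_address} {e.remote.netmask}"
        for e in entries
    ]


# Proxy identities as they appear in the ASA "Rejecting IPSec tunnel" message:
#   remote proxy <addr>/<mask>/<proto>/<port> local proxy <addr>/<mask>/<proto>/<port>
PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)


def parse_rejection(line: str) -> Optional[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Return (local_proxy, remote_proxy) from the log line, or None if absent."""
    m = PROXY_RE.search(line)
    if m is None:
        return None
    local = ipaddress.IPv4Network((m["laddr"], m["lmask"]), strict=False)
    remote = ipaddress.IPv4Network((m["raddr"], m["rmask"]), strict=False)
    return local, remote


def explain_rejection(line: str, acl: List[CryptoAclEntry]) -> Tuple[str, List[CryptoAclEntry]]:
    """Classify the rejection: 'match' if some crypto ACL entry equals the proposed
    proxy pair exactly, else 'mismatch' together with the entries that merely
    overlap it (typically specific subnets against a peer proposing 0.0.0.0/0).
    Assumption: exact equality is the match rule; this is a simplification."""
    parsed = parse_rejection(line)
    if parsed is None:
        return "no-proxy-info", []
    local, remote = parsed
    if any(e.local == local and e.remote == remote for e in acl):
        return "match", []
    overlapping = [e for e in acl if e.local.overlaps(local) and e.remote.overlaps(remote)]
    return "mismatch", overlapping


# Constructed sample data: our side 10.1.1.0/24, the existing remote subnet
# 192.168.10.0/24 and the newly added "secure zone" subnet 192.168.20.0/24.
SAMPLE_ACL = [
    entry("10.1.1.0/24", "192.168.10.0/24"),
    entry("10.1.1.0/24", "192.168.20.0/24"),
]

# Constructed log line in the shape of the ASA message quoted in the thread
# (the real line had x.x.x.x placeholders; 203.0.113.5 is a documentation address).
SAMPLE_LOG = (
    "Group = 203.0.113.5, IP = 203.0.113.5, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 "
    "local proxy 10.1.1.0/255.255.255.0/0/0 on interface outside"
)

if __name__ == "__main__":
    for acl_line in render_crypto_acl("outside_cryptomap", SAMPLE_ACL):
        print(acl_line)
    verdict, near = explain_rejection(SAMPLE_LOG, SAMPLE_ACL)
    print(verdict)
    for e in near:
        print(f"  overlapping entry: {e.local} <-> {e.remote}")
```

Run it on a real ASA syslog line by replacing SAMPLE_LOG and SAMPLE_ACL with your own values; a "mismatch" whose overlapping list contains your specific subnets while the remote proxy is 0.0.0.0/0 is the signature of a peer that negotiates any/any selectors, which is the case to raise with the other side before rebuilding the crypto map.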

cisco ASA 5510 VPN configuration suggestion

Hi Satish,

After you changed it, does it work at all? Or you just can't see the new networks?
