Cisco Support Community
Community Member

Cisco IPSEC VPN

Hi,

Hope someone can help!

I have 2 Cisco ASA 5512 firewalls, one at the main office and one in a branch office.

We have multiple VLANs at the head office and want them to traverse the IPsec tunnel but also access certain subnets in the branch VLAN.

I understand VLANs are locally significant, so how would I define certain subnets to access certain subnets at the other end of the tunnel?

Is this done within phase 2, where you define your subnets, local LAN and remote LAN?

I have only come across LAN-to-LAN IPsec, not multiple LANs off the same firewall.

Hope the above makes sense?

1 ACCEPTED SOLUTION

Not sure how to explain this

Not sure how to explain this, but I will still give it a try. The LAN-to-LAN IPsec doc is what you are going to use for your multiple VLANs as well. The reason they show a single LAN in the doc is to make it easier for people to understand.

Use the same LAN-to-LAN IPsec doc, just add all your VLANs in the crypto ACL as well as the NAT exemption rules.

For example:

Site 1: 10.10.10.0/24 and 10.10.20.0/24

Site 2: 10.10.100.0/24 and 10.10.200.0/24

Your crypto ACL on Site should be:

access-list crypto_map_1 extended permit ip 10.10.10.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list crypto_map_1 extended permit ip 10.10.10.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list crypto_map_1 extended permit ip 10.10.20.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list crypto_map_1 extended permit ip 10.10.20.0 255.255.255.0 10.10.100.0 255.255.255.0

Similarly, make NAT exemption rules for all the concerned subnets, for example:

nat (inside,outside) source static OBJ-10.10.10.0 OBJ-10.10.10.0 destination static Obj-10.10.100.0 Obj-10.10.100.0

Manish
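The answer above boils down to a cross product: every local subnet paired with every remote subnet, once in the crypto ACL and once as an identity (twice) NAT rule, and the same list written from the other site's perspective with source and destination swapped. Hand-typing that for more than two or three VLANs is where mistakes creep in, and the usual symptom is a phase 2 failure because the two sides' proxy IDs do not mirror each other. The script below is an added example, not configuration from the thread or from Cisco: it generates the object definitions, the crypto ACL and the NAT exemption lines for both sites from the subnets in Manish's example, and then checks that the two crypto ACLs are exact mirrors. The object naming scheme (OBJ-<network>_<prefixlen>), the ACL name crypto_map_1, the (inside,outside) interface pair and the no-proxy-arp route-lookup keywords on the NAT line are assumptions, not something the thread states.

```python
"""Generate matching ASA crypto ACL and NAT-exemption lines for a multi-subnet
LAN-to-LAN tunnel, and check that the two sites' crypto ACLs mirror each other.

Added example, not configuration from the original thread. Object names, the
ACL name, the interface pair and the NAT keywords are assumptions.
"""
import ipaddress
from itertools import product

# Constructed sample: the subnets used in the accepted answer.
SITE1 = ["10.10.10.0/24", "10.10.20.0/24"]
SITE2 = ["10.10.100.0/24", "10.10.200.0/24"]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def obj_name(cidr):
    """Assumed naming scheme for the network object of one subnet, e.g. OBJ-10.10.10.0_24."""
    n = _net(cidr)
    return f"OBJ-{n.network_address}_{n.prefixlen}"


def object_definitions(subnets):
    """'object network' definitions, one per subnet; the nat lines reference these."""
    lines = []
    for s in subnets:
        n = _net(s)
        lines.append(f"object network {obj_name(s)}")
        lines.append(f" subnet {n.network_address} {n.netmask}")
    return lines


def crypto_acl(acl_name, local, remote):
    """One permit line per (local, remote) pair, local network first: this is the
    'interesting traffic' that selects the tunnel and becomes the phase 2 proxy IDs."""
    lines = []
    for l, r in product(local, remote):
        ln, rn = _net(l), _net(r)
        lines.append(f"access-list {acl_name} extended permit ip "
                     f"{ln.network_address} {ln.netmask} "
                     f"{rn.network_address} {rn.netmask}")
    return lines


def nat_exemption(local, remote, ifaces=("inside", "outside")):
    """Identity twice-NAT so tunnel traffic keeps its real addresses and still
    matches the crypto ACL (the 'NAT exemption' the answer refers to)."""
    lines = []
    for l, r in product(local, remote):
        lo, ro = obj_name(l), obj_name(r)
        lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source static {lo} {lo} "
                     f"destination static {ro} {ro} no-proxy-arp route-lookup")
    return lines


def acl_pairs(lines):
    """Parse the (src, dst) network pairs back out of permit lines of the form above."""
    pairs = set()
    for line in lines:
        f = line.split()
        src = ipaddress.ip_network(f"{f[5]}/{f[6]}")
        dst = ipaddress.ip_network(f"{f[7]}/{f[8]}")
        pairs.add((str(src), str(dst)))
    return pairs


def mirrors(site_a_acl, site_b_acl):
    """True when every (src, dst) pair on site A appears as (dst, src) on site B and
    vice versa. Asymmetric proxy IDs are the classic reason phase 2 never comes up."""
    a = acl_pairs(site_a_acl)
    b = {(d, s) for s, d in acl_pairs(site_b_acl)}
    return a == b


def site_config(acl_name, local, remote):
    """Full snippet for one site: objects for both ends, crypto ACL, NAT exemption."""
    return (object_definitions(local) + object_definitions(remote)
            + crypto_acl(acl_name, local, remote) + nat_exemption(local, remote))


if __name__ == "__main__":
    s1 = crypto_acl("crypto_map_1", SITE1, SITE2)
    s2 = crypto_acl("crypto_map_1", SITE2, SITE1)
    print("! Site 1\n" + "\n".join(site_config("crypto_map_1", SITE1, SITE2)))
    print("! Site 2\n" + "\n".join(site_config("crypto_map_1", SITE2, SITE1)))
    print("crypto ACLs mirror each other:", mirrors(s1, s2))
```

Running it prints the Site 1 and Site 2 snippets and a final mirror check. The check is the part worth keeping around: if someone later adds a VLAN on one side only, or types a wrong mask, the sets no longer match and the tunnel will fail for exactly those pairs, which is far easier to spot in the generator than in the debug output of the ASA.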

2 REPLIES

Community Member

Thanks for the response. Now I understand. Great post.

52 Views, 0 Helpful, 2 Replies