
How to connect to another subnet via VPN?

kkwaskcisco
Level 1

Hi;

 

I am using an ASA 5512-X. I have a VPN tunnel with a remote site, and it is up. I can access their subnet 172.16.0.0/24, which was added in the wizard during the site-to-site VPN configuration. In the remote site there is another subnet, 172.16.1.0/24. How can I extend my VPN tunnel to reach the 2nd subnet?

During my research I saw a lot of solutions using static routes, and I tried that, but it does not help.

Does someone here know how to do it?

 

thanks!

4 Replies

josfonse
Cisco Employee
Hi, if you need to access another subnet over an existing tunnel, all you need to do is include the new subnet in the interesting traffic (crypto ACL). You also need to make sure NAT exemption is in place. The crypto access list should be mirrored on the remote VPN peer.

Hi;

 

I added a similar access list, like the one below, but it does not work either.

 

access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0 

Hi,

your access-list is wrong... you said 172.16.1.0/24 is the remote site subnet which you already have access to...

you need to add 172.16.1.0/24 as well... but the source should be your subnet

say on your side the LAN is 192.168.1.0/24, from which you want to access 172.16.0.0/24 and 172.16.1.0/24... then the crypto ACL should be:

 

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 !

and in the NAT0 / nonat statement you need to exempt this as well...

 

Make sure that on the other side they make the similar changes...

the changes at the other end would be:

access-list outside_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!

do not create a different crypto map... you have to add it to the same crypto map

 

Regards

Karthik
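The two-sided change the reply above describes, written out as an added example; this is not configuration from the thread or from Cisco. It assumes ASA 8.3+ NAT syntax (what a 5512-X runs), a local LAN of 192.168.1.0/24 as the reply supposes, interfaces named inside and outside, an existing crypto map named outside_map whose entry for this peer is sequence 1, and a peer address of 203.0.113.2; all of those names and addresses are assumptions. The access list posted earlier in the thread has 172.16.0.0/24 as its source, so no packet leaving the local LAN can ever match it; in the crypto ACL the source is always the local subnet.

```cisco
! ===== Local ASA (the 5512-X) -- assumed names/addresses, not from the thread =====
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN-1
 subnet 172.16.0.0 255.255.255.0
object network REMOTE-LAN-2
 subnet 172.16.1.0 255.255.255.0
object-group network REMOTE-LANS
 network-object object REMOTE-LAN-1
 network-object object REMOTE-LAN-2
!
! Interesting traffic: source is ALWAYS the local subnet, destination the remote
! subnet(s). The first ACE is what the wizard created; the second is the addition.
access-list outside_2_cryptomap extended permit ip object LOCAL-LAN object REMOTE-LAN-1
access-list outside_2_cryptomap extended permit ip object LOCAL-LAN object REMOTE-LAN-2
!
! NAT exemption (8.3+ twice NAT). Without it, inside hosts are PAT'ed to the outside
! address before the crypto map is consulted, so traffic to 172.16.1.0/24 never
! matches the crypto ACL and leaves in the clear (or is dropped by the peer).
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LANS REMOTE-LANS no-proxy-arp route-lookup
!
! Same crypto map entry as before; only the ACL it references has grown.
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
!
! ===== Remote peer -- exact mirror of the crypto ACL, plus its own NAT exemption =====
object network HQ-LAN
 subnet 192.168.1.0 255.255.255.0
object-group network BRANCH-LANS
 network-object 172.16.0.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside,outside) source static BRANCH-LANS BRANCH-LANS destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
!
! ===== Checks, run on the local ASA after both ends are changed =====
! Each ACE negotiates its own IPsec SA; SAs already up keep their old proxy IDs,
! so clear them to force a renegotiation that includes the new subnet.
clear crypto ipsec sa peer 203.0.113.2
! Walk a packet through the box: expect the NAT exemption rule to be hit and the
! VPN phase to show "encrypt", not a PAT translation to the outside address.
packet-tracer input inside tcp 192.168.1.10 12345 172.16.1.10 80 detailed
! Expect two local/remote ident pairs, one per ACE.
show crypto ipsec sa peer 203.0.113.2
```

If the two crypto ACLs are not exact mirrors (each ACE on one side reversed on the other), Phase 2 for the new subnet pair does not come up even though the tunnel for 172.16.0.0/24 stays fine. On ASA 8.2 and earlier the NAT exemption is instead `nat (inside) 0 access-list nonat` with a `nonat` ACL carrying the same source/destination pairs, which is the "NAT0 or nonat" statement the reply refers to.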

 

 

I found this similar scenario at http://www.packetu.com/2012/01/23/asa-l2l-vpn-spoke-to-spoke-communication/.

 

Should I configure my ASA like that?