Vpn site to site 1 private ip to 6 vlan subnets

My firewall is a Cisco ASA 5520 running 8.4(5).

I have to connect a site to site vpn tunnel from one private ip to 6 private subnets. I am working with another engineer on the other side.

private ip----outside static public ip<------site to site----->outside static public ip----6 private vlans.

Each vlan has to be able to get to the private ip and vice versa. I am trying to figure out what would be the best configuration.

Any suggestions would be appreciated.

Thank you

Carlos

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

Re: Vpn site to site 1 private ip to 6 vlan subnets

I think there is no "best configuration", just one configuration that should work:

On your ASA configure the VPN with a crypto-ACL like the following:

! the single host on this side of the tunnel
object network PRIVATE-IP
  host 10.10.10.10
! the remote VLAN subnets (one network-object per VLAN)
object-group network REMOTE-VPN-NETWORKS
  network-object 10.100.1.0 255.255.255.0
  network-object 10.100.7.0 255.255.255.0
  network-object 10.200.1.0 255.255.255.0
  ...
!
! crypto ACL: object and object-group names must match the definitions above exactly
access-list VPN-XXX permit ip object PRIVATE-IP object-group REMOTE-VPN-NETWORKS
!
crypto map VPN 10 match address VPN-XXX

On the other side, the crypto ACL has to be exactly mirrored. And you have to exempt the traffic from NAT.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
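The NAT exemption the answer refers to, together with the mirrored crypto ACL on the far side, written out here as an added example (it is not part of the original reply). It assumes ASA 8.4 twice-NAT syntax on both ends, interface names inside/outside, that the remote device is also an ASA, and that the three subnets from the reply stand in for the six VLANs; all object names are illustrative.

```cisco
! --- Local ASA (the side with the single host 10.10.10.10) ---
! Identity NAT: traffic from PRIVATE-IP to the remote VLANs must reach the
! crypto map untranslated, otherwise it never matches VPN-XXX and leaves as
! the public IP. Interface names "inside"/"outside" are assumed.
! Keep this rule ahead of any broader manual NAT rule in the same section.
nat (inside,outside) source static PRIVATE-IP PRIVATE-IP destination static REMOTE-VPN-NETWORKS REMOTE-VPN-NETWORKS no-proxy-arp route-lookup
!
! --- Remote ASA (the side with the six VLANs) ---
! Same address objects, but the crypto ACL is the exact mirror:
! the local VLANs are the source, the single host is the destination.
object network PEER-HOST
  host 10.10.10.10
object-group network LOCAL-VLANS
  network-object 10.100.1.0 255.255.255.0
  network-object 10.100.7.0 255.255.255.0
  network-object 10.200.1.0 255.255.255.0
! (the remaining VLAN subnets follow the same pattern)
!
access-list VPN-YYY permit ip object-group LOCAL-VLANS object PEER-HOST
crypto map VPN 10 match address VPN-YYY
!
! Mirrored NAT exemption on the remote side.
nat (inside,outside) source static LOCAL-VLANS LOCAL-VLANS destination static PEER-HOST PEER-HOST no-proxy-arp route-lookup
!
! --- Verification on the local ASA (constructed sample flow) ---
! The VPN phase should report ALLOW and the NAT phase should show the identity
! rule above. If the NAT phase instead shows a translation to the outside
! interface address, the exemption is missing or ordered after a PAT rule.
! packet-tracer input inside tcp 10.10.10.10 40000 10.100.1.25 443
```

Run the packet-tracer in the reverse direction on the remote ASA (source in a VLAN, destination 10.10.10.10) to confirm the mirror; an ACL that is not an exact mirror shows up as a proxy-identity mismatch during IPsec negotiation.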