Solved

Cisco ASA VPN Access Subnet Access Issue

Posted on 2009-02-17
Last Modified: 2012-06-27
I have a network of several Cisco ASAs and would like to access them all using one VPN tunnel.

I currently have the network set up where I can access most of the Hub ASA subnet, which is 192.168.20.0 255.255.255.0, and all the spoke ASA subnets such as 192.168.25.0 255.255.255.0 and 192.168.30.0 255.255.255.0.

However the line we are using to assign the VPNAccess ip is...
ip local pool VPNAccess 192.168.20.230-192.168.20.235 mask 255.255.255.248
    which blocks out some of the IPs on the Hub network 20.

I changed the VPN Access to 172.16.20.0-172.16.20.100 mask 255.255.255.0 but then can't access the machines on the spokes.

I prefer to use the 172.16.20.0 subnet for my VPNAccess but don't know how to set up the Hub and Spoke ASAs to accomplish this.

Thanks for the help
Question by:Bob
2 Comments
 

Accepted Solution

by:
asavener earned 1500 total points
ID: 23659409
You will have to modify the hub and spoke VPNs to support your new subnet.

There should be a line on the crypto map that references the access-list.  You have to modify the access list on both ends of the VPN.

HUB:

access-list VPN-Access extended permit ip 172.16.20.0 255.255.255.0 w.x.y.z 255.255.255.0


Spoke:

access-list VPN-Access extended permit ip w.x.y.z 255.255.255.0 172.16.20.0 255.255.255.0


Where w.x.y.z is the spoke subnet.
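
Added example (not part of the original answer): a small Python check that every `VPN-Access` entry on one end has its mirrored entry on the other, which is the condition the answer describes. The function names and sample configs are constructed for illustration; 192.168.25.0 from the question stands in for w.x.y.z, and only the simple `permit ip NET MASK NET MASK` line form is parsed.

```python
import ipaddress

# Constructed sample configs. 192.168.25.0 is one spoke subnet from the question,
# standing in for w.x.y.z; the spoke has not yet been given the new pool entry.
HUB = """\
access-list VPN-Access extended permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list VPN-Access extended permit ip 172.16.20.0 255.255.255.0 192.168.25.0 255.255.255.0
"""
SPOKE = """\
access-list VPN-Access extended permit ip 192.168.25.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

def parse_acl(config, name):
    """Return {(src_net, dst_net)} for 'permit ip NET MASK NET MASK' lines of one ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 9 and tok[:5] == ["access-list", name, "extended", "permit", "ip"]:
            # ip_network raises ValueError if the address has host bits set for the mask
            pairs.add((ipaddress.ip_network(f"{tok[5]}/{tok[6]}"),
                       ipaddress.ip_network(f"{tok[7]}/{tok[8]}")))
    return pairs

def as_acl_line(name, src, dst):
    """Render a (src, dst) network pair back into ASA access-list syntax."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")

def missing_mirrors(hub_cfg, spoke_cfg, name="VPN-Access"):
    """Return (lines the spoke lacks, lines the hub lacks) for mirrored ACL entries."""
    hub, spoke = parse_acl(hub_cfg, name), parse_acl(spoke_cfg, name)
    spoke_needs = {(d, s) for s, d in hub} - spoke   # hub entries with no mirror on spoke
    hub_needs = {(d, s) for s, d in spoke} - hub     # spoke entries with no mirror on hub
    fmt = lambda pairs: sorted(as_acl_line(name, s, d) for s, d in pairs)
    return fmt(spoke_needs), fmt(hub_needs)

if __name__ == "__main__":
    spoke_needs, hub_needs = missing_mirrors(HUB, SPOKE)
    for line in spoke_needs:
        print("add on spoke:", line)
    for line in hub_needs:
        print("add on hub:  ", line)
```
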
 

Author Comment

by:Bob
ID: 23929927
OK. Finally able to do this but still no joy.

Do I need to make a route entry somewhere to let the spoke know that it needs to use the hub to access the 172 subnet?
Question has a verified solution.
