Solved

Second subnet through VPN

Posted on 2012-08-20
7
Medium Priority
762 Views
Last Modified: 2012-08-23
I have a client who uses two Cisco ASA55XX firewalls to connect their two offices via VPN.  They have recently added iSCSI SANs to each office on a separate subnet and would like to send replication traffic over the VPN.  I don't see a way to add a second subnet to the tunnel in the GUI and when I attempt to add it from command line it doesn't accept the command.  Can this be done and can an example be provided?
0
Question by:SpyderG
7 Comments
 
LVL 6

Assisted Solution

by:SebastianAbbinanti
SebastianAbbinanti earned 2000 total points
ID: 38312959
You can add both subnets to the NAT Exemption ACL and include the new subnet on the crypto map. Lastly, you will need to add a route on the firewall with the SAN, unless the SAN is reachable via an interface on the ASA.

Thanks,
S.
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38312961
You can change the scope of the networks.
E.g. 192.168.0.0/23 would give you a network 192.168.0.1 - 192.168.1.254
0
 
LVL 6

Expert Comment

by:SebastianAbbinanti
ID: 38312981
The subnets can be non-contiguous. Just add the new subnet to the NAT Exemption ACL and the Crypto Maps at each end.

You may also want to utilize Class Maps and queues to prioritize traffic for the SAN. This is also available on the ASA.

Thanks,
S.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 38313124
0
 

Author Comment

by:SpyderG
ID: 38313365
Thanks for the quick responses.  They've already created the subnets and they are not contiguous.  I'm not clear how the SAN traffic would know to traverse the VPN without setting an IP on it to use as a gateway.  Since the current IP is on a different subnet, I can't use it as the gateway for the SAN subnet.  Are you able to clarify?
0
 
LVL 6

Accepted Solution

by:SebastianAbbinanti
SebastianAbbinanti earned 2000 total points
ID: 38313382
You said they are using ASA 55xx; what is the xx? Do they have Security Plus licenses?

Also, you would need to route between the SAN and the LAN to get into the ASA. I would suggest a layer three switch which would function as the default gateway on the SAN, and then route to the ASA, and vice versa.

Once the routing is done, you can route the traffic through the LAN.

Thanks,
S.
0
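To make the two answers above concrete (add the SAN pair to the crypto-map ACL and the NAT exemption, then give the ASA a route to the SAN via the layer-3 switch), here is an added example configuration for one side of the tunnel. It is not configuration from the asker's firewalls or from anyone in this thread; all addresses, object names and ACL names are constructed placeholders, and the crypto map name `outside_map` with sequence 10 is assumed to already exist for the office-to-office tunnel.

```cisco
! Site A ASA -- added example, constructed addresses and names
! inside LAN  : 192.168.10.0/24 (ASA inside interface is the LAN gateway)
! local SAN   : 172.16.10.0/24, behind an L3 switch whose LAN-side address is 192.168.10.254
! remote LAN  : 192.168.20.0/24   remote SAN : 172.16.20.0/24

! 1. Interesting-traffic ACL used by the existing crypto map entry.
!    Keep the SAN line SAN-to-SAN only, so nothing but replication traffic
!    is pulled into the tunnel for the new subnet. The peer must mirror
!    these lines exactly (source/destination swapped) or phase 2 will fail.
access-list VPN_SITEB_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN_SITEB_TRAFFIC extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
crypto map outside_map 10 match address VPN_SITEB_TRAFFIC

! 2a. NAT exemption on ASA 8.2 and earlier: same pairs in the nat 0 ACL.
access-list INSIDE_NAT0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0

! 2b. NAT exemption on ASA 8.3 and later: identity (twice) NAT replaces nat 0.
!     Use this block instead of 2a on those releases.
object network SITEA_SAN
 subnet 172.16.10.0 255.255.255.0
object network SITEB_SAN
 subnet 172.16.20.0 255.255.255.0
nat (inside,outside) source static SITEA_SAN SITEA_SAN destination static SITEB_SAN SITEB_SAN no-proxy-arp

! 3. The SAN subnet is not directly connected to the ASA, so tell the ASA
!    to reach it through the L3 switch on the inside interface.
route inside 172.16.10.0 255.255.255.0 192.168.10.254 1

! 4. Checks: simulate an iSCSI (tcp/3260) packet from the local SAN to the
!    remote SAN and confirm it is routed, exempted from NAT and encrypted,
!    then confirm a child SA for the 172.16.x.0 pair appears after traffic flows.
packet-tracer input inside tcp 172.16.10.5 1024 172.16.20.5 3260
show crypto ipsec sa
```

Site B gets the mirror image (its own SAN as the local subnet, site A's subnets as the remote ones). The L3 switch at each site also needs routes for the remote LAN and remote SAN pointing at the ASA's inside address, otherwise the SAN hosts' replies are routed correctly to the switch but never forwarded to the firewall. If `packet-tracer` shows a NAT phase or a drop before the VPN phase, the exemption (step 2) is the usual culprit; if it reaches VPN but no SA is built, the crypto ACLs at the two ends do not mirror.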
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 38314882
It seems we need more information; please provide us:

sh ver
detailed network plan
0
