Second subnet through VPN

I have a client who uses two Cisco ASA55XX firewalls to connect their two offices via VPN.  They have recently added iSCSI SANs to each office on a separate subnet and would like to send replication traffic over the VPN.  I don't see a way to add a second subnet to the tunnel in the GUI and when I attempt to add it from command line it doesn't accept the command.  Can this be done and can an example be provided?
SpyderG asked:
SebastianAbbinanti commented:
You said they are using ASA 55xx what is the xx? Do they have security plus licenses?

Also, you would need to route between the SAN and the LAN to get into the ASA. I would suggest a layer three switch which would function as the default gateway on the san, and then route to the ASA, and vice versa.

Once the routing is done, you can route the traffic through the LAN.

Thanks,
S.
 
SebastianAbbinanti commented:
You can add both subnets to the NAT Exemption ACL and include the new subnet in the crypto map. Lastly, you will need to add a route on the firewall for the SAN, unless the SAN is reachable via an interface on the ASA.

Thanks,
S.
 
djcanter commented:
You can change the scope of the networks, e.g. 192.168.0.0/23 would give you a network 192.168.0.1 - 192.168.1.254.
 
SebastianAbbinanti commented:
The subnets can be non-contiguous. Just add the new subnet to the NAT Exemption ACL and the Crypto Maps at each end.

You may also want to utilize Class Maps and queues to prioritize traffic for the SAN. This is also available on the ASA.

Thanks,
S.
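The three steps SebastianAbbinanti describes (NAT exemption entry, crypto map ACL entry, static route to the SAN subnet) as a worked ASA configuration. This is an added example, not configuration from the thread; the addresses, ACL and crypto map names, sequence number and layer-3 switch gateways are constructed, and it assumes pre-8.3 NAT syntax (`nat (inside) 0 access-list`) with an existing LAN-to-LAN tunnel already up.

```cisco
! Site A ASA (constructed example; names, addresses and sequence numbers are assumed)
! Assumed existing LAN-to-LAN entries:
!   access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!   access-list VPN_TO_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Site A SAN subnet 10.10.1.0/24, Site B SAN subnet 10.10.2.0/24 (non-contiguous with the LANs)
!
! 1. NAT exemption: add only the SAN-to-SAN pair, so replication traffic is not translated
!    (keep it this narrow rather than exempting "any" across the tunnel)
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Crypto map ACL: the same pair becomes a second "interesting traffic" line on the
!    existing map entry, so one tunnel carries both subnet pairs
access-list VPN_TO_SITEB extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto map outside_map 10 match address VPN_TO_SITEB
!
! 3. Route: the local SAN is not directly connected to the ASA, so point it at the
!    layer-3 switch (assumed 192.168.1.254) that is the SAN hosts' default gateway;
!    that switch in turn needs a route for 10.10.2.0/24 toward the ASA inside interface
route inside 10.10.1.0 255.255.255.0 192.168.1.254 1
!
! Site B ASA: mirror image (crypto ACLs must be exact mirrors or the SA will not form)
access-list NONAT extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list VPN_TO_SITEA extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
crypto map outside_map 10 match address VPN_TO_SITEA
route inside 10.10.2.0 255.255.255.0 192.168.2.254 1
!
! Verify: once replication traffic flows, a second SA for 10.10.1.0/24 <-> 10.10.2.0/24
! should appear alongside the LAN-to-LAN one
show crypto ipsec sa
```

On ASA 8.3 and later the NAT exemption is written as twice NAT instead (`nat (inside,outside) source static SAN_A SAN_A destination static SAN_B SAN_B`), while the crypto map ACL and route steps are unchanged.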
 
 
SpyderG (author) commented:
Thanks for the quick responses.  They've already created the subnets and they are not contiguous.  I'm not clear how the SAN traffic would know to traverse the VPN without setting an IP on it to use as a gateway.  Since the current IP is on a different subnet, I can't use it as the gateway for the SAN subnet.  Are you able to clarify?
 
Istvan Kalmar (Head of IT Security Division) commented:
It seems we need more information; please provide:

sh ver
detailed network plan