nainasipra
asked on
how to add vlan subnet in existing easyVPN setup
I am using EasyVPN:
Head Office(ASA 5510 with public ip) connected to SiteOffice(Cisco Router 2810 with PPPoE)
Head Office network: 192.168.2.0/24
Site Office network: 192.168.1.0/24
Everything is working fine.
Now I have another VLAN subnet (172.16.1.0/24). How can I add this network to the existing EasyVPN setup?
thanks
Now I have another VLAN subnet(172.16.1.0/24), how I can add this network with existing easyVPN setup?
Where do you want to add this? On the ASA or on the router?
Kindly post your ASA and router config also.
ASKER
With the router, all VLANs are working; this is only for the VPN. Look, network (192.168.2.0/24) and network (192.168.1.0/24) are already communicating over the VPN; now I want to have access for all three networks via the VPN.
On the router all my VLANs are working fine, but I don't want to give VPN access to all of them.
Only three networks (192.168.1.0/24, 192.168.2.0/24, 172.16.1.0/24) should work with the VPN, as two of them are already working fine.
Do I have to make changes on the remote router also, or is a change on the ASA enough?
And what will the changes be?
thanks
Again coming to your question: "Now I have another VLAN subnet(172.16.1.0/24), how I can add this network with existing easyVPN setup?"
Where is this subnet? Is it behind the ASA or behind the router?
Since it's a site-to-site VPN, you have to make the changes on both sides.
ASKER
Dear anoop,
All VLANs are behind the router, and there is a static route on the router for one remote network (192.168.1.0/24) to the ASA, and the VPN is from the ASA to the remote router.
Second, it's not a site-to-site VPN, it's just EasyVPN (remote access VPN).
I think LIBI has a point that no change is needed on the remote side, as it will be added automatically once it is in the ACL on the ASA.
But it is still not clear to me how to do all this.
thanks
Hi,
can we have the running config of router and ASA? Please mask your private information.
BR,
Libi
ASKER
dear Libi,
Please find attachments for my all devices:
1)- HQ-Router
2)- HQ-ASA
3)- Branch-Router
thanks,
HQ-ROUTER
HQ-ASA5510
BRANCH-ROUTER.txt
Hi,
One clarification: is your new VLAN on the HQ router? And you want to allow the branch clients to access it, right?
BR,
Libi
ASKER
Yes it is?
I already have many VLANs, but only vlan-1 is able to access the branch office. Now I have added one more new vlan-150 and want to access the branch office too.
thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Dear Libi,
Do I really need any static route in the branch office?
1)- Once you have EzVPN, will it not work automatically?
2)- Do I need to configure an interface on the ASA with an IP from the 172.16.1.0/24 subnet, as it already has one IP from the 192.168.2.0/24 subnet?
Please can you help me make sure of any changes on the branch router first, then on the head office?
thanks
Hi
Please provide the following output:
show ip route and show ip interface brief - from all the equipment.
show ip route 172.16.1.0 - from the branch.
BR,
Libi
ASKER
Hi,
OK, I need this also:
show crypto ipsec client ezvpn - from the ASA and the branch router,
and show ip route and show ip interface brief - from the ASA also.
BR,
Libi
ASKER
Dear Libi,
Please find the attachments. As I forgot the enable password on the ASA, I am sending you ASDM screenshots.
Thank you so much!
ASA-interfaces.png
ASA-Routing.png
show-crypto.txt
ASKER
anyone who can help me regarding this please......
Yes, you can add Multiple Subnets to an Easy VPN inside interface.
Multiple Subnet Support
For situations in which you have multiple subnets connected to an Easy VPN inside interface, you can optionally include these subnets in the Easy VPN tunnel. First, you must specify the subnets that should be included by defining them in an ACL. To configure an ACL, see "Access control lists, configuring" in the "Additional References" section. Next, you have to use the acl command after the crypto ipsec client ezvpn (global) command to link your ACL to the Easy VPN configuration. Easy VPN Remote will automatically create the IPsec SAs for each subnet that is defined in the ACL as well as for the subnets that are defined on the Easy VPN inside interface.
Note:
Multiple subnets are not supported in client mode.
Note:
This functionality is supported only when the Cisco Easy VPN server and the Cisco Easy VPN client have the same type of Easy VPN configuration. In other words, both must use a Legacy Easy VPN configuration, or both must use a DVTI configuration.
Let me know if you need any config help.
BR,
Libi
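The two steps from the documentation quoted above (define the subnets in an ACL, then link it with the acl command), shown as an added IOS configuration sketch that is not part of the original thread or of the attached device configs. It assumes the extra subnet sits behind the Easy VPN Remote router; the profile name EZVPN-HQ, the ACL name EZVPN-EXTRA-SUBNETS and the subnet 10.10.20.0/24 are constructed placeholders.

```cisco
! Added example. EZVPN-HQ, EZVPN-EXTRA-SUBNETS and 10.10.20.0/24 are
! constructed placeholders, not values from the thread.
!
! Step 1: list only the additional subnets that should be carried in the
! Easy VPN tunnel. Subnets on the Easy VPN inside interface are included
! already and do not need an entry here.
ip access-list extended EZVPN-EXTRA-SUBNETS
 permit ip 10.10.20.0 0.0.0.255 any
!
! Step 2: link the ACL to the existing Easy VPN Remote profile.
! Multiple subnets are not supported in client mode, so the profile
! is assumed to run in network-extension mode.
crypto ipsec client ezvpn EZVPN-HQ
 mode network-extension
 acl EZVPN-EXTRA-SUBNETS
!
! Step 3: check the tunnel state and the per-subnet IPsec SAs.
! show crypto ipsec client ezvpn
! show crypto ipsec sa
```

A VLAN that is neither listed in the ACL nor attached to the Easy VPN inside interface gets no IPsec SA, so keeping the ACL to the exact subnets required is what keeps the other VLANs out of the tunnel.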