?
Solved

VPN traffic to another subnet

Posted on 2014-03-24
2
Medium Priority
?
565 Views
Last Modified: 2014-03-28
Hi guys,
hope you can help..

My setup is that I have a site to site VPN (cisco ASA):
site1: 10.50.1.x
site2: 10.50.9.x

i can ping all machines, etc on both ends.

however, i need to send traffic from 10.50.1.x subnet destined to 10.50.30.x through a router with IP 10.50.9.254 (that router is able to reach this subnet)
How can i accomplish this - so that all traffic from 10.50.1.x for 10.50.30.x goes through the VPN tunnel and not attempt to go to default route (i.e. internet).

I'm sure this is quite simple, but Cisco stuff is not my game..

Thanks for any help..
Adis
0
Comment
Question by:adispiric
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 4

Accepted Solution

by:
MarcusSjogren earned 2000 total points
ID: 39949954
Hi,

I  believe you have to add 10.50.30.0/24 to your IPSec crypto map and add exempt-rules in the NAT table as well as allow traffic in the access-lists.

You also have to enable hairpinning on the "main hub" 10.50.9.X in order to allow traffic on the same security level to talk to each other.

In global config: same-security-traffic permit intra-interface

Here is also a nice guide on how to get this going.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/64692-enhance-vpn-pix70.html

Difference is that you can skip configuring PIX3 since you want the traffic to flow further on to the network and not to another VPN-tunnel.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39950354
please provide topology view, and configs
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question