Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Add extra route to site-to-site VPN SA520

Posted on 2014-11-13
4
Medium Priority
?
326 Views
Last Modified: 2014-11-19
hi
I have stood up a site to site VPN link between a Cisco SA520 and a Cisco SA540 using a single VPN and IKE profile.

I can get IP routing between the branch office and the subnet included in the VPN profile.  ie, 10.80.30.0 to 10.3.0.0. All works.

However, i can't seem to add routes to other subnets in the main site.

When i add the route using the networking tool, the PING appears to travel via the interent and not the VPN tunnel

both routers are on latest firmware.

Do I need to create separate VPN profiles for each subnet I need to transverse via the VPN tunnel?
0
Comment
Question by:Steven Wells
  • 2
  • 2
4 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 40441661
You need to include the IP range in the access-list called in the crypto map. You also need to exclude that subnet from NAT
0
 
LVL 12

Author Comment

by:Steven Wells
ID: 40441663
Hi Akinsd, I am not sure I can do that using the Cisco SA540 Web interface. Normally I am used to using ASA's
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 2000 total points
ID: 40441666
I use ASAs myself via command line.
You may try this manual
http://www.cisco.com/c/dam/en/us/td/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
I saw a picture in page 20 "Review VPN policy created by wizard"

Somehow somewhere, there should be an area where you would exclude interesting traffic from NAT and include in the ACL used in the policy
0
 
LVL 12

Author Closing Comment

by:Steven Wells
ID: 40453628
the product doesn't support multiple subsets
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question