multiple internal subnets access ASA 5505 VPN Tunnel

Hi there,
We have an MPLS network, with a Cisco ASA 5505 in the data centre acting as the company firewall. The ASA creates an IPsec VPN tunnel to America to allow access to a server. We need all subnets in the MPLS to be able to access the servers through this VPN tunnel. In the example I have attached, I'm just giving an example of 1 subnet (192.168.102.0/24). All Internet traffic is routing out correctly through the ASA, and this is shown in the logs. However, when I try to get access to the server over the VPN, it does not work. The ASA can ping the remote server fine. I have attached a shortened copy of the running config, and a diagram of the setup. In the crypto map of the firewall in America, do we have to add all remote subnets? When it was configured, it was only configured for 172.16.194.22/252.

Config:
ASA-Subnets-over-VPN.txt

Thoughts?
 
Diagram
greentriangle Asked:

arnold Commented:
You might be better off setting up the VPN between the two locations to include routing advertising over the VPN; this will provide you with a dynamic option to add segments as they are seen.
Otherwise, your LAN-to-LAN VPN must include the IP segments on the one side and the same added on the other side.
On one side it is to allow the IPs to go through the VPN to the other side; on the other side, to allow the IPs to come in and to have a path back.

Then your MPLS network needs to advertise what IP segments are available through it including the remote 192.168.4.0/24

It is all an issue of routing on the one hand, and then routing over VPN.
ffleisma (Senior Network Engineer) Commented:
In the crypto map of the firewall in America, do we have to add all remote subnets? When it was configured, it was only configured for 172.16.194.22/252.
Yes, on the firewall in America you'll need to add the subnets across the MPLS that require access to 192.168.4.0/24.
Adding them would pertain to the permissive ACL, VPN ACL, NAT ACL (no NAT in this case) and routing (assuming the America site has default routing, this might not be needed).

This also applies on the ASA (111.111.111.111).
NAT
VPN ACL
permissive ACL, though I didn't notice any in the configuration you have given, so I'm assuming you are allowing all traffic from lower security-level 0 (inside) to higher security-level (outside) (the default action).
access-list NONAT extended permit ip 172.16.194.20 255.255.255.252 192.168.4.0 255.255.255.0 
access-list VPN extended permit ip 172.16.194.20 255.255.255.252 192.168.4.0 255.255.255.0
!
ADD
!
access-list NONAT extended permit ip MPLS_SUBNETS MASK 192.168.4.0 255.255.255.0 
access-list VPN extended permit ip MPLS_SUBNETS MASK 192.168.4.0 255.255.255.0


Since you mentioned the MPLS remote sites are already routing their default route out towards the ASA, you may not need to add routing for 192.168.4.0 to be known by the remote site; they'll just treat it as an unknown route and take the default.

Hope this makes sense and hopefully helps you. Let me know if you have further questions and I'll be glad to help out.
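An added check, not from the thread or from Cisco, that parses each peer's crypto ACL as written from its own side and reports entries the other side does not mirror, then reports VPN entries the local NAT-exempt ACL does not cover and renders the lines the peer would need. The ACL text below is constructed, with 192.168.102.0/24 standing in for one MPLS subnet as in the question.

```python
import ipaddress
import re

# Constructed sample ACLs (not from the thread). 192.168.102.0/24 stands in for
# one MPLS subnet; each peer writes its crypto ACL from its own point of view.
SITE_A_VPN_ACL = """
access-list VPN extended permit ip 172.16.194.20 255.255.255.252 192.168.4.0 255.255.255.0
access-list VPN extended permit ip 192.168.102.0 255.255.255.0 192.168.4.0 255.255.255.0
"""
SITE_B_VPN_ACL = """
access-list VPN extended permit ip 192.168.4.0 255.255.255.0 172.16.194.20 255.255.255.252
"""
SITE_A_NONAT_ACL = """
access-list NONAT extended permit ip 172.16.194.20 255.255.255.252 192.168.4.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_acl(text):
    """Return the set of (source network, destination network) pairs in ASA ACL text."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            pairs.add((src, dst))
    return pairs

def missing_mirror_entries(local_acl, peer_acl):
    """Local crypto-ACL entries the peer does not mirror; those flows fail proxy-ID matching."""
    peer = parse_acl(peer_acl)
    return sorted((s, d) for s, d in parse_acl(local_acl) if (d, s) not in peer)

def vpn_traffic_not_exempt(vpn_acl, nonat_acl):
    """Crypto-ACL entries with no covering NAT-exempt entry; NAT would rewrite them first."""
    exempt = parse_acl(nonat_acl)
    return sorted(
        (s, d) for s, d in parse_acl(vpn_acl)
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
    )

def mirror_acl_lines(acl_name, entries):
    """Render the lines the peer must add so each given local entry has its mirror."""
    return [
        f"access-list {acl_name} extended permit ip "
        f"{d.network_address} {d.netmask} {s.network_address} {s.netmask}"
        for s, d in entries
    ]
```

To use it on a real pair of firewalls, paste the relevant access-list lines from each side's running config into the strings; the same mirror check applies to the NONAT ACL on the remote peer.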
Question has a verified solution.