However, you could not use the ACL_STSVPN-US access-list for the VPN filter either, since the ASA will filter incoming packets only.

no crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 match address ACL_STSVPN-US

2) You also have the same error on the vpn-filter configured.

You need to change it to avoid any issues with the traffic negotiation:

Here are the details:

1) The access-list configured for the VPN traffic is named ACL_STSVPN-US, however the match address configured on the crypto map is using an object-group name instead:

I went over the configuration of both devices and noticed some errors on the ASA configuration.

Is this configuration correct for allowing two subnets at each side of the VPN tunnel to communicate with each other?

match identity remote address 2.2.2.2 255.255.255.255
crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac

group-policy GrpPolicy-STSVPN-US attributes
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
crypto map CM-STSVPN interface INT-STSVPN
group-policy GrpPolicy-STSVPN-US internal
ikev2 local-authentication pre-shared-key abcd
ikev2 remote-authentication pre-shared-key abcd
network-object 192.168.31.0 255.255.255.0
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA

You can find my network design attached to this topic.

1) NAT exemption for the network traffic going over the site-to-site VPN.

I hope you can help me out with the solution. I could not find a configuration that fits my problem. I would like to set up a site-to-site VPN tunnel with multiple subnets.