<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Giving another VLAN access to a VTI tunnel on an ASA in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021970#M1109338</link>
    <description>&lt;P&gt;Hi MHM,&lt;/P&gt;&lt;P&gt;Sorry this was me testing, the subnet is actually 192.168.64.0/21 but we only need the 192.168.67.0/24. I have removed this and put in the correct one now:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 21 Feb 2024 14:13:09 GMT</pubDate>
    <dc:creator>aligidpro</dc:creator>
    <dc:date>2024-02-21T14:13:09Z</dc:date>
    <item>
      <title>Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021900#M1109325</link>
      <description>&lt;P&gt;Hey Guys,&lt;/P&gt;&lt;P&gt;I have got a problem with a VTI site-to-site tunnel we created between two ASAs.&lt;/P&gt;&lt;P&gt;The VTI tunnel is up and running and we can use it to access the other site; however, on Site B we have an extra VLAN which also needs access to the subnet on the other side, but I can't seem to get it to work.&lt;/P&gt;&lt;P&gt;Site A:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;interface Tunnel1
nameif PW-DC1
ip address 192.168.254.10 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 82.XXX.XXX.XX
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 82.XXX.XXX.XX type ipsec-l2l
tunnel-group 82.XXX.XXX.XX general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 82.XXX.XXX.XX ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX

access-list PW-DC1-TUNNEL_access_in extended permit ip any any
access-list PW-DC1-TUNNEL_access_in extended deny ip any any

access-group PW-DC1-TUNNEL_access_in in interface PW-DC1


route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Site B:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;interface Tunnel3005
nameif DC1-PW
ip address 192.168.254.9 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 185.XXX.XXX.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 185.XXX.XXX.X type ipsec-l2l
tunnel-group 185.XXX.XXX.X general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 185.XXX.XXX.X ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX

access-list DC1-PW-TUNNEL_access_in extended permit ip any any
access-list DC1-PW-TUNNEL_access_in extended deny ip any any

access-group DC1-PW-TUNNEL_access_in in interface DC1-PW


route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The tunnel works; however, I also want to give VLAN3005 access to the subnet 192.168.67.X. If I create a route on a Windows server (on VLAN 3005) using:&amp;nbsp;route -p add 192.168.67.0 mask 255.255.255.0 10.30.5.254 (this is the ASA/gateway), the tunnel works, but we have a lot of clients and I can't do this on every client. Is there a way to make this work?&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:19:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021900#M1109325</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T13:19:11Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021912#M1109326</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1687117"&gt;@aligidpro&lt;/a&gt; do the windows clients use the ASA as the default gateway? How is the routing setup on the LAN?&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:30:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021912#M1109326</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-21T13:30:48Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021924#M1109327</link>
      <description>&lt;P&gt;Hi Rob,&lt;/P&gt;&lt;P&gt;The clients use the ASA as gateway. We only have 1 route to the outside:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;route OUTSIDE 0.0.0.0 0.0.0.0 XXX.XXX.XXX.X 1&lt;/LI-CODE&gt;&lt;P&gt;And a few other routes for all the VTI tunnels we have set up.&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:39:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021924#M1109327</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T13:39:33Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021931#M1109328</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1687117"&gt;@aligidpro&lt;/a&gt; so if the ASA is the default gateway for the clients you need to add static routes to the next hop tunnel interface, do this on both ASAs. Or just enable a routing protocol and redistribute the routes.&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:46:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021931#M1109328</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-21T13:46:33Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021936#M1109329</link>
      <description>&lt;P&gt;Can I see show route on both sites?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:48:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021936#M1109329</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-02-21T13:48:52Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021940#M1109330</link>
      <description>&lt;P&gt;Hi Rob,&lt;/P&gt;&lt;P&gt;We have tried the following but with no success:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;route VLAN3005 192.168.67.0 255.255.255.0 10.30.5.254 1&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We get the error:&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;ERROR: Invalid next hop address 10.30.5.254, it matches our IP address&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We also tried:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;route VLAN3005 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/LI-CODE&gt;&lt;P&gt;But this doesn't work; the clients still have no access to the other subnet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:51:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021940#M1109330</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T13:51:40Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021949#M1109333</link>
      <description>&lt;P&gt;Hi MHM,&lt;/P&gt;&lt;P&gt;Here are the routes:&lt;/P&gt;&lt;P&gt;SITE A:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Gateway of last resort is 82.XXX.XXX.6 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XX.XX.5, OUTSIDE
C        10.11.0.0 255.255.0.0 is directly connected, VLAN2
L        10.11.254.254 255.255.255.255 is directly connected, VLAN2
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C        10.67.10.0 255.255.255.0 is directly connected, VLAN10
L        10.67.10.254 255.255.255.255 is directly connected, VLAN10
C        10.68.10.0 255.255.255.0 is directly connected, VLAN11
L        10.68.10.253 255.255.255.255 is directly connected, VLAN11
C        10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L        10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C        82.XX.XX.4 255.255.255.252 is directly connected, OUTSIDE
L        82.XX.XX.6 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C        192.168.16.0 255.255.255.0 is directly connected, VLAN200
L        192.168.16.254 255.255.255.255 is directly connected, VLAN200
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
C        192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L        192.168.254.10 255.255.255.255 is directly connected, PW-DC1&lt;/LI-CODE&gt;&lt;P&gt;SITE B: (I have removed some VLANs to make it shorter but kept all the important VLANs)&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;S*       0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C        10.0.1.0 255.255.255.0 is directly connected, MNGT
L        10.0.1.1 255.255.255.255 is directly connected, MNGT
C        10.0.2.0 255.255.255.0 is directly connected, OOB
L        10.0.2.1 255.255.255.255 is directly connected, OOB
C        10.16.255.0 255.255.255.252
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L        10.16.255.1 255.255.255.255
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C        10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L        10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C        10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L        10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C        10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L        10.30.7.254 255.255.255.255 is directly connected, VLAN3007
B        10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d10h
S        10.255.1.254 255.255.255.255
           [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S        20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B        172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d10h
C        172.16.0.0 255.255.255.0 is directly connected, VLAN1
L        172.16.0.1 255.255.255.255 is directly connected, VLAN1
S        172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C        185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L        185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C        192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L        192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C        192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L        192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:57:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021949#M1109333</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T13:57:44Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021950#M1109334</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1687117"&gt;@aligidpro&lt;/a&gt; the next hop would be the remote tunnel interface, which is either 192.168.254.10 or .9 depending on which ASA the route is being configured on.&lt;/P&gt;
&lt;P&gt;You are using the incorrect nameif as well, example:&lt;/P&gt;
&lt;P&gt;Site A&lt;BR /&gt;route &lt;STRONG&gt;PW-DC1&lt;/STRONG&gt; &amp;lt;subnet&amp;gt; &amp;lt;mask&amp;gt; 192.168.254.9&lt;/P&gt;
&lt;P&gt;Site B&lt;BR /&gt;route &lt;STRONG&gt;DC1-PW&lt;/STRONG&gt; 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 13:58:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021950#M1109334</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-21T13:58:26Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021961#M1109336</link>
      <description>&lt;LI-CODE lang="markup"&gt;S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW &amp;lt;&amp;lt;- this, I think, is overlapping with the prefix you need to add
&lt;/LI-CODE&gt;
</description>
      <pubDate>Wed, 21 Feb 2024 14:03:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021961#M1109336</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-02-21T14:03:32Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021965#M1109337</link>
      <description>&lt;P&gt;I got the following:&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/LI-CODE&gt;&lt;P&gt;But with this I will need to add a static route on the client itself&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What do you mean incorrect nameif? I have chosen to not give it the same nameif on both sites so others can see which site is which or do you mean something else?&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 14:09:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021965#M1109337</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T14:09:25Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021970#M1109338</link>
      <description>&lt;P&gt;Hi MHM,&lt;/P&gt;&lt;P&gt;Sorry this was me testing, the subnet is actually 192.168.64.0/21 but we only need the 192.168.67.0/24. I have removed this and put in the correct one now:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 14:13:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021970#M1109338</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T14:13:09Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021980#M1109339</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1687117"&gt;@aligidpro&lt;/a&gt; you said the clients use the ASA as the default gateway. So the clients should route all traffic to the ASA and then the ASA needs routes in place to route the traffic over the VPN.&lt;/P&gt;
&lt;P&gt;The nameif is configured under the ASA interface:&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;interface Tunnel3005&lt;BR /&gt; &lt;STRONG&gt;nameif DC1-PW&lt;/STRONG&gt;&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 14:16:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021980#M1109339</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-21T14:16:40Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021989#M1109340</link>
      <description>&lt;P&gt;- Friend, share the last show route;&lt;BR /&gt;check if there is overlapping.&lt;/P&gt;
&lt;P&gt;- Also, you need a static route for the new subnet only on one side, not both,&lt;BR /&gt;i.e.&lt;/P&gt;
&lt;P&gt;you add it to &lt;STRONG&gt;PW-DC1&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;then you need to add a static route on the other side:&lt;BR /&gt;route&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;DC1-PW&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&amp;lt;subnet&amp;gt; tunnel IP&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 14:22:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021989#M1109340</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-02-21T14:22:21Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021999#M1109341</link>
      <description>&lt;P&gt;Hi MHM,&lt;/P&gt;&lt;P&gt;This is the show route:&lt;/P&gt;&lt;P&gt;SITE A&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Gateway of last resort is 82.XXX.XXX.5 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 82.XXX.XXX.5, OUTSIDE
C        10.11.0.0 255.255.0.0 is directly connected, VLAN2
L        10.11.254.254 255.255.255.255 is directly connected, VLAN2
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C        10.67.10.0 255.255.255.0 is directly connected, VLAN10
L        10.67.10.254 255.255.255.255 is directly connected, VLAN10
C        10.68.10.0 255.255.255.0 is directly connected, VLAN11
L        10.68.10.253 255.255.255.255 is directly connected, VLAN11
C        10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L        10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C        82.XXX.XXX.4 255.255.255.252 is directly connected, OUTSIDE
L        82.XXX.XXX.6 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C        192.168.16.0 255.255.255.0 is directly connected, VLAN200
L        192.168.16.254 255.255.255.255 is directly connected, VLAN200
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
C        192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L        192.168.254.10 255.255.255.255 is directly connected, PW-DC1&lt;/LI-CODE&gt;&lt;P&gt;SITE B:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;S*       0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C        10.0.1.0 255.255.255.0 is directly connected, MNGT
L        10.0.1.1 255.255.255.255 is directly connected, MNGT
C        10.0.2.0 255.255.255.0 is directly connected, OOB
L        10.0.2.1 255.255.255.255 is directly connected, OOB
C        10.1.0.0 255.255.255.0 is directly connected, ESXI-MNGT
L        10.1.0.1 255.255.255.255 is directly connected, ESXI-MNGT
C        10.2.0.0 255.255.255.0 is directly connected, AD
L        10.2.0.254 255.255.255.255 is directly connected, AD
C        10.2.1.0 255.255.255.0 is directly connected, Exchange
L        10.2.1.254 255.255.255.255 is directly connected, Exchange
C        10.2.2.0 255.255.255.0 is directly connected, Exchange-Sync
L        10.2.2.254 255.255.255.255 is directly connected, Exchange-Sync
C        10.3.0.0 255.255.255.0 is directly connected, VLAN300
L        10.3.0.1 255.255.255.255 is directly connected, VLAN300
C        10.4.0.0 255.255.255.0 is directly connected, VLAN400
L        10.4.0.254 255.255.255.255 is directly connected, VLAN400
C        10.4.1.0 255.255.255.0 is directly connected, VLAN401
L        10.4.1.254 255.255.255.255 is directly connected, VLAN401
C        10.10.1.0 255.255.255.0 is directly connected, VLAN1001
L        10.10.1.254 255.255.255.255 is directly connected, VLAN1001
C        10.10.2.0 255.255.255.0 is directly connected, VLAN1002
L        10.10.2.254 255.255.255.255 is directly connected, VLAN1002
C        10.10.3.0 255.255.255.0 is directly connected, VLAN1003
L        10.10.3.254 255.255.255.255 is directly connected, VLAN1003
C        10.10.4.0 255.255.255.0 is directly connected, VLAN1004
L        10.10.4.254 255.255.255.255 is directly connected, VLAN1004
C        10.10.5.0 255.255.255.0 is directly connected, VLAN1005
L        10.10.5.254 255.255.255.255 is directly connected, VLAN1005
C        10.10.6.0 255.255.255.0 is directly connected, VLAN1006
L        10.10.6.254 255.255.255.255 is directly connected, VLAN1006
C        10.10.7.0 255.255.255.0 is directly connected, VLAN1007
L        10.10.7.254 255.255.255.255 is directly connected, VLAN1007
C        10.10.8.0 255.255.255.0 is directly connected, VLAN1008
L        10.10.8.254 255.255.255.255 is directly connected, VLAN1008
C        10.10.9.0 255.255.255.0 is directly connected, VLAN1009
L        10.10.9.254 255.255.255.255 is directly connected, VLAN1009
C        10.10.10.0 255.255.255.0 is directly connected, VLAN1010
L        10.10.10.254 255.255.255.255 is directly connected, VLAN1010
C        10.16.255.0 255.255.255.252
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L        10.16.255.1 255.255.255.255
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C        10.20.0.0 255.255.255.0 is directly connected, VLAN2000
L        10.20.0.1 255.255.255.255 is directly connected, VLAN2000
C        10.20.1.0 255.255.255.0 is directly connected, VLAN2001
L        10.20.1.1 255.255.255.255 is directly connected, VLAN2001
C        10.20.2.0 255.255.255.0 is directly connected, VLAN2002
L        10.20.2.1 255.255.255.255 is directly connected, VLAN2002
C        10.20.3.0 255.255.255.0 is directly connected, VLAN2003
L        10.20.3.1 255.255.255.255 is directly connected, VLAN2003
C        10.20.4.0 255.255.255.0 is directly connected, VLAN2004
L        10.20.4.1 255.255.255.255 is directly connected, VLAN2004
C        10.20.5.0 255.255.255.0 is directly connected, VLAN2005
L        10.20.5.1 255.255.255.255 is directly connected, VLAN2005
C        10.20.6.0 255.255.255.0 is directly connected, VLAN2006
L        10.20.6.1 255.255.255.255 is directly connected, VLAN2006
C        10.20.7.0 255.255.255.0 is directly connected, VLAN2007
L        10.20.7.1 255.255.255.255 is directly connected, VLAN2007
C        10.20.8.0 255.255.255.0 is directly connected, VLAN2008
L        10.20.8.1 255.255.255.255 is directly connected, VLAN2008
C        10.20.9.0 255.255.255.0 is directly connected, VLAN2009
L        10.20.9.1 255.255.255.255 is directly connected, VLAN2009
C        10.20.10.0 255.255.255.0 is directly connected, VLAN2010
L        10.20.10.1 255.255.255.255 is directly connected, VLAN2010
C        10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L        10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C        10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L        10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C        10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L        10.30.7.254 255.255.255.255 is directly connected, VLAN3007
C        10.40.89.0 255.255.255.0 is directly connected, VLAN4089
L        10.40.89.1 255.255.255.255 is directly connected, VLAN4089
C        10.40.90.0 255.255.255.0 is directly connected, VLAN4090
L        10.40.90.1 255.255.255.255 is directly connected, VLAN4090
B        10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d11h
S        10.255.1.254 255.255.255.255
           [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S        20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B        172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d11h
C        172.16.0.0 255.255.255.0 is directly connected, VLAN1
L        172.16.0.1 255.255.255.255 is directly connected, VLAN1
S        172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C        185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L        185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.92.0 255.255.252.0 [1/0] via 192.168.254.8, DC1-BLOSH
S        192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C        192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L        192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C        192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L        192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C        192.168.254.6 255.255.255.254 is directly connected, DC1-BLOSH
L        192.168.254.7 255.255.255.255 is directly connected, DC1-BLOSH
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW&lt;/LI-CODE&gt;&lt;P&gt;The only route I have added is:&amp;nbsp;&lt;/P&gt;&lt;P&gt;Site A:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1&lt;/LI-CODE&gt;&lt;P&gt;Site B:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;But this doesn't work unfortunately&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 14:34:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5021999#M1109341</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T14:34:09Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022002#M1109343</link>
      <description>&lt;P&gt;Aah, I see what you mean, the ASA has a route, for example:&amp;nbsp;route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/P&gt;&lt;P&gt;But this isn't enough for VLAN3005, because clients on that VLAN cannot contact devices on 192.168.67.x/24, and if I try adding other routes, it either doesn't work anymore or gives me an error that I can't use it or it's the IP of the ASA, etc.&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 14:36:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022002#M1109343</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-21T14:36:33Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022020#M1109345</link>
      <description>&lt;P&gt;This route, 10.30.5.0, is directly attached to Site B and is a static route in Site A; this is correct.&lt;BR /&gt;Site A:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1&lt;/LI-CODE&gt;
&lt;P&gt;Site B RIB&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Site B:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1&lt;/LI-CODE&gt;
&lt;P&gt;Site A RIB&lt;BR /&gt;The prefix is different between the "C" entry and what you add in the Site B static route.&lt;/P&gt;
&lt;PRE class="lia-code-sample  language-markup"&gt;&lt;CODE&gt;C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;Take a cup of tea or coffee and check whether the route you newly need to add appears in both sites' RIBs or not.&lt;BR /&gt;It is an issue of conflict, nothing more, I think.&lt;BR /&gt;&lt;BR /&gt;You can also use&amp;nbsp;&lt;BR /&gt;&lt;FONT color="#00FF00"&gt;&lt;STRONG&gt;&lt;SPAN class="keyword kwd"&gt;show route&lt;/SPAN&gt;&amp;nbsp;&lt;VAR&gt;ip_address&lt;/VAR&gt;&amp;nbsp;&lt;KBD class="ph sep"&gt;[&amp;nbsp;&lt;/KBD&gt;&lt;VAR&gt;mask&lt;/VAR&gt;&amp;nbsp;&lt;KBD class="ph sep"&gt;][&amp;nbsp;&lt;/KBD&gt;&lt;SPAN class="keyword kwd"&gt;longer-prefixes&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 15:04:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022020#M1109345</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-02-21T15:04:15Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022028#M1109346</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1687117"&gt;@aligidpro&lt;/a&gt; change the route:-&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;no route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
route DC1-PW 192.168.64.0 255.255.248.0 192.168.254.10 1&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 15:14:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022028#M1109346</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-21T15:14:17Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022248#M1109350</link>
      <description>&lt;P&gt;The routing should be correct: Site A has a route over the VTI to 10.30.5.0/24 and Site B has a route to 192.168.67.0/24, also over the VTI. Nothing more should be needed for the VPN part. What I am thinking is that this is being blocked in access rules. Have you verified that this traffic is permitted inbound on the Site A PW-DC1 interface, and also verified that it is permitted in on the VLAN3005 interface?&lt;/P&gt;</description>
      <pubDate>Wed, 21 Feb 2024 21:26:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5022248#M1109350</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2024-02-21T21:26:56Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5024355#M1109442</link>
      <description>&lt;P&gt;Thank you everyone for helping, a reboot of the ASA fixed the problem somehow.&lt;/P&gt;</description>
      <pubDate>Mon, 26 Feb 2024 11:05:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5024355#M1109442</guid>
      <dc:creator>aligidpro</dc:creator>
      <dc:date>2024-02-26T11:05:26Z</dc:date>
    </item>
    <item>
      <title>Re: Giving another VLAN access to a VTI tunnel on an ASA</title>
      <link>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5024452#M1109447</link>
      <description>&lt;P&gt;Thanks for updating us.&lt;BR /&gt;Please close this post by selecting your comment as the answer.&lt;BR /&gt;Thanks a lot.&lt;BR /&gt;Have a nice day.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Mon, 26 Feb 2024 14:38:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/giving-another-vlan-access-to-a-vti-tunnel-on-an-asa/m-p/5024452#M1109447</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-02-26T14:38:54Z</dc:date>
    </item>
  </channel>
</rss>

