02-21-2024 05:19 AM
Hey Guys,
I have got a problem with a VTI site-to-site tunnel we created between two ASAs.
The VTI tunnel is up and running and we can use it to access the other site; however, on site B we have an extra VLAN which also needs access to the subnet on the other side, but I can't seem to get it to work.
Site A:
interface Tunnel1
nameif PW-DC1
ip address 192.168.254.10 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 82.XXX.XXX.XX
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE
tunnel-group 82.XXX.XXX.XX type ipsec-l2l
tunnel-group 82.XXX.XXX.XX general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 82.XXX.XXX.XX ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX
access-list PW-DC1-TUNNEL_access_in extended permit ip any any
access-list PW-DC1-TUNNEL_access_in extended deny ip any any
access-group PW-DC1-TUNNEL_access_in in interface PW-DC1
route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1
Site B:
interface Tunnel3005
nameif DC1-PW
ip address 192.168.254.9 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 185.XXX.XXX.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE
tunnel-group 185.XXX.XXX.X type ipsec-l2l
tunnel-group 185.XXX.XXX.X general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 185.XXX.XXX.X ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX
access-list DC1-PW-TUNNEL_access_in extended permit ip any any
access-list DC1-PW-TUNNEL_access_in extended deny ip any any
access-group DC1-PW-TUNNEL_access_in in interface DC1-PW
route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
The tunnel works; however, I also want to give VLAN3005 access to the subnet 192.168.67.X. If I create a route on a Windows server on VLAN 3005 using: route -p add 192.168.67.0 mask 255.255.255.0 10.30.5.254 (this is the ASA/gateway), the tunnel works, but we have a lot of clients and I can't do this on every client. Is there a way to make this work?
02-26-2024 03:05 AM
Thank you everyone for helping, a reboot of the ASA fixed the problem somehow.
02-21-2024 05:30 AM
@aligidpro do the Windows clients use the ASA as the default gateway? How is the routing set up on the LAN?
02-21-2024 05:39 AM
Hi Rob,
The clients use the ASA as gateway. We only have one route to the outside:
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.XXX.XXX.X 1
And a few other routes for all the VTI tunnels we have set up.
02-21-2024 05:46 AM
@aligidpro so if the ASA is the default gateway for the clients, you need to add static routes to the next-hop tunnel interface; do this on both ASAs. Or just enable a routing protocol and redistribute the routes.
02-21-2024 05:51 AM
Hi Rob,
We have tried the following but with no success:
route VLAN3005 192.168.67.0 255.255.255.0 10.30.5.254 1
We get the error:
ERROR: Invalid next hop address 10.30.5.254, it matches our IP address
We also tried:
route VLAN3005 192.168.67.0 255.255.255.0 192.168.254.10 1
But this doesn't work; the clients still have no access to the other subnet.
02-21-2024 05:58 AM
@aligidpro the next hop would be the remote tunnel interface, which is either 192.168.254.10 or .9 depending on which ASA the route is being configured on.
You are using the incorrect nameif as well, for example:
Site A
route PW-DC1 <subnet> <mask> 192.168.254.9
Site B
route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
02-21-2024 06:09 AM
I got the following:
route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
But with this I will need to add a static route on the client itself.
What do you mean by incorrect nameif? I have chosen not to give it the same nameif on both sites so others can see which site is which, or do you mean something else?
02-21-2024 06:16 AM
@aligidpro you said the clients use the ASA as the default gateway. So the clients should route all traffic to the ASA and then the ASA needs routes in place to route the traffic over the VPN.
The nameif is configured under the ASA interface:
interface Tunnel3005
nameif DC1-PW
02-21-2024 06:36 AM
Aah, I see what you mean, the ASA has a route, for example: route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
But this isn't enough for VLAN3005, because clients on that VLAN cannot contact devices on 192.168.67.x/24, and if I try adding other routes, it either doesn't work anymore or gives me an error that I can't use it or that it's the IP of the ASA, etc.
02-21-2024 05:48 AM
Can I see show route on both sites?
MHM
02-21-2024 05:57 AM
Hi MHM,
Here are the routes:
SITE A:
Gateway of last resort is 82.XXX.XXX.6 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 185.XX.XX.5, OUTSIDE
C 10.11.0.0 255.255.0.0 is directly connected, VLAN2
L 10.11.254.254 255.255.255.255 is directly connected, VLAN2
S 10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C 10.67.10.0 255.255.255.0 is directly connected, VLAN10
L 10.67.10.254 255.255.255.255 is directly connected, VLAN10
C 10.68.10.0 255.255.255.0 is directly connected, VLAN11
L 10.68.10.253 255.255.255.255 is directly connected, VLAN11
C 10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L 10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C 82.XX.XX.4 255.255.255.252 is directly connected, OUTSIDE
L 82.XX.XX.6 255.255.255.255 is directly connected, OUTSIDE
S 192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C 192.168.16.0 255.255.255.0 is directly connected, VLAN200
L 192.168.16.254 255.255.255.255 is directly connected, VLAN200
C 192.168.64.0 255.255.248.0 is directly connected, VLAN1
L 192.168.67.254 255.255.255.255 is directly connected, VLAN1
C 192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L 192.168.254.10 255.255.255.255 is directly connected, PW-DC1
SITE B: (I have removed some VLANs to make it shorter but kept all the important VLANs)
S* 0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C 10.0.1.0 255.255.255.0 is directly connected, MNGT
L 10.0.1.1 255.255.255.255 is directly connected, MNGT
C 10.0.2.0 255.255.255.0 is directly connected, OOB
L 10.0.2.1 255.255.255.255 is directly connected, OOB
C 10.16.255.0 255.255.255.252 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L 10.16.255.1 255.255.255.255 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C 10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L 10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C 10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L 10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C 10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L 10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C 10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L 10.30.7.254 255.255.255.255 is directly connected, VLAN3007
B 10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d10h
S 10.255.1.254 255.255.255.255 [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S 20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B 172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d10h
C 172.16.0.0 255.255.255.0 is directly connected, VLAN1
L 172.16.0.1 255.255.255.255 is directly connected, VLAN1
S 172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C 185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L 185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S 192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S 192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW
S 192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C 192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L 192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C 192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L 192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C 192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L 192.168.254.9 255.255.255.255 is directly connected, DC1-PW
02-21-2024 06:03 AM
S 192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW <<- this, I think, is overlapping with the prefix you need to add
02-21-2024 06:13 AM
Hi MHM,
Sorry, this was me testing; the subnet is actually 192.168.64.0/21 but we only need 192.168.67.0/24. I have removed this and put in the correct one now:
S 192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C 192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L 192.168.254.9 255.255.255.255 is directly connected, DC1-PW
02-21-2024 06:22 AM - edited 02-21-2024 06:22 AM
- Friend, share the last show route.
Check if there is overlapping.
- Also, you need a static route for the new subnet only on one side, not both,
i.e.
you add it to PW-DC1,
then you need to add a static route on the other side:
route DC1-PW <subnet> tunnel IP
MHM
02-21-2024 06:34 AM
Hi MHM,
This is the show route:
SITE A
Gateway of last resort is 82.XXX.XXX.5 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 82.XXX.XXX.5, OUTSIDE
C 10.11.0.0 255.255.0.0 is directly connected, VLAN2
L 10.11.254.254 255.255.255.255 is directly connected, VLAN2
S 10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C 10.67.10.0 255.255.255.0 is directly connected, VLAN10
L 10.67.10.254 255.255.255.255 is directly connected, VLAN10
C 10.68.10.0 255.255.255.0 is directly connected, VLAN11
L 10.68.10.253 255.255.255.255 is directly connected, VLAN11
C 10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L 10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C 82.XXX.XXX.4 255.255.255.252 is directly connected, OUTSIDE
L 82.XXX.XXX.6 255.255.255.255 is directly connected, OUTSIDE
S 192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C 192.168.16.0 255.255.255.0 is directly connected, VLAN200
L 192.168.16.254 255.255.255.255 is directly connected, VLAN200
C 192.168.64.0 255.255.248.0 is directly connected, VLAN1
L 192.168.67.254 255.255.255.255 is directly connected, VLAN1
C 192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L 192.168.254.10 255.255.255.255 is directly connected, PW-DC1
SITE B:
S* 0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C 10.0.1.0 255.255.255.0 is directly connected, MNGT
L 10.0.1.1 255.255.255.255 is directly connected, MNGT
C 10.0.2.0 255.255.255.0 is directly connected, OOB
L 10.0.2.1 255.255.255.255 is directly connected, OOB
C 10.1.0.0 255.255.255.0 is directly connected, ESXI-MNGT
L 10.1.0.1 255.255.255.255 is directly connected, ESXI-MNGT
C 10.2.0.0 255.255.255.0 is directly connected, AD
L 10.2.0.254 255.255.255.255 is directly connected, AD
C 10.2.1.0 255.255.255.0 is directly connected, Exchange
L 10.2.1.254 255.255.255.255 is directly connected, Exchange
C 10.2.2.0 255.255.255.0 is directly connected, Exchange-Sync
L 10.2.2.254 255.255.255.255 is directly connected, Exchange-Sync
C 10.3.0.0 255.255.255.0 is directly connected, VLAN300
L 10.3.0.1 255.255.255.255 is directly connected, VLAN300
C 10.4.0.0 255.255.255.0 is directly connected, VLAN400
L 10.4.0.254 255.255.255.255 is directly connected, VLAN400
C 10.4.1.0 255.255.255.0 is directly connected, VLAN401
L 10.4.1.254 255.255.255.255 is directly connected, VLAN401
C 10.10.1.0 255.255.255.0 is directly connected, VLAN1001
L 10.10.1.254 255.255.255.255 is directly connected, VLAN1001
C 10.10.2.0 255.255.255.0 is directly connected, VLAN1002
L 10.10.2.254 255.255.255.255 is directly connected, VLAN1002
C 10.10.3.0 255.255.255.0 is directly connected, VLAN1003
L 10.10.3.254 255.255.255.255 is directly connected, VLAN1003
C 10.10.4.0 255.255.255.0 is directly connected, VLAN1004
L 10.10.4.254 255.255.255.255 is directly connected, VLAN1004
C 10.10.5.0 255.255.255.0 is directly connected, VLAN1005
L 10.10.5.254 255.255.255.255 is directly connected, VLAN1005
C 10.10.6.0 255.255.255.0 is directly connected, VLAN1006
L 10.10.6.254 255.255.255.255 is directly connected, VLAN1006
C 10.10.7.0 255.255.255.0 is directly connected, VLAN1007
L 10.10.7.254 255.255.255.255 is directly connected, VLAN1007
C 10.10.8.0 255.255.255.0 is directly connected, VLAN1008
L 10.10.8.254 255.255.255.255 is directly connected, VLAN1008
C 10.10.9.0 255.255.255.0 is directly connected, VLAN1009
L 10.10.9.254 255.255.255.255 is directly connected, VLAN1009
C 10.10.10.0 255.255.255.0 is directly connected, VLAN1010
L 10.10.10.254 255.255.255.255 is directly connected, VLAN1010
C 10.16.255.0 255.255.255.252 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L 10.16.255.1 255.255.255.255 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C 10.20.0.0 255.255.255.0 is directly connected, VLAN2000
L 10.20.0.1 255.255.255.255 is directly connected, VLAN2000
C 10.20.1.0 255.255.255.0 is directly connected, VLAN2001
L 10.20.1.1 255.255.255.255 is directly connected, VLAN2001
C 10.20.2.0 255.255.255.0 is directly connected, VLAN2002
L 10.20.2.1 255.255.255.255 is directly connected, VLAN2002
C 10.20.3.0 255.255.255.0 is directly connected, VLAN2003
L 10.20.3.1 255.255.255.255 is directly connected, VLAN2003
C 10.20.4.0 255.255.255.0 is directly connected, VLAN2004
L 10.20.4.1 255.255.255.255 is directly connected, VLAN2004
C 10.20.5.0 255.255.255.0 is directly connected, VLAN2005
L 10.20.5.1 255.255.255.255 is directly connected, VLAN2005
C 10.20.6.0 255.255.255.0 is directly connected, VLAN2006
L 10.20.6.1 255.255.255.255 is directly connected, VLAN2006
C 10.20.7.0 255.255.255.0 is directly connected, VLAN2007
L 10.20.7.1 255.255.255.255 is directly connected, VLAN2007
C 10.20.8.0 255.255.255.0 is directly connected, VLAN2008
L 10.20.8.1 255.255.255.255 is directly connected, VLAN2008
C 10.20.9.0 255.255.255.0 is directly connected, VLAN2009
L 10.20.9.1 255.255.255.255 is directly connected, VLAN2009
C 10.20.10.0 255.255.255.0 is directly connected, VLAN2010
L 10.20.10.1 255.255.255.255 is directly connected, VLAN2010
C 10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L 10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C 10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L 10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C 10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L 10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C 10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L 10.30.7.254 255.255.255.255 is directly connected, VLAN3007
C 10.40.89.0 255.255.255.0 is directly connected, VLAN4089
L 10.40.89.1 255.255.255.255 is directly connected, VLAN4089
C 10.40.90.0 255.255.255.0 is directly connected, VLAN4090
L 10.40.90.1 255.255.255.255 is directly connected, VLAN4090
B 10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d11h
S 10.255.1.254 255.255.255.255 [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S 20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B 172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d11h
C 172.16.0.0 255.255.255.0 is directly connected, VLAN1
L 172.16.0.1 255.255.255.255 is directly connected, VLAN1
S 172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C 185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L 185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S 192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S 192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
S 192.168.92.0 255.255.252.0 [1/0] via 192.168.254.8, DC1-BLOSH
S 192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C 192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L 192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C 192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L 192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C 192.168.254.6 255.255.255.254 is directly connected, DC1-BLOSH
L 192.168.254.7 255.255.255.255 is directly connected, DC1-BLOSH
C 192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L 192.168.254.9 255.255.255.255 is directly connected, DC1-PW
The only routes I have added are:
Site A:
route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1
Site B:
route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
But this doesn't work, unfortunately.
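As an added example (not posted by anyone in the thread), the routing logic discussed above modelled in Python: the two route tables are rebuilt from the posted `show route` output, and the code performs the longest-prefix lookup an ASA does for a VLAN3005 host reaching 192.168.67.x (and the return path at Site A), reproduces the "matches our IP address" check that rejected the 10.30.5.254 next hop, and flags that the two posted tunnel addresses (192.168.254.9/31 and 192.168.254.10/31) do not fall in the same /31. The masked public addresses are replaced with RFC 5737 placeholders, and the /31 check is a consistency warning only; the thread itself ends with a reboot fixing the problem.

```python
import ipaddress

# Constructed from the routes posted in the thread; masked public addresses are
# RFC 5737 placeholders. Only entries relevant to 10.30.5.0/24 <-> 192.168.67.0/24.
SITE_A = """S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.5, OUTSIDE
S 10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C 192.168.64.0 255.255.248.0 is directly connected, VLAN1
L 192.168.67.254 255.255.255.255 is directly connected, VLAN1
C 192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L 192.168.254.10 255.255.255.255 is directly connected, PW-DC1"""

SITE_B = """S* 0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, OUTSIDE
C 10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L 10.30.5.254 255.255.255.255 is directly connected, VLAN3005
S 192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C 192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L 192.168.254.9 255.255.255.255 is directly connected, DC1-PW"""


def parse_show_route(text):
    """Turn 'show route' lines into (code, network, next_hop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        net = ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
        # C/L entries have no next hop; static entries carry '[a/m] via X,'.
        hop = None if "directly connected" in line else ipaddress.ip_address(p[5].rstrip(","))
        routes.append((p[0], net, hop, p[-1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the ASA does; returns (interface, next_hop) or None."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[1]]
    if not hits:
        return None
    _, _, hop, iface = max(hits, key=lambda r: r[1].prefixlen)
    return iface, (str(hop) if hop else "connected")


def validate_next_hop(routes, hop):
    """Reproduce the rejection of 'route VLAN3005 ... 10.30.5.254' from the thread:
    a next hop that is one of the firewall's own (L) addresses is invalid."""
    hop = ipaddress.ip_address(hop)
    if any(code == "L" and hop in net for code, net, _, _ in routes):
        return f"ERROR: Invalid next hop address {hop}, it matches our IP address"
    return "OK"


def tunnel_ends_share_link(a, b, prefixlen=31):
    """Consistency check: both VTI addresses should sit in one point-to-point /31."""
    return ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) == \
        ipaddress.ip_network(f"{b}/{prefixlen}", strict=False)
```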