cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
637
Views
1
Helpful
19
Replies

Giving another VLAN access to a VTI tunnel on an ASA

aligidpro
Level 1
Level 1

Hey Guys,

I have got a problem with a VTI site to site tunnel we created between two ASA's.

The VTI tunnel is up and running and we can use it to access the other site, however on site B we have an extra VLAN which also need access to the subnet on the other side but I can't seem to get it to work.

Site A:

 

interface Tunnel1
nameif PW-DC1
ip address 192.168.254.10 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 82.XXX.XXX.XX
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 82.XXX.XXX.XX type ipsec-l2l
tunnel-group 82.XXX.XXX.XX general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 82.XXX.XXX.XX ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX

access-list PW-DC1-TUNNEL_access_in extended permit ip any any
access-list PW-DC1-TUNNEL_access_in extended deny ip any any

access-group PW-DC1-TUNNEL_access_in in interface PW-DC1


route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1

 

Site B:

 

interface Tunnel3005
nameif DC1-PW
ip address 192.168.254.9 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 185.XXX.XXX.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 185.XXX.XXX.X type ipsec-l2l
tunnel-group 185.XXX.XXX.X general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 185.XXX.XXX.X ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX

access-list DC1-PW-TUNNEL_access_in extended permit ip any any
access-list DC1-PW-TUNNEL_access_in extended deny ip any any

access-group DC1-PW-TUNNEL_access_in in interface DC1-PW


route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

 

 The tunnel works however I want to give VLAN3005 also access to the subnet 192.168.67.X. If I create a route on a windows server on vlan 3005) using: route -p add 192.168.67.0 mask 255.255.255.0 10.30.5.254 (this is the asa/gateway), the tunnel works but we have a lot of clients and I can't do this on every client. Is there a way to make this work?

1 Accepted Solution

Accepted Solutions

aligidpro
Level 1
Level 1

Thank you everyone for helping, a reboot of the asa fixed the problem somehow.

View solution in original post

19 Replies 19

@aligidpro do the windows clients use the ASA as the default gateway? How is the routing setup on the LAN?

Hi Rob,

The clients use the ASA as gateway. We only have 1 route to the outside 

 

route OUTSIDE 0.0.0.0 0.0.0.0 XXX.XXX.XXX.X 1

And a few other routes for all the vti tunnels we have set up

@aligidpro so if the ASA is the default gateway for the clients you need to add static routes to the next hop tunnel interface, do this on both ASAs. Or just enable a routing protocol and redistribute the routes.

Hi Rob,

We have tried the following but with no succes:

 

route VLAN3005 192.168.67.0 255.255.255.0 10.30.5.254 1

 

We get the error: 

 

ERROR: Invalid next hop address 10.30.5.254, it matches our IP address

 

We also tried 

 

route VLAN3005 192.168.67.0 255.255.255.0 192.168.254.10 1

But this doesn't work, the clients still have no access to the other subnet.

 

@aligidpro the next hop would be the remote tunnel interface, which is either 192.168.254.10 or .9 depending on which ASA the route is being configured on.

You are using the incorrect nameif aswell, example:

Site A
route PW-DC1 <subnet> <mask> 192.168.254.9

Site B
route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

I got the following: 

route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

But with this I will need to add a static route on the client itself

 

What do you mean incorrect nameif? I have chosen to not give it the same nameif on both sites so others can see which site is which or do you mean something else?

@aligidpro you said the clients use the ASA as the default gateway. So the clients should route all traffic to the ASA and then the ASA needs routes in place to route the traffic over the VPN.

The nameif is configured under the ASA interface: 

interface Tunnel3005
nameif DC1-PW

 

Aah I see what you mean, the ASA has a route, for example: route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

But this isn't enough for VLAN3005 because clients on that vlan can not contact devices on 192.168.67.x/24 and if I try adding other routes, it either doesn't work anymore or gives me an error that I can't use it or its the ip of the asa etc

Can i see show route in both sites

MHM

Hi MHM,

Here are the routes:

SITE A:

Gateway of last resort is 82.XXX.XXX.6 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XX.XX.5, OUTSIDE
C        10.11.0.0 255.255.0.0 is directly connected, VLAN2
L        10.11.254.254 255.255.255.255 is directly connected, VLAN2
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C        10.67.10.0 255.255.255.0 is directly connected, VLAN10
L        10.67.10.254 255.255.255.255 is directly connected, VLAN10
C        10.68.10.0 255.255.255.0 is directly connected, VLAN11
L        10.68.10.253 255.255.255.255 is directly connected, VLAN11
C        10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L        10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C        82.XX.XX.4 255.255.255.252 is directly connected, OUTSIDE
L        82.XX.XX.6 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C        192.168.16.0 255.255.255.0 is directly connected, VLAN200
L        192.168.16.254 255.255.255.255 is directly connected, VLAN200
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
C        192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L        192.168.254.10 255.255.255.255 is directly connected, PW-DC1

SITE B: (i have removed some vlans that to make it shorter but kept all the important vlans)

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C        10.0.1.0 255.255.255.0 is directly connected, MNGT
L        10.0.1.1 255.255.255.255 is directly connected, MNGT
C        10.0.2.0 255.255.255.0 is directly connected, OOB
L        10.0.2.1 255.255.255.255 is directly connected, OOB
C        10.16.255.0 255.255.255.252
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L        10.16.255.1 255.255.255.255
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C        10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L        10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C        10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L        10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C        10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L        10.30.7.254 255.255.255.255 is directly connected, VLAN3007
B        10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d10h
S        10.255.1.254 255.255.255.255
           [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S        20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B        172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d10h
C        172.16.0.0 255.255.255.0 is directly connected, VLAN1
L        172.16.0.1 255.255.255.255 is directly connected, VLAN1
S        172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C        185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L        185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C        192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L        192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C        192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L        192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW

  

S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW <<- this I think overlapping with prefix you need to add

Screenshot (125).png

Hi MHM,

Sorry this was me testing, the subnet is actually 192.168.64.0/21 but we only need the 192.168.67.0/24. I have removed this and put in the correct one now:

S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW

 

-friend share the last show route
check if there is overlapping 

-also you need static route for new subnet only in one side not both 
i.e.

you add it to PW-DC1 

then you need to add static route in other side
route DC1-PW <subnet> tunnel IP

MHM

 

Hi MHM,

This is the show route:

SITE A

Gateway of last resort is 82.XXX.XXX.5 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 82.XXX.XXX.5, OUTSIDE
C        10.11.0.0 255.255.0.0 is directly connected, VLAN2
L        10.11.254.254 255.255.255.255 is directly connected, VLAN2
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C        10.67.10.0 255.255.255.0 is directly connected, VLAN10
L        10.67.10.254 255.255.255.255 is directly connected, VLAN10
C        10.68.10.0 255.255.255.0 is directly connected, VLAN11
L        10.68.10.253 255.255.255.255 is directly connected, VLAN11
C        10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L        10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C        82.XXX.XXX.4 255.255.255.252 is directly connected, OUTSIDE
L        82.XXX.XXX.6 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C        192.168.16.0 255.255.255.0 is directly connected, VLAN200
L        192.168.16.254 255.255.255.255 is directly connected, VLAN200
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
C        192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L        192.168.254.10 255.255.255.255 is directly connected, PW-DC1

SITE B:

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C        10.0.1.0 255.255.255.0 is directly connected, MNGT
L        10.0.1.1 255.255.255.255 is directly connected, MNGT
C        10.0.2.0 255.255.255.0 is directly connected, OOB
L        10.0.2.1 255.255.255.255 is directly connected, OOB
C        10.1.0.0 255.255.255.0 is directly connected, ESXI-MNGT
L        10.1.0.1 255.255.255.255 is directly connected, ESXI-MNGT
C        10.2.0.0 255.255.255.0 is directly connected, AD
L        10.2.0.254 255.255.255.255 is directly connected, AD
C        10.2.1.0 255.255.255.0 is directly connected, Exchange
L        10.2.1.254 255.255.255.255 is directly connected, Exchange
C        10.2.2.0 255.255.255.0 is directly connected, Exchange-Sync
L        10.2.2.254 255.255.255.255 is directly connected, Exchange-Sync
C        10.3.0.0 255.255.255.0 is directly connected, VLAN300
L        10.3.0.1 255.255.255.255 is directly connected, VLAN300
C        10.4.0.0 255.255.255.0 is directly connected, VLAN400
L        10.4.0.254 255.255.255.255 is directly connected, VLAN400
C        10.4.1.0 255.255.255.0 is directly connected, VLAN401
L        10.4.1.254 255.255.255.255 is directly connected, VLAN401
C        10.10.1.0 255.255.255.0 is directly connected, VLAN1001
L        10.10.1.254 255.255.255.255 is directly connected, VLAN1001
C        10.10.2.0 255.255.255.0 is directly connected, VLAN1002
L        10.10.2.254 255.255.255.255 is directly connected, VLAN1002
C        10.10.3.0 255.255.255.0 is directly connected, VLAN1003
L        10.10.3.254 255.255.255.255 is directly connected, VLAN1003
C        10.10.4.0 255.255.255.0 is directly connected, VLAN1004
L        10.10.4.254 255.255.255.255 is directly connected, VLAN1004
C        10.10.5.0 255.255.255.0 is directly connected, VLAN1005
L        10.10.5.254 255.255.255.255 is directly connected, VLAN1005
C        10.10.6.0 255.255.255.0 is directly connected, VLAN1006
L        10.10.6.254 255.255.255.255 is directly connected, VLAN1006
C        10.10.7.0 255.255.255.0 is directly connected, VLAN1007
L        10.10.7.254 255.255.255.255 is directly connected, VLAN1007
C        10.10.8.0 255.255.255.0 is directly connected, VLAN1008
L        10.10.8.254 255.255.255.255 is directly connected, VLAN1008
C        10.10.9.0 255.255.255.0 is directly connected, VLAN1009
L        10.10.9.254 255.255.255.255 is directly connected, VLAN1009
C        10.10.10.0 255.255.255.0 is directly connected, VLAN1010
L        10.10.10.254 255.255.255.255 is directly connected, VLAN1010
C        10.16.255.0 255.255.255.252
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L        10.16.255.1 255.255.255.255
           is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C        10.20.0.0 255.255.255.0 is directly connected, VLAN2000
L        10.20.0.1 255.255.255.255 is directly connected, VLAN2000
C        10.20.1.0 255.255.255.0 is directly connected, VLAN2001
L        10.20.1.1 255.255.255.255 is directly connected, VLAN2001
C        10.20.2.0 255.255.255.0 is directly connected, VLAN2002
L        10.20.2.1 255.255.255.255 is directly connected, VLAN2002
C        10.20.3.0 255.255.255.0 is directly connected, VLAN2003
L        10.20.3.1 255.255.255.255 is directly connected, VLAN2003
C        10.20.4.0 255.255.255.0 is directly connected, VLAN2004
L        10.20.4.1 255.255.255.255 is directly connected, VLAN2004
C        10.20.5.0 255.255.255.0 is directly connected, VLAN2005
L        10.20.5.1 255.255.255.255 is directly connected, VLAN2005
C        10.20.6.0 255.255.255.0 is directly connected, VLAN2006
L        10.20.6.1 255.255.255.255 is directly connected, VLAN2006
C        10.20.7.0 255.255.255.0 is directly connected, VLAN2007
L        10.20.7.1 255.255.255.255 is directly connected, VLAN2007
C        10.20.8.0 255.255.255.0 is directly connected, VLAN2008
L        10.20.8.1 255.255.255.255 is directly connected, VLAN2008
C        10.20.9.0 255.255.255.0 is directly connected, VLAN2009
L        10.20.9.1 255.255.255.255 is directly connected, VLAN2009
C        10.20.10.0 255.255.255.0 is directly connected, VLAN2010
L        10.20.10.1 255.255.255.255 is directly connected, VLAN2010
C        10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L        10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C        10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L        10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C        10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L        10.30.7.254 255.255.255.255 is directly connected, VLAN3007
C        10.40.89.0 255.255.255.0 is directly connected, VLAN4089
L        10.40.89.1 255.255.255.255 is directly connected, VLAN4089
C        10.40.90.0 255.255.255.0 is directly connected, VLAN4090
L        10.40.90.1 255.255.255.255 is directly connected, VLAN4090
B        10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d11h
S        10.255.1.254 255.255.255.255
           [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S        20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B        172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d11h
C        172.16.0.0 255.255.255.0 is directly connected, VLAN1
L        172.16.0.1 255.255.255.255 is directly connected, VLAN1
S        172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C        185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L        185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.92.0 255.255.252.0 [1/0] via 192.168.254.8, DC1-BLOSH
S        192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C        192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L        192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C        192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L        192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C        192.168.254.6 255.255.255.254 is directly connected, DC1-BLOSH
L        192.168.254.7 255.255.255.255 is directly connected, DC1-BLOSH
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW

The only route I have added is: 

Site A:

route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1

Site B:

route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

 But this doesn't work unfortunately

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card