Giving another VLAN access to a VTI tunnel on an ASA

aligidpro
Level 1

Hey Guys,

I have got a problem with a VTI site-to-site tunnel we created between two ASAs.

The VTI tunnel is up and running and we can use it to access the other site. However, on site B we have an extra VLAN which also needs access to the subnet on the other side, but I can't seem to get it to work.

Site A:

 

interface Tunnel1
nameif PW-DC1
ip address 192.168.254.10 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 82.XXX.XXX.XX
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 82.XXX.XXX.XX type ipsec-l2l
tunnel-group 82.XXX.XXX.XX general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 82.XXX.XXX.XX ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX

access-list PW-DC1-TUNNEL_access_in extended permit ip any any
access-list PW-DC1-TUNNEL_access_in extended deny ip any any

access-group PW-DC1-TUNNEL_access_in in interface PW-DC1


route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1

 

Site B:

 

interface Tunnel3005
nameif DC1-PW
ip address 192.168.254.9 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 185.XXX.XXX.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 185.XXX.XXX.X type ipsec-l2l
tunnel-group 185.XXX.XXX.X general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 185.XXX.XXX.X ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX

access-list DC1-PW-TUNNEL_access_in extended permit ip any any
access-list DC1-PW-TUNNEL_access_in extended deny ip any any

access-group DC1-PW-TUNNEL_access_in in interface DC1-PW


route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

 

The tunnel works, however I want to give VLAN3005 access to the subnet 192.168.67.x as well. If I create a route on a Windows server on VLAN3005 using: route -p add 192.168.67.0 mask 255.255.255.0 10.30.5.254 (this is the ASA/gateway), the tunnel works, but we have a lot of clients and I can't do this on every client. Is there a way to make this work?

Accepted Solution

aligidpro
Level 1

Thank you everyone for helping; a reboot of the ASA fixed the problem somehow.


19 Replies

@aligidpro do the Windows clients use the ASA as the default gateway? How is the routing set up on the LAN?

Hi Rob,

The clients use the ASA as gateway. We only have one route to the outside:

 

route OUTSIDE 0.0.0.0 0.0.0.0 XXX.XXX.XXX.X 1

And a few other routes for all the VTI tunnels we have set up.

@aligidpro so if the ASA is the default gateway for the clients, you need to add static routes pointing to the next-hop tunnel interface; do this on both ASAs. Or just enable a routing protocol and redistribute the routes.

Hi Rob,

We have tried the following but with no success:

 

route VLAN3005 192.168.67.0 255.255.255.0 10.30.5.254 1

 

We get the error:

 

ERROR: Invalid next hop address 10.30.5.254, it matches our IP address

 

We also tried:

 

route VLAN3005 192.168.67.0 255.255.255.0 192.168.254.10 1

But this doesn't work; the clients still have no access to the other subnet.

 

@aligidpro the next hop would be the remote tunnel interface, which is either 192.168.254.10 or .9 depending on which ASA the route is being configured on.

You are using the incorrect nameif as well, for example:

Site A
route PW-DC1 <subnet> <mask> 192.168.254.9

Site B
route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

I got the following:

route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

But with this I will need to add a static route on the client itself.

 

What do you mean by incorrect nameif? I have chosen not to give it the same nameif on both sites so others can see which site is which, or do you mean something else?

@aligidpro you said the clients use the ASA as the default gateway. So the clients should route all traffic to the ASA and then the ASA needs routes in place to route the traffic over the VPN.

The nameif is configured under the ASA interface: 

interface Tunnel3005
nameif DC1-PW

 

Aah, I see what you mean. The ASA has a route, for example: route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

But this isn't enough for VLAN3005, because clients on that VLAN cannot contact devices on 192.168.67.x/24, and if I try adding other routes it either doesn't work anymore or gives me an error that I can't use it, or that it's the IP of the ASA, etc.

Can I see show route from both sites?

MHM

Hi MHM,

Here are the routes:

SITE A:

Gateway of last resort is 82.XXX.XXX.6 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XX.XX.5, OUTSIDE
C        10.11.0.0 255.255.0.0 is directly connected, VLAN2
L        10.11.254.254 255.255.255.255 is directly connected, VLAN2
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C        10.67.10.0 255.255.255.0 is directly connected, VLAN10
L        10.67.10.254 255.255.255.255 is directly connected, VLAN10
C        10.68.10.0 255.255.255.0 is directly connected, VLAN11
L        10.68.10.253 255.255.255.255 is directly connected, VLAN11
C        10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L        10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C        82.XX.XX.4 255.255.255.252 is directly connected, OUTSIDE
L        82.XX.XX.6 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C        192.168.16.0 255.255.255.0 is directly connected, VLAN200
L        192.168.16.254 255.255.255.255 is directly connected, VLAN200
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
C        192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L        192.168.254.10 255.255.255.255 is directly connected, PW-DC1

SITE B: (I have removed some VLANs to make it shorter but kept all the important VLANs)

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C        10.0.1.0 255.255.255.0 is directly connected, MNGT
L        10.0.1.1 255.255.255.255 is directly connected, MNGT
C        10.0.2.0 255.255.255.0 is directly connected, OOB
L        10.0.2.1 255.255.255.255 is directly connected, OOB
C        10.16.255.0 255.255.255.252 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L        10.16.255.1 255.255.255.255 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C        10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L        10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C        10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L        10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C        10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L        10.30.7.254 255.255.255.255 is directly connected, VLAN3007
B        10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d10h
S        10.255.1.254 255.255.255.255 [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S        20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B        172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d10h
C        172.16.0.0 255.255.255.0 is directly connected, VLAN1
L        172.16.0.1 255.255.255.255 is directly connected, VLAN1
S        172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C        185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L        185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C        192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L        192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C        192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L        192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW

  

S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW <<- this, I think, overlaps with the prefix you need to add


Hi MHM,

Sorry, this was me testing. The subnet is actually 192.168.64.0/21, but we only need the 192.168.67.0/24. I have removed this and put in the correct one now:

S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW

 

- Friend, share the latest show route and check if there is any overlap.

- Also, you need the static route for the new subnet only on one side, not both,
i.e.

you add it to PW-DC1,

then you need to add a static route on the other side:
route DC1-PW <subnet> <tunnel IP>

MHM

 

Hi MHM,

This is the show route:

SITE A

Gateway of last resort is 82.XXX.XXX.5 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 82.XXX.XXX.5, OUTSIDE
C        10.11.0.0 255.255.0.0 is directly connected, VLAN2
L        10.11.254.254 255.255.255.255 is directly connected, VLAN2
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
C        10.67.10.0 255.255.255.0 is directly connected, VLAN10
L        10.67.10.254 255.255.255.255 is directly connected, VLAN10
C        10.68.10.0 255.255.255.0 is directly connected, VLAN11
L        10.68.10.253 255.255.255.255 is directly connected, VLAN11
C        10.194.194.14 255.255.255.254 is directly connected, PW-DC2
L        10.194.194.15 255.255.255.255 is directly connected, PW-DC2
C        82.XXX.XXX.4 255.255.255.252 is directly connected, OUTSIDE
L        82.XXX.XXX.6 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 10.194.194.16, PW-DC2
C        192.168.16.0 255.255.255.0 is directly connected, VLAN200
L        192.168.16.254 255.255.255.255 is directly connected, VLAN200
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
C        192.168.254.10 255.255.255.254 is directly connected, PW-DC1
L        192.168.254.10 255.255.255.255 is directly connected, PW-DC1

SITE B:

S*       0.0.0.0 0.0.0.0 [1/0] via 185.XXX.XXX.1, OUTSIDE
C        10.0.1.0 255.255.255.0 is directly connected, MNGT
L        10.0.1.1 255.255.255.255 is directly connected, MNGT
C        10.0.2.0 255.255.255.0 is directly connected, OOB
L        10.0.2.1 255.255.255.255 is directly connected, OOB
C        10.1.0.0 255.255.255.0 is directly connected, ESXI-MNGT
L        10.1.0.1 255.255.255.255 is directly connected, ESXI-MNGT
C        10.2.0.0 255.255.255.0 is directly connected, AD
L        10.2.0.254 255.255.255.255 is directly connected, AD
C        10.2.1.0 255.255.255.0 is directly connected, Exchange
L        10.2.1.254 255.255.255.255 is directly connected, Exchange
C        10.2.2.0 255.255.255.0 is directly connected, Exchange-Sync
L        10.2.2.254 255.255.255.255 is directly connected, Exchange-Sync
C        10.3.0.0 255.255.255.0 is directly connected, VLAN300
L        10.3.0.1 255.255.255.255 is directly connected, VLAN300
C        10.4.0.0 255.255.255.0 is directly connected, VLAN400
L        10.4.0.254 255.255.255.255 is directly connected, VLAN400
C        10.4.1.0 255.255.255.0 is directly connected, VLAN401
L        10.4.1.254 255.255.255.255 is directly connected, VLAN401
C        10.10.1.0 255.255.255.0 is directly connected, VLAN1001
L        10.10.1.254 255.255.255.255 is directly connected, VLAN1001
C        10.10.2.0 255.255.255.0 is directly connected, VLAN1002
L        10.10.2.254 255.255.255.255 is directly connected, VLAN1002
C        10.10.3.0 255.255.255.0 is directly connected, VLAN1003
L        10.10.3.254 255.255.255.255 is directly connected, VLAN1003
C        10.10.4.0 255.255.255.0 is directly connected, VLAN1004
L        10.10.4.254 255.255.255.255 is directly connected, VLAN1004
C        10.10.5.0 255.255.255.0 is directly connected, VLAN1005
L        10.10.5.254 255.255.255.255 is directly connected, VLAN1005
C        10.10.6.0 255.255.255.0 is directly connected, VLAN1006
L        10.10.6.254 255.255.255.255 is directly connected, VLAN1006
C        10.10.7.0 255.255.255.0 is directly connected, VLAN1007
L        10.10.7.254 255.255.255.255 is directly connected, VLAN1007
C        10.10.8.0 255.255.255.0 is directly connected, VLAN1008
L        10.10.8.254 255.255.255.255 is directly connected, VLAN1008
C        10.10.9.0 255.255.255.0 is directly connected, VLAN1009
L        10.10.9.254 255.255.255.255 is directly connected, VLAN1009
C        10.10.10.0 255.255.255.0 is directly connected, VLAN1010
L        10.10.10.254 255.255.255.255 is directly connected, VLAN1010
C        10.16.255.0 255.255.255.252 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
L        10.16.255.1 255.255.255.255 is directly connected, vti-DC1-ASA-20.XXX.XXX.54
C        10.20.0.0 255.255.255.0 is directly connected, VLAN2000
L        10.20.0.1 255.255.255.255 is directly connected, VLAN2000
C        10.20.1.0 255.255.255.0 is directly connected, VLAN2001
L        10.20.1.1 255.255.255.255 is directly connected, VLAN2001
C        10.20.2.0 255.255.255.0 is directly connected, VLAN2002
L        10.20.2.1 255.255.255.255 is directly connected, VLAN2002
C        10.20.3.0 255.255.255.0 is directly connected, VLAN2003
L        10.20.3.1 255.255.255.255 is directly connected, VLAN2003
C        10.20.4.0 255.255.255.0 is directly connected, VLAN2004
L        10.20.4.1 255.255.255.255 is directly connected, VLAN2004
C        10.20.5.0 255.255.255.0 is directly connected, VLAN2005
L        10.20.5.1 255.255.255.255 is directly connected, VLAN2005
C        10.20.6.0 255.255.255.0 is directly connected, VLAN2006
L        10.20.6.1 255.255.255.255 is directly connected, VLAN2006
C        10.20.7.0 255.255.255.0 is directly connected, VLAN2007
L        10.20.7.1 255.255.255.255 is directly connected, VLAN2007
C        10.20.8.0 255.255.255.0 is directly connected, VLAN2008
L        10.20.8.1 255.255.255.255 is directly connected, VLAN2008
C        10.20.9.0 255.255.255.0 is directly connected, VLAN2009
L        10.20.9.1 255.255.255.255 is directly connected, VLAN2009
C        10.20.10.0 255.255.255.0 is directly connected, VLAN2010
L        10.20.10.1 255.255.255.255 is directly connected, VLAN2010
C        10.29.99.0 255.255.255.0 is directly connected, VLAN2999
L        10.29.99.254 255.255.255.255 is directly connected, VLAN2999
C        10.30.2.0 255.255.255.0 is directly connected, VLAN3002
L        10.30.2.254 255.255.255.255 is directly connected, VLAN3002
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
C        10.30.7.0 255.255.255.0 is directly connected, VLAN3007
L        10.30.7.254 255.255.255.255 is directly connected, VLAN3007
C        10.40.89.0 255.255.255.0 is directly connected, VLAN4089
L        10.40.89.1 255.255.255.255 is directly connected, VLAN4089
C        10.40.90.0 255.255.255.0 is directly connected, VLAN4090
L        10.40.90.1 255.255.255.255 is directly connected, VLAN4090
B        10.255.0.0 255.255.240.0 [20/0] via 10.255.1.254, 2d11h
S        10.255.1.254 255.255.255.255 [1/0] via 10.16.255.2, vti-DC1-ASA-20.XXX.XXX.54
S        20.XXX.XXX.54 255.255.255.255 [1/0] via 185.XXX.XXX.1, OUTSIDE
B        172.16.0.0 255.255.0.0 [20/0] via 10.255.1.254, 2d11h
C        172.16.0.0 255.255.255.0 is directly connected, VLAN1
L        172.16.0.1 255.255.255.255 is directly connected, VLAN1
S        172.16.80.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
C        185.XXX.XXX.0 255.255.255.0 is directly connected, OUTSIDE
L        185.XXX.XXX.4 255.255.255.255 is directly connected, OUTSIDE
S        192.168.8.0 255.255.252.0 [1/0] via 192.168.254.6, DC1-DC2
S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.92.0 255.255.252.0 [1/0] via 192.168.254.8, DC1-BLOSH
S        192.168.114.0 255.255.254.0 [1/0] via 192.168.254.2, DC1-OFFICE
C        192.168.254.0 255.255.255.254 is directly connected, DC1-OFFICE
L        192.168.254.1 255.255.255.255 is directly connected, DC1-OFFICE
C        192.168.254.4 255.255.255.254 is directly connected, DC1-DC2
L        192.168.254.5 255.255.255.255 is directly connected, DC1-DC2
C        192.168.254.6 255.255.255.254 is directly connected, DC1-BLOSH
L        192.168.254.7 255.255.255.255 is directly connected, DC1-BLOSH
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW

The only routes I have added are:

Site A:

route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1

Site B:

route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

But this doesn't work, unfortunately.
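Added example, not part of the thread and not Cisco code: the Python script below parses a constructed show route excerpt modelled on the site B table above, resolves the route the ASA would pick for a 192.168.67.x destination by longest-prefix match (so you can see which of the /21 and /24 entries wins and where it points), and sanity-checks a candidate static route's next hop before it is typed in. The first check reproduces the condition behind the error quoted earlier in the thread (the next hop is one of the ASA's own local "L" addresses); the second, an off-link next hop for the named interface, is this script's own heuristic and not an ASA message. The parser, the function names and the placeholder public addresses in the sample are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of ASA "show route" output, modelled on the site B
# tables posted in the thread. Public IPs are placeholders, not the originals.
SHOW_ROUTE_SITE_B = """\
S*       0.0.0.0 0.0.0.0 [1/0] via 185.0.0.1, OUTSIDE
C        10.16.255.0 255.255.255.252
           is directly connected, vti-DC1-ASA-20.0.0.54
L        10.16.255.1 255.255.255.255
           is directly connected, vti-DC1-ASA-20.0.0.54
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
S        192.168.64.0 255.255.248.0 [1/0] via 192.168.254.10, DC1-PW
S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
C        192.168.254.8 255.255.255.254 is directly connected, DC1-PW
L        192.168.254.9 255.255.255.255 is directly connected, DC1-PW
"""

# One "show route" entry: code, network, mask, then either "[AD/metric] via NH"
# or "is directly connected", then the egress interface (nameif).
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+)|is directly connected)"
    r",\s+(?P<ifname>\S+)"
)


def parse_show_route(text):
    """Parse ASA 'show route' lines into dicts; rejoins entries the ASA wrapped."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:      # continuation of the previous entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    routes = []
    for entry in entries:
        m = ROUTE_RE.match(entry)
        if not m:
            continue                            # headers, blank lines, etc.
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}"),
            "next_hop": ipaddress.ip_address(m["nh"]) if m["nh"] else None,
            "interface": m["ifname"],
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def check_static_route(routes, ifname, next_hop):
    """Sanity-check 'route <ifname> <net> <mask> <next_hop>' before typing it."""
    nh = ipaddress.ip_address(next_hop)
    local = {r["network"].network_address for r in routes if r["code"] == "L"}
    if nh in local:
        # The condition behind the "matches our IP address" error quoted in the thread.
        return "ERROR: next hop matches one of the ASA's own addresses"
    connected = [r for r in routes if r["code"] == "C" and r["interface"] == ifname]
    if not any(nh in r["network"] for r in connected):
        # Heuristic of this script, not an ASA message: the named interface has
        # no connected network containing the next hop.
        return f"WARN: {nh} is not on a connected network of {ifname}"
    return "OK"


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE_SITE_B)
    best = lookup(table, "192.168.67.1")
    print(f"192.168.67.1 -> {best['network']} via {best['next_hop']} on {best['interface']}")
    for ifname, nh in [("VLAN3005", "10.30.5.254"),
                       ("VLAN3005", "192.168.254.10"),
                       ("DC1-PW", "192.168.254.10")]:
        print(f"route {ifname} 192.168.67.0 255.255.255.0 {nh}: "
              f"{check_static_route(table, ifname, nh)}")
```

Running it shows 192.168.67.1 resolving to the /24 via 192.168.254.10 on DC1-PW (and, with the /24 absent, to the same next hop via the /21), the 10.30.5.254 next hop rejected as a local address, and 192.168.254.10 flagged as off-link for VLAN3005. It is also flagged as off-link for DC1-PW: as posted, site B's tunnel address 192.168.254.9/31 sits in 192.168.254.8/31 while site A's 192.168.254.10/31 sits in 192.168.254.10/31, so the two tunnel ends do not share a /31. Whether that matters on a point-to-point VTI is something to confirm on the box, but a pair such as .8/.9 or .10/.11 on both ends removes the doubt.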
