
Giving another VLAN access to a VTI tunnel on an ASA

aligidpro
Level 1

Hey Guys,

I have got a problem with a VTI site-to-site tunnel we created between two ASAs.

The VTI tunnel is up and running and we can use it to access the other site; however, on site B we have an extra VLAN which also needs access to the subnet on the other side, but I can't seem to get it to work.

Site A:

 

interface Tunnel1
nameif PW-DC1
ip address 192.168.254.10 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 82.XXX.XXX.XX
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 82.XXX.XXX.XX type ipsec-l2l
tunnel-group 82.XXX.XXX.XX general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 82.XXX.XXX.XX ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX

access-list PW-DC1-TUNNEL_access_in extended permit ip any any
access-list PW-DC1-TUNNEL_access_in extended deny ip any any

access-group PW-DC1-TUNNEL_access_in in interface PW-DC1


route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1

 

Site B:

 

interface Tunnel3005
nameif DC1-PW
ip address 192.168.254.9 255.255.255.254
tunnel source interface OUTSIDE
tunnel destination 185.XXX.XXX.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile GP-UNIVERSAL-PROFILE

tunnel-group 185.XXX.XXX.X type ipsec-l2l
tunnel-group 185.XXX.XXX.X general-attributes
default-group-policy GP-GROUP-POLICY
tunnel-group 185.XXX.XXX.X ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX

access-list DC1-PW-TUNNEL_access_in extended permit ip any any
access-list DC1-PW-TUNNEL_access_in extended deny ip any any

access-group DC1-PW-TUNNEL_access_in in interface DC1-PW


route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

 

The tunnel works, however I want to give VLAN3005 also access to the subnet 192.168.67.X. If I create a route on a Windows server (on VLAN 3005) using: route -p add 192.168.67.0 mask 255.255.255.0 10.30.5.254 (this is the ASA/gateway), the tunnel works, but we have a lot of clients and I can't do this on every client. Is there a way to make this work?

19 Replies

This route, 10.30.5.0, is directly attached at site B and a static route at site A. Is this correct?
Site A:

route PW-DC1 10.30.5.0 255.255.255.0 192.168.254.9 1

site B RIB

C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005

 

Site B:

route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1

site A RIB
The prefix is different between the "C" entry and what you added in the site B static route.

C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1

Take a cup of tea or coffee and check whether the route you newly need to add appears in both sites' RIB or not.
It is an issue of conflict, nothing more, I think.

You can also use
show route ip_address [mask] [longer-prefixes]

 

@aligidpro change the route:

no route DC1-PW 192.168.67.0 255.255.255.0 192.168.254.10 1
route DC1-PW 192.168.64.0 255.255.248.0 192.168.254.10 1
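The prefix mismatch pointed out above (a /24 static route on site B against a /21 connected network on site A) can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from Cisco: it parses RIB lines in the style of ASA "show route" output, reports which part of each site's connected LAN the other ASA has no route for, and shows which entry a given destination would match (the same question "show route ip_address" answers). The RIB excerpts are constructed for illustration, and the "fixed" site B RIB assumes the suggested 192.168.64.0/21 route replaces the /24 one.

```python
import ipaddress
import re

# Constructed sample RIB excerpts in the style of ASA "show route" output (not captured from
# the devices in the thread). Site A's LAN is 192.168.64.0/21; site B's static route only
# covers 192.168.67.0/24 of it, which is the mismatch discussed in the thread.
SITE_A_RIB = """\
C        192.168.64.0 255.255.248.0 is directly connected, VLAN1
L        192.168.67.254 255.255.255.255 is directly connected, VLAN1
S        10.30.5.0 255.255.255.0 [1/0] via 192.168.254.9, PW-DC1
"""

SITE_B_RIB = """\
C        10.30.5.0 255.255.255.0 is directly connected, VLAN3005
L        10.30.5.254 255.255.255.255 is directly connected, VLAN3005
S        192.168.67.0 255.255.255.0 [1/0] via 192.168.254.10, DC1-PW
"""

# Site B after applying the suggested "route DC1-PW 192.168.64.0 255.255.248.0 ..." change (assumed result).
SITE_B_RIB_FIXED = SITE_B_RIB.replace("192.168.67.0 255.255.255.0", "192.168.64.0 255.255.248.0")

# Route code, network and mask at the start of each RIB line; the rest of the line is ignored.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z]+\*?)\s+(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})")


def parse_rib(text):
    """Return [(code, ip_network), ...] for every parsable line of a show route dump."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((m["code"], net))
    return routes


def lan_prefixes(routes):
    """Connected ('C') prefixes: the subnets the ASA serves locally. /32 'L' entries are skipped."""
    return [net for code, net in routes if code == "C"]


def uncovered(lan, remote_routes):
    """Pieces of `lan` for which the remote RIB holds no route at all (any code except 'L')."""
    remaining = [lan]
    for code, net in remote_routes:
        if code == "L":
            continue
        kept = []
        for piece in remaining:
            if net.supernet_of(piece):          # piece fully inside a remote route: reachable
                continue
            if piece.supernet_of(net):          # remote route covers only part of the piece
                kept.extend(piece.address_exclude(net))
            else:
                kept.append(piece)
        remaining = kept
    return sorted(remaining)


def check_coverage(local_rib, remote_rib):
    """Map each local LAN prefix to the parts of it the remote ASA cannot route back to."""
    remote = parse_rib(remote_rib)
    return {str(lan): [str(n) for n in uncovered(lan, remote)]
            for lan in lan_prefixes(parse_rib(local_rib))}


def longest_match(routes, destination):
    """The (code, network) entry a destination would use, mirroring 'show route <ip>'."""
    dst = ipaddress.ip_address(destination)
    best = None
    for code, net in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net)
    return best


if __name__ == "__main__":
    print("Site A LAN seen from site B:", check_coverage(SITE_A_RIB, SITE_B_RIB))
    print("Site B LAN seen from site A:", check_coverage(SITE_B_RIB, SITE_A_RIB))
    print("After widening the site B route:", check_coverage(SITE_A_RIB, SITE_B_RIB_FIXED))
    print("192.168.67.10 from site B ->", longest_match(parse_rib(SITE_B_RIB), "192.168.67.10"))
    print("192.168.65.5 from site B ->", longest_match(parse_rib(SITE_B_RIB), "192.168.65.5"))
```

With the original /24 route, site B can reach 192.168.67.0/24 but has no path to the rest of 192.168.64.0/21 (192.168.64.0/23, 192.168.66.0/24 and 192.168.68.0/22), so return traffic from any site A host outside the /24 would be dropped or follow the default route; after the route is widened to the /21 the uncovered list is empty.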

 

The routing should be correct: Site A has a route over the VTI to 10.30.5.0/24 and Site B has a route to 192.168.67.0/24, also over the VTI. Nothing more should be needed for the VPN part. What I am thinking is that this is being blocked in access rules. Have you verified that this traffic is permitted inbound on the Site A PW-DC1 interface, and also verified that it is permitted inbound on the VLAN3005 interface?

--
Please remember to select a correct answer and rate helpful posts

aligidpro
Level 1

Thank you everyone for helping; a reboot of the ASA fixed the problem somehow.

Thanks for updating us.
Please close this post by selecting your comment as the answer.
Thanks a lot,
have a nice day.

MHM
