11-17-2023 02:10 AM
Hello Community,
I'm dealing with a routing problem on a Cisco ASA 5512 and I'm hoping to get some assistance.
I've set up a VPN connection between two sites. The local site has the IP address range 192.168.2.0/24, and the remote site has the IP address range 192.168.1.0/24. The local gateway address is 192.168.2.254, and the remote gateway address is 192.168.1.254.
The VPN tunnel is active, and I can send data between the sites. However, I want the traffic destined for the remote network (100.102.0.0/15) to be routed through the host address 192.168.1.253.
I've attempted to achieve this with a static route, but it doesn't seem to work:
It seems to ignore the existing VPN tunnel and tries to find 192.168.1.253 in the local network.
Can anyone help me configure the correct routing for this scenario? Is there something I might be overlooking or have done incorrectly?
Thanks in advance for your assistance!
11-17-2023 02:38 AM
As I understand it, that should be done on the FW 192.168.1.254 - maybe PBR and a route-map (have you tried this?)
11-17-2023 03:05 AM
The remote FW is a Cisco RV042; it does not have PBR features. The static route 100.102.0.0/15 on the remote FW works for the 192.168.1.0/24 network, though.
11-17-2023 05:52 AM
This is not related to routing.
Your static route config is correct,
but did you add this subnet to the VPN ACL? If not, the traffic will be dropped.
11-19-2023 11:29 PM
This is my ACL; I'm not sure how to define the rule.
Do you mean on interface modem_t, from the local network 192.168.2.0/24 to the 100.102.0.0/15 network?
And the direction would be out?
Result of the command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list modem_cryptomap; 1 elements; name hash: 0x2d4acfc6
access-list modem_cryptomap line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=5433) 0x4e6fa10e
access-list modem_t_cryptomap_65535; 1 elements; name hash: 0x1e69033d
access-list modem_t_cryptomap_65535 line 1 extended permit ip any4 any4 (hitcnt=0) 0x7f5269ab
access-list modem_t_cryptomap_1; 1 elements; name hash: 0xc115cc32
access-list modem_t_cryptomap_1 line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0xe42e35f9
access-list modem_t_access_in; 1 elements; name hash: 0x3516f436
access-list modem_t_access_in line 1 extended permit tcp any object TRMM eq https (hitcnt=0) 0xeb88364b
access-list modem_t_access_in line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=0) 0xeb88364b
access-list modemt_access_in; 1 elements; name hash: 0x742f7b87
access-list modemt_access_in line 1 extended permit tcp any object TRMM eq https (hitcnt=0) 0x44edb35c
access-list modemt_access_in line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=0) 0x44edb35c
access-list modem_access_in; 1 elements; name hash: 0xd9fbe0d0
access-list modem_access_in line 1 extended permit tcp any object TRMM eq https (hitcnt=0) 0x26288484
access-list modem_access_in line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=0) 0x26288484
access-list OUT-IN; 1 elements; name hash: 0x456198c2
access-list OUT-IN line 1 extended permit tcp any object TRMM eq https (hitcnt=1105011) 0xbec1c7cc
access-list OUT-IN line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=1105011) 0xbec1c7cc
11-20-2023 02:42 AM
access-list modem_cryptomap line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Extended permit ip 100.102.0.0/15 192.168.1.0 255.255.255.0
This needs to be added on this device and mirrored on the peer.
On the peer you need a 100.102.0.0/15 route toward your device.
11-20-2023 11:59 PM
So I added the ACL with this command
access-list VPN_ACL extended permit ip 192.168.2.0 255.255.255.0 100.102.0.0 255.254.0.0
But I'm not sure how to mirror it on my remote firewall, because it's only a Cisco RV042.
11-21-2023 01:30 AM
@cchen wrote:
So I added the ACL with this command
access-list VPN_ACL extended permit ip 192.168.2.0 255.255.255.0 100.102.0.0 255.254.0.0
But I'm not sure how to mirror it on my remote firewall, because it's only a Cisco RV042.
How you config the first line of the ACL, config the second line.
11-22-2023 02:22 AM
Which configuration do you mean?
11-17-2023 04:40 PM
Hi,
Have you updated your ACL on the local FW for the "interesting" traffic between 192.168.2.0/24 and 100.102.0.0/15, and the "mirror"/reverse ACL on the remote FW?
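As an added example (not code from the thread or from Cisco), here is a small Python check for the two things the replies keep coming back to: whether a given flow would be selected by the local crypto-map ACL as "interesting" traffic, and whether the peer's selectors are the exact source/destination mirror. The ACL text is constructed from the thread's show access-list output plus the VPN_ACL line the poster added; the peer ACL is written in ASA syntax only so the two sides can be compared, since the RV042 does not use this syntax.

```python
import ipaddress

# Constructed input: the thread's modem_cryptomap ACE plus the VPN_ACL line the poster added.
LOCAL_ACL = """
access-list modem_cryptomap line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=5433) 0x4e6fa10e
access-list VPN_ACL extended permit ip 192.168.2.0 255.255.255.0 100.102.0.0 255.254.0.0
"""
# Constructed input: the src/dst-swapped selectors the peer side would need (ASA syntax for comparison only).
PEER_ACL = """
access-list PEER extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list PEER extended permit ip 100.102.0.0 255.254.0.0 192.168.2.0 255.255.255.0
"""

def _take_net(tokens):
    """Consume one ASA address spec from the token list: any/any4, 'host X', or 'X MASK'."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_aces(text):
    """Return (acl_name, src_net, dst_net) for each 'permit ip' ACE in show access-list output."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or "permit" not in toks:
            continue  # summary lines, counters, and non-ACE output
        i = toks.index("permit")
        if toks[i + 1] != "ip":
            continue  # only protocol-ip ACEs are meaningful as crypto-map traffic selectors
        rest = toks[i + 2:]
        src = _take_net(rest)
        dst = _take_net(rest)  # trailing (hitcnt=...) and hash tokens are ignored
        aces.append((toks[1], src, dst))
    return aces

def covering_aces(aces, src_ip, dst_ip):
    """Names of the ACEs that would select a src_ip -> dst_ip flow for the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [name for name, src, dst in aces if s in src and d in dst]

def is_mirrored(local_aces, peer_aces):
    """True if every local ACE has an exact src/dst-swapped counterpart on the peer."""
    peer = {(src, dst) for _, src, dst in peer_aces}
    return all((dst, src) in peer for _, src, dst in local_aces)
```

With only the original modem_cryptomap line, a 192.168.2.x to 100.102.x.x flow matches nothing and is sent in the clear per the routing table, which is the behaviour described in the first post.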