673 Views | 3 Helpful | 9 Replies

Cisco ASA 5512 VPN Routing Issue

cchen
Level 1

Hello Community,

I'm dealing with a routing problem on a Cisco ASA 5512 and I'm hoping to get some assistance.

I've set up a VPN connection between two sites. The local site has the IP address range 192.168.2.0/24, and the remote site has the IP address range 192.168.1.0/24. The local gateway address is 192.168.2.254, and the remote gateway address is 192.168.1.254.

The VPN tunnel is active, and I can send data between the sites. However, I want the traffic destined for the remote network (100.102.0.0/15) to be routed through the host address 192.168.1.253.

I've attempted to achieve this with a static route, but it doesn't seem to work:
It seems to ignore the existing VPN tunnel and tries to find 192.168.1.253 in the local network.

Can anyone help me configure the correct routing for this scenario? Is there something I might be overlooking or have done incorrectly?

Thanks in advance for your assistance!

9 Replies

balaji.bandi
Hall of Fame

As I understand it, that should be done on the FW 192.168.1.254 - maybe PBR and a route-map (have you tried this?)

 

BB


The remote FW is a Cisco RV042; it does not have PBR features. The static route for 100.102.0.0/15 on the remote FW works for the 192.168.1.0/24 network, though.

This is not related to routing.
Your static route config is correct,
but did you add this subnet to the VPN ACL? If not, the traffic will be dropped.

This is my ACL; I'm not sure how to define the rule.
Do you mean on interface modem_t, from the local network 192.168.2.0/24 to the 100.102.0.0/15 network?
And the direction would be out?

Result of the command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list modem_cryptomap; 1 elements; name hash: 0x2d4acfc6
access-list modem_cryptomap line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=5433) 0x4e6fa10e
access-list modem_t_cryptomap_65535; 1 elements; name hash: 0x1e69033d
access-list modem_t_cryptomap_65535 line 1 extended permit ip any4 any4 (hitcnt=0) 0x7f5269ab
access-list modem_t_cryptomap_1; 1 elements; name hash: 0xc115cc32
access-list modem_t_cryptomap_1 line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0xe42e35f9
access-list modem_t_access_in; 1 elements; name hash: 0x3516f436
access-list modem_t_access_in line 1 extended permit tcp any object TRMM eq https (hitcnt=0) 0xeb88364b
access-list modem_t_access_in line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=0) 0xeb88364b
access-list modemt_access_in; 1 elements; name hash: 0x742f7b87
access-list modemt_access_in line 1 extended permit tcp any object TRMM eq https (hitcnt=0) 0x44edb35c
access-list modemt_access_in line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=0) 0x44edb35c
access-list modem_access_in; 1 elements; name hash: 0xd9fbe0d0
access-list modem_access_in line 1 extended permit tcp any object TRMM eq https (hitcnt=0) 0x26288484
access-list modem_access_in line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=0) 0x26288484
access-list OUT-IN; 1 elements; name hash: 0x456198c2
access-list OUT-IN line 1 extended permit tcp any object TRMM eq https (hitcnt=1105011) 0xbec1c7cc
access-list OUT-IN line 1 extended permit tcp any host 192.168.2.142 eq https (hitcnt=1105011) 0xbec1c7cc

access-list modem_cryptomap line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Extended permit ip  100.102.0.0/15 192.168.1.0 255.255.255.0

This needs to be added on this device and mirrored on the peer.

On the peer you need a 100.102.0.0/15 route toward your device.

So I added the ACL with this command:
access-list VPN_ACL extended permit ip 192.168.2.0 255.255.255.0 100.102.0.0 255.254.0.0

But I'm not sure how to mirror it on my remote firewall, because it's only a Cisco RV042.


@cchen wrote:

So I added the ACL with this command:
access-list VPN_ACL extended permit ip 192.168.2.0 255.255.255.0 100.102.0.0 255.254.0.0

But I'm not sure how to mirror it on my remote firewall, because it's only a Cisco RV042.


However you configured the first line of the ACL, configure the second line the same way.

Which configuration do you mean?

johnlloyd_13
Level 9

Hi,

Have you updated the ACL on the local FW for the "interesting" traffic between 192.168.2.0/24 and 100.102.0.0/15, and the "mirror"/reverse ACL on the remote FW?
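To see why the static route alone is not enough, here is an added Python example (not from this thread, Cisco or the posters) that parses the "permit ip" lines of the show access-list output above, tells whether a given flow is "interesting" for a crypto ACL (and so gets encrypted rather than routed in the clear toward the next hop), and produces the mirror the peer needs. The function names and the hit count and hash on the constructed VPN_ACL line are assumptions.

```python
import ipaddress
import re

# Constructed sample: two ACEs copied from the thread's "show access-list" output
# plus the VPN_ACL entry cchen added (its hitcnt and hash are placeholders).
ACL_TEXT = """
access-list modem_cryptomap line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=5433) 0x4e6fa10e
access-list modem_t_cryptomap_65535 line 1 extended permit ip any4 any4 (hitcnt=0) 0x7f5269ab
access-list VPN_ACL line 1 extended permit ip 192.168.2.0 255.255.255.0 100.102.0.0 255.254.0.0 (hitcnt=0) 0x00000000
"""

# Only "permit ip" ACEs matter for a crypto map; other protocols are ignored here.
ACE_RE = re.compile(r"access-list (\S+) line \d+ extended permit ip (.+)")


def _take_net(tokens):
    """Consume one ACE endpoint: any/any4, 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_aces(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for every 'permit ip' ACE."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src, dst = _take_net(tokens), _take_net(tokens)
        aces.setdefault(m.group(1), []).append((src, dst))
    return aces


def is_interesting(aces, acl_name, src_ip, dst_ip):
    """True if src->dst matches the named crypto ACL, i.e. the ASA will send it
    through the tunnel instead of routing it in the clear to the next hop."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in aces.get(acl_name, []))


def mirror_aces(aces, acl_name):
    """Peer-side mirror of each ACE: (local network, remote network) as the
    RV042 must list them for the same tunnel, with source and destination swapped."""
    return [(str(dn), str(sn)) for sn, dn in aces.get(acl_name, [])]
```

With only modem_cryptomap in place, 192.168.2.x to 100.102.x.x is not interesting, which is exactly the behaviour cchen saw.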
