Solved: Confirm VPN L2L return routing understanding?

jmaxwellUSAF · ‎08-03-2023

Hello.

May you please confirm my understanding?...

GIVEN: an ASA5525 has a site-to-site

VPN erected. The remote vendor subnet defined in this local ASA

route-map ACL is 172.16.0.1

The Inside interface of this local ASA is

192.168.0.1/24

A local LAN server 10.0.0.1 has successful EIGRP communication with the above local ASA through

192.168.0.1/24

and also an adjacent EIGRP routing L-3 switch.

QUESTIONS:

1. Is it true that in order for the 10.0.0.1 server to send return traffic back to remote vendor tunneled subnet, there must be configured a return route; for example, an EIGRP

redistributed static route ip route 172.16.0.1 255.255.255.255 192.168.0.1 ?

2. If this above static

redistributed route

lives on the adjacent L-3 switch, and the ASA receives the EIGRP

redistributed routes

must the ASA have any additional routing configured on its configuration for the remote server to have successful return traffic communication, such as a static route to the remote server (or does the

route-map

ACL handle this final routing activity?)?

Thank you.

Giuseppe Larosa · ‎08-04-2023

Hello @jmaxwellUSAF ,

>> Is it true that the

Crypto map

only needs the subnets of the ENDPOINT server subnets, NOT any other subnets in between?

Yes, your understanding is correct the

crypto map

specifies only the local and remote subnets that need to communicate over the IPSEC site to site tunnel.

The local subnets can be directly connected to the VPN termination device or they can be behind one ore more L3 devices. The topology of the site is not important. What is needed is to specify local subnets and remote subnets as they become the criteria for encryption of tx traffic and of decryption of received encrypted packets.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎08-04-2023

Hello @jmaxwellUSAF ,

1) a

default route

pointing to ASA LAN interface on the L3 switch is enough.

To be noted if you want to enable communication between

10.0.0.0/24 and remote 172.16.0.0/24

you need to edit the ACL used in the

crypto map

that has to provide all the possible combinations of local subnets and remote subnets.

The remote site ACL has to be a mirror of the local one with all combinations of remote subnets to local subnets.

2) if using a

default route

on the L3 switch as described above the

crypto map

policy will

route/encrypt

packets to remote destination

172.16.0.0/24

To be noted an ASA firewall by default would perfrom NAT between interfaces for the VPN traffic to work NAT exemption or specific NAT rules (identity NAT) have to be configured to avoid this.

Hope to help

Giuseppe

jmaxwellUSAF · ‎08-04-2023

Thank you for your reply, Giuseppe.

"the

crypto map

that has to provide all the possible combinations of local subnets and remote subnets. The remote site ACL has to be a mirror of the local one with all combinations of remote subnets to local subnets."

-- Is it true that the

Crypto map

only needs the subnets of the ENDPOINT server subnets, NOT any other subnets in between?

Giuseppe Larosa · ‎08-04-2023

Hello @jmaxwellUSAF ,

>> Is it true that the

Crypto map

only needs the subnets of the ENDPOINT server subnets, NOT any other subnets in between?

Yes, your understanding is correct the

crypto map

specifies only the local and remote subnets that need to communicate over the IPSEC site to site tunnel.

The local subnets can be directly connected to the VPN termination device or they can be behind one ore more L3 devices. The topology of the site is not important. What is needed is to specify local subnets and remote subnets as they become the criteria for encryption of tx traffic and of decryption of received encrypted packets.

Hope to help

Giuseppe