09-14-2023 10:46 AM - last edited on 10-11-2023 01:28 AM by Translator
Hello.
Regarding a site-to-site tunnel with local ASA 5525, how do I advertise the tunnel remote subnet 172.16.10.0/24 to my EIGRP local LAN?
1. (There are no interfaces with this subnet, so vanilla EIGRP doesn't work.)
2. Redistributing a static route gives an error...
ASA(config)# route inside 172.16.10.0 255.255.255.0 172.16.99.1
ERROR: Invalid next hop address 172.16.99.1
it matches our IP address
---
Thank you!
09-15-2023 08:16 AM - last edited on 10-11-2023 03:09 AM by Translator
Hello @jmaxwellUSAF ,
>> Essential fact-- Right now I am trying to get return traffic back through a tunnel sourced at a remote branch. The local endpoint server has a default route not through the remote branch, but asymmetrically through a different ASA local to the endpoint server. I need to tell this traffic to route to the remote branch, because that's the return path through the VPN, the only way to reach remote vendor subnet 10.0.20.0/24
Try to configure a static route on the outside of the ASA that handles the site-to-site policy-based VPN, like
route outside 10.0.20.0 255.255.255.0 2.2.2.2
Note: if remote peer 2.2.2.2 is not accepted, use the default gateway IP address as next hop, and then try to redistribute it into EIGRP, but EIGRP has to be spoken by both ASAs for this to take effect.
If I understand correctly, the local server connects to an ASA that is not the one that manages the site-to-site VPN, so you need an L3 routed/routing path between the two ASAs (and any device on the path, like multilayer switches, if any) and also appropriate changes to NAT and to access-lists as needed.
The use of EIGRP or static routes is a secondary aspect.
Hope to help
Giuseppe
09-14-2023 11:06 AM
What is 172.16.99.1? Is it perhaps the address of your outside interface? If so then change the static route to use the address of the connected device on the outside interface (perhaps 172.16.99.2?).
09-14-2023 11:28 AM - last edited on 10-11-2023 01:35 AM by Translator
172.16.99.1 is the private IP of the remote server at the other end of the L2L tunnel. The policy-based tunnel ACL has this 172.16.99.1 server in its config.
(The L2L tunnel local source interface is 1.1.1.1; the L2L tunnel remote source interface is 2.2.2.2.)
The return L2L traffic needs to know how to route to this 172.16.99.0/24 subnet.
How do I propagate this routing intent?
09-14-2023 12:17 PM - last edited on 10-11-2023 02:01 AM by Translator
Thanks for the additional information. But I am confused about the error "Invalid next hop address 172.16.99.1 it matches our IP address". If that is the address of a remote server, how does it match an ASA address?
My second thought is to wonder why you want to advertise this subnet to your LAN? Doesn't the ASA advertise a default route to the LAN?
My third thought is that if you do need to advertise that subnet then change the next hop in the static route to be the next hop device connected to the outside interface.
And that leads me to wonder why you are using route inside? Would it not be better to do route outside (for a remote destination)?
09-14-2023 12:48 PM - last edited on 10-11-2023 02:14 AM by Translator
Let's keep this simple...
The remote site-to-site LAN is 10.0.20.0/24
The local LAN server is 10.0.10.0/24
There is no NAT config through the tunnel (there is an identity NAT statement).
Public IP sources of the tunnel endpoints are 1.1.1.1 and 2.2.2.2.
INTENT: to tell the local LAN how to get to the remote site subnet 10.0.20.0/24
What is the ASA5525 L2L endpoint config here to accomplish the intent?
Thank you.
09-14-2023 12:38 PM - last edited on 10-11-2023 02:05 AM by Translator
Use redistribute static into EIGRP.
Use a route-map to filter the peer LAN subnet.
09-14-2023 12:53 PM - last edited on 10-11-2023 02:08 AM by Translator
(I try to enter this direct command, it fails--
ASA(config)# route inside 172.16.10.0 255.255.255.0 172.16.99.1
ERROR: Invalid next hop address 172.16.99.1
it matches our IP address)
How shall I construct the route map? What does it point to?
09-14-2023 12:58 PM - last edited on 10-11-2023 02:17 AM by Translator
I see you have a route-based VPN, not policy-based.
Then try:
Static route to the remote LAN toward the peer tunnel IP and redistribute it into EIGRP.
Redistribute the VTI tunnel subnet into EIGRP.
Through this, all L3 devices behind the ASA know how to reach the remote LAN and the tunnel subnet.
09-14-2023 01:14 PM - last edited on 10-11-2023 02:57 AM by Translator
This is policy based VPN. Clearly I'm confused.
There does exist on the ASA5525 tunnel endpoint an ACL that only tunnels the explicitly permitted endpoint traffic.
Essential fact-- Right now I am trying to get return traffic back through a tunnel sourced at a remote branch. The local endpoint server has a default route not through the remote branch, but asymmetrically through a different ASA local to the endpoint server. I need to tell this traffic to route to the remote branch, because that's the return path through the VPN, the only way to reach remote vendor subnet 10.0.20.0/24
How does the Local server know how to reach the endpoint server?...
09-14-2023 01:26 PM
>> This is policy based VPN. Clearly I'm confused.
If yes, what are the local and remote LAN subnets?
09-14-2023 01:42 PM - last edited on 10-11-2023 02:57 AM by Translator
local lan subnet= 10.0.10.0/24
remote lan subnet= 10.0.20.0/24
09-15-2023 12:10 PM - last edited on 10-11-2023 02:58 AM by Translator
Giuseppe solved it!...
route outside 10.0.20.0 255.255.255.0 2.2.2.2
Great work! Thank you Giuseppe!
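Putting the thread's accepted approach together (Giuseppe's static route via the peer on the outside interface, plus MHM's redistribute static filtered by a route-map) as one ASA configuration; this is an added example, not from any post in the thread. The nameifs "outside"/"inside", the LANs 10.0.10.0/24 and 10.0.20.0/24 and peer 2.2.2.2 come from the thread; EIGRP AS 100, the prefix-list/route-map names and the default-metric values are assumptions.

```cisco
! Added example (not from the thread). Assumed: EIGRP AS 100, the names
! REMOTE-VPN-LAN / STATIC-TO-EIGRP, and the default-metric values.

! 1. Static route for the remote LAN, next hop = the VPN peer on "outside".
!    A static route's next hop must be a gateway reachable on that interface,
!    not a host behind the tunnel, which is why "route inside ... 172.16.99.1"
!    was rejected. Once this route exists, return traffic for 10.0.20.0/24
!    leaves via "outside", where the crypto map ACL can match and encrypt it.
route outside 10.0.20.0 255.255.255.0 2.2.2.2 1

! 2. Match only the remote VPN LAN so that "redistribute static" does not also
!    leak other static routes (for example a default route) into the inside
!    EIGRP domain.
prefix-list REMOTE-VPN-LAN seq 10 permit 10.0.20.0/24

route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list REMOTE-VPN-LAN

! 3. Redistribute the filtered static route into EIGRP facing the inside LAN.
!    As Giuseppe notes, the second ASA (the server's default gateway) only learns
!    this route if it also speaks EIGRP with the inside L3 path.
router eigrp 100
 network 10.0.10.0 255.255.255.0
 default-metric 1000 100 255 1 1500
 redistribute static route-map STATIC-TO-EIGRP

! 4. The crypto map ACL and the identity (no-NAT) rule for
!    10.0.10.0/24 <-> 10.0.20.0/24 are unchanged; the route only fixes which
!    interface the return traffic exits.

! Verification on the VPN ASA:
!   show route | include 10.0.20.0
!   show eigrp topology | include 10.0.20.0
!   show crypto ipsec sa peer 2.2.2.2
```

On an inside EIGRP neighbor, 10.0.20.0/24 should then appear as an external (D EX) route pointing at the VPN ASA's inside address.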