How to route the LAN to the remote server across the L2L VPN?

Hello.

On an ASA 5525 there is a site to site tunnel...

L2L local int = g0/0 (outside)

L2L local public IP address = 1.1.1.1

 

L2L remote public IP address = 2.2.2.2

L2L remote server = 172.16.1.1

---

What is my EIGRP configuration to advertise the remote server to my LAN?

Thank you!

11 Replies

Joseph W. Doherty
Hall of Fame

You're using a L2 tunnel?

Unless I misunderstand, the tunnel extends L2 between sites.  Each site would treat that link's network locally, basically much as if you had two switches extending the L2 network.  I.e. you don't route across the tunnel, as you might with a L3 tunnel.

Perhaps we need clarification from the original poster, but I do not believe this is a layer 2 tunnel. It is described as a site to site tunnel which I understand to be layer 3.

It would help if we had more information about how this is set up. I am assuming that the ASA has a crypto map associated with the outside interface identifying traffic to be encrypted. And I assume that in conjunction with this that there would be a static route for the remote subnet sending traffic to the outside interface. If that is true then redistribute static into EIGRP should advertise the remote server to your LAN.

HTH

Rick

"Perhaps we need clarification from the original poster"

Agreed.

"I do not believe this is a layer 2 tunnel. It is described as a site to site tunnel which I understand to be layer 3."

Which is why my prior reply starts with "You're using a L2 tunnel?"

I'm just not sure what to make of "L2L", and, I believe, L2 tunnels (e.g. L2TPv3) are "site to site" using IPs as tunnel end points.  I.e., from what's in the OP, I don't believe a L2 tunnel is excluded.

However, I also don't know what an ASA might support.  Certainly, a L3 tunnel would be much more common.

I have seen references to L2L where it was clear that it referred to Lan To Lan and believe that is the case here. But it would be good to have clarification from OP.

HTH

Rick

Thanks Rick!  Your noting "L2L" might mean "LAN to LAN" was extremely helpful!!  (Surprisingly, I don't recall bumping into this term before.)

Doing a quick review, it appears that, generically, "LAN to LAN" may denote either a L2 (e.g. L2TP) or a L3 (e.g. GRE) bearing tunnel over L3, but, possibly most relevant to the OP's question, Cisco uses "LAN to LAN" in their ASA documentation.

As I noted earlier, I'm not at all familiar with all the features an ASA supports.  That being so, whether the tunnel is bearing L2 or L3, if a router were being used for the tunnel, I would expect setting up routing across the tunnel to be similar to how you would configure router(s), but again, I'm without much expertise with all ASA features.

@jmaxwellUSAF I can say, Rick is very knowledgeable about EIGRP, so for EIGRP questions, he should be able to easily assist with those. 

"there would be a static route for the remote subnet sending traffic to the outside interface."--This is the essence of my question.

(L2L local public IP address = 1.1.1.1  ,    L2L remote public IP address = 2.2.2.2  ,   L2L remote server = 172.16.1.1)

May you please show the correct route command to achieve this functionality? Is it...

ASA5525(config)# route outside 172.16.1.1 255.255.255.255 2.2.2.2

?

 

"L2L" means ipsec site to site. (layer 3)

"ASA5525(config)# tunnel-group 2.2.2.2 type ipsec-l2l"

Thanks for confirming that this is a layer 3 tunnel. Are my assumptions about the crypto map and static route correct? If so, then I would think that redistribute static into EIGRP should accomplish what you want.

HTH

Rick

Hello @jmaxwellUSAF ,

I would configure the static route pointing to the default gateway used on the outside interface

ASA5525(config)# route outside 172.16.1.1 255.255.255.255 1.1.1.2

The reason is that the ASA may consider the remote address not adjacent (not directly connected, so not resolvable by ARP).

Then you need to redistribute it into EIGRP, but you only need it if you are not already injecting a default route into the EIGRP domain from the ASA itself, as I noted in a previous thread of yours.

Hope to help

Giuseppe
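Putting Rick's three assumptions (crypto map on outside, a static route for the remote side, redistribute static into EIGRP) together with Giuseppe's next-hop advice, the following is an added example of what the relevant ASA configuration could look like. It is not configuration posted by anyone in this thread. The public addresses 1.1.1.1 / 2.2.2.2 and the server 172.16.1.1 are from the question; the LAN 10.0.0.0/24 on an interface named "inside", the ISP gateway 1.1.1.2, EIGRP AS 100, IKEv1 with a pre-shared key, the object/ACL/map names and the seed metric are all assumptions made for the example.

```text
! Added example, not from any of the posters. Assumed: LAN 10.0.0.0/24 on
! "inside", ISP next hop 1.1.1.2 on "outside", EIGRP AS 100, IKEv1 with a
! pre-shared key. 1.1.1.1 / 2.2.2.2 / 172.16.1.1 are from the question.
!
! Phase 1 and the tunnel-group the OP already has
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-SECRET
!
! Interesting traffic for the crypto map: LAN -> remote server
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network REMOTE-SERVER
 host 172.16.1.1
access-list L2L-ACL extended permit ip object LAN object REMOTE-SERVER
!
! Phase 2 and the crypto map bound to the outside interface
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 2.2.2.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Identity NAT so the VPN traffic is not translated before the crypto ACL check
nat (inside,outside) source static LAN LAN destination static REMOTE-SERVER REMOTE-SERVER no-proxy-arp route-lookup
!
! Routing: send the remote server out "outside" via the ISP gateway
! (Giuseppe's point), not via the peer 2.2.2.2. The crypto map on "outside"
! then encrypts the packet because it matches L2L-ACL.
route outside 0.0.0.0 0.0.0.0 1.1.1.2
route outside 172.16.1.1 255.255.255.255 1.1.1.2
!
! Redistribute only that host route into EIGRP (Rick's "redistribute static"),
! filtered so the 0.0.0.0/0 static is not also injected unless you want it.
access-list VPN-HOST-ROUTES standard permit host 172.16.1.1
route-map STATIC-TO-EIGRP permit 10
 match ip address VPN-HOST-ROUTES
router eigrp 100
 network 10.0.0.0 255.255.255.0
 passive-interface outside
 redistribute static metric 10000 100 255 1 1500 route-map STATIC-TO-EIGRP
```

Checks: `show route` on the ASA should list 172.16.1.1/32 as a static route via outside, a downstream router should learn it as an external EIGRP route, and `show crypto ipsec sa peer 2.2.2.2` should show the encaps/decaps counters moving once a LAN host sends traffic. Two caveats a practitioner will want: forwarding on the ASA itself would already work with only the default route, since 172.16.1.1 falls under it and exits via outside where the crypto map is applied, so the /32 exists mainly to give EIGRP a specific static route to redistribute; and if the ASA already originates a default route into EIGRP (Giuseppe's earlier point), the LAN reaches 172.16.1.1 through the ASA without any redistribution. The remote peer must carry the mirror-image crypto ACL (172.16.1.1 to 10.0.0.0/24) or the tunnel will not negotiate.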

 


@jmaxwellUSAF wrote:

"L2L" means ipsec site to site. (layer 3)

"ASA5525# tunnel-group 2.2.2.2 type ipsec-l2l"


Thanks, for the clarification.

I see you and Rick are working out how to do this using static routes, which may indeed be the only possible way.  But, if the ASA supports EIGRP, and the other side is also an ASA, you might also be able to dynamically route across the tunnel, too.

BTW, in theory, a L2 tunnel might also use IPsec.  Basically the difference is, in a L3 tunnel, you treat the tunnel as if you had a L2 media which you route across.  With a L2 tunnel, the tunnel will transport the original L2 frames, so you pass L2 across it, much as you would having the same VLAN across ports on a switch, or the same VLAN across switches.

With your L3 tunnel, if the ASA supports L3, you would configure it much (logically) as you would a router.  Perhaps static routes, perhaps dynamic routing protocol routes, perhaps some combination.

Remember, one purpose of using tunnels is to make something on the other side of the Internet logically be part of your interior network.
