Routing part of the traffic via site-to-site VPN

KMinev7171
Level 1

I have two ASA 5505s, version 9.1(5), with a site-to-site VPN. Is it possible to force some traffic to go over the VPN and out?

For example, from Site A only 98.0.0.0 255.0.0.0 is to be routed via the VPN, through ASA Site B and out to the internet. The rest of the traffic is to take the default route for ASA Site A.

4 Replies

Richard Burts
Hall of Fame

Perhaps there is some part of your question that I am not understanding. But it seems to me that if you have a VPN from the ASA, there is a crypto map which uses an access list to identify traffic that should be encrypted and sent to the peer via VPN. And it seems to me that if you include an entry in that access list that says that traffic originating from 98.0.0.0 should be encrypted and sent via VPN, that would accomplish what you describe.

HTH

Rick

ASA(A) is 192.168.2.0 and ASA(B) is 192.168.5.0. Local traffic back and forth is fine. I've added 98.0.0.0/8 to the crypto map list but it made no difference. Traffic to 98.x.x.x still goes out from ASA(A). After I set a NAT on both ASAs, pings to 98.0.0.0/8 time out. Am I missing something?

Did you add that network to both ends of the VPN, i.e. to both crypto maps?

Not sure what you mean about NAT?

Perhaps post the relevant configurations removing any sensitive information.

Jon

Yes, I did. I can ping any remote hosts but not 204.79.197.220 (bing.com). 204.0.0.0 is not part of my inside or remote network.

Ping packets are going over the tunnel, but at the VPN endpoint (192.168.5.x) I get an error: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:192.168.2.x/ dst Outside:204.y.y.y denied due to NAT reverse path failure
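The pattern the thread is circling around (a prefix from Site A's LAN sent through the tunnel and hairpinned out of Site B's outside interface) needs three things on ASA 9.x: matching crypto ACL entries on both peers, NAT exemption at Site A so the real 192.168.2.0/24 source enters the tunnel, and at Site B permission for outside-to-outside traffic plus a PAT rule for the remote LAN on that same interface. The "NAT reverse path failure" drop is what the ASA reports when the NAT rule that matched the forward flow is not the one that would match the reverse flow, which is exactly what happens when the hairpin leg has no (outside,outside) rule of its own. The configuration below is an added example written for this thread, not the poster's configuration and not taken from Cisco documentation; the object names (LAN-A, LAN-B, VIA-B), the crypto map names, the interface names inside/outside, and the sequence numbers are assumptions, and the existing IKE/IPsec and peer settings are omitted.

```text
! ---- Site A (192.168.2.0/24 behind "inside") ----
object network LAN-A
 subnet 192.168.2.0 255.255.255.0
object network LAN-B
 subnet 192.168.5.0 255.255.255.0
object network VIA-B
 subnet 98.0.0.0 255.0.0.0           ! prefix that must transit Site B (example prefix from the thread)

! Identity (no-NAT) rules: keep the real source address for anything destined to the tunnel.
! route-lookup makes the ASA consult the routing table rather than the NAT rule for egress,
! so the exemption cannot also steer unrelated reverse flows.
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup
nat (inside,outside) source static LAN-A LAN-A destination static VIA-B VIA-B no-proxy-arp route-lookup

! Crypto ACL: both the LAN-to-LAN pair and the hairpinned prefix must be "interesting" traffic.
access-list VPN-TO-B extended permit ip object LAN-A object LAN-B
access-list VPN-TO-B extended permit ip object LAN-A object VIA-B
crypto map OUTSIDE-MAP 10 match address VPN-TO-B

! ---- Site B (192.168.5.0/24 behind "inside") ----
! Traffic decrypted on "outside" must be allowed to leave on "outside" again.
same-security-traffic permit intra-interface

object network LAN-A
 subnet 192.168.2.0 255.255.255.0
object network LAN-B
 subnet 192.168.5.0 255.255.255.0
object network VIA-B
 subnet 98.0.0.0 255.0.0.0

! Mirror image of Site A's exemption for the normal LAN-to-LAN flow.
nat (inside,outside) source static LAN-B LAN-B destination static LAN-A LAN-A no-proxy-arp route-lookup

! Hairpin leg: the remote LAN arrives on "outside" and leaves on "outside";
! PAT it to the interface address so replies from the internet come back to Site B.
nat (outside,outside) source dynamic LAN-A interface

! Mirror image of Site A's crypto ACL (source/destination swapped).
access-list VPN-TO-A extended permit ip object LAN-B object LAN-A
access-list VPN-TO-A extended permit ip object VIA-B object LAN-A
crypto map OUTSIDE-MAP 10 match address VPN-TO-A
```

To verify without sending real traffic, run packet-tracer on each box for the hairpinned prefix, e.g. `packet-tracer input inside icmp 192.168.2.10 8 0 98.0.0.1` on Site A and `packet-tracer input outside icmp 192.168.2.10 8 0 98.0.0.1` on Site B; the NAT and VPN phases of the output show which rule matched the forward flow, and `show asp drop` counts any remaining nat-rpf-failure drops. Note that the prefix chosen for this kind of policy routing becomes reachable only while the tunnel is up, and that Site B's outside address becomes the visible source for all of it, which is worth recording when reviewing Site B's firewall logs.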
