08-25-2019 01:17 PM
Hi All,
I am having a problem in routing traffic towards my ASA VPN tunnel. Below is the requirement:
Remote VPN Network: 192.168.66.0/24
Local Network: 172.20.30.0/23
Traffic from the 172.20.30.17 host is set to go to the default GW 172.20.30.1, which is a Cisco 2921 router. I need to route the traffic destined for the 192.168.66.0 network towards my firewall, which is 172.20.30.5, while leaving the rest of the traffic (internet) to go out from the router. Attached is my network topology. The VPN tunnel between my public IPs is up, but I am not sure how I can route the scenarios below:
Scenario-1
Source IP: 172.20.30.17
Destination IP 192.168.66.0/24
Goes to VPN tunnel on the Firewall 172.20.30.5
Scenario-2
Source IP: 172.20.30.17
Destination IP: any other destination
Goes through my Cisco router 172.20.30.1
Any help is appreciated.
08-27-2019 09:11 AM
I am slightly confused. Part of the description of the requirements seems to indicate that any traffic from LAN A to LAN B should go through the VPN. But part of the description, especially both scenarios, focuses on a particular host getting to that destination. Is the requirement for the entire LAN A, or is the requirement only for that specific host? Please clarify.
Looking at the configuration of PBR on the router, it seems appropriate if the requirement is that the entire LAN A should use the VPN to get to LAN B. I cannot tell from the posting whether the PBR is working or not. The statement is that ping fails. But that could be because of issues with PBR or issues with the VPN. Can you clarify whether PBR is working?
In looking at the config of ASA at site A I see a major problem. The access list applied to the inside interface seems to permit icmp and to deny all other traffic. This would certainly prevent the vpn from working. Change the access list - or even better, at least for testing, would be to remove the access list from the interface.
HTH
Rick
08-25-2019 01:35 PM
You need policy-based routing here. I hope you have a default route set up to the internet, I guess (since we do not have the full configuration, if possible and if the solution below does not fix it, post the full config).
here is the example guide :
08-25-2019 02:09 PM
08-27-2019 12:37 PM
Hi, so I was able to resolve the issue. I defined a static route on the router so that all traffic from the local LAN towards the remote LAN is forwarded to the FW inside interface, and in the ACL I allowed the traffic on the inside side. I am able to ping now and can RDP to other servers from the remote side using the IP address. One problem I am having now is resolving DNS. I want the DNS for internet traffic to be Google DNS and for my VPN tunnel traffic to be the server on the local LAN side, which is 172.20.30.115. So, for example:
When I RDP to TTLDC01 it should resolve; it isn't right now. But when I use TTLDC01.TTL.LOCAL (TTL.LOCAL is the domain name) I am able to do it. Is there anything missing on my remote FW or local FW with regard to DNS? I just want all of my remote LAN 192.168.xx.xx network to use my local DNS server for tunnel traffic.
08-28-2019 06:41 AM
Thanks for the update. Glad to know that you have resolved the issue with PBR and now are able to access those resources. I am glad that our suggestions pointed you in the right direction. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.
I am not clear about your issue with DNS and how to solve it.
This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
HTH
Rick
08-25-2019 01:44 PM
Hello,
Looking at your topology, the first layer 3 devices that your 172.20.30.17 host hits are the 2921 router and the firewall, is that right? If that is the case, I don't see any other way of accomplishing this than adding a static route on the host itself. In Windows, you would use:
route ADD 192.168.66.0 MASK 255.255.255.0 172.20.30.5
Since there probably already is a default route, the route above is all you need.
08-25-2019 02:14 PM
Hi, I hoped there was a way to keep everything existing while Site B can connect to Site A via the ASA and then access servers in the 172.20.30.xx network.
08-25-2019 02:19 PM
Yes, correct, you can still have connectivity; the route add alone will send traffic destined for 192.168.66.0/24 to the ASA, and the rest of the traffic goes as normal to the 2921 router.
Test and advise.
08-25-2019 05:34 PM
I did add it, but I am not sure which route is taking precedence. It's a Windows 2016 server; the default route has a metric of 281 and this static route has 26. Any ideas?
08-26-2019 01:24 PM
Can you post the output below so we can understand what is configured:
netstat -r
route print
08-27-2019 08:36 AM
Please see below:
===========================================================================
Interface List
16...00 50 56 8f 6c 8c ......Intel(R) 82574L Gigabit Network Connection
14...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
1...........................Software Loopback Interface 1
2...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.30.1 172.20.30.17 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 169.254.239.236 281
169.254.239.236 255.255.255.255 On-link 169.254.239.236 281
169.254.255.255 255.255.255.255 On-link 169.254.239.236 281
172.20.30.0 255.255.254.0 On-link 172.20.30.17 281
172.20.30.17 255.255.255.255 On-link 172.20.30.17 281
172.20.31.255 255.255.255.255 On-link 172.20.30.17 281
192.168.66.0 255.255.255.0 172.20.30.5 172.20.30.17 26
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 169.254.239.236 281
224.0.0.0 240.0.0.0 On-link 172.20.44.17 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 169.254.239.236 281
255.255.255.255 255.255.255.255 On-link 172.20.30.17 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.20.30.1 Default
192.168.66.0 255.255.255.0 172.20.30.5 1
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
14 281 fe80::/64 On-link
16 281 fe80::/64 On-link
16 281 fe80::5189:7624:2bd3:5f70/128 On-link
14 281 fe80::f069:ba0d:98c3:efec/128 On-link
1 331 ff00::/8 On-link
14 281 ff00::/8 On-link
16 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
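The question of which route "takes precedence" between the default route (metric 281) and the added 192.168.66.0/24 route (metric 26) is decided by longest prefix match first; the metric only breaks ties between routes of the same prefix length. The following added example (not from the thread or from any Cisco or Microsoft tool) parses a constructed subset of the Active Routes table above and performs that lookup the way a host forwarding table does, so you can see which gateway a given destination resolves to:

```python
import ipaddress

# Constructed sample: a subset of the "Active Routes" rows from the route print
# output posted above (Network Destination, Netmask, Gateway, Interface, Metric).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 172.20.30.1 172.20.30.17 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 169.254.239.236 281
172.20.30.0 255.255.254.0 On-link 172.20.30.17 281
192.168.66.0 255.255.255.0 172.20.30.5 172.20.30.17 26
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 172.20.30.17 281
"""


def parse_routes(text):
    """Turn route-print style rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and IPv6 rows
        dest, mask, gateway, iface, metric = parts
        # IPv4Network accepts a dotted netmask after the slash; strict=False
        # tolerates host bits set in the destination column.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Select the route a host would use: longest prefix wins, metric breaks ties."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, iface, metric = min(
        candidates, key=lambda r: (-r[0].prefixlen, r[3])
    )
    return {
        "network": str(net),
        "gateway": gateway,
        "interface": iface,
        "metric": metric,
    }


def main():
    routes = parse_routes(ROUTE_PRINT)
    # Scenario-1 traffic: covered by both 0.0.0.0/0 and 192.168.66.0/24;
    # the /24 wins on prefix length, regardless of either metric.
    print("192.168.66.10 ->", lookup(routes, "192.168.66.10"))
    # Scenario-2 traffic: only the default route matches, so it goes to the 2921.
    print("8.8.8.8       ->", lookup(routes, "8.8.8.8"))
    # Two equal-length 224.0.0.0/4 routes: here metric decides (281 beats 331).
    print("224.0.0.251   ->", lookup(routes, "224.0.0.251"))


if __name__ == "__main__":
    main()
```

Run it as is to see the three lookups; the same `lookup` function can be fed the full `route print` table from a host to check that a newly added route really is the one chosen before relying on it for tunnel traffic.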