cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1417
Views
0
Helpful
11
Replies

Routing between Default GW (2921) and Cisco ASA for VPN tunnel traffic

FJ1986
Level 1
Level 1

Hi All, 

 

I am having a problem is routing traffic towards my ASA VPN tunnel below is the requirement

 

Remote VPN Network: 192.168.66.0/24

Local Network: 172.20.30.0/23

Traffic from 172.20.30.17 host is set to go to default GW 172.20.30.1 which is Cisco2921 router. I need to route the traffic which is destined for 192.168.66.0 network towards my Firewall which is 172.20.30.5 while leaving the rest traffic (internet) to go out from the router. attach is my network topology. VPN tunnel between my public IP's is up but I am not sure how can i route below scenario

Scenario-1

Source IP: 172.20.30.17 

Destination IP 192.168.66.0/24 

Goes to VPN tunnel on the Firewall 172.20.30.5

Scenario-2

Source IP: 172.20.30.17 

Destination IP: any other destination  

Goes through my Cisco router 172.20.30.1

 

any help is appreciated 

 

 

1 Accepted Solution

Accepted Solutions

I am slightly confused. Part of the description of the requirements seems to indicate that any traffic from Lan A to Lan B should go through the vpn. But part of the description, especially both scenarios, focus on a particular host getting to that destination. Is the requirement for the entire Lan A or is the requirement only for that specific host? Please clarify.

 

Looking at the configuration of PBR on the router it seems appropriate if the requirement is that the entire Lan A should use the vpn to get to Lan B. I can not tell from the posting whether the PBR is working or not. The statement is that ping fails. But that could be because of issues with PBR or issues with the vpn. Can you clarify whether PBR is working?

 

In looking at the config of ASA at site A I see a major problem. The access list applied to the inside interface seems to permit icmp and to deny all other traffic. This would certainly prevent the vpn from working. Change the access list - or even better, at least for testing, would be to remove the access list from the interface.

 

HTH

 

Rick

HTH

Rick

View solution in original post

11 Replies 11

balaji.bandi
Hall of Fame
Hall of Fame

You need Policy based routing here.. Hope you have default route setup to internet here i guess (since we do not have full configuraiton, if possible and not fixed below solution post the full config)

 

here is the example guide :

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Attached are all the configurations. I did applied PBR on Router as you can see the configs still when i try to ping 192.168.66.0/24 network i dont see pings going through. any help is much appreciated 

I am slightly confused. Part of the description of the requirements seems to indicate that any traffic from Lan A to Lan B should go through the vpn. But part of the description, especially both scenarios, focus on a particular host getting to that destination. Is the requirement for the entire Lan A or is the requirement only for that specific host? Please clarify.

 

Looking at the configuration of PBR on the router it seems appropriate if the requirement is that the entire Lan A should use the vpn to get to Lan B. I can not tell from the posting whether the PBR is working or not. The statement is that ping fails. But that could be because of issues with PBR or issues with the vpn. Can you clarify whether PBR is working?

 

In looking at the config of ASA at site A I see a major problem. The access list applied to the inside interface seems to permit icmp and to deny all other traffic. This would certainly prevent the vpn from working. Change the access list - or even better, at least for testing, would be to remove the access list from the interface.

 

HTH

 

Rick

HTH

Rick

Hi So i was able to resolve the issue. i defined a static route on router so all traffic from LOCAL LAN towards Remote lan to be forwarded to FW inside interface and in acl i allowed the traffic on the inside side. i am able to ping now and can rdp access other server from remote side using the IP address. One problem now i am having is resolving DNS. I want the DNS for internet traffic to be google dns and for my VPN tunnel traffic to be the server in the local lan side which is 172.20.30.115 so for e.g. 

when i RDP TTLDC01 it should resolve it isn't right now. Also when i do TTLDC01.TTL.LOCAL (TTL.LOCAL is domain name) i am able to do it. is there anything missing on my Remote FW or Local FW with regards to DNS? I just want all my Remote LAN 192.168.xx.xx network to use my local dns server for tunnel traffic.    

Thanks for the update. Glad to know that you have resolved the issue with PBR and now are able to access those resources. I am glad that our suggestions pointed you in the right direction. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. 

 

I am not clear about your issue with DNS and how to solve it.

 

This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick

HTH

Rick

Hello,

 

looking at your topology, the first layer 3 devices that your 172.20.30.17 host hits are the 2921 router and the firewall, is that right ? If that is the case, I don't see any other way of accomplishing this than adding a static route on the host itself. In Windows, you would use:

 

route ADD 192.168.66.0 MASK 255.255.255.0 172.20.30.5

 

Since there probably already is a default route, the route above is all you need.

Hi I hoped there is a way to keep everything existing while SiteB can connect to Site A via ASA and then access servers in 172.20.30.xx network. 

yes correct you can have still connectivity and only route add will solve to send traffic destination to 192.168.66.0/24 will route to ASA, rest of the traffic go as normal to Router 2921

 

test and advise.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I did added but not sure which route is taking precedence its a windows 2016 default route has a metrics 281 this static route has 26. Any ideas 

Can you post below output to understand what is configured.

 

netstat -r

route print

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Please see below 

 

 

===========================================================================
Interface List
16...00 50 56 8f 6c 8c ......Intel(R) 82574L Gigabit Network Connection
14...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
1...........................Software Loopback Interface 1
2...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.30.1 172.20.30.17 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 169.254.239.236 281
169.254.239.236 255.255.255.255 On-link 169.254.239.236 281
169.254.255.255 255.255.255.255 On-link 169.254.239.236 281
172.20.30.0 255.255.254.0 On-link 172.20.30.17 281
172.20.30.17 255.255.255.255 On-link 172.20.30.17 281
172.20.31.255 255.255.255.255 On-link 172.20.30.17 281
192.168.66.0 255.255.255.0 172.20.30.5 172.20.30.17 26
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 169.254.239.236 281
224.0.0.0 240.0.0.0 On-link 172.20.44.17 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 169.254.239.236 281
255.255.255.255 255.255.255.255 On-link 172.20.30.17 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.20.30.1 Default
192.168.66.0 255.255.255.0 172.20.30.5 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
14 281 fe80::/64 On-link
16 281 fe80::/64 On-link
16 281 fe80::5189:7624:2bd3:5f70/128
On-link
14 281 fe80::f069:ba0d:98c3:efec/128
On-link
1 331 ff00::/8 On-link
14 281 ff00::/8 On-link
16 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: