Routing through an IPSEC tunnel

ianmoroney
Level 1

Hi guys,

I'll try to explain this as simply as I can and I hope someone can tell me if this is possible, and how to do it.

I have an ASA 5510 configuration that I'd like to add to.

In this configuration there is a site to site IPSEC VPN tunnel to a remote location.

It is tunneling a particular subnet for me and everything is working.

In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1

On the Inside interface, I've configured the 10.240.32.0/24 network.

The only static route I have configured on the 5510 is the default gateway that goes to the ISP.

I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1

I did this, but I'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-X, and the only thing I see on the 5510 is the "Built outbound ICMP" and the "Teardown" for the ICMP.

Do I need to add a nat rule?

6 Replies

SlevinKelevra
Level 1

So to draw it out we have the following

Site A (ASA 5510) IP SEC ========= CLOUD ======== IP SEC (ASA 5525) Site B 210.0.0.1 and 10.240.32.0/24

- Add a static route from Site A to the outside interface of Site B to reach 10.240.32.0/24

- Add a static route from Site B to the outside interface of Site A to reach

- Can you ping the outside interface of site B?

- Does the ASA 5510 have a routing entry for 10.240.32.0/24?

- Does the ASA 5510 have a routing entry for the source address?

- Does the ASA 5525 have a routing entry for 10.240.32.0/24?

- Does the ASA 5525 know how to get back to the source address?

NAT shouldn't really make a difference here; routing stays the same, unless I overlooked something.

I think you just forgot to route the traffic back, just my 2 cents.

Please paste your config here.

Well,

The IPSEC tunnel doesn't terminate at the 5525. The 5525 just happens to be sitting on the network that is terminated.

I've done a small diagram to illustrate.

If 210.0.0.1 is reachable, that is good! I presume you are not using NAT.

- Since you're directing your traffic to 210.0.0.1, does it know how to reach 10.240.32.0?

- Do your network nodes in 10.240.32.0 know how to get back to 10.240.24.0? (They should have a default route to 210.0.0.1.)

To be fair, you should point your traffic to the point where the IPsec tunnel is terminating. It can still work otherwise, but I think it is cleaner.

PS: Is it possible to use a routing protocol for this, like EIGRP or OSPF? Even RIPv2 would work, and it saves you a lot of hassle with the statics.

10.240.32.0 is the inside interface of the 5525. 210.0.0.1 is the outside of the 5525 so yep they can contact each other.

The problem I have is that 10.240.24.0 won't talk to 10.240.32.0.

I may not be able to enable those routing protocols, and I'm happy to have static routes set for now.

Do a traceroute back from one of your nodes (PC?) to 10.240.24.0, where it stops there you can find the missing static route.
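As an added illustration (not code from the thread or from either poster), the following Python model walks a flow through the checklist given in the replies: a forward route at Site A, a match against the tunnel's crypto ACL (the "interesting traffic" that actually gets encrypted), and a return route at Site B. Everything in it is constructed: the routing tables, the crypto ACL contents, the /24 mask assumed for the 210.0.0.0 segment, the placeholder gateways 203.0.113.1 and 210.0.0.254, and the helper names `lookup`, `matches_crypto_acl` and `check_flow`. The poster's real configuration was never posted.

```python
"""Walk a flow through the checklist from the replies above: is there a
forward route at Site A, does the flow match the tunnel's crypto ACL
(interesting traffic), and does Site B have a route back to the source.
All routing tables and ACL entries here are constructed for illustration;
the poster's real configuration was never shown in the thread."""
from ipaddress import ip_address, ip_network

# Site A (ASA 5510): a default route to the ISP plus the static from the question.
# 203.0.113.1 is a documentation-range placeholder for the ISP gateway (assumption).
SITE_A_ROUTES = [
    ("Inside",  "10.240.24.0/24", "connected"),
    ("Outside", "0.0.0.0/0",      "203.0.113.1"),
    ("Outside", "10.240.32.0/24", "210.0.0.1"),
]

# Crypto ACL of the existing site-to-site tunnel. Assumption: it covers only the
# subnet that was originally tunnelled, the one 210.0.0.1 sits on (taken as a /24).
ACL_ORIGINAL = [("10.240.24.0/24", "210.0.0.0/24")]
# The same ACL with the new network added, the change the thread is working towards.
ACL_EXTENDED = ACL_ORIGINAL + [("10.240.24.0/24", "10.240.32.0/24")]

# Site B (ASA 5525-X): its inside network plus a return route for Site A's LAN.
# 210.0.0.254 is a placeholder for the device on that segment terminating the tunnel.
SITE_B_ROUTES = [
    ("inside",  "10.240.32.0/24", "connected"),
    ("outside", "10.240.24.0/24", "210.0.0.254"),
]


def lookup(routes, ip):
    """Longest-prefix match over (interface, prefix, next_hop) tuples, the way
    'show route' resolves a destination. Returns the winning tuple or None."""
    addr = ip_address(ip)
    best = None
    for entry in routes:
        net = ip_network(entry[1])
        if addr in net and (best is None or net.prefixlen > ip_network(best[1]).prefixlen):
            best = entry
    return best


def matches_crypto_acl(acl, src, dst):
    """True if (src, dst) is 'interesting traffic' for the tunnel, i.e. it matches
    one of the ACL's (source_prefix, destination_prefix) lines."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def check_flow(src, dst, acl, a_routes=SITE_A_ROUTES, b_routes=SITE_B_ROUTES):
    """Report why a packet src->dst from Site A does or does not make it through.

    On an ASA a static route only decides the egress interface; the packet is
    encrypted only if it also matches the crypto ACL applied to that interface.
    A flow that leaves via Outside without an ACL match is forwarded unencrypted
    toward the ISP side, which is consistent with a 'Built outbound ICMP' followed
    by a teardown and nothing ever arriving at the far end."""
    fwd = lookup(a_routes, dst)
    back = lookup(b_routes, src)
    leaves_outside = fwd is not None and fwd[0].lower() == "outside"
    interesting = matches_crypto_acl(acl, src, dst)
    return {
        "forward_route": fwd,
        "leaves_via_outside": leaves_outside,
        "matches_crypto_acl": interesting,
        "encrypted": leaves_outside and interesting,
        "return_route_at_b": back,
        "ok": leaves_outside and interesting and back is not None,
    }


if __name__ == "__main__":
    for acl_name, acl in (("original ACL", ACL_ORIGINAL), ("extended ACL", ACL_EXTENDED)):
        for dst in ("210.0.0.1", "10.240.32.10"):
            r = check_flow("10.240.24.10", dst, acl)
            print(f"{acl_name:13} 10.240.24.10 -> {dst:13} encrypted={r['encrypted']!s:5} "
                  f"return_route={r['return_route_at_b'] is not None!s:5} ok={r['ok']}")
```

Run as-is, the model reproduces the symptom in the question: with the original ACL the ping to 210.0.0.1 is encrypted, while the ping to 10.240.32.10 leaves via Outside but never matches the crypto ACL, so the added static route alone is not enough; with the ACL extended on both ends and a return route at Site B, the flow is reported as ok. The model deliberately ignores NAT; as a general ASA caveat, if the 5510 runs dynamic PAT toward the outside, an identity (NAT-exempt) rule for the VPN source/destination pair is also needed on 8.3 and later code.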
