05-21-2013 09:17 AM - edited 03-04-2019 07:57 PM
Hi guys,
I'll try to explain this as simply as I can and I hope someone can tell me if this is possible, and how to do it.
I have an ASA 5510 configuration that I'd like to add to.
In this configuration there is a site to site IPSEC VPN tunnel to a remote location.
It is tunneling a particular subnet for me and everything is working.
In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1
On the Inside interface, I've configured 10.240.32.0/24 network.
The only static route I have configured on the 5510 is the default gateway that goes to the ISP.
I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1
I did this, but I'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
Do I need to add a nat rule?
05-21-2013 09:30 AM
So to draw it out we have the following
Site A (ASA 5510) IP SEC ========= CLOUD ======== IP SEC (ASA 5525) Site B 210.0.0.1 and 10.240.32.0/24
- Add a static route from Site A to the outside interface of Site B to reach 10.240.32.0/24
- Add a static route from Site B to the outside interface of Site A to reach
- Can you ping the outside interface of site B?
- Does the ASA5510 have a routing entry for 10.240.32.0/24?
- Does the ASA5510 have a routing entry for the source address?
- Does the ASA5525 have a routing entry for 10.240.32.0/24?
- Does the ASA5525 know how to get back to the source address?
NAT shouldn't really make a difference here, routing stays the same, unless I overlooked something.
I think you just forgot to route the traffic back, just my 2 cents.
05-21-2013 09:36 AM
Please paste your config here.
05-21-2013 09:38 AM
Well,
The IPSEC tunnel doesn't terminate at the 5525. The 5525 just happens to be sitting on the network that is terminated.
I've done a small diagram to illustrate.
05-21-2013 09:47 AM
If 210.0.0.1 is reachable that is good! I presume you are not using NAT.
- Since you're directing your traffic to 210.0.0.1, does he know how to reach 10.240.32.0?
- Do your network nodes in 10.240.32.0 know how to get back to 10.240.24.0? (should make a default to 210.0.0.1)
To be fair, you should point your traffic to the point where the IPsec tunnel is ending. It can still work otherwise, but I think it is cleaner.
PS: Is it possible to use a routing protocol for this like EIGRP, OSPF, even RIPv2 would work? It saves you a lot of hassle with the statics.
05-21-2013 10:17 AM
10.240.32.0 is the inside interface of the 5525. 210.0.0.1 is the outside of the 5525 so yep they can contact each other.
The problem I have is that 10.240.24.0 won't talk to 10.240.32.0
I may not be able to enable those routing protocols, and I'm happy to have static routes set for now.
05-21-2013 10:22 AM
Do a traceroute back from one of your nodes (PC?) to 10.240.24.0, where it stops there you can find the missing static route.
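As an added illustration of the traceroute advice above (not code from the thread or from Cisco), the script below walks static routes hop by hop in both directions and reports the device where the return path dies. The device names, route tables and host addresses are assumptions modelled on the topology in the posts; the 5510's route from the question is present, and the 5525 is assumed to have only a default to its ISP.

```python
import ipaddress

# Next hop is another device name, "connected" (deliver locally) or "isp"
# (default route; assumed to black-hole RFC1918 destinations).


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(devices, start, dst):
    """Follow next hops until delivery, a black hole or a loop.
    Returns (delivered, hops); on failure hops[-1] is where the route is missing."""
    hops, dev = [], start
    while dev not in hops:
        hops.append(dev)
        nh = lookup(devices.get(dev, []), dst)
        if nh == "connected":
            return True, hops
        if nh is None or nh == "isp":
            return False, hops
        dev = nh
    return False, hops  # routing loop


def both_ways(devices, a, a_ip, b, b_ip):
    """Forward (a -> b_ip) and return (b -> a_ip) checks between two LANs."""
    return trace(devices, a, b_ip), trace(devices, b, a_ip)


# Constructed tables. "asa5525" as next hop stands for 210.0.0.1 reached over the
# tunnel; "asa5510" as next hop stands for the route back towards Site A.
BEFORE = {
    "asa5510": [("10.240.24.0/24", "connected"), ("10.240.32.0/24", "asa5525"),
                ("0.0.0.0/0", "isp")],
    "asa5525": [("10.240.32.0/24", "connected"), ("0.0.0.0/0", "isp")],
}
AFTER = {
    "asa5510": BEFORE["asa5510"],
    "asa5525": BEFORE["asa5525"] + [("10.240.24.0/24", "asa5510")],  # return route
}

if __name__ == "__main__":
    for name, devs in (("before", BEFORE), ("after", AFTER)):
        fwd, ret = both_ways(devs, "asa5510", "10.240.24.10", "asa5525", "10.240.32.10")
        print(f"{name}: forward={fwd} return={ret}")
```

In the BEFORE tables the forward trace reaches the 5525 but the return trace stops at the 5525 itself, which is exactly the symptom of ICMP being built and torn down on the 5510 with no reply.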