Cisco ASA 5525x - IPSEC Tunnel - Allow other networks across the tunnel

brandon2320
Level 1

Hello,

I have an ASA set up with an IPsec tunnel to another host site on our network. The ASA peers with a Fortinet device at our corporate office. The IPsec tunnel is up and I can get traffic from the subnet 10.2.0.0/16 on the inside interface just fine. However, I have other subnets that get routed to the ASA and need to go through the tunnel. I am trying to get traffic sourced from the 10.10.7.0/24 subnet routed to the ASA and through the tunnel to corporate. The routing is good to the ASA, as I can ping the inside interface of the ASA, but I just cannot get to the 192.168.8.0/24 LAN from 10.10.7.0/24.

There are other posts I found that say you just need a NAT rule and to adjust the crypto map ACL, which I have done, and the traffic is still not going over the tunnel. When I use packet tracer in ASDM it shows my traffic dying at the VPN process, so I am stumped as to what the issue would be.

Also, I have verified the routing between the networks.

Any help would be greatly appreciated.

 

See below for the pertinent config:

- The 10.2.0.0/16 is the inside interface subnet that is working
- The 192.168.8.0/24 is the subnet on the other side of the IPsec tunnel
- The 10.10.7.0/24 is the subnet that stops at the ASA


object network NETWORK_OBJECT_192.168.8.0
 subnet 192.168.8.0 255.255.255.0
object network NETWORK_OBJECT_10.2.0.0
 subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJECT_10.10.7.0
 subnet 10.10.7.0 255.255.255.0

nat (inside,outside) source static any any destination static NETWORK_OBJECT_10.10.7.0 NETWORK_OBJECT_10.10.7.0
nat (inside,outside) source static NETWORK_OBJECT_10.2.0.0 NETWORK_OBJECT_10.2.0.0 destination static NETWORK_OBJECT_192.168.8.0 NETWORK_OBJECT_192.168.8.0 route-lookup
!
access-list CRYPTO_ACL extended permit ip 10.2.0.0 255.255.0.0 192.168.8.0 255.255.255.0 log
access-list CRYPTO_ACL extended permit ip 10.10.7.0 255.255.255.0 192.168.8.0 255.255.255.0 log
!
crypto map OUTSIDE_MAP 1 match address CRYPTO_ACL

Thanks,
Brandon
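As an added illustration (not part of Brandon's post or of any reply in the thread), here is the rule from the posted configuration that is meant to cover 10.10.7.0/24, beside the identity NAT that actually matches flows sourced from that subnet, followed by the ASA commands used to check the result. Object names are the ones from the post; the source host 10.10.7.10 is an assumed test address, and <peer-ip> stands for the Fortinet's outside address, which the thread does not give.

```text
! Added example, not from the thread. Object names come from the post;
! 10.10.7.10 is an assumed test host, <peer-ip> is the Fortinet's public address.
!
! As posted: this matches inside->outside flows whose DESTINATION is 10.10.7.0/24.
! It never matches flows SOURCED from 10.10.7.0/24 toward 192.168.8.0/24, so those
! fall through to whatever manual or object NAT rule comes next (typically a
! dynamic PAT to the outside interface).
nat (inside,outside) source static any any destination static NETWORK_OBJECT_10.10.7.0 NETWORK_OBJECT_10.10.7.0

! Identity (exempt) NAT for 10.10.7.0/24 -> 192.168.8.0/24, the same shape as the
! rule that already exists for 10.2.0.0/16. The position "1" puts it at the top of
! the section 1 (manual) NAT table so a later dynamic PAT cannot catch the flow
! first. no-proxy-arp stops the ASA answering ARP for the remote subnet on the
! inside segment; route-lookup makes egress follow the routing table rather than
! the interface pair named in the rule.
nat (inside,outside) 1 source static NETWORK_OBJECT_10.10.7.0 NETWORK_OBJECT_10.10.7.0 destination static NETWORK_OBJECT_192.168.8.0 NETWORK_OBJECT_192.168.8.0 no-proxy-arp route-lookup

! Verify: the trace should show the identity NAT rule being hit and the VPN
! phase returning ALLOW instead of DROP.
packet-tracer input inside icmp 10.10.7.10 8 0 192.168.8.96 detailed

! Each CRYPTO_ACL line negotiates its own IPsec SA; confirm a second SA with
! local ident 10.10.7.0/24 and remote ident 192.168.8.0/24 exists.
show crypto ipsec sa peer <peer-ip>
show nat detail
```

The ASA matches the crypto ACL against the packet after NAT has been applied. If a dynamic PAT rule translates the 10.10.7.x source before the crypto map is consulted, the translated packet no longer matches CRYPTO_ACL and packet-tracer reports the drop at the VPN stage, which is one way to get the symptom described above. Manual NAT rules are evaluated top-down, so the identity rule has to sit above any dynamic PAT. The second CRYPTO_ACL line also only produces a working SA if the peer offers a matching proxy-ID pair; on the Fortinet that means a phase 2 selector with the same two subnets.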

30 Replies

brandon2320
Level 1

As of today, this is working. There were a couple of issues that were causing this to fail.

1. The 10.10.7.0/24 site needed a static route to force traffic over a secondary link to the 192.168.8.96/32 host.

2. On the MPLS router that routes to the inside interface on the ASA, the default route was incorrect and was pointing out another interface.

3. Added phase 2 on the Fortinet. I thought I had accomplished this by setting the policy. However, in the manager you add a phase 2 specifying the subnets, and this I believe acts like the crypto ACL on the ASA side.

Thanks for all the help from all who responded. Having very little experience with the security appliances, this community thread helped me learn a lot.

Thanks,

Brandon
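As an added example (not Brandon's configuration; he describes doing this through the manager GUI), here is the FortiOS CLI equivalent of item 3: a second phase 2 selector whose subnets mirror the second CRYPTO_ACL line on the ASA, plus the policy and static route a route-based tunnel needs before the new subnet passes traffic. The phase 1 name corp-to-asa, the interface name internal, the proposal, and the address object names are assumptions; the subnets are the ones from the thread.

```text
# Added example, not from the thread. "corp-to-asa" is an assumed
# phase1-interface name; "internal", the proposal and the address object names
# are placeholders. Subnets come from the thread.
#
# Each ASA crypto ACL line needs one phase 2 selector with the same two subnets,
# mirrored: the Fortinet's src-subnet is the ASA's destination and vice versa.
# proposal, pfs and dhgrp must match the ASA crypto map's transform set and PFS
# setting; the values below are assumed.
config vpn ipsec phase2-interface
    edit "corp-to-asa-10-10-7"
        set phase1name "corp-to-asa"
        set proposal aes256-sha256
        set src-subnet 192.168.8.0 255.255.255.0
        set dst-subnet 10.10.7.0 255.255.255.0
    next
end

# Address objects for the policy (names assumed).
config firewall address
    edit "net-192.168.8.0"
        set subnet 192.168.8.0 255.255.255.0
    next
    edit "net-10.10.7.0"
        set subnet 10.10.7.0 255.255.255.0
    next
end

# A selector alone is not enough on a route-based tunnel: a firewall policy
# must permit the new subnet through the tunnel interface, and a route must
# send 10.10.7.0/24 into it. Without the route the Fortinet never initiates
# or answers for that selector, and the ASA side shows the SA missing.
config firewall policy
    edit 0
        set name "lan-to-remote-10-10-7"
        set srcintf "internal"
        set dstintf "corp-to-asa"
        set srcaddr "net-192.168.8.0"
        set dstaddr "net-10.10.7.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set dst 10.10.7.0 255.255.255.0
        set device "corp-to-asa"
    next
end

# Verify: the tunnel listing should show two selector pairs for corp-to-asa,
# one for 10.2.0.0/16 and one for 10.10.7.0/24.
diagnose vpn tunnel list name corp-to-asa
get vpn ipsec tunnel summary
```

Add a matching return-path policy (dstintf internal, srcintf corp-to-asa) if hosts in 10.10.7.0/24 are expected to initiate toward 192.168.8.0/24, since FortiOS policies are unidirectional. If only the policy is added and the phase 2 selector is not, the result is exactly what the thread describes: the ASA proposes 10.10.7.0/24 to 192.168.8.0/24, the Fortinet has no selector for it, and phase 2 for that pair never comes up while the 10.2.0.0/16 pair keeps working.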