09-26-2022 01:28 AM
Hi,
As far as I know, routing doesn't need to be set when setting up a Site to Site VPN on ASA as there is source and destination info in the interesting traffic. (Please correct me if I am understanding wrong.)
I set up a new site to site VPN with interesting traffic (destinations 10.2.2.2/32 and 10.2.2.3/32).
The two hosts used to use the WAN link before the VPN setup. We want the two hosts to send traffic over the new site to site VPN now. But it seems FW_A sends traffic through the WAN when trying to ping between 10.1.1.10 and 10.2.2.2, not through the site to site VPN. I guess FW-A still takes the existing route (10.2.2.0/24).
Is there anything that I need to set to direct traffic through the site to site VPN?
BTW, we should keep the 10.2.2.0/24 route for other hosts' transactions over the WAN link.
09-26-2022 01:37 AM
@kay.kang in a Policy Based VPN traffic must be routed to the correct egress interface; if the src/dst matches the interesting traffic in the crypto ACL, it is encrypted and routed over the tunnel. In this instance, as you've a specific route via the WAN interface, it's going to go via the WAN and will not be routed via the VPN tunnel over the internet.
Set up a specific route via the internet interface with a lower priority than the WAN interface. You can then use IP SLA to fail over to the WAN interface if the internet interface fails.
09-26-2022 01:39 AM
Hi there,
From your description it sounds as if you need to configure a NAT exemption rule for the 'interesting' traffic as it is leaving the WAN/outside interface.
This will ensure the interesting traffic is not source NAT'd as it leaves the interface; it is therefore picked up by the VPN ACL and exits via the VPN.
cheers,
Seb.
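The routing and NAT-exemption advice in the two replies above, written out as an added ASA configuration example (not from any poster in this thread). The interface names "inside", "outside" and "WAN", the next-hop and SLA probe addresses, and the object names are constructed assumptions; the 10.1.1.0/24 and 10.2.2.x addresses are those from the question.

```cisco
! --- Existing route: keeps 10.2.2.0/24 reachable via the WAN link for all
! --- other hosts (next hop 192.168.100.1 is an assumed value)
route WAN 10.2.2.0 255.255.255.0 192.168.100.1 1

! --- Crypto ACL: only the two hosts are "interesting" traffic for the tunnel
access-list VPN_TO_SITEB extended permit ip 10.1.1.0 255.255.255.0 host 10.2.2.2
access-list VPN_TO_SITEB extended permit ip 10.1.1.0 255.255.255.0 host 10.2.2.3

! --- IP SLA: probe the internet next hop (203.0.113.1 assumed) from "outside";
! --- track 1 goes down when the probe fails
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! --- Host routes toward the internet interface, tied to track 1.
! --- /32 is more specific than the /24 via WAN, so these win while the
! --- internet link is up; when track 1 fails they are withdrawn and the
! --- two hosts fall back to the existing /24 route over the WAN.
route outside 10.2.2.2 255.255.255.255 203.0.113.1 1 track 1
route outside 10.2.2.3 255.255.255.255 203.0.113.1 1 track 1

! --- NAT exemption (identity twice NAT) so the tunnel traffic keeps its
! --- real source address and still matches the crypto ACL on egress
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object-group network SITEB_VPN_HOSTS
 network-object host 10.2.2.2
 network-object host 10.2.2.3
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SITEB_VPN_HOSTS SITEB_VPN_HOSTS no-proxy-arp route-lookup

! --- Verification: the trace should show the packet leaving "outside" with
! --- the VPN/encrypt phase present and no source translation applied
! packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.2
! show route | include 10.2.2
! show track 1
```

If the tunnel terminates on a different interface name, the route and NAT lines must reference that interface instead of "outside", since the ASA only evaluates the crypto map bound to the egress interface.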
09-26-2022 02:44 AM
Please check this link it may help
https://community.cisco.com/t5/network-security/asa-vpn-routing/m-p/1208160#M861478