Solved: how to use the ASA interface to be included into S2S VPN ?

Qays · ‎06-02-2021

Hi,

I have two sites that connected using the site to site VPN, in site number one I have ISE

I need the ASA in site number two to connect with ISE in site number one

is there any way to make the ASA WAN interface to be included in the tunnel to connect to the ISE?

Rob Ingram · ‎06-02-2021

You need to include the WAN IP address of Site2 in the crypto ACL on both ends. Try this example configuration below, where WAN IP address = 1.1.1.1 and 192.168.10.10 is ISE IP address:

SITE2

access-list VPN_TO_SITE1 permit ip host 1.1.1.1 host 192.168.10.10

SITE1

access-list VPN_TO_SITE2 permit ip host 192.168.10.10 host 1.1.1.1

This will establish a tunnel between those host IP addresses only, if you want the Site 2 ASA to access the rest of the network replace host with a subnet.

View solution in original post

Rob Ingram · ‎06-02-2021

@Qays

You need to include the WAN IP address of Site2 in the crypto ACL on both ends. Try this example configuration below, where WAN IP address = 1.1.1.1 and 192.168.10.10 is ISE IP address:

SITE2

access-list VPN_TO_SITE1 permit ip host 1.1.1.1 host 192.168.10.10

SITE1

access-list VPN_TO_SITE2 permit ip host 192.168.10.10 host 1.1.1.1

This will establish a tunnel between those host IP addresses only, if you want the Site 2 ASA to access the rest of the network replace host with a subnet.

Qays · ‎06-03-2021

Hi

I tried it, it didn't work

MHM Cisco World · ‎06-02-2021

The IP address use as NAS in ISE must be allow by ACL of S2S, so what is the IP address you enter in ISE for Other ASA?

Qays · ‎06-03-2021

I used the other ASA WAN interface

MHM Cisco World · ‎06-03-2021

so As understand you use one ISP interface for RA VPN and other ISP interface for S2S to go to ISE?

Qays · ‎06-04-2021

Yes as you said the ASA has outside interface connected to the Internet for RA VPN and WAN interface connected to MPLS for S2S VPN

MHM Cisco World · ‎06-05-2021

Friend I think you need VTI instead of IPSec S2S,
where IPSec S2S is not useful here since the Packet Source is same IPSec IP address and hence the Policy VPN can not use.
Where we can use VTI and change from Policy VPN to Route VPN and all traffic in Route VPN is encrypt by IPSec and protect.

Qays · ‎06-07-2021

first, thank you for your support.

it does not work for me because I used the wrong interface for no NAT configuration, but it worked for me when I used the correct one.

by inattention, I was using the management interface for NAT and I thought I use the WAN interface

the correct command

nat (WAN, WAN) source static ISE ISE destination static ASA ASA

what I used

nat (MNG, WAN) source static ISE ISE destination static ASA ASA

Thanks,

MHM Cisco World · ‎06-07-2021

You are so so welcome,

so by change the IP source toward ISE from ISP to Management interface and allow management IP address in S2S ACL then everything is OK.

Qays · ‎06-07-2021

In the first I used the management interface it does not work for me

But when I used the WAN interface (lSP) it worked

Thanks