Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
233
Views
1
Helpful
1
Replies

Migrate flows outside an IPSEC

uRLKuzE
Level 1
Level 1

‎04-04-2024 02:13 AM

Dear Community,

I have an ASA firewall connected to another firewall with:

  • One direct L2 connection between the 2 firewalls
  • One IPSEC VPN between the 2 firewalls with a few flow still passing through it

I’d like to take the flows outside of the IPSEC and migrate them to the L2 connection between the 2 firewalls to get rid of the VPN.

From the VPN point-of-view, I have a crypto MAP with an ACL like 172.16.0.0/24 10.10.0.0/24 Any. Then, a static route for 10.10.0.0/24 with next-hop being the peer IPSEC VPN.

From this documentation https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html#topic1 I assume that routing happens before any crypto-related operation.
Therefore, to take the flow out of the VPN, I had in mind to modify the static routes on both firewalls to route the flow to their L2 connection instead of the IPSEC Peer IP address, with of course the necessary ACL being added/modified accordingly, like below:

route outsideVPN 10.10.0.0/24 192.168.1.5 => route outside 10.10.0.0/24 10.1.1.5

A simple network diagram of the case I’m working on:

Diagram.JPG

Do you think this is relevant, or am I missing something ?

Thank you for your feedback.

Labels:
1 Reply 1

MHM Cisco World
VIP
VIP

‎04-04-2024 02:30 AM

You are correct, 

Since you remove VPN and connect both FW via same subnet, you need only routing to any subnet behind FW and sure ACL

MHM

0 Helpful
Customers Also Viewed These Support Documents