517 Views, 0 Helpful, 1 Reply

Return route through VPN - Don't I need to know endpoint subnet?

GIVEN:
LOCAL server subnet = 172.16.1.0/24
LOCAL_ROUTER inside interface = 172.16.2.1/24
LOCAL_ROUTER site-to-site tunnel outside interface = 1.1.1.1/30

VENDOR_ROUTER site-to-site tunnel outside interface = 2.2.2.2/30
VENDOR_ROUTER inside interface = 172.16.8.1/24
VENDOR server subnet = <<UNKNOWN>>

QUESTIONS: 

1. Can I still configure routing so that LOCAL servers' return traffic (at least), will reach VENDOR servers in UNKNOWN subnet?

2. What would one possible successful config look like? (such as: #crypto map <CRYPTO MAP NAME> <SEQ NO> set reverse-route, as described in "ASA Reverse Route Injection (RRI) – integrating IT (wordpress.com)")

(It seems to me that a route only to the first after-tunnel VENDOR remote subnet, 172.16.8.0/24, is inadequate. It seems to me that I absolutely need to know the VENDOR endpoint subnet.)

Situation-- My vendor is refusing to give me the "Vendor server subnet". I need a response to the questions above before I contact him again.

Thank you.

1 Reply

Milos_Jovanovic
VIP Alumni

Hi @jmaxwellUSAF,

For sure you'd need to know what subnet you'd need to encrypt traffic for. This is a must from a policy-based VPN standpoint. Both sides need to align on the crypto domain - which subnets will be used from your end, and which subnets will be used from the remote end. If your vendor is concerned about privacy issues, they can choose to do NAT of their traffic, but still, they would need to tell you what traffic you would need to route towards the tunnel.

You can find an S2S policy-based VPN configuration example here.

Kind regards,

Milos
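To make the crypto-domain point above concrete, here is what the LOCAL side of a policy-based site-to-site tunnel looks like on an ASA with reverse route injection. This is an added example written for this thread, not the configuration from the post, from Milos's linked example, or from the RRI article the question cites. It assumes ASA 8.4+ syntax, interfaces named "inside" and "outside", IKEv2 with a pre-shared key, and a next hop toward the server subnet on the inside; VENDOR_SERVER_NET / VENDOR_SERVER_MASK, INSIDE_NEXT_HOP and the PSK are placeholders, since the vendor subnet is exactly what the page does not have. The point to notice is that the vendor subnet appears in the crypto ACL and the NAT exemption, so there is no line you can leave blank: "set reverse-route" only installs a route for whatever that ACL names.

```cisco
! --- Local side (1.1.1.1, behind it 172.16.1.0/24) ---

! Encryption domain objects. The vendor object is a placeholder until the
! vendor supplies the real (or NATed) server subnet.
object network LOCAL_SERVERS
 subnet 172.16.1.0 255.255.255.0
object network VENDOR_SERVERS
 subnet VENDOR_SERVER_NET VENDOR_SERVER_MASK   ! placeholder, vendor must provide

! Crypto ACL: this is the crypto domain. The vendor must mirror it exactly
! (their local = VENDOR_SERVERS, their remote = LOCAL_SERVERS) or phase 2 fails.
access-list VPN_TO_VENDOR extended permit ip object LOCAL_SERVERS object VENDOR_SERVERS

! NAT exemption so server traffic to the vendor is not translated before encryption.
nat (inside,outside) source static LOCAL_SERVERS LOCAL_SERVERS destination static VENDOR_SERVERS VENDOR_SERVERS no-proxy-arp route-lookup

! Route to the local server subnet, which sits beyond the inside interface (172.16.2.1).
route inside 172.16.1.0 255.255.255.0 INSIDE_NEXT_HOP   ! placeholder next hop

! IKEv2 (phase 1) and IPsec (phase 2) parameters; assumed values, align with the vendor.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto map. "set reverse-route" (RRI) injects a static route for the
! destinations in VPN_TO_VENDOR pointing at the peer, which is what answers
! question 1: the return route is derived from the crypto ACL, so the ACL
! has to contain the vendor subnet.
crypto map OUTSIDE_MAP 10 match address VPN_TO_VENDOR
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key PLACEHOLDER_PSK
 ikev2 remote-authentication pre-shared-key PLACEHOLDER_PSK
```

Once the vendor has supplied their subnet and the tunnel is up, "show route" will list the RRI-injected static route for VENDOR_SERVER_NET via 2.2.2.2 on outside, and "show crypto ipsec sa" will show a local/remote ident pair matching the ACL; if the identities the vendor proposes differ from VPN_TO_VENDOR, phase 2 will not complete, which is the practical meaning of "both sides need to align on the crypto domain". Note that 172.16.8.0/24 (the vendor router's inside interface) only belongs in the ACL if servers actually live there; a route to it alone does nothing for traffic destined to a subnet behind it.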