Site-to-Site Tunnels between two ASA firewalls but different routes

dhau
Level 1

In our environment we have two sites, each site is behind an ASA firewall. The sites are connected through a lower-speed WAN link (e.g. 10.70.0.1, 10.71.0.1) and a higher-speed leased line. I'd like to encrypt the traffic between the two sites but with the option of directing particular traffic through the lower-speed WAN link and directing other traffic through the higher-speed leased line.


The description of transport mode seemed like it would help me since I'd like to retain the original IP headers for routing purposes, but after setting up the VPN tunnel to be transport mode, the encryption has not been successful.


My current approach is to connect an additional physical interface (e.g. 10.20.0.1, 10.21.0.1) on each firewall to the WAN and have a different ACL for each interface to mark interesting traffic for encryption. This would allow me to leverage routing on the WAN to have one VPN tunnel take the leased line path and the other take the default routing path. However, after setting up a different crypto map and assigning it to the new interface, it seems the traffic does not go through the leased line interface.


I have also tried configuring a route-map with 2 different access-lists so that regular WAN traffic would be forwarded out the usual WAN interface and other leased-line traffic would be forwarded out the new interface. However, this doesn't seem to trigger the VPN tunnel to be established.


Am I missing some configuration or should I approach the problem in a different way?

There are a lot of configuration portions to it so I didn't want to make this question more bloated.

To clarify, I have successfully set up a single regular site-to-site tunnel between the two firewalls and was successful in creating an IKEv2 SA between them for interesting traffic. So I know the crypto, tunnel-group, NAT configurations started off correct.

17 Replies

Sorry for my question: if we will finally use PBR, why then do we use VTI?

It's a weird situation that I found myself in. The reason I need 2 VTIs is because I have 2 paths between Site A and Site B:

  • Path 1: Internal network path, lower bandwidth
  • Path 2: Leased line network path, significantly more bandwidth, considered less secure

For my purposes, I need to set up encryption for all traffic between Site A and Site B, but if I were to only use regular VPN tunnels, then the tunnel would take the default internal network path (Path 1) and all traffic would end up going through that tunnel and cause issues since it has lower bandwidth. This led me to using VTIs, so I can have a separate tunnel, with separate IP addresses, so that I can leverage routing and have the tunnel take the leased line path (Path 2).

With the 2 tunnels set up, now I need PBR to decide what traffic I am comfortable encrypting and sending through the leased line (Path 2) and what traffic I'd like to encrypt and send through Path 1.

It could be that in my approach to solving the issue I made it more complicated.

Thanks for your answer.
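A minimal Site A configuration for the two-VTI-plus-PBR design described in the reply above, added here as an illustration and not taken from the thread or from the poster's own configuration. Interface names (outside, leased, GigabitEthernet0/2), the LAN and tunnel addresses, and the PSK placeholders are assumptions; the peer addresses 10.71.0.1 and 10.21.0.1 follow the examples given in the original question. VTI needs ASA 9.7+ and PBR needs ASA 9.4+.

```text
! Site A (constructed example). Inside LAN 10.1.0.0/16, Site B LAN 10.2.0.0/16.
! Physical WAN interface "outside" = 10.70.0.1, peer 10.71.0.1 (Path 1, slower).
! Physical leased-line interface "leased" = 10.20.0.1, peer 10.21.0.1 (Path 2).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
crypto ikev2 enable leased
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROF
 set ikev2 ipsec-proposal ESP-AES256-SHA256
! One IKEv2 peer entry per path; use distinct, strong keys (placeholders here)
tunnel-group 10.71.0.1 type ipsec-l2l
tunnel-group 10.71.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-WAN>
 ikev2 local-authentication pre-shared-key <PSK-WAN>
tunnel-group 10.21.0.1 type ipsec-l2l
tunnel-group 10.21.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-LEASED>
 ikev2 local-authentication pre-shared-key <PSK-LEASED>
! VTI 1 rides the slower WAN (Path 1); tunnel /30 addresses are assumed
interface Tunnel1
 nameif vti-wan
 ip address 192.168.255.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 10.71.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
! VTI 2 rides the leased line (Path 2)
interface Tunnel2
 nameif vti-leased
 ip address 192.168.255.5 255.255.255.252
 tunnel source interface leased
 tunnel destination 10.21.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
! Default path to Site B: the WAN VTI (everything stays encrypted either way)
route vti-wan 10.2.0.0 255.255.0.0 192.168.255.2
! PBR on the inside interface: only the bulk subnet is steered into the leased VTI
access-list PBR-BULK extended permit ip 10.1.50.0 255.255.255.0 10.2.0.0 255.255.0.0
route-map PBR-LEASED permit 10
 match ip address PBR-BULK
 set ip next-hop 192.168.255.6
interface GigabitEthernet0/2
 policy-route route-map PBR-LEASED
```

Site B mirrors this with the addresses reversed; `show crypto ikev2 sa` and `show route` confirm that both tunnels come up and that only the PBR-matched subnet uses the leased-line VTI.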

Glad that your issue is solved.