
Site-to-Site Tunnels between two ASA firewalls but different routes

dhau
Level 1

In our environment we have two sites, each site is behind an ASA firewall. The sites are connected through a lower-speed WAN link (e.g. 10.70.0.1, 10.71.0.1) and a higher-speed leased line. I'd like to encrypt the traffic between the two sites but with the option of directing particular traffic through the lower-speed WAN link and directing other traffic through the higher-speed leased line.

 

The description of transport mode seemed like it would help me since I'd like to retain the original IP headers for routing purposes, but after setting up the VPN tunnel to be transport mode, the encryption has not been successful.

 

My current approach is to connect an additional physical interface (e.g. 10.20.0.1, 10.21.0.1) on each firewall to the WAN and have a different ACL for each interface to mark interesting traffic for encryption. This would allow me to leverage routing on the WAN to have one VPN tunnel take the leased line path and the other take the default routing path. However, after setting up a different crypto map and assigning it to the new interface, it seems the traffic does not go through the leased line interface.

 

I have also tried configuring a route-map with 2 different access-lists so that regular WAN traffic would be forwarded out the usual WAN interface and other Leased Line traffic would be forwarded out the new interface. However this doesn't seem to trigger the VPN tunnel to be established.

 

Am I missing some configuration or should I approach the problem in a different way?

There are a lot of configuration portions to it so I didn't want to make this question more bloated.

To clarify, I have successfully set up a single regular site-to-site tunnel between the two firewalls and was successful in creating an IKEv2 SA between them for interesting traffic. So I know the crypto, tunnel-group, NAT configurations started off correct.


17 Replies

Use VTI instead of Policy VPN.

I have configured two VTIs in my test environment between two ASAs. To make route checking easier later, I have two separate physical interfaces, each with one of the VTIs.

I have a couple more questions:

 - How does NAT interact with traffic that gets routed to the VTI? Do the existing NAT rules still apply since NAT is dependent on the physical ingress and egress interfaces? So VTI is just encapsulating, encrypting, decrypting, de-encapsulating packets and the packet still goes through the inside of ASA1, wan interface of ASA1, to wan interface of ASA2, to inside interface of ASA2?

 - I tried some simple routing setups to direct traffic and return traffic through the tunnel on both ends, but the pings seem to be dropped. Are there some other commands I should enter that would allow ICMP?

 - If I'd like some traffic to be routed through VTI1 and others to be routed through VTI2, would I set up a route-map and apply it on the ingress physical interface of the ASA?

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.pdf

 

Take a look at this doc.

For NAT, you can apply NAT over the VTI if you don't want to run any protocol between the two ASAs over the VTI.
For ICMP, you need ICMP inspection in global mode.

I looked through the link you provided and I noticed something confusing. There is another link (https://tayam-infra.net/asa-route-based-ipsec-vpn-with-ikev2/) that points out that particular routes need to be directed towards the named tunnel interface instead, whereas the Cisco link provided seems to imply that so long as the static route uses the same egress interface as the VTI, then traffic will be encrypted and passed through the tunnel.

Currently, using the Cisco link method, I see that the tunnel is negotiated and in a READY status (show crypto ikev2 sa), but no traffic is being encrypted or decrypted (show crypto ipsec sa).

@dhau please provide the output of "show crypto ipsec sa" and "show route"

Do you have any NAT rules with a source/destination interface as "any"?

Provide your configuration for review.

Run packet-tracer from the CLI and provide the full output for review.

I've attached the "show crypto ipsec sa" and "show route" outputs of the two firewalls that I am testing on. In actuality they both just connect to one switch on different VLAN ports, but the established tunnel should show that there isn't any issue with that intermediate switch.

I initially did have NAT rules for the particular packet-tracer test case, but I removed it (same results) to hopefully simplify the troubleshooting process.

I provided the tunnel interfaces and the particular ethernet interfaces related to the configuration.

 

Currently pings and SSH attempts across from the inside interface of TEST-FW to the inside interface of B-TEST-FW are all successful. It's just that the traffic doesn't go through the VTI.

@dhau if you want to send the traffic via a tunnel interface, why are you running packet-tracer to a destination 192.168.205.11 that doesn't have a route via a tunnel interface? It's also in the WAN subnet of the remote peer, not an inside network.

 

Your source 10.152.115.25 in the packet-tracer isn't even directly connected, nor is there a route for it on the local ASA.

 

TEST-FW# packet-tracer input inside tcp 10.152.115.25 8888 192.168.205.11 22

 

You need to define static routes to the remote peer's inside interfaces via the correct tunnel interface. You may also need routes for your local networks.

 

@Rob Ingram I'm running packet-tracer to the destination 192.168.205.11 because I'm trying to figure out how the NAT works in relation to VTI. One of the questions earlier in the chain mentioned whether the packets encrypted by TEST-FW exit the wan interface and enter the wan interface of B-TEST-FW, or whether the tunnel just directly puts the encrypted packet into the inside network of B-TEST-FW.

The other question mentioned earlier is how I can route packets through the tunnel and what the next hop IP address should be. The Cisco link provided and the tayam-infra.net link seem to be contradicting as to how packets are routed through the tunnel interface to the other firewall.

It seems I need at least two routes, one wan route to establish the tunnel, and another route to route traffic into the tunnel.

route wan 0.0.0.0 0.0.0.0 <next-hop-ip>

route tun2 <inside subnet> <subnet mask> <tun2 IP on remote ASA>

Is that correct?

@dhau if there is no route via a tunnel interface, traffic will be routed via the outside interface (assuming there is a route) and will be translated (assuming there is a NAT rule).

 

For your VPN traffic, yes, you will need a default route via the WAN interface and a static route via the tunnel interface IP address of the remote peer.

 

As you've the leased-line-vpn interfaces you'd normally need a more specific route via the 2nd outside interface, but in your lab they are directly connected.

@Rob Ingram I was able to get traffic through the tunnel interface now so it's working.

I have one last question that will complete the whole setup: How do I set up policy routing to route to one VTI or the other VTI depending on the destination? I know I would need to create ACLs and create a route-map. But when I try to create the route-map, there doesn't seem to be an option to set the interface to the tunnel. Do you have any suggestions?

@dhau create the route-maps with a next hop of the remote peer tunnel IP address. Refer to this example of ASA PBR here

VTI-ASA1
tunnel IP
tunnel source
tunnel destination

VTI-ASA2
tunnel IP
tunnel source
tunnel destination

How many static routes?
Two in each ASA:
1- a static route for the tunnel destination of the remote ASA toward the ISP
2- a static route for the subnet behind the remote ASA toward the VTI tunnel IP

This is to forward traffic through the VTI and hence encrypt it.

With VTI NAT:
all traffic from the ASA-1 LAN will be NATed to the VTI tunnel IP, and hence the remote ASA sees only the VTI tunnel IP, not the full LAN subnet.
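
The two-VTI design the thread converges on (one tunnel per physical uplink, a default route plus per-peer underlay routes, an overlay route via the peer's tunnel address, and PBR selecting the second tunnel by next hop), written out as an added ASA1-side configuration example that is not from any post in this thread. It reuses the thread's interface names (wan, leased-line-vpn) and peer addresses (10.71.0.1, 10.21.0.1); the LAN subnets 192.168.10.0/24 and 192.168.20.0/24, the /30 tunnel subnets, the .254 next hops, the inside interface GigabitEthernet0/1, TCP 445 as the leased-line traffic class and the <PSK-...> placeholders are all assumptions.

```cisco
! Assumed: local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24,
! tunnel subnets 172.16.1.0/30 (tun1) and 172.16.2.0/30 (tun2), PSKs are placeholders
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable wan
crypto ikev2 enable leased-line-vpn
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
! Peer reached over the slow WAN link
tunnel-group 10.71.0.1 type ipsec-l2l
tunnel-group 10.71.0.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-WAN>
 ikev2 remote-authentication pre-shared-key <PSK-WAN>
interface Tunnel1
 nameif tun1
 ip address 172.16.1.1 255.255.255.252
 tunnel source interface wan
 tunnel destination 10.71.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! Peer reached over the leased line
tunnel-group 10.21.0.1 type ipsec-l2l
tunnel-group 10.21.0.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-LL>
 ikev2 remote-authentication pre-shared-key <PSK-LL>
interface Tunnel2
 nameif tun2
 ip address 172.16.2.1 255.255.255.252
 tunnel source interface leased-line-vpn
 tunnel destination 10.21.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! Underlay: default via WAN, and a host route so IKE/ESP to the second peer leaves the leased line
route wan 0.0.0.0 0.0.0.0 10.70.0.254
route leased-line-vpn 10.21.0.1 255.255.255.255 10.20.0.254
! Overlay: remote LAN via the peer's tun1 address, so tun1 is the default encrypted path
route tun1 192.168.20.0 255.255.255.0 172.16.1.2
! PBR on the ingress (inside) interface: the route-map sets a next hop (the peer's tun2
! address) rather than an interface, which is what pulls the matched flows into tun2
access-list TO-LEASED extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 445
route-map PBR-LEASED permit 10
 match ip address TO-LEASED
 set ip next-hop 172.16.2.2
interface GigabitEthernet0/1
 policy-route route-map PBR-LEASED
```

Everything not matched by TO-LEASED follows the static route into tun1; "show crypto ipsec sa" should then show encaps/decaps counters rising on both tunnels once each class of traffic is sent.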

alirafaleiro
Level 1

The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. It provides users with highly secure access to data and network resources - anytime, anywhere, using any device.
https://www.cisco.com/c/en_in/products/security/adaptive-security-appliance-asa-software/index.html