07-15-2008 03:39 AM - edited 02-21-2020 03:49 PM
Hi,
After setting up a VPN connection, do I need to set up some type of routing as well?
My first ASA has the external IP of 10.10.10.2 and an internal IP of 192.168.100.1.
The second ASA has the external IP of 10.10.10.1 and an internal IP of 192.168.1.1.
If I want traffic to travel through the VPN tunnel for communication between, let's say, 192.168.100.22 and 192.168.10.3, do I need to specify additional routing other than the VPN configuration below?
I used the following configuration:
ASA 5505 #1:
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# tunnel-group 10.10.10.1 type ipsec-l2l
hostname(config)# tunnel-group 10.10.10.1 ipsec-attributes
hostname(config-ipsec)# pre-shared-key mideye
hostname(config-ipsec)# exit
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.10.1
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory
ASA 5505 #2:
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
hostname(config)# tunnel-group 10.10.10.2 type ipsec-l2l
hostname(config)# tunnel-group 10.10.10.2 ipsec-attributes
hostname(config-ipsec)# pre-shared-key mideye
hostname(config-ipsec)# exit
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.10.2
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory
Thanks!
07-15-2008 04:27 AM
Hi,
Yes, you need routing.
Basically, in order for the traffic to be encapsulated in VPN, it needs to arrive on the interface where the VPN crypto map is applied.
However, in 99% of cases that interface is the outside one, and by default all the traffic is sent to the outside interface by your 0.0.0.0 route to the ISP.
In the above case, you don't need a special route.
One more concern is NAT. If you have the "nat-control" command in your ASA configuration, you need to exempt the VPN traffic from NAT using NAT0 (nat exempt).
Example:
access-list inside_NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_NAT0
Please rate if this helped.
Regards,
Daniel
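As an added illustration (not code from Daniel's post or the original thread), a small Python checker that applies the three conditions above, egress route, crypto ACL match and NAT exemption, to a single flow. The ASA #1 config fragment is constructed from the thread's ACL plus the NAT0 lines written for ASA #1's networks; the default route towards the peer is an assumption.

```python
import ipaddress

# Constructed ASA #1 fragment: the thread's crypto ACL, the NAT0 exemption written for ASA #1's networks, and an ASSUMED default route towards the peer.
ASA1_CONFIG = """
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_NAT0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_NAT0
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
crypto map abcmap 1 match address l2l_list
crypto map abcmap interface outside
"""

def parse_config(config):
    """Collect ACL entries, static routes, the crypto-map ACL/interface and the NAT0 ACL."""
    cfg = {"acls": {}, "routes": [], "crypto_acl": None, "crypto_if": None, "nat0_acl": None}
    for line in config.splitlines():
        p = line.split()
        if p[:1] == ["access-list"] and p[2:5] == ["extended", "permit", "ip"]:
            src, dst = ipaddress.ip_network(f"{p[5]}/{p[6]}"), ipaddress.ip_network(f"{p[7]}/{p[8]}")
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif p[:1] == ["route"]:  # route <iface> <network> <mask> <next-hop> [metric]
            cfg["routes"].append((ipaddress.ip_network(f"{p[2]}/{p[3]}"), p[1]))
        elif p[:2] == ["crypto", "map"] and "match" in p:
            cfg["crypto_acl"] = p[-1]
        elif p[:2] == ["crypto", "map"] and "interface" in p:
            cfg["crypto_if"] = p[-1]
        elif p[:1] == ["nat"] and p[2:3] == ["0"]:
            cfg["nat0_acl"] = p[-1]
    return cfg

def acl_permits(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def flow_check(cfg, src_ip, dst_ip):
    """Apply the three conditions from the reply; returns (encrypted, failure reasons)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fails = []
    # 1. Longest-prefix route: the packet must egress the interface the crypto map is applied to.
    best = max((r for r in cfg["routes"] if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    egress = best[1] if best else None
    if egress != cfg["crypto_if"]:
        fails.append(f"egress via {egress}, but crypto map is on {cfg['crypto_if']}")
    # 2. The crypto ACL must match, otherwise the packet leaves in the clear.
    if not acl_permits(cfg["acls"].get(cfg["crypto_acl"], []), src, dst):
        fails.append(f"{src}->{dst} not permitted by crypto ACL {cfg['crypto_acl']}")
    # 3. Under nat-control the flow must be NAT-exempt, or it is translated before the crypto check.
    if cfg["nat0_acl"] and not acl_permits(cfg["acls"].get(cfg["nat0_acl"], []), src, dst):
        fails.append(f"{src}->{dst} not exempted by NAT0 ACL {cfg['nat0_acl']}")
    return not fails, fails
```

Running `flow_check(parse_config(ASA1_CONFIG), "192.168.100.22", "192.168.10.3")` reports both ACL failures, since the 192.168.10.3 destination from the question lies outside the 192.168.1.0/24 network the ACLs cover.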
07-15-2008 04:51 AM
Thanks for your reply.
I've connected my two ASA 5505s using a crossover cable. One has the external IP of 10.10.10.1 and the other one is 10.10.10.2. Using this setup, how can the two routers know what networks are behind the other firewall?
Is the access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (and vice versa on the other side) enough information, or do I need to specify anything else? I'm a bit confused at the moment.
07-15-2008 05:10 AM
I needed to add some routing. I was pulling my hair out until I came to the obvious conclusion.