01-11-2017 07:17 AM
I have a question regarding telling a static route to go over a VPN tunnel between two ASAs. I have a client who uses a public IP address range as their internal LAN for one of their sites. This site is connected via a VPN tunnel back to their main location. We are looking to move one of their servers to a new location, but this server acts as the SQL back end for a few other servers, so they need to communicate with each other. My question is: can I add a static route at site A to point to site B using the VPN tunnel as its next hop? Information below:
Site A (internal public IPs):
Server A - 52.52.52.52
Server B - 52.52.52.53
ASA inside - 10.254.253.1
ASA outside - 60.60.60.60
Site B:
SQL Server - 52.52.52.54
ASA inside - 192.168.202.1
ASA outside - 80.80.80.80
The VPN tunnel is working and I can communicate from A - B - A. I think I would add a route like this to achieve what I want.
Site A Routes:
route inside 52.52.52.54 255.255.255.255 192.168.202.1
Site B Routes:
route inside 52.52.52.52 255.255.255.255 10.254.253.1
route inside 52.52.52.53 255.255.255.255 10.254.253.1
Thoughts on this would be great. I know we would ideally want to change the internal IP scheme of site A but it's a web hosting company and they have all their code set this way currently so we can't change it.
01-11-2017 09:10 AM
Hi Douglas,
Neither of the proposed static routes will work because you can't set the next hop of the route to be the ASA itself, it always needs to be a L3 device in the same subnet or in some special cases handled via a route recursion but that's a different topic.
If I got this right then you just need to take care of 2 specific things on each firewall:
1 - Assuming the crypto map is applied to the outside interface then you will add a static route like this: route outside 52.52.52.52 255.255.255.255 <Next hop> where the next hop is usually your default gateway.
2 - Make sure the encryption ACL is modified to account for this new change on both ASAs.
One more concerning point is the internal routing, you need a more specific route injected in the 52.52.52.0 network on each side for all the servers, maybe RRI and a static route on the 52.X gateway.
Let me know if you have any doubt.
HTH
Pablo
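To make the two points above concrete, here is an added ASA configuration sketch that is not from the thread or from either ASA in question. It uses the addresses given in the original post; the ISP next hops (60.60.60.1 and 80.80.80.1), the crypto ACL names (vpn-to-siteB, vpn-to-siteA) and the crypto map name and sequence number (outside_map 10) are assumptions standing in for whatever the real configs use. The existing tunnel settings (transform set, IKE policy, pre-shared key) are left untouched and are not shown.

```cisco
! ---- Site A ASA (inside 10.254.253.1 / outside 60.60.60.60) ----
! Host route for the moved SQL server, pointing out the interface the
! crypto map is applied to. 60.60.60.1 is an ASSUMED ISP next hop.
route outside 52.52.52.54 255.255.255.255 60.60.60.1 1

! Crypto (encryption) ACL: add the new host pairs to the existing tunnel.
! The ACL name is an assumption; append to the ACL the crypto map already references.
access-list vpn-to-siteB extended permit ip host 52.52.52.52 host 52.52.52.54
access-list vpn-to-siteB extended permit ip host 52.52.52.53 host 52.52.52.54

! Existing crypto map entry (name/sequence assumed). "set reverse-route" turns on
! RRI so the remote hosts in the ACL are injected as routes automatically.
crypto map outside_map 10 match address vpn-to-siteB
crypto map outside_map 10 set peer 80.80.80.80
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside

! ---- Site B ASA (inside 192.168.202.1 / outside 80.80.80.80) ----
! Mirror image: host routes for the two Site A servers out the outside interface.
! 80.80.80.1 is an ASSUMED ISP next hop.
route outside 52.52.52.52 255.255.255.255 80.80.80.1 1
route outside 52.52.52.53 255.255.255.255 80.80.80.1 1

! Crypto ACL must be the exact mirror of Site A's entries or phase 2 will not match.
access-list vpn-to-siteA extended permit ip host 52.52.52.54 host 52.52.52.52
access-list vpn-to-siteA extended permit ip host 52.52.52.54 host 52.52.52.53

crypto map outside_map 10 match address vpn-to-siteA
crypto map outside_map 10 set peer 60.60.60.60
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside

! ---- Verification on either ASA ----
! The /32 routes should appear in the RIB, and once traffic flows the SA
! should list the host pair with non-zero encaps/decaps counters.
show route | include 52.52.52
show crypto ipsec sa
```

Two points worth checking beyond the ASAs themselves. First, the /32 routes make the ASA send the traffic out the outside interface, where the crypto map intercepts it; they do not conflict with the 0.0.0.0/0 default route because the longer prefix wins. Second, the servers at Site A sit behind a separate 52.X gateway, not directly on the ASA inside subnet, so that gateway (a device the thread does not describe) also needs a route for 52.52.52.54/32 toward 10.254.253.1, otherwise it will forward SQL traffic toward the Internet instead of the ASA. If the outside interface applies dynamic PAT, the existing NAT exemption for the tunnel has to cover the new host pairs as well, or the source address will be rewritten before the crypto ACL is evaluated.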
01-11-2017 09:26 AM
Pablo,
Thanks for the quick follow up. I have a question regarding your route, specifically the next hop. The default gateway for these servers is the inside IP of the ASA at site B. That being said would I then set the static route on site B to be
route outside 52.52.52.52 255.255.255.255 192.168.202.1? I believe both sites have a catch all route of route outside 0.0.0.0 0.0.0.0 <next hop> and this would conflict itself correct?
Let me know if I can provide more information to assist on this.
Thanks.
01-11-2017 09:48 AM
Douglas,
Nope, that won't work because you're still using the ASA itself as the next hop which is not a valid command.
Can you share a sanitized configuration of your ASAs so I can take a look and propose a tailored solution?
Pablo