
Static route over a VPN tunnel

douglas.shupe
Level 1

I have a question regarding telling a static route to go over a VPN tunnel between two ASAs.  I have a client who uses a public IP address range as their internal LAN for one of their sites.  This site is connected via a VPN tunnel back to their main location.  We are looking to move one of their servers to a new location, but this server acts as the SQL back end for a few other servers, so they need to communicate with each other.  My question is: can I add a static route at site A to point to site B using the VPN tunnel as its next hop?  Information below:

Site A (internal public IPs):

Server A - 52.52.52.52

Server B - 52.52.52.53

ASA inside - 10.254.253.1

ASA outside - 60.60.60.60

Site B:

SQL Server - 52.52.52.54

ASA inside - 192.168.202.1

ASA outside - 80.80.80.80

The VPN tunnel is working and I can communicate from A - B - A.  I think I would add a route like this to achieve what I want.

Site A Routes:

route inside 52.52.52.54 255.255.255.255 192.168.202.1

Site B Routes:

route inside 52.52.52.52 255.255.255.255 10.254.253.1

route inside 52.52.52.53 255.255.255.255 10.254.253.1

Thoughts on this would be great.  I know we would ideally want to change the internal IP scheme of site A but it's a web hosting company and they have all their code set this way currently so we can't change it.

Accepted Solution

Pablo
Cisco Employee

Hi Douglas,

Neither of the proposed static routes will work because you can't set the next hop of the route to be the ASA itself; it always needs to be an L3 device in the same subnet or, in some special cases, handled via route recursion, but that's a different topic.

If I got this right then you just need to take care of 2 specific things on each firewall:

1 - Assuming the crypto map is applied to the outside interface then you will add a static route like this: route outside 52.52.52.52 255.255.255.255 <Next hop> where the next hop is usually your default gateway.

2 - Make sure the encryption ACL is modified to account for this new change on both ASAs.

One more concerning point is the internal routing: you need a more specific route injected in the 52.52.52.0 network on each side for all the servers, maybe RRI and a static route on the 52.X gateway.

Let me know if you have any doubt.

HTH

Pablo


3 Replies


Pablo,

Thanks for the quick follow up.  I have a question regarding your route, specifically the next hop.  The default gateway for these servers is the inside IP of the ASA at site B.  That being said, would I then set the static route on site B to be

route outside 52.52.52.52 255.255.255.255 192.168.202.1?  I believe both sites have a catch-all route of route outside 0.0.0.0 0.0.0.0 <next hop>, and this would conflict with itself, correct?

Let me know if I can provide more information to assist on this.

Thanks.

Douglas,

Nope, that won't work because you're still using the ASA itself as the next hop, which is not a valid command.

Can you share a sanitized configuration of your ASAs so I can take a look and propose a tailored solution?


Pablo
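As an added illustration of the two points made in this thread (the accepted answer's rule that a static route's next hop can never be the ASA's own address, and Douglas's later question about whether a host route would conflict with the 0.0.0.0/0 catch-all), here is a small Python model that is not part of the thread or of any Cisco code. It applies the addresses from the question; the /24 interface masks, the outside next hop 60.60.60.1, and the crypto ACL entries are constructed assumptions.

```python
# Added example, not from the thread or from Cisco: a simplified model of three
# rules the accepted answer relies on, applied to the addresses in the question.
#  1. A static route's next hop must be a neighbouring L3 device on the named
#     interface's subnet; none of the ASA's own addresses is a valid next hop.
#  2. A host route and the 0.0.0.0/0 catch-all do not conflict: the most
#     specific matching prefix wins, so the /32 is used and the default is not.
#  3. A packet only enters the tunnel if the crypto ACL matches its src/dst pair.
# Interface prefix lengths and the outside next hop are constructed assumptions.
from ipaddress import ip_address, ip_interface, ip_network

# Addresses from the question; the /24 masks are assumed.
SITE_A_IFACES = {"inside": ip_interface("10.254.253.1/24"),
                 "outside": ip_interface("60.60.60.60/24")}
SITE_B_IFACES = {"inside": ip_interface("192.168.202.1/24"),
                 "outside": ip_interface("80.80.80.80/24")}

def validate_static_route(ifaces, iface, dest, mask, next_hop):
    """Return (ok, reason) for 'route <iface> <dest> <mask> <next_hop>'."""
    if iface not in ifaces:
        return False, f"unknown interface {iface}"
    hop = ip_address(next_hop)
    if any(hop == i.ip for i in ifaces.values()):
        return False, "next hop is one of the ASA's own addresses"
    if hop not in ifaces[iface].network:
        return False, f"next hop {hop} is not on the {iface} subnet"
    ip_network(f"{dest}/{mask}", strict=False)  # raises on a malformed prefix
    return True, "ok"

def lookup(routes, dst):
    """Longest-prefix match over [(iface, network, next_hop)], like the ASA RIB."""
    hits = [r for r in routes if ip_address(dst) in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None

def site_a_routes():
    """Site A's catch-all plus the host route the answer proposes (gateway assumed)."""
    return [("outside", ip_network("0.0.0.0/0"), "60.60.60.1"),
            ("outside", ip_network("52.52.52.54/32"), "60.60.60.1")]

def site_a_crypto_acl():
    """Assumed site A crypto ACL entries for the moved SQL server, as (src, dst)."""
    return [(ip_network("52.52.52.52/32"), ip_network("52.52.52.54/32")),
            (ip_network("52.52.52.53/32"), ip_network("52.52.52.54/32"))]

def is_interesting(acl, src, dst):
    """True if the crypto ACL would select this flow for encryption."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)
```

Running the question's own `route inside 52.52.52.54 255.255.255.255 192.168.202.1` through `validate_static_route` fails because 192.168.202.1 is not on site A's inside subnet, and Douglas's second proposal fails because 192.168.202.1 is site B's own inside address, while `lookup` shows the /32 winning over the default route rather than conflicting with it.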