Static route over IPSec Tunnel

Hi, I need to reach a secondary router internal subnet which is at the end of an ASA ipsec tunnel (see attached)

For clients on Router A (172.16.2.1/24) to reach clients on Router B (172.16.1.1/24), would it just be a case of entering a static route eg 

Router A
ip route 172.16.1.0 255.255.255.0 192.168.1.2
Router B
ip route 172.16.2.0 255.255.255.0 192.168.2.2


assuming that Router A (192.168.2.1/30) can see Router B (192.168.1.2/30) and vice versa ie tunnel is up and running

VPN.PNG

VIP Mentor

Yes, it should work as expected to reach the far-end device; hope the far-end device has only one exit and a static route towards .1


BB
VIP Advisor

Hi,
I assume the ASA's are using a crypto map rather than a VTI?

Router A would not have a next hop of 192.168.1.2; its next-hop IP address would be Firewall A's inside IP address of 192.168.2.1.
Router B would not have a next hop of 192.168.2.2; its next-hop IP address would be Firewall B's inside IP address of 192.168.1.1.

Both firewalls would need to have a default route pointing to their next-hop IP address via the outside interface, and an ACL defining the interesting traffic in order to establish the VPN.

HTH

Sorry, typo there.

Yes router A has a next hop address of Firewall A (192.168.2.1)

Firewall A also has a route like so:

ip route 172.16.2.0 255.255.255.0 192.168.2.2 (Router A)


The IPsec tunnel has a security association like so:

192.168.2.0/30>1.1.1.1 ------ 2.2.2.2< 192.168.1.0/30

One side is an ASA, the other a Sophos UTM

Does the ASA have to have an ACL for the vpn interesting traffic or will it be sufficient to just put a route statement on it like:

ip route 172.16.1.0 255.255.255.0 192.168.1.1

if Firewall B has a route statement like:

ip route 172.16.1.0 255.255.255.0 192.168.1.2


If you are using a crypto map on the ASA and Sophos UTM, you will need to modify the ACL on both devices to define the interesting traffic to include the 172.16.x.x networks. You could NAT the traffic, but I'd recommend not doing that. A crypto map requires a default route to send traffic to the outside interface in order for the traffic to match the ACL and be encrypted.

If you were using a VTI you would specify a static route, but via the tunnel interface rather than the outside interface.

So for the interesting traffic on Firewall A,

i would have to add an ACL like:

permit ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.3

Accepted Solution

Your requirement was to access clients on Router A (172.16.2.1/24) to reach clients on Router B (172.16.1.1/24). In which case you'd need an ACL as such:-

access-list VPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

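The point of the accepted answer is that a crypto-map ACL is matched against the real source and destination of the client packets, so an entry that names the /30 transit link (the earlier proposal in this thread, rewritten here in ASA netmask form) never selects LAN-to-LAN traffic, and the peer's ACL must be the exact mirror. The following added checker is example code written for this post, not anything from the thread or from Cisco; the ACL lines, client addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# ASA extended ACE of the form used in this thread:
#   access-list NAME extended permit ip SRC NETMASK DST NETMASK
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)

def parse_ace(line):
    """Return (name, action, src_network, dst_network) for one ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
    return m["name"], m["action"], src, dst

def flow_is_interesting(acl_lines, src_ip, dst_ip):
    """First matching ACE wins (top-down, as on the ASA); no match means the
    crypto map never selects the packet, so it is not sent through the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        _, action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action == "permit"
    return False

def mirror_ace(line):
    """The peer's crypto ACL must be the exact mirror of ours; otherwise the
    phase 2 proxy IDs do not agree and the SA is not negotiated."""
    name, action, src, dst = parse_ace(line)
    return (f"access-list {name} extended {action} ip "
            f"{dst.network_address} {dst.netmask} {src.network_address} {src.netmask}")

def tunnel_carries_flow(acl_a, acl_b, src_ip, dst_ip):
    """Both ends must select the flow: A for the request, B for the reply."""
    return (flow_is_interesting(acl_a, src_ip, dst_ip)
            and flow_is_interesting(acl_b, dst_ip, src_ip))

# Constructed ACLs: the poster's proposal (LAN to the far /30 link) and the
# accepted one (LAN to LAN). Only the second carries client-to-client traffic.
ACL_TRANSIT_ONLY = [
    "access-list VPN extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.252",
]
ACL_CLIENT_LANS = [
    "access-list VPN extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0",
]
```

Running `tunnel_carries_flow(ACL_CLIENT_LANS, [mirror_ace(ACL_CLIENT_LANS[0])], "172.16.2.10", "172.16.1.10")` returns True, while the same call with ACL_TRANSIT_ONLY returns False because the destination 172.16.1.10 is not inside 192.168.1.0/30.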

Brill thank you