06-03-2022 07:05 PM
I am having trouble configuring 2 Cisco ASA firewalls for a VPN tunnel that I am essentially trying to route a subnet across.
If the equipment was not already deployed, and it wouldn't require travel to 2 different remote offices, I would simply use a GRE tunnel between 2 IOS routers. However, I thought I could use the ASA firewalls to achieve the same thing as I need 1 simple static route across the tunnel.
Essentially at site A, we have a BGP-speaking router with connectivity to the internet. We are announcing a publicly assigned subnet via BGP on an external-facing router and we have a Cisco ASA firewall behind that. At remote site B, we have a Cisco ASA firewall.
For this example, we will pretend the public IP space I am attempting to route across is 10.10.10.0/24.
I am statically routing the 10.10.10.0/24 subnet from the router to the ASA behind it. Traffic is getting to the ASA without issue. I then have configured a VPN tunnel between the firewall at Site A and the firewall at Site B. On the firewall at Site A in the crypto ACL, I included a rule:
access-list myACL extended permit ip any4 10.10.10.0 255.255.255.0
thinking this would therefore match any traffic destined to the subnet I was looking to route across and would bring up the VPN tunnel to the other side. However, it is not working. Enabling crypto debug doesn't even show it attempting to come up.
I then considered that NAT might be a problem even though I didn't expect it to be a problem as my only nat rule on the Site A is a dynamic object NAT for inside to outside traffic and this traffic should be hairpinned and be outside to outside (yes same-security-traffic permit intra-interface is configured). Anyway, I tried adding an explicit:
nat (any,outside) source static any any destination static obj-10_10_10_0_24 obj-10_10_10_0_24 route-lookup
to ensure that no NAT was taking place for any traffic destined to the subnet I was looking to route across the VPN.
The ASA still makes no attempt whatsoever to bring up the VPN tunnel.
What am I missing?
06-04-2022 03:06 AM
ASA supports VTI; it does not support GRE.
06-04-2022 12:18 PM
I know it does not support GRE; that is why I mentioned that if I had easy site access, I would just add some routers and use a GRE tunnel.
However, I do not see why an IPsec tunnel shouldn't be able to accomplish the same thing in this use case. I do not need any fancy routing or routing protocols, I just need a subnet announced on one side to be usable on the other side.
06-04-2022 12:33 PM
Just to clear something up here:
you have two ASAs,
you are using VTI on each ASA,
and you use BGP on each ASA to learn the LAN behind the other?
06-05-2022 10:15 AM
No, that is where it becomes an unusual use case for an IPsec tunnel.
On one side, I am trying to pass a "WAN" subnet across to the other side. I have done it 100+ times with GRE, and if the ASAs weren't already in place and/or the locations were easy to get to, that is how I would do it again. But I cannot see why the same thing couldn't be accomplished with an IPsec tunnel.
Site A:
ISP 1+2 <--> Router announcing 10.10.10.0/24 via BGP to the ISPs and statically routing it to ASA <--> ASA
Theoretical IPsec Tunnel between Sites ^
|
|
Site B:
ASA <--> 10.10.10.0/24 on "DMZ" interface
06-05-2022 04:10 PM
You are using a policy-based VPN, so the traffic must match the crypto ACL.
On ASA-B the ACL would be:
source 10.10.10.0/24 and destination will be ??
06-06-2022 01:14 AM
To get this working in your given scenario, your best bet is to configure your ASAs with a VTI (also known as a route-based VPN tunnel).
You mentioned you defined the access-list
access-list myACL extended permit ip any4 10.10.10.0 255.255.255.0
This won't work in a site-to-site VPN tunnel of the policy-based kind.
Here is the document guide for VTI on ASA; have a look at it. Instead of the BGP routes in the document, you can put static routes according to your needs.
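For reference, the VTI (route-based) design recommended above, written out for both ASAs with static routes instead of the BGP routes used in the guide. This is an added example and not configuration from the thread or from Cisco's guide; all addresses, interface names, the IKEv2 parameters and the pre-shared key are assumptions chosen for illustration (198.51.100.1 = ASA-A outside, 203.0.113.2 = ASA-B outside with ISP gateway 203.0.113.1, 169.254.100.0/30 = the tunnel link; 10.10.10.0/24 is the subnet from the thread). VTI needs ASA 9.7(1) or later.

```cisco
! Added example, not from the thread. All addresses/names are assumptions.
!
! ===== ASA-A (site A, behind the BGP router) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! For a site-to-site tunnel the tunnel-group name is the peer address
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CHANGE-ME
 ikev2 local-authentication pre-shared-key CHANGE-ME

! The VTI is a routable interface; no crypto map and no crypto ACL
interface Tunnel1
 nameif vti-siteb
 security-level 0
 ip address 169.254.100.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Internet traffic for 10.10.10.0/24 arriving on outside is routed into
! the tunnel; the route, not an ACL, is what selects the tunnel
route vti-siteb 10.10.10.0 255.255.255.0 169.254.100.2

! outside (0) -> vti-siteb (0) is a hop between equal security levels
same-security-traffic permit inter-interface

! The outside interface ACL must still allow the inbound traffic
! (assumed: an HTTPS service in the routed subnet)
access-list OUTSIDE-IN extended permit tcp any4 10.10.10.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside

! ===== ASA-B (site B, 10.10.10.0/24 on the DMZ interface) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CHANGE-ME
 ikev2 local-authentication pre-shared-key CHANGE-ME

interface Tunnel1
 nameif vti-sitea
 security-level 0
 ip address 169.254.100.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Keep the IKE/ESP peer reachable via the local ISP ...
route outside 198.51.100.1 255.255.255.255 203.0.113.1
! ... then send replies from 10.10.10.0/24 back through the tunnel so they
! exit to the internet via site A's BGP router (assumption: site B's other
! non-local traffic may also go this way; the ISP default stays as a
! floating backup with a worse metric)
route vti-sitea 0.0.0.0 0.0.0.0 169.254.100.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 250

! Verification on either side:
! show crypto ikev2 sa
! show crypto ipsec sa
! show interface Tunnel1
! show route
```

Two checks worth doing after applying this: on ASA-B, confirm no existing NAT rule (for example a `nat (any,any)` or `(dmz,any)` rule) translates the DMZ subnet on its way into `vti-sitea`, since the whole point is that 10.10.10.0/24 leaves the tunnel untranslated; and on ASA-A, the dynamic inside-to-outside object NAT from the thread does not match outside-to-VTI traffic, so the explicit no-NAT rule from the original post is no longer needed. Without the `/32` host route for the peer, the default route through the tunnel would try to carry the tunnel's own IKE/ESP packets and the VTI would never come up.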