Solved

ASA 5505 site to site VPN static route how to or possible workarounds

Posted on 2009-07-08
623 Views
Last Modified: 2012-05-07
Currently I have a site to site VPN set up between two ASA 5505s.  The local subnets are 192.168.1.0/24 for the main location and 192.168.2.0/24 for the remote location.  The last part of this equation is a vendor router (192.168.2.25) located on the remote subnet with a connection to a 10.0.0.0/24 network.

A server at the main location has an IP address of 192.168.1.20 and it will need to talk to the vendor router (192.168.2.25) in order to reach the 10.0.0.0/24 network.

How can I get 192.168.1.20 to communicate to the 10.0.0.0/24 network utilizing the VPN connection to get to 192.168.2.25?

Both ASAs are running 7.2.

I know the ASA is capable of some static routing - is it possible to have a static route traverse the VPN to the 192.168.2.25 router?  What configurations will I need to add to make this work?

If not, what possible workarounds are available to accomplish this easily?  Thanks.

Ideally I would have a static route for 10.0.0.0 255.255.255.0 via 192.168.2.25, but this does not appear to be an option with the ASA.
0
Question by:salesandservice
8 Comments
 
LVL 1

Author Comment

by:salesandservice
ID: 24810062
Is it possible to do this without changing the default gateway of the server (currently set to the ASA at the main location)?
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
It seems possible to change the default gateway to a different router and configure that router to point 10.0.0.0/24 traffic to 192.168.2.25, and that way the ASA would only need to send traffic over to the remote subnet via VPN as it normally does.  Would this work or am I missing something?
Any other configurations/ideas? Thanks.
0
 
LVL 1

Author Comment

by:salesandservice
ID: 24810112
The "same-security-traffic permit intra-interface" seems to indicate a similar setup to the above, except I could leave the default gateway as is.
So traffic going from the server at the main location to the 10.0.0.0/24 network would go to the pix and then go to the new router with an address of, let's say, 192.168.1.5.
So the config would be changed to:
same-security-traffic permit intra-interface
route inside 10.0.0.0 255.255.255.0 192.168.1.5   (new router)
-----
And then traffic would go to the router with a config of:
10.0.0.0 255.255.255.0 192.168.2.25
And traffic would travel over the VPN tunnel and out through the vendor router - will this configuration work?
 
 
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 2000 total points
ID: 24822798
First, can I assume the ASA at the main location is also your Internet gateway for users at main? If you don't have a conflicting 10.0.0.0/24 network on your main site, and your default gateway leads you to this Internet gateway/VPN firewall, then all you need to do is make sure that the 10.0.0.0 network is in your crypto ACL and natural routing will get it across. Of course you still need the traffic ACLs at both ends to allow the traffic. And at the remote ASA a static route statement:
Main ASA:
access-list VPN-Site2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-Site2 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map mymap 11 match address VPN-Site2

Remote ASA:
route inside 10.0.0.0 255.255.255.0 192.168.2.25


If your VPN ASA is not the same as your Internet ASA at the main site, then at your core router at the main site you will need to have a static route (ip route 10.0.0.0 255.255.255.0 192.168.1.x) to tell your own network that the 10 network is reachable via the VPN ASA.
0

 
LVL 1

Author Comment

by:salesandservice
ID: 24846079
Would it be possible to set the default gateway of the server at the main location to point to the router at the remote location? (Internet access will not be required for this server; only access to the vendor router is needed.)
I would think the same crypto ACLs would need to be applied.
Is this a viable alternative?  What are the implications of doing this?
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 2000 total points
ID: 24848752
No. Your main location server cannot ARP for the MAC of the remote router with the VPN in between.  A default gateway must have an address on the same subnet you are on, so that layer 2 ARP can occur.
The implications of doing what you suggested are that you won't be able to bring up the VPN.
The solution I gave is the only one I know will work. Why do you need an alternative?
0
 
LVL 1

Author Comment

by:salesandservice
ID: 24850460
As you mentioned earlier, the VPN ASA is also the Internet connection at the main site.

When the server goes to send data to the 10.0.0.0 network, how is this traffic able to go over the VPN tunnel to the remote site instead of being sent out the outside interface (Internet) via the default route on the ASA?
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 2000 total points
ID: 24851353
access-list VPN-Site2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-Site2 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map mymap 11 match address VPN-Site2
Of course there are other crypto and isakmp statements for the VPN. I assume you can finish that on your own. The point is the ACL association to the crypto map.

The above tells the ASA that traffic to 10.0.0.0/24 is interesting traffic for encryption on a particular tunnel. The ASA just encrypts it and passes it across the tunnel, where it is decrypted and then routed on its way. That remote ASA has the static route that tells the packet the next hop is through the inside interface via the router.
 
0
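As an added illustration, not part of the thread or any Cisco code, here is a small Python model of the forwarding decision described in the accepted solution and in the comment above: the main ASA's default route still sends the packet toward the outside interface, the crypto ACL bound to the crypto map on that interface decides whether it is encrypted into the tunnel, and the remote ASA's static route then picks 192.168.2.25 as the next hop. It also shows the failure mode when the second crypto ACL line is missing (the packet leaves the outside interface in cleartext). The ISP next-hop addresses and the helper names are constructed assumptions.

```python
import ipaddress

# Constructed routing tables: (prefix, egress interface, next hop).
MAIN_ROUTES = [
    ("192.168.1.0/24", "inside", "connected"),
    ("0.0.0.0/0", "outside", "203.0.113.1"),    # assumed ISP next hop (constructed)
]
REMOTE_ROUTES = [
    ("192.168.2.0/24", "inside", "connected"),
    ("10.0.0.0/24", "inside", "192.168.2.25"),  # route inside 10.0.0.0 255.255.255.0 192.168.2.25
    ("0.0.0.0/0", "outside", "198.51.100.1"),   # assumed ISP next hop (constructed)
]
# Crypto ACL VPN-Site2 from the thread, applied to the outside crypto map on the main ASA.
CRYPTO_ACL = [
    ("192.168.1.0/24", "192.168.2.0/24"),
    ("192.168.1.0/24", "10.0.0.0/24"),
]


def route_lookup(routes, dst):
    """Longest-prefix match over a routing table; returns (interface, next_hop)."""
    best = None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, nh)
    return best[1:]


def is_interesting(acl, src, dst):
    """True if any crypto ACL line matches src/dst, i.e. the packet must be encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def trace(src, dst, acl=CRYPTO_ACL):
    """Hypothetical helper: list the hops a packet from the main site takes."""
    iface, nh = route_lookup(MAIN_ROUTES, dst)
    path = [f"main-asa egress {iface}"]
    if iface == "outside" and is_interesting(acl, src, dst):
        # Crypto map on the outside interface matched: encrypt, cross the tunnel,
        # decrypt at the remote ASA, then do a normal route lookup there.
        path.append("ipsec encrypt -> tunnel")
        r_iface, r_nh = route_lookup(REMOTE_ROUTES, dst)
        path.append(f"remote-asa egress {r_iface} next-hop {r_nh}")
    else:
        path.append(f"cleartext next-hop {nh}")
    return path
```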
 
LVL 1

Author Closing Comment

by:salesandservice
ID: 31601393
Thank you for the assistance.  This worked great and I appreciate the follow-up to the related questions.
0
