I have question regarding routing with S2S VPN.
In your post we had to configure routing between 2 directly connected ASA FW. But in a case when you add (for example) in between one Router ( so ASA - R - ASA) you only have to specify default routes pointing to R. In the R configuration I do not use any route towards inside interfaces on both ASA Firewalls.
Why is that?
This is a very good question and is important to understand the role of routers in various locations throughout a topology. That router R doesn’t need to know how to reach the inside subnets of the ASAs. It will never receive packets with a destination IP of 192.168.1.X or 192.168.2.X.
Remember, the ASAs have created a site-to-site tunnel, so all traffic with such destination addresses will be encapsulated within tunneling packets. This means that the R router will only receive packets with destination IP addresses of the outside interfaces of the ASAs.
Thank you for the reply.
This all makes sense ( when using router ), but what I do not understand is why you have to specify routing when you have directly connected ASA FW. Directly connected ASA FW share same subnet (outside interfaces) and when we encapsulate packets in IPSEC, we know how to get to our peer, we then de encapsulate IPSEC headers ( we are left with source of inside IP and destination of inside IP) and forward in inside interface.
Let’s take it step by step. Let’s say you don’t have any routing configured in either ASA. Let’s say you have a host (H1) behind ASA1 with an IP address of 192.168.1.20 and another host (H2) behind ASA2 with an IP address of 192.168.2.40.
Now if H1 sends a ping to H2, that ping…
The ping will go to the default gateway, which is ASA 1 at 192.168.1.254.
The ASA will look at the destination IP of 192.168.2.40 but it doesn’t have any information about this network in the routing table. There is also no default route. So the packet is dropped.
The ASAs are directly connected, therefore they know about the 10.10.10.0/24 network to which they are both connected. However, ASA1 does not have any info about 192.168.2.0/24.
The solution is to either use the static route as shown in the lesson or introduce a default route in the routing table. That way if a destination doesn’t match anything, in the routing table, it will be sent to the default route. Once that is done, such packets will be sent to ASA2. ASA2 knows the 192.168.2.0/24 network as it is directly connected, and will forward the packet correctly.
I would like to ask a little help.
I am a beginer network engeener.
My question is:
If i created a s2S Ipsec Ikev1 vpn between 2 asa or 2 router and the interesting traffic are the same on both site. What should i have to do excatly?
I think i should do a NAT but i do not know how?
What kind of NAT do i have to use and how do i have to create NAT in this situation? What network do i have to translate for?
I see, thank you for the clarification. It depends on what you want to achieve. There are two possibilities here:
You are creating a single subnet of 192.168.1.0/24 that you want to span across two remote sites. Each host in the subnet is unique, in other words, you may have 192.168.1.10 at site 1 but not at site 2, and similarly 192.168.1.11 at site 2 but not at site 1. This essentially means you have a single subnet that is shared across the VPN tunnel, with a total of 254 unique hosts among the two sites.
The other case involves two separate subnets, each at each remote location, where you have the same network. So you may have 192.168.1.10 at both locations. This situation would arise if you have two separate branch offices, which happen to use the same IP address ranges, and you want to interconnect them.
If your case is the first, then you can easily do this by creating a Layer 2 tunnel between the two sites using the Layer 2 Tunnel Protocol (L2TP) as described in the lesson. Here you must ensure that each host has a unique IP address across both sites.
If your case is the second, then you must find a way to make those addresses unique. There are several ways to do this:
Maybe the easiest is to actually change the network addressing on that subnet and make it unique. It’s not always possible, but if it is, it is the cleanest solution. You can then set up a site-to-site VPN with the appropriate routing.
If that’s not possible, you should be able to NAT the addresses of one of the sites, as you suggested using static one-to-one NAT between the 192.168.1.0/24 subnet and another subnet that is not in use, such as 192.168.10.0/24. This NATing should be done either on the VPN router at the remote site that contains the subnet to be NATted, or on a router internal to that network, before the traffic reaches the VPN router. For one-to-one static NAT, take a look at this lesson.
Although this is probably not a viable solution for your case, it may be worth mentioning that MPLS is a technology that is designed to be able to discern between multiple remote networks that may be using the same subnets.
Let us know which is your case so that we can help you further.
Could you explain the differences between the attributes part for the tunnel-group? What are the differences between ipsec-attributes and general-attributes? How do we decide to choose one
over another?
I would like to do this in my ASA what you suggested:
If that’s not possible, you should be able to NAT the addresses of one of the sites, as you suggested using static one-to-one NAT between the 192.168.1.0/24 subnet and another subnet that is not in use, such as 192.168.10.0/24. This NATing should be done either on the VPN router at the remote site that contains the subnet to be NATted, or on a router internal to that network, before the traffic reaches the VPN router. For one-to-one static NAT
I do the ASA S2S VPN is the same than in lession: Cisco ASA Site-to-Site IKEv1 IPsec VPN
I do a Static NAT 192.168.1.0/24 → 192.168.1.11/24 network, this network not in use, and it should be a existing working network (192.168.1.11/24)?
I look at static NAT but there i can translate one ip address to one ip address.
How can i translate the internal 192.168.1.0/24 network to the 192.168.11.0/24 internal network?
I don not understand.
I think you have a typo there, I think you meant “existing working network (192.168.11.0/24)?”
The you translate to can be anything you like but it should not exist on any other internal network that you want to be able to reach, nor should it use any public IP addresses as this could result in incorrect routing to particular destinations on the Internet.
In order to achieve one to one NAT address translation for a whole range of addresses, you can use the range keyword like so:
object network Internal
range 192.168.1.2 192.168.1.254
object network Internal2
range 192.168.11.2 192.168.11.254
You can see more detailed information about such configurations here:
I had forgotten that we have a lesson on how to achieve static NAT on a whole subnet on the ASA. Although the range keyword will work, take a look at this lesson which shows the process step by step. It’s section 2 of the lesson:
