I am having trouble configuring 2 Cisco ASA firewalls for a VPN tunnel that I am essentially trying to route subnet across.
If the equipment was not already deployed, and it wouldn’t require travel to 2 different remote offices, I would simply use a GRE tunnel between 2 IOS routers. However, I thought I could use the ASA firewalls to achieve the same thing as I need 1 simple static route across the tunnel.
Essentially at site A, we have a BGP speaking router with connectivity to the internet. We are announcing a publicly assigned subnet via BGP on an external facing router and we have a Cisco ASA firewall behind that. At remote site B, we have a Cisco ASA firewall.
For this example, we will pretend the public IP space I am attempting to route across is 10.10.10.0/24.
I am statically routing the 10.10.10.0/24 subnet from the router to the ASA behind it. Traffic is getting to the ASA without issue. I then have configured a VPN tunnel between the firewall at Site A and the firewall at Site B. On the firewall at Site A in the crypto ACL, I included a rule:
access-list myACL extended permit ip any4 10.10.10.0 255.255.255.0
thinking this would therefore match any traffic destined to the subnet I was looking to route across and would bring up the VPN tunnel to the other side. However, it is not working. Enabling crypto debug doesn’t even show it attempting to come up.
I then considered that NAT might be a problem even though I didn’t expect it to be a problem as my only nat rule on the Site A is a dynamic object NAT for inside to outside traffic and this traffic should be hairpinned and be outside to outside (yes same-security-traffic permit intra-interface is configured). Anyway, I tried adding an explicit:
nat (any,outside) source static any any destination static obj-10_10_10_0_24 obj-10_10_10_0_24 route-lookup
to ensure that no NAT was taking place for any traffic destined to the subnet I was looking to route across the VPN.
The ASA still makes no attempt whatsoever to bring up the VPN tunnel.
What am I missing? I feel like this should be possible and work.
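For comparison, here is an added example (not the poster's configuration) of how the two ends of such a tunnel are usually laid out on ASA 8.3+ for the 10.10.10.0/24 case above, with the crypto ACLs written as exact mirror images and the NAT exemption on both sides; the Site B LAN interface name, next-hop addresses and the packet-tracer source address are assumed placeholders.

```cisco
!=== Site A ASA (behind the BGP router) ===
object network obj-10_10_10_0_24
 subnet 10.10.10.0 255.255.255.0
! Crypto ACL: internet sources (any4) to the routed subnet
access-list myACL extended permit ip any4 10.10.10.0 255.255.255.0
! Twice-NAT exemption so hairpinned outside->outside traffic keeps its addresses
nat (outside,outside) source static any any destination static obj-10_10_10_0_24 obj-10_10_10_0_24 no-proxy-arp route-lookup
! The subnet must be routed out the interface that carries the crypto map
! (198.51.100.1 is an assumed placeholder next-hop on the outside segment)
route outside 10.10.10.0 255.255.255.0 198.51.100.1
same-security-traffic permit intra-interface

!=== Site B ASA (10.10.10.0/24 lives behind its inside interface) ===
object network obj-10_10_10_0_24
 subnet 10.10.10.0 255.255.255.0
! Mirror image of Site A's ACL: source and destination are swapped
access-list myACL extended permit ip 10.10.10.0 255.255.255.0 any4
! No NAT for the routed subnet toward the tunnel
nat (inside,outside) source static obj-10_10_10_0_24 obj-10_10_10_0_24 destination static any any no-proxy-arp route-lookup
! 192.0.2.2 is an assumed placeholder next-hop toward the 10.10.10.0/24 segment
route inside 10.10.10.0 255.255.255.0 192.0.2.2

!=== Check on Site A: does a simulated packet hit the VPN encrypt phase? ===
! 203.0.113.10 is an assumed placeholder internet source address
packet-tracer input outside tcp 203.0.113.10 40000 10.10.10.5 80 detailed
```

In the packet-tracer output, a flow that is expected to be encrypted should show a VPN "ENCRYPT" phase after the NAT and route-lookup phases; if it is dropped earlier, the phase that drops it points at the ACL, NAT or routing step to fix first.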