Using ASA IPSec tunnel like a GRE tunnel to route subnet

I am having trouble configuring 2 Cisco ASA firewalls for a VPN tunnel that I am essentially trying to route subnet across.

If the equipment was not already deployed, and it wouldn’t require travel to 2 different remote offices, I would simply use a GRE tunnel between 2 IOS routers. However, I thought I could use the ASA firewalls to achieve the same thing as I need 1 simple static route across the tunnel.

Essentially at site A, we have a BGP speaking router with connectivity to the internet. We are announcing a publicly assigned subnet via BGP on an external facing router and we have a cisco ASA firewall behind that. At remote site B, we have a cisco ASA firewall.

For this example, we will pretend the public IP space I am attempting to route across is

I am statically routing the subnet from the router to the ASA behind it. Traffic is getting to the ASA without issue. I then have configured a VPN tunnel between the firewall at Site A and the firewall at Site B. On the firewall at Site A in the crypto ACL, I included a rule:

access-list myACL extended permit ip any4

thinking this would therefore match any traffic destined to the subnet I was looking to route across and would bring up the VPN tunnel to the other side. However, it is not working. Enabling crypto debug doesn’t even show it attempting to come up.

I then considered that NAT might be a problem even though I didn’t expect it to be a problem as my only nat rule on the Site A is a dynamic object NAT for inside to outside traffic and this traffic should be hairpinned and be outside to outside (yes same-security-traffic permit intra-interface is configured). Anyway, I tried adding an explicit:

nat (any,outside) source static any any destination static obj-10_10_10_0_24 obj-10_10_10_0_24 route-lookup

to ensure that no NAT was taking place for any traffic destined to the subnet I was looking to route across the VPN.

The ASA still makes no attempt whatsoever to bring up the VPN tunnel.

What am I missing? I feel liek this should be possible and work.

Hello David

Thanks for the detailed description of your topology and situation. First, I suggest you take a look at Unit 5 of the ASA course which includes many lessons that contain much of the configuration needed to create what you are attempting.

Now having said that, there are a few things to consider here, and a few questions that I have about your topology:

  1. It would be helpful if you included a simple diagram so we understand where your BGP router is in relation to the firewall.
  2. The ASA at site A has an external-facing interface with an IP address in the BGP-advertised subnet? Is it reachable from site B?
  3. Does the ASA at site B have a public IP address on an internet-facing interface? Is it static or dynamic?

Hopefully, the lessons will include information that will help you along the way. If you still have difficulty, consider the above questions and let us know your responses so that we can help you further…

I hope this has been helpful!