
Tracking an IP address through the IPSEC VPN Tunnel

Hello,

I have built an IPSEC site-to-site VPN tunnel from one of our Cisco ASAs to a Fortigate firewall. The tunnel is up and running and traffic is passing through the tunnel as expected. Now I have a requirement to track the tunnel status via SLA monitor in the ASA, and for the track destination I want to use an IP address at the other site. The setup is as shown below.

SHABEEBKUNHIPOCKER_2-1698775016359.png

The IPSEC tunnel is built between 10.3.1.1 and 1.1.1.1. I need to track the IP address 192.168.10.1. Since the track destination is a protected network, what will be the source interface that I can put in the SLA monitor configuration? If it is not possible, can I use the management interface in the SLA monitor configuration to source ICMP packets?

Thanks

Shabeeb


3 Replies

@SHABEEB KUNHIPOCKER you cannot specify the source interface using SLA. You could amend the crypto ACL to include the outside interface IP address as a source for interesting traffic.

Why do you need to track the IP address 192.168.10.1 from the ASA?

Hi Rob,

We have two data centers, I need to track the protected network from the DC ASA and remove the routes from DC1 ASA when the tracker goes down. Then the routes will be injected from DC2 and the traffic will pass through DC2 ASA. 

@SHABEEB KUNHIPOCKER amending the crypto ACL (as previously suggested) will work, or migrate to a route-based VPN using VTIs with a routing protocol, which would be a better design.
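
A sketch of the crypto ACL approach suggested in the replies, added here as an illustration and not taken from any poster's configuration. It assumes 10.3.1.1 is the ASA's outside interface address, that the interface is named `outside`, and that the remote protected network is a /24; the ACL name `VPN-TO-FGT`, the SLA/track ID `10` and the `<NEXT-HOP>` gateway are placeholders.

```cisco
! Assumption: VPN-TO-FGT is the ACL already referenced by the crypto map
! "match address" statement. Existing protected-network entries stay as they are.
! Added entry: the ASA's own outside IP becomes interesting traffic, so the
! SLA probe is encrypted and sent through the tunnel instead of in the clear.
access-list VPN-TO-FGT extended permit ip host 10.3.1.1 host 192.168.10.1
!
! The remote Fortigate needs a mirrored phase 2 selector
! (192.168.10.1 -> 10.3.1.1), otherwise the new SA will not negotiate.
!
! ICMP echo probe to the remote protected host, leaving via the outside interface
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.10.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object follows the reachability result of SLA operation 10
track 10 rtr 10 reachability
!
! Static route to the remote network is withdrawn when the track goes down
! (<NEXT-HOP> is a placeholder for the outside gateway)
route outside 192.168.10.0 255.255.255.0 <NEXT-HOP> 1 track 10
```

`show track 10` and `show sla monitor operational-state 10` report whether the probe is succeeding, and `show crypto ipsec sa` confirms that an SA exists for the new 10.3.1.1 to 192.168.10.1 selector.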
