Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
348
Views
0
Helpful
4
Replies

ASA\PIX lan-2-lan VPN and Routing

Go to solution
serotonin888
Level 1
Level 1

‎10-06-2008 10:20 AM - edited ‎03-11-2019 06:53 AM

Hi,

I wonder if anyone can explain why the following occurs and if there is a way around it.

Lets say i have a site with 2 outgoing connections. One is an IPSec lan-2-lan connection via an ASA\PIX firewall to 10.0.1.0/24. The other is an internal private WAN connection to every other 10.0.0.0/8 address.

If i specify a static route on the firewall directing 10.0.0.0/8 to our internal private WAN then this "breaks" the VPN to 10.0.1.0/24. Clearly this is because the firewall thinks 10.0.1.0/24 is now available by the internal private WAN. Even though it has an IPSec VPN configured for 10.0.1.0/24.

This means that i would need to add routes on the firewall for every 10.0.0.0/8 address with the exception of 10.0.1.0/24. This is quite "fiddly" to say the least.

Is there any easier way to do this?

Many Thanks

Andy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dominic.caron
Level 5
Level 5

‎10-06-2008 10:46 AM

Hi,

Can I assume that, from your asa perspective, your WAN link does not exit the asa from the outside interface...

Your cryto-map is apply to the outside interface, add a static route to your asa to force trafic destined to 10.0.1.0/24 to exit from that interface.

If this is not the case, please give us a idea of your network topology.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
dominic.caron
Level 5
Level 5

‎10-06-2008 10:46 AM

Hi,

Can I assume that, from your asa perspective, your WAN link does not exit the asa from the outside interface...

Your cryto-map is apply to the outside interface, add a static route to your asa to force trafic destined to 10.0.1.0/24 to exit from that interface.

If this is not the case, please give us a idea of your network topology.

0 Helpful

Go to solution
serotonin888
Level 1
Level 1
In response to dominic.caron

‎10-06-2008 11:03 AM

Hi Dominic,

Yes, You are correct. The WAN link to the other 10.0.0.0/8 networks is not connected to the firewall.

What would the static route look like?

route outside 10.0.1.0 255.255.255.0 ip_of _outside_iterface?

Appreciate your help,

Thanks

Andy

0 Helpful

Go to solution
dominic.caron
Level 5
Level 5
In response to serotonin888

‎10-06-2008 11:36 AM

yes, that should work. If now, will do some debug :)

0 Helpful

Go to solution
serotonin888
Level 1
Level 1
In response to dominic.caron

‎10-07-2008 12:13 AM

Excellent - that worked great.

Appreciate your help :)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card