Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
0
Helpful
3
Replies

User VPN through secondary internet

1StopBloke
Level 1
Level 1

‎12-19-2011 03:53 PM - edited ‎03-04-2019 02:41 PM

Hello,

I've got a problem that I'm hoping is simple for someone out there!

We have an ASA 5520 in production with a brand new internet feed we've just finished installing. We connect to our corporate office via a VPLS. In our corporate office we have a Cisco 1841 (I think that was the year it's made! ) with an ADSL feed with a static IP address plugged in directly.

We have a user VPN that we integrate with our user directory on the router, which connects via the ADSL. The users get an IP addres at the tail end of the 172.31.14.0/24 range, which is the same as one of our corporate subnets (we just reserver a few address, we don't have many VPN users).

Both the ASA and the router connect to each other (via the VPLS) on the internal subnet 10.255.255.0/24.

The ASA is 10.255.255.1

The router is 10.255.255.100

Currently the default route for the corporate office goes out the Dialer interface for the ADSL, which means that's where our internet goes out there (all proxying aside, we'll leave that out of this one).

ip route 0.0.0.0 0.0.0.0 Dialer1

We'd like to change that default route to go via the VPLS to the ASA, and then out to the internet using the new feed. All the ACLs and rules are in place at both ends for this to work. If I change the default route on the router to:

ip route 0.0.0.0 0.0.0.0 10.255.255.1

Then it works as expected.

The problem is that then the user VPN breaks. I had hoped I wouldn't have to do any configuration on this but it looks to be so. I'm guessing that the VPN packets are coming in via the ADSL and back out via the new internet. It would be simple if the remote client had a static IP address as I could put in a static route for each user, but it's always going to be dynamic.

What do I need to put in place to get this working? I thought maybe I could leave the default route via the ADSL and put in a next hop rule to go via the VPLS for the specific subnets that need the new internet, i.e. have a subnet specific default gateway, is this possible? (I gave it a go but it didn't seem to work, I think I didn't implement it properly though as it still went via the ADSL, maybe because there is a nat route-map as well?).

Any ideas?

Labels:
0 Helpful
3 Replies 3

Latchum Naidu
VIP Alumni
VIP Alumni

‎12-19-2011 11:13 PM

Hi,

It seems problem with the reverse route for the client vpn subnet.
Did you change the default route in pointing to your new internet (I guess your ASA) something like below.

ip route 192.168.200.0 255.255.255.0 10.255.255.1


Please rate the helpfull posts.
Regards,
Naidu.

0 Helpful

1StopBloke
Level 1
Level 1
In response to Latchum Naidu

‎12-20-2011 04:18 PM

Hello,

I'm not entirely sure I understand what you're saying. Do you mean did I put a route into the office router saying to use the new internet for the VPN subnet?

No I didn't because we want the VPN to use the old internet still.

If that's not what you meant can you elabourate please?

I don't think there's a problem with the 172.31.14.0 route, or any internal routes. It's the internet routing that's wrong.

0 Helpful

1StopBloke
Level 1
Level 1
In response to 1StopBloke

‎02-14-2012 06:07 PM

I think the general concensus with this is that it's not possible without a proxy, so we just bought a simple router to run our ADSL and VPN from.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card