09-30-2014 11:03 PM - edited 03-11-2019 09:50 PM
Hi....
We have an ASA5512 (version 8.6). I have set up the remote access VPN and it works great to reach our internal systems inside of the firewall.
But we also have systems/subnets that we reach over a static VPN from our internal network. The static VPN is configured on another firewall than the ASA firewall, but it is on the same subnet as the ASA. I have been trying to make a static route in the ASA for the traffic that is aimed at the other subnet that we access through the static VPN tunnel, but I don't get it to work... any hints on how to get this to work would be greatly appreciated....
09-30-2014 11:58 PM
Are the RA VPN users able to ping the second firewall inside interface (assuming that ping is allowed to that interface)?
In the site2site VPN on the second firewall, is the RA VPN subnet configured as source interesting traffic that is to be encrypted to the remote site?
Is the remote site firewall/router configured with the RA VPN subnet as destination interesting traffic to be encrypted back to your local network?
Do both local and remote sites exempt the RA VPN subnet from being NATed (if applicable)?
--
Please remember to select a correct answer and rate helpful posts
10-01-2014 02:13 AM
Hi Marius...
Thanks for your reply.
Yes, the RA VPN users can ping the second firewall interface.
The second firewall is a Watchguard firewall, and I have done this with our old VPN firewall (also Watchguard): just added the route and then it worked. I have on the site2site VPN firewall added the route for the RA VPN users' network so it is routed back correctly, but it doesn't work....
The traffic is not NATed...
10-01-2014 03:14 AM
How are you implementing the route on the ASA? (I mean the command you are using)
If you put the route in the ASA and then try to ping the remote site, do you see drop messages in the Watchguard firewall log? Or does the firewall encrypt and pass the traffic?
--
Please remember to select a correct answer and rate helpful posts
10-01-2014 06:33 AM
Hi ...
I used the command:
route inside 192.168.15.0 255.255.255.0 10.1.2.2 1
Now I see that traffic gets to the Watchguard FW, and it is allowed, but I think it is not routing the traffic through the VPN tunnel... will troubleshoot it, thanks for the hint.
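As an added worked example (not from the original thread or any of its posters), here is what the ASA side of this setup looks like on 8.6 (8.3+ NAT syntax). It covers the static route from the post above together with the NAT-exemption and interesting-traffic checks from Marius's reply. The remote subnet 192.168.15.0/24 and the next hop 10.1.2.2 are taken from the thread; the RA VPN pool 10.1.50.0/24, the internal range 10.1.0.0/16, the object names and the group-policy name are assumptions made for the example.

```text
! Added example, not configuration from the original post.
! Assumed: RA VPN pool 10.1.50.0/24, internal range 10.1.0.0/16, object and
! group-policy names. 192.168.15.0/24 and 10.1.2.2 come from the thread.
!
! RA VPN address pool (assumed)
ip local pool RAVPN-POOL 10.1.50.1-10.1.50.100 mask 255.255.255.0
!
object network RAVPN-NET
 subnet 10.1.50.0 255.255.255.0
object network REMOTE-S2S-NET
 subnet 192.168.15.0 255.255.255.0
!
! Static route: the remote subnet behind the Watchguard site-to-site tunnel is
! reached via the Watchguard's inside address on the shared LAN (same command
! the original poster used).
route inside 192.168.15.0 255.255.255.0 10.1.2.2 1
!
! NAT exemption (twice NAT, 8.3+ syntax): RA VPN clients talking to the remote
! subnet must keep their pool addresses, otherwise the Watchguard sees a source
! address that is not in its tunnel policy. route-lookup makes the ASA pick the
! egress interface from the routing table (i.e. the static route above).
nat (inside,outside) source static REMOTE-S2S-NET REMOTE-S2S-NET destination static RAVPN-NET RAVPN-NET no-proxy-arp route-lookup
!
! If split tunnelling is used, the remote subnet must also be in the
! split-tunnel ACL, or the client never sends that traffic into the tunnel.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 192.168.15.0 255.255.255.0
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Verification: trace a ping from an RA VPN client to a remote host and confirm
! that the static route and the identity NAT rule are hit and that the egress
! interface is "inside"; then confirm the route and NAT rule are present.
! packet-tracer input outside icmp 10.1.50.10 8 0 192.168.15.10
! show route | include 192.168.15.0
! show nat detail
```

The ASA's job ends once the packet leaves the inside interface towards 10.1.2.2 with its pool source address intact. From there the Watchguard needs the RA VPN pool (10.1.50.0/24 here) in the site-to-site tunnel's policy as a local network, and the remote peer needs it as a remote network; a route alone on the Watchguard is not enough for a policy-based IPsec tunnel, because the packet is only encrypted if it matches a tunnel policy. That is the first thing to check when the Watchguard log shows the traffic as allowed but it never reaches the remote site.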