Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
268
Views
0
Helpful
4
Replies

Remote VPN routing to other net

Kenneth Bergholm
Level 1
Level 1

‎09-30-2014 11:03 PM - edited ‎03-11-2019 09:50 PM

Hi....

 

We have a ASA5512 (version 8.6). I have set up the remote access vpn and it works great to reach our internal systems inside of the firewall.

But we also have systems/subnets that we reach over static VPN from out internal network, the static VPN is configured on another firewall than the ASA firewall, but is on the sama subnet as the ASA. I been trying to make a static route in the asa for the traffic that is aimed for the other subnet that we access through the static vpn tunnel, but I dont get it to work...any hints how to get this to work would be greatly appriaciated.... 

Labels:
0 Helpful
4 Replies 4

Marius Gunnerud
VIP
VIP

‎09-30-2014 11:58 PM

Are the RA VPN users able to ping the second firewall inside interface (assuming that ping is allowed to that interface)?

in the site2site VPN on the second firewall, is the RA VPN subnet configured as source interesting traffic that is to be encrypted to the remote site?

Is the remote site Firewall/Router configured the the RA VPN subnet as destination interesting traffic to be encrypted back to your local network?

Do both local and remote sites exempt the RA VPN subnet from being NATed (if applicable)?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Kenneth Bergholm
Level 1
Level 1
In response to Marius Gunnerud

‎10-01-2014 02:13 AM

Hi Marius...

 

Thanks for your reply.

 

yes the RA VPN users can ping the second firewall inteface.

The second firewall is a Watchguard firewall and i have done this with our old vpn firewall (also wathcguard) just added the route and then it worked. I have on the site2site vpn firewall added the route for the RAVPN users network so it is routed back correctly,  but it doesnt work....

The traffic is not NATed...

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Kenneth Bergholm

‎10-01-2014 03:14 AM

How are you implementing the route on the ASA? (I mean the command you are using)

If you put the route in the ASA and then try to ping the remote site, do you see drop messages in the Watchguard firewall log?  Or does the firewall encrypt and pass the traffic?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Kenneth Bergholm
Level 1
Level 1
In response to Marius Gunnerud

‎10-01-2014 06:33 AM

Hi ...

 

I used the command:

 

route inside 192.168.15.0 255.255.255.0 10.1.2.2 1

Now i see that traffic gets to the watchguard FW, and it is allowed, but I think it is not routing the traffic through the vpn tunnel...will troubleshoot it, thanks for the hint.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card