Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

2 Gateway in LAN, But the VPN Gateway can't be routed

Dear guys, can you give me an idea pls?

Big thanks in advance.

(Internet)-------(ASA5510)------(192.168.2.2)------LAN-------PC

``````````````````````````````````````````````````````````````|

``````````````````````````````````````````````````````````````|

```````````````````````````````````````````````````````(192.168.2.1)

``````````````````````````````````````````````````````````````|

``````````````````````````````````````````````````````````````|

(Internet_IPSec-VPN)-(172.x.x.0)-----------CheckPoint

Here's the topo, A LAN has two gateway, one for Internet web access, another for VPN connection.

The VPN connection is connected via the Wizard in a small Checkpoint box, a IPSec VPN, one side is LAN, another is WAN.

When Client PC's gateway point to ASA5510, it can't access the VPN resource, but if the gateway changed to CheckPoint, it works. But the related route(route inside 172.x.x.0 255.255.255.0 192.168.2.1) is added on the ASA5510.

============================

ASA Version 7.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Ethernet0/0

nameif Inside

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Ethernet0/1

nameif DMZ

security-level 90

no ip address

!

interface Ethernet0/2

nameif Outside

security-level 0

ip address 158.146.x.x.255.255.x

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.1 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

access-list Inside_access_in extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0 inactive

access-list Inside_access_in extended permit ip 192.168.2.0 255.255.255.0 interface Outside inactive

access-list Inside_access_in extended permit ip any any

pager lines 24

logging asdm informational

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

mtu Outside 1500

ERROR: Command requires failover license

ERROR: Command requires failover license

asdm image disk0:/asdm-504.bin

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (Inside) 1 192.168.2.0 255.255.255.0

access-group Inside_access_in in interface Inside

route Inside 172.28.0.0 255.255.0.0 192.168.2.1 1

route Outside 0.0.0.0 0.0.0.0 158.146.0.43 1

timeout xlate 0:20:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username xxx password xxx encrypted privilege 15

http server enable

http 192.168.2.0 255.255.255.0 Inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

Cryptochecksum:xxx

: end

2 REPLIES

Re: 2 Gateway in LAN, But the VPN Gateway can't be routed

Hi,

Unlike a router, an ASA/PIX will discard any traffic that tries to exit the same interface it entered (good security reasons).

Since you are using all 3 interfaces, i suggest creating VLANS on the inside interface.

One VLAN will be between LAN and ASA (subnet 192.168.2.x) and the other between ASA and the CheckPoint (e.g. 192.168.3.x/30).

(Internet)-------(ASA5510)------(192.168.2.2)------LAN-------PC

`````````````````````| 192.168.3.1/30

`````````````````````|

`````````````````````|

`````````````````````|

`````````````````````| 192.168.3.2/30

(172.1.1.0)--------CheckPoint

interface Ethernet0/0.100

nameif VPN

security-level 95

ip address 192.168.3.1 255.255.255.0

vlan 100

no shut

no route Inside 172.28.0.0 255.255.0.0 192.168.2.1

route VPN 172.28.0.0 255.255.0.0 192.168.3.2

static (inside,VPN) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

I used static instead of NAT 0 so that the VPN remote end can initiate connections.

You need to specify the same VLAN on the Checkpoint or use a VLAN able SW.

Please rate if this helped.

Regards,

Daniel

Re: 2 Gateway in LAN, But the VPN Gateway can't be routed

Hi,

Just found a better solution for you:

"The same-security-traffic command permits traffic to enter and exit the same interface when you use it with the intra-interface keyword which enables spoke-to-spoke VPN support"

command: same-security-traffic intra-interface

Check http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml for more details.

Please rate if this helped.

Regards,

Daniel

117
Views
0
Helpful
2
Replies