2 Gateway in LAN, But the VPN Gateway can't be routed

Dear guys, can you give me an idea please?

Big thanks in advance.

Here's the topology: a LAN has two gateways, one for Internet web access and another for the VPN connection.

The VPN connection is set up via the Wizard on a small Checkpoint box, an IPSec VPN; one side is the LAN, the other is the WAN.

When the client PC's gateway points to the ASA5510, it can't access the VPN resources, but if the gateway is changed to the CheckPoint, it works. The related route (route inside 172.x.x.0) is already added on the ASA5510.


ASA Version 7.0(4)

hostname ciscoasa
domain-name default.domain.invalid
enable password xxx

interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address

interface Ethernet0/1
 nameif DMZ
 security-level 90
 no ip address

interface Ethernet0/2
 nameif Outside
 security-level 0
 ip address 158.146.x.x.255.255.x

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd xxx
ftp mode passive
access-list Inside_access_in extended permit ip inactive
access-list Inside_access_in extended permit ip interface Outside inactive
access-list Inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
mtu Outside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1
access-group Inside_access_in in interface Inside
route Inside 1
route Outside 1
timeout xlate 0:20:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx encrypted privilege 15
http server enable
http Inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management

: end


Re: 2 Gateway in LAN, But the VPN Gateway can't be routed

Unlike a router, an ASA/PIX will discard any traffic that tries to exit the same interface it entered (for good security reasons).

Since you are using all 3 interfaces, I suggest creating VLANs on the inside interface.

One VLAN will be between the LAN and the ASA (subnet 192.168.2.x) and the other between the ASA and the CheckPoint (e.g. 192.168.3.x/30).

interface Ethernet0/0.100
 nameif VPN
 security-level 95
 ip address
 vlan 100
 no shut

no route Inside
route VPN
static (inside,VPN) netmask


I used static instead of NAT 0 so that the VPN remote end can initiate connections.

You need to specify the same VLAN on the Checkpoint or use a VLAN-capable switch.

Please rate if this helped.

Re: 2 Gateway in LAN, But the VPN Gateway can't be routed

Just found a better solution for you:

"The same-security-traffic command permits traffic to enter and exit the same interface when you use it with the intra-interface keyword which enables spoke-to-spoke VPN support"

command: same-security-traffic intra-interface

Check for more details.

Please rate if this helped.
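As an added example (not code from either reply), the following Python check finds the condition both replies describe: a static route whose next hop sits on the egress interface's own subnet, so hosts on that interface must re-exit it (a hairpin) and the ASA drops the flow. It treats the presence of the full `same-security-traffic permit intra-interface` line as resolving the finding; the sample config and its addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the style of the thread's ASA config (placeholder addresses).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route Inside 172.16.0.0 255.255.0.0 192.168.2.254 1
"""

def parse_interfaces(cfg):
    """Map each nameif to the ip_network configured on that interface."""
    ifaces, name, net = {}, None, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name, net = None, None          # new stanza
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and len(s.split()) >= 4:
            addr, mask = s.split()[2:4]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if name and net:
            ifaces[name] = net
    return ifaces

def parse_routes(cfg):
    """Yield (egress nameif, destination network, next hop) per static route."""
    for m in re.finditer(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", cfg, re.M):
        iface, dst, mask, nh = m.groups()
        yield iface, ipaddress.ip_network(f"{dst}/{mask}", strict=False), ipaddress.ip_address(nh)

def hairpin_findings(cfg):
    """Static routes that send hosts on the egress interface back out that same
    interface; the ASA drops such flows unless intra-interface traffic is permitted."""
    if re.search(r"^\s*same-security-traffic\s+permit\s+intra-interface\s*$", cfg, re.M):
        return []                           # hairpinning explicitly allowed
    ifaces, findings = parse_interfaces(cfg), []
    for iface, dst, nh in parse_routes(cfg):
        net = ifaces.get(iface)
        if net is None or dst.prefixlen == 0:  # unknown interface or default route
            continue
        if nh in net and not dst.overlaps(net):
            findings.append(f"route {iface} {dst} via {nh}: hosts on {net} hairpin to reach {dst}")
    return findings
```

A finding on a transit-only link (such as the /30 to the CheckPoint in the VLAN design above) is expected and harmless, since no client hosts live there.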