We have an ASA 5540. Here are the route statements. The inside interface is 184.108.40.206. If I have a server on subnet 66.102.150 and this subnet is not in the route statements, when a user logs in with the VPN client, will he be able to get to the server 220.127.116.11? What would be the default route when I do not have the static route statement?
Laura, if the 66.102.150.x/? network is in your inside network somewhere, being routed by another gateway, the FW will not know how to get to it, so even if you allow this network in your VPN ACL, VPN users will not get to it. It is just like your other route statements: how is the 18.104.22.168/24 network reachable? It is reachable via the 22.214.171.124 gateway on your inside. Same thing for 66.102.150: if it is in your inside network you need to tell the FW how to get to it, and the other way around, whichever gateway knows about the 66.102.150 net needs a route to get back to the FW.
If the 66.102.150.x/? network is somewhere on the internet, outside of your realm, the FW sends the traffic using your default route via the FW outside interface.
Thanks for your prompt response and information. The 126.96.36.199 is my inside network. The 188.8.131.52/24 is my inside network also. The network 184.108.40.206 is reachable through gateway 220.127.116.11.
Even though I do not have a route statement for subnet 18.104.22.168, I can get to the server on 22.214.171.124 through the VPN client. So, I guess it is not necessary to put in the route statement??? I always assumed that you have to have a route statement for each subnet inside your network so that the users can get to those subnets when they VPN in. How do I know when to put in the route statement? Can I just not put anything in until someone complains, and then put in the route statement? Thanks.
Hi Laura, are you sure you don't have a route for that network or host in the FW? Perhaps a 126.96.36.199/16 statement that covers the 150 net. You can see the output of all routes from the FW by issuing "show route" or "show run | inc route", and you can always confirm host reachability by pinging the host from the firewall itself.
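The answer above rests on two routing facts: the firewall picks the most specific matching route (so a covering /16 entry makes a /24 inside it reachable without its own statement, and the 0.0.0.0/0 default route catches everything else and sends it out the outside interface), and the inside gateway that owns the destination subnet must have a route back toward the firewall for the VPN client's address. The following is an added example, not configuration from the thread or any Cisco code: a small longest-prefix-match lookup in Python over a constructed routing table (the 10.x.x.x, 192.0.2.x, 203.0.113.x and 192.168.100.x addresses and the interface names are invented for illustration), plus a round-trip check that mirrors what "show route" and a ping from the firewall would tell you.

```python
import ipaddress

# Constructed firewall routing table (not the poster's ASA config). Each entry
# is (destination prefix, next-hop gateway, egress interface). The 0.0.0.0/0
# entry plays the role of the ASA's default route out the outside interface.
FW_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "outside"),   # default route (constructed)
    ("10.0.0.0/16", "10.1.1.254", "inside"),   # covering route for all of 10.0.x.x
    ("10.20.30.0/24", "10.1.1.253", "inside"), # an explicit /24 statement
]

# Constructed routing tables for the inside gateway that owns 10.0.150.0/24.
# The VPN client pool is assumed to be 192.168.100.0/24 (hypothetical).
INSIDE_GW_WITH_RETURN = [
    ("10.0.150.0/24", None, "connected"),
    ("192.168.100.0/24", "10.1.1.1", "to-firewall"),  # route back to the FW
]
INSIDE_GW_NO_RETURN = [
    ("10.0.150.0/24", None, "connected"),             # no way back to VPN pool
]


def lookup(table, dst):
    """Longest-prefix-match lookup, the way a router or firewall chooses a route.

    Returns (prefix, gateway, interface) for the most specific entry whose
    prefix contains dst, or None when no entry matches (only possible when the
    table has no default route).
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def reachable_round_trip(fw_table, inside_gw_table, vpn_client, server):
    """Check both legs of a VPN user's traffic to an inside server.

    Forward leg: the firewall must resolve the server via an inside route; if the
    only match is the default route, the packet leaves the outside interface and
    never reaches the inside network. Return leg: the inside gateway must have a
    route for the VPN client's address, otherwise replies are dropped there.
    """
    forward = lookup(fw_table, server)
    if forward is None or forward[2] != "inside":
        return False
    return lookup(inside_gw_table, vpn_client) is not None


if __name__ == "__main__":
    # 10.0.150.7 has no /24 statement but is covered by the /16 entry.
    print(lookup(FW_ROUTES, "10.0.150.7"))
    # 192.0.2.9 matches nothing specific, so the default route wins.
    print(lookup(FW_ROUTES, "192.0.2.9"))
    print(reachable_round_trip(FW_ROUTES, INSIDE_GW_WITH_RETURN,
                               "192.168.100.10", "10.0.150.7"))
    print(reachable_round_trip(FW_ROUTES, INSIDE_GW_NO_RETURN,
                               "192.168.100.10", "10.0.150.7"))
```

The first lookup resolves to the 10.0.0.0/16 entry, which is the situation the reply describes: a covering statement can make a subnet reachable even though "show run | inc route" shows no line for it. The round-trip check fails for the gateway without a return route, which is the case a ping from the firewall would surface before any user complains.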
Sorry for the late reply. I tried both "show route" and "show run | inc route" and do not see a route statement for the 66.102.150 network. I can ping a server 188.8.131.52 from the firewall. Do you have any other suggestions? Thanks.