I have a layer 3 switch with several vlans.
On vlan 5 (184.108.40.206/24) there is a router that has ipsec l2l with a remote site.
The problem is that my users have as default gateway the interface vlan 5 IP address (220.127.116.11/24), so they cannot access the remote sites through the ipsec router.
If I change the default gateway to the router's internal if (18.104.22.168/24) everything is working as expected.
Is there a way to trick this so the users won't have to change their default gw?
There is a default route pointing to my asa firewall.
I have also inserted a route for the remote site to point to the ipsec router
e.g. 22.214.171.124 255.255.255.0 126.96.36.199
where 188.8.131.52/24 is the lan subnet of my remote site and 184.108.40.206 the ipsec router.
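As an added illustration (not part of the original post, and not the poster's configuration), the following Python models the forwarding decision described above: users point at the switch SVI as default gateway, the switch holds a default route to the ASA plus a static route for the remote LAN via the IPsec router, and the IPsec router sits inside the same VLAN as the users. All addresses are constructed placeholders chosen for the model, not the thread's addresses; the `VLANS`, `STATIC_ROUTES`, `switch_lookup` and `forward_path` names are the example's own. It shows that with the SVI as gateway the switch matches the /24 static route and hands the packet straight back out VLAN 5 to the IPsec router (a hairpin on the ingress VLAN, the spot where a router would normally emit an ICMP redirect), whereas with the router as gateway the switch is not in the path at all.

```python
import ipaddress

# Constructed placeholder addressing that mirrors the topology in the post
# (three VLANs on an L3 switch, IPsec router inside VLAN 5, default route
# towards the ASA over a routed port). None of these are the thread's IPs.
VLANS = {                        # VLAN subnet -> switch SVI address
    "10.0.3.0/24": "10.0.3.1",
    "10.0.4.0/24": "10.0.4.1",
    "10.0.5.0/24": "10.0.5.1",   # users' default gateway in the problem case
}
ASA_LINK = "10.0.99.0/30"        # routed port between switch and ASA
STATIC_ROUTES = [                # (prefix, next hop) as configured on the switch
    ("0.0.0.0/0", "10.0.99.1"),      # default route -> ASA
    ("10.0.50.0/24", "10.0.5.2"),    # remote LAN -> IPsec router internal if
]


def switch_lookup(dst):
    """Longest-prefix match over connected subnets and static routes.

    Returns (matched_prefix, next_hop). next_hop is None for a connected
    subnet, meaning the switch delivers directly on that VLAN/link.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), None) for p in list(VLANS) + [ASA_LINK]]
    candidates += [(ipaddress.ip_network(p), nh) for p, nh in STATIC_ROUTES]
    matching = [c for c in candidates if dst in c[0]]
    net, next_hop = max(matching, key=lambda c: c[0].prefixlen)
    return str(net), next_hop


def vlan_of(ip):
    """Return the VLAN prefix an address belongs to, or None if not on a VLAN."""
    ip = ipaddress.ip_address(ip)
    for prefix in VLANS:
        if ip in ipaddress.ip_network(prefix):
            return prefix
    return None


def forward_path(src, gateway, dst):
    """Hops a packet from src takes towards dst when src's default gw is `gateway`.

    Covers the two cases in the thread: gateway is the switch SVI (the switch
    routes the packet), or gateway is the IPsec router (host hands it over
    directly and the switch only bridges it within VLAN 5).
    """
    hops = [src, gateway]
    if gateway not in VLANS.values():
        return {"hops": hops, "matched": None, "hairpin": False}

    prefix, next_hop = switch_lookup(dst)
    if next_hop is None:
        hops.append(dst)
        hairpin = vlan_of(dst) == vlan_of(src)
    else:
        hops.append(next_hop)
        # Next hop in the same VLAN the packet arrived on: the switch sends it
        # back out the ingress VLAN, which is where IOS would emit an ICMP
        # redirect telling the host to use the router directly.
        hairpin = vlan_of(next_hop) == vlan_of(src)
    return {"hops": hops, "matched": prefix, "hairpin": hairpin}


if __name__ == "__main__":
    # Problem case: user on VLAN 5 with the SVI as gateway, remote LAN as target.
    print(forward_path("10.0.5.20", "10.0.5.1", "10.0.50.7"))
    # Working case from the post: user points at the IPsec router instead.
    print(forward_path("10.0.5.20", "10.0.5.2", "10.0.50.7"))
    # A user on another VLAN: the switch routes to the IPsec router, no hairpin.
    print(forward_path("10.0.3.20", "10.0.3.1", "10.0.50.7"))
    # Anything else follows the default route to the ASA.
    print(switch_lookup("203.0.113.9"))
```

The model only covers the outbound hop-by-hop decision; the reverse direction (IPsec router replying straight to a VLAN 5 host without touching the switch) is the asymmetric half that the model does not need to simulate to show where the forward path turns around.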
From a user if you traceroute to the remote VPN subnet, where does it stop? Are your users in the same vlan as your IPSec router and your ASA?
Yes my users and the ipsec router are on the same vlan.
traceroute to 220.127.116.11 (remote lan)
1 -> 18.104.22.168 (ipsec router)
and then I get a destination unreachable... although my vpn tunnel is up and running...
From the other site, 22.214.171.124/24, I can ping 126.96.36.199 (ipsec router's internal if) but not any other host on 188.8.131.52/24.
Thanks for your help.
Can any users that are connected to your switch, but not in the same subnet as the IPSec router and the ASA get across the VPN tunnel?
The ASA is connected to the L3 Switch through a routed port.
At the moment the crypto access list permits PCs that are on the same vlan with the ipsec router. So unfortunately I can't test your scenario.
Does your ASA have a route for the remote VPN subnet pointing to the router? What do the logs on the router say when you try and go across the tunnel?
When users choose the VPN router as their default GW the connection works, so I don't think the ASA is involved. Is 184.108.40.206 the inside or outside interface of the VPN router? or does it only have 1?
|LAYER 3 SWITCH| ------- (internal if - ip address 220.127.116.11/24) IPSec Router, part of Vlan5 (ext if 10.10.10.1) = vpn tunnel = Remote Router
    |         |         |
  vlan3     vlan4     vlan5 (18.104.22.168/24)
Users on vlan 5 have as default gw the 22.214.171.124. If I change the default gw to my ipsec router's internal ip 126.96.36.199 I have connectivity.
On my layer 3 Switch i have an ip route command like ip route 188.8.131.52 255.255.255.0 184.108.40.206 where 220.127.116.11 is the remote router's lan.
The ipsec router has 2 interfaces as shown above.
OK, I have some new feedback on this.
When the users change their default gateway to 18.104.22.168 (ipsec router's internal if) I have connectivity but only from the remote site.
Meaning, users on the remote lan 22.214.171.124/24 can access user PCs on 126.96.36.199/24 but not vice versa.
It seems that even changing the default gateway for my users to 188.8.131.52 they cannot access 184.108.40.206/24...
Seems like some ACL in the ASA is blocking the traffic
Could you please share the routing table of the gateway routers at both sites.