
Have successfully connected to my ASA via VPN client.

Setup: ASA >> Switch >> 2 CentOS Linux Servers

When I open a local terminal (OSX), I can ping the inside interface (192.168.0.1) but not the inside servers listening on 192.168.0.2~254.

Inside servers can ping each other as well as 192.168.0.1

It seems that VPN ping requests to a server's inside IP are getting sent back out on the Linux box's public interface (the gateway is set on the public interface, not the private one).

Not by any means an expert sysadmin, I tried to set the gateway on the server's private interface and did a "service network restart" -- no dice; looks like Linux does not like multiple gateways?

Anyway, would be nice to VPN connect and have access to internal network; then I could block all traffic except web services and only SSH over VPN.

There must be a way to do this; ideas appreciated.

virtualeyes

1 Answer

Am I understanding that the Linux machines have two NICs -- one connected to the Internet and using a public IP address, and another connected to the LAN with the ASA?

Assuming that's the case, it sounds like you just need a static route on all your Linux machines to route traffic sourced from the VPN subnet back to the ASA rather than to the default gateway. Depending on your Linux distro, the method to add a static route and make it persistent across boots will vary, but you can test it out fairly easily by just adding the route "by hand" and seeing how it works. Something like route add -net a.a.a.a netmask b.b.b.b gw c.c.c.c, where a.a.a.a is the network id of the VPN subnet, b.b.b.b is the subnet mask of the VPN subnet, and c.c.c.c is the address of the ASA. Assuming the ASA is in the same subnet as one of the NICs on the Linux machines, responses to VPN IP addresses would be sent out, by the Linux boxes, on the NIC attached to the ASA subnet.

Evan Anderson
  • I will give this a shot, Evan, Cisco SMARTnet support suggested the same. Of course, now Cisco VPN client on OSX can't even ping on vlan inside interface 192.168.0.1, while VPN client in Windows VM can ping it just fine, groan, lol. Going to reboot OSX and then try out the route suggestion in Linux boxes behind the ASA Thanks! – virtualeyes Aug 05 '10 at 23:56
  • Evan, route add did the trick, but only after I changed inside vlan to a 10.1.1.1 range -- most home modem/routers use 192.168.x.x and that seems to have been conflicting with VPN network which was on the same subnet. Now, I can lock down my servers and actually make use of the VPN ;--) Thanks!! – virtualeyes Aug 06 '10 at 18:30
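To make the routing decision in the answer concrete, here is an added example (not from the question or answer above, and not a Cisco or Linux tool) that simulates the Linux longest-prefix-match lookup a server performs when it replies to a VPN client. It shows why, without the static route, the reply leaves on the public NIC via the default gateway, and why adding the route for the VPN pool via the ASA's inside address sends it out the LAN NIC instead. It also includes the subnet-overlap check behind the second comment (a home LAN on 192.168.x.x colliding with the inside VLAN). The VPN pool (10.99.0.0/24), the public subnet (203.0.113.0/24) and the interface names are assumptions; only 192.168.0.1 and the 192.168.0.0/24 and 10.1.1.0/24 ranges come from the post.

```python
import ipaddress

# Assumed values for this example: the post gives the inside LAN and the ASA's
# inside address, but no VPN client pool or public addressing.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")      # assumed VPN client pool
ASA_INSIDE = ipaddress.ip_address("192.168.0.1")     # ASA inside interface (from the post)
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed public subnet of eth0
PUBLIC_GW = ipaddress.ip_address("203.0.113.1")      # assumed default gateway on eth0
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")  # inside LAN on eth1 (from the post)


def lookup(routes, dst):
    """Linux-style route selection: the most specific (longest prefix) matching
    route wins. Each route is (network, gateway-or-None, device)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def route_table(with_vpn_route):
    """The server's routing table, with or without the static route the answer
    recommends (route add -net <vpn pool> netmask <mask> gw <ASA inside>)."""
    routes = [
        (PUBLIC_NET, None, "eth0"),                       # connected: public NIC
        (INSIDE_NET, None, "eth1"),                       # connected: LAN with the ASA
        (ipaddress.ip_network("0.0.0.0/0"), PUBLIC_GW, "eth0"),  # default via public gateway
    ]
    if with_vpn_route:
        routes.append((VPN_POOL, ASA_INSIDE, "eth1"))     # the fix: VPN pool via the ASA
    return routes


def reply_egress(vpn_client_ip, with_vpn_route):
    """Return (device, next hop) the server would use to answer a VPN client."""
    _net, gw, dev = lookup(route_table(with_vpn_route), vpn_client_ip)
    return dev, (str(gw) if gw is not None else "direct")


def overlaps(net_a, net_b):
    """True when two prefixes share addresses, e.g. a home LAN and the inside
    VLAN both on 192.168.0.0/24, which breaks the client's own routing."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


if __name__ == "__main__":
    client = "10.99.0.7"  # assumed address of a connected VPN client
    print("without static route:", reply_egress(client, False))  # ('eth0', '203.0.113.1')
    print("with static route:   ", reply_egress(client, True))   # ('eth1', '192.168.0.1')
    print("192.168.0.0/24 vs home LAN 192.168.0.0/24 overlap:",
          overlaps("192.168.0.0/24", "192.168.0.0/24"))
    print("10.1.1.0/24 vs home LAN 192.168.0.0/24 overlap:",
          overlaps("10.1.1.0/24", "192.168.0.0/24"))
```

On the real servers the same effect comes from the route command in the answer (or ip route add on newer systems); the simulation only makes the before/after decision visible. The overlap check is worth running against the inside VLAN and the VPN pool before choosing either range, since the client machine's own LAN prefix is outside your control.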