
I have a pair of ASAs on my network.

Both ASAs have their own static WAN IPs.

The internal interface IP of ASA 1 is 10.7.0.1 (it's a /24 subnet).

The internal interface IP of ASA 2 is 10.7.0.2 (same subnet).

ASA 1 is running DHCP (the scope is 10.7.0.40-100) and hands out the addresses to the servers/computers. It also has site-to-site VPNs configured and functioning between 2 of our offices.

ASA 2 has been set up for IPsec VPN, and external clients can connect, authenticate to ASA 2, and receive an IP address from the 10.7.50.0 VPN pool that I created, but they can't ping the 10.7.0.0 subnet or access any devices on it. The VPN was set up using the ASDM wizard, and I've done this a few times in the past with no issues, so I can't figure out what's wrong in this case. It's too hard to mess up the IPsec VPN config, so I don't think I did anything wrong there; I suspect the problem is on the other ASA.

Do I need to add a route on ASA 1 in order for traffic to route back out through ASA 2? Does ASA 1 not recognize the 10.7.50.0 subnet since it's set up on ASA 2? It's become a frustrating setup.

For more info... the WAN ports of the ASAs plug into the same modem to get out to the internet. ASA 2 has a LAN port plugged directly into one of ASA 1's LAN ports; that's how it can see devices on the LAN.

user72593

1 Answer


Do I need to add a route on ASA 1 in order for traffic to route back out through ASA 2?

Yes. You can add a static route to ASA 1. For example:

ip route 10.7.50.0 255.255.255.0 10.7.0.2

Does ASA 1 not recognize the 10.7.50.0 subnet since it's set up on ASA 2?

Yes. If you want automatic route updates between two routers, you must configure one of the dynamic routing protocols (OSPF, BGP, IS-IS, RIP) on both routers.

It's become a frustrating setup.

Yes.

Mikhail Khirgiy
  • Hi Mikhail, so I tried the command but it seems the ASA doesn't like that syntax, so I went with " route inside 10.70.50.0 255.255.255.0 10.70.0.2 " on ASA 1, then tried connecting and still nothing. – user72593 Dec 15 '16 at 19:33
  • Update... my fault for copy/pasting the command, there was a zero added to the IP address (10.7.50.0 vs 10.70.50.0). So now I can ping 10.7.0.1, which is ASA 1, but I can't ping anything else on that subnet. Do I also need some ACL rule to allow traffic from the 10.7.50.0 subnet? – user72593 Dec 15 '16 at 19:59
  • Is 10.7.0.1 the default route on hosts from the 10.7.0.0/24 network? – Mikhail Khirgiy Dec 16 '16 at 04:07
  • Yes. You need an ACL to allow traffic between these networks, 10.7.0.0/24 and 10.7.50, on both routers. – Mikhail Khirgiy Dec 16 '16 at 04:12
  • Yes, 10.7.0.1 is the default route on hosts from the 10.7.0.0/24 network. I'm not exactly sure how to set up that ACL; I've done all of my previous setups using the ASDM and never been faced with this kind of scenario in the past. I can create a static route, but I'm not sure how ACLs are supposed to be as far as syntax. – user72593 Dec 18 '16 at 18:33
  • Sorry, this just got too complicated when all attempts wouldn't work, so we wiped out ASA 1, rebuilt the site-to-site VPNs and then set up AnyConnect on the same ASA... now things are working. Thanks for trying to help. – user72593 Dec 20 '16 at 08:16
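Putting the answer and the comment thread together (the static route on ASA 1, the ACL question, and the fact that ASA 1's return traffic enters and leaves the same inside interface), here is an added example of the relevant config on both ASAs in ASA syntax; it is not from the original question or answer. It assumes the interfaces are named inside/outside, that ASA 1 already has an inbound ACL named inside_access_in, and the object names and sample host addresses are made up. The same-interface (hairpin) rule is a common reason for exactly the symptom in the comments, where ASA 1 itself answers pings but hosts behind it do not.

```cisco
! ---- ASA 1 (10.7.0.1, the LAN's default gateway) ----
! Return traffic for the VPN pool must go to ASA 2, not out the default route
route inside 10.7.50.0 255.255.255.0 10.7.0.2 1
! LAN -> pool packets arrive on inside and leave on inside (hairpin);
! the ASA drops these unless same-interface traffic is permitted
same-security-traffic permit intra-interface
! Object names are assumed for this example
object network LAN_10_7_0_0
 subnet 10.7.0.0 255.255.255.0
object network VPNPOOL_10_7_50_0
 subnet 10.7.50.0 255.255.255.0
! Identity NAT for the hairpinned traffic, so a manual NAT rule whose
! mapped interface is outside cannot pull this traffic toward the WAN
nat (inside,inside) source static LAN_10_7_0_0 LAN_10_7_0_0 destination static VPNPOOL_10_7_50_0 VPNPOOL_10_7_50_0 no-proxy-arp route-lookup
! Only needed if an ACL is bound inbound on inside (assumed name);
! with no ACL bound there, the ASA already permits this traffic
access-list inside_access_in extended permit ip object LAN_10_7_0_0 object VPNPOOL_10_7_50_0
! Checks: confirm the route is installed, then trace an ICMP echo from a
! LAN host (10.7.0.50) to a VPN client (10.7.50.10); both addresses are constructed
show route | include 10.7.50.0
packet-tracer input inside icmp 10.7.0.50 8 0 10.7.50.10 detailed

! ---- ASA 2 (10.7.0.2, terminates the remote-access VPN) ----
object network LAN_10_7_0_0
 subnet 10.7.0.0 255.255.255.0
object network VPNPOOL_10_7_50_0
 subnet 10.7.50.0 255.255.255.0
! NAT exemption: clients reach the LAN with their real pool addresses
nat (inside,outside) source static LAN_10_7_0_0 LAN_10_7_0_0 destination static VPNPOOL_10_7_50_0 VPNPOOL_10_7_50_0 no-proxy-arp route-lookup
! Decrypted VPN traffic bypasses the outside interface ACL (on by default);
! if it was turned off, the outside ACL must permit pool -> LAN explicitly
sysopt connection permit-vpn
```

The packet-tracer output shows the phase (ROUTE-LOOKUP, NAT, ACCESS-LIST) at which a packet is dropped, which is the quickest way to tell a missing route from a missing ACL entry or a hairpin drop.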