Cisco ASA 5510s: setting up two firewalls, one for VPN only, the other for a VPN tunnel and Internet

30 pts.
Tags:
ASA
VPN
I have a question that I have been working on and cannot seem to figure out. I have 2 ASA 5510s. Both have Internet services from two different providers. One I want to use for VPN access for remote users to connect through; on the other I have a VPN tunnel built and I want to have the corporate Internet access set up there because it has much higher bandwidth. I need the remote users to have access to all the subnets in our network, and I need the VPN tunnel to have access to all the subnets in our network as well.

For the record, I am in the process of going through some online training for the ASA; however, I need this to work before I can finish the training (provided this would even be covered in this training), and I don't have the time to wait for a vendor to come in and work with me on this, so I am in a bit of a pinch to get this working.

I have 2 subnets in our corporate site. I have other sites connected via MPLS with their own subnets. Currently I have a default route set up to route Internet out the ASA with the slower Internet port. If I change that route to the other ASA, the VPN users cannot access the subnets. I am not sure where I need to add a route, with the ASA not capable of routing traffic, or am I wrong? Thank you for looking and for your assistance.

Software/Hardware used:
Cisco ASA 5510
ASKED: January 14, 2013  6:39 PM

Answer Wiki


I suspect that all you need to do is add a route into your network for the subnet allocated to the VPN users. You can do this on the fast Internet ASA, but you will also need to put it on the MPLS router and/or the other routers in your network, or distribute it via a routing protocol if you use one. This is to ensure that all locations 'know' about this subnet. The default route was effectively doing this job before, but now that you have changed it to point to the fast ASA, there is no route to the VPN users' subnet.

If you put the route on the fast ASA you will also need to add the global command

same-security-traffic permit intra-interface

This allows it to route traffic back out of the same interface it received it on, and lets the ASA act as a router.
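The routes and the hairpin command described in the answer, written out as an added example configuration. This is not configuration from the original question or answer, and every address in it is assumed for illustration: corporate subnet A is 10.1.1.0/24 and is the segment both ASAs and the MPLS router sit on, with the fast ASA's inside at 10.1.1.1 (the LAN default gateway), the VPN ASA's inside at 10.1.1.2, the MPLS router at 10.1.1.3 and an L3 core switch at 10.1.1.4 fronting corporate subnet B, 10.1.2.0/24; the MPLS sites are summarised as 10.2.0.0/16; the remote-access pool is 10.99.0.0/24; the two providers' next hops are 203.0.113.1 and 198.51.100.1. The pool name RA_POOL, the ACL RA_SPLIT and the group policy RA_POLICY are likewise hypothetical names.

```cisco
! ===== Fast ASA: corporate default gateway, also terminates the site-to-site tunnel =====
! (assumed addressing: inside 10.1.1.1, VPN ASA 10.1.1.2, MPLS router 10.1.1.3, core switch 10.1.1.4)
!
! Let a packet that arrived on "inside" be forwarded back out "inside".
! Without this, a LAN host's reply to 10.99.0.x reaches the default gateway
! (this ASA) on inside, the route below says "inside again", and the ASA
! drops it instead of handing it to the VPN ASA. That is the symptom in the question.
same-security-traffic permit intra-interface
!
! Return path for the remote-access pool: next hop is the VPN ASA's inside address.
route inside 10.99.0.0 255.255.255.0 10.1.1.2 1
! Corporate subnet B behind the core switch, and the MPLS sites behind the MPLS router,
! so traffic arriving from the site-to-site tunnel can reach every internal subnet.
route inside 10.1.2.0 255.255.255.0 10.1.1.4 1
route inside 10.2.0.0 255.255.0.0 10.1.1.3 1
! Everything else (Internet) leaves via the fast provider.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ===== VPN ASA: remote-access VPN only =====
! (assumed addressing: inside 10.1.1.2, pool 10.99.0.0/24)
ip local pool RA_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
! Decrypted traffic from remote users is routed out inside, so the VPN ASA needs
! the same internal routes; its own default route only has to carry the peers' IPsec/SSL.
route inside 10.1.2.0 255.255.255.0 10.1.1.4 1
route inside 10.2.0.0 255.255.0.0 10.1.1.3 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! Split tunnel: send both corporate subnets and all MPLS sites into the tunnel.
access-list RA_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list RA_SPLIT standard permit 10.2.0.0 255.255.0.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 address-pools value RA_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! ===== MPLS router and core switch (IOS): send pool traffic straight to the VPN ASA =====
! Putting the route here avoids the hairpin through the fast ASA for these hops,
! which is what the answer means by "all locations know about this subnet".
ip route 10.99.0.0 255.255.255.0 10.1.1.2

! ===== Verification on the fast ASA =====
! Simulate a LAN reply to a remote user; with the hairpin permitted the trace ends
! in ALLOW with output interface inside, without it the trace shows a DROP.
packet-tracer input inside icmp 10.1.1.50 8 0 10.99.0.10 detailed
show route
```

Two practitioner caveats. Hairpinned traffic is still checked against the access-list applied to the inside interface, so that ACL must permit LAN-to-10.99.0.0/24 traffic. The pool must also be exempt from NAT on both ASAs like any other internal subnet; the syntax for that depends on the ASA software version (nat 0 with an access-list on 8.2, object or twice NAT on 8.3 and later), which is why it is left out of the fragment above.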

Discuss This Question: 3  Replies

  • Skeletor68
    I should point out that the remote VPN users, when logged in, are issued a different IP range set up for VPN only, not one from the other LAN IP addresses.
  • BlankReg
    I suspect that all you need to do is add a route into your network for the subnet allocated to the VPN users. You can do this on the fast Internet ASA, but you will also need to put it on the MPLS router and/or the other routers in your network, or distribute it via a routing protocol if you use one. This is to ensure that all locations 'know' about this subnet. The default route was effectively doing this job before, but now that you have changed it to point to the fast ASA, there is no route to the VPN users' subnet.
  • BlankReg
    Sorry, forgot to add that if you put the route on the fast ASA you will also need to add the global command same-security-traffic permit intra-interface. This allows it to route traffic back out of the same interface it received it on.
