topic Cisco ASA VPN routing issue in Network Security

Cisco ASA VPN routing issue

jayturish — Tue, 12 Mar 2019 02:27:05 GMT

I am having an interesting routing issue.

I have 4 ASA 5520 firewalls. The inside interface for each ASA is on 192.168.1.x/24. FW1 has .1 FW2 has.2 and so on.

FW4 is setup to provide VPN access into this 192.168.1.x/24 network.

There are many servers in this 192.168.1.x network. Server 1 has a default gw of .1 server 2 has a gw of .2 server3 has a gw of .3 and server 4 has a default gw of.4

The VPN network in FW4 is 192.168.2.x/24

The vpn works fine. I connect and can ping the server that has 192.168.1.4 FW4 as its default gateway.

THE PROBLEM:

I can't ping or see server 1,2 or 3

I can ping the servers from the command line on FW4 leading me to believe this is a routing issuse..

I have put that allow intra interface traffic command in to no avail.

Has anybody ever made this work?

Cisco ASA VPN routing issue

Marvin Rhoads — Sun, 18 Aug 2013 04:20:07 GMT

From FW4 you are pinging on same subnet. Servers know about the local address (FW4 inside address which the ping comes from) via ARP - no routing involved.

When you try to reach other than server 4 via VPN, the servers see remote traffic form a non-connected network (192.168.2.0/24) and reply via their default gateway (FW 1/2/3). Those FWs need a static route inside to FW4 for the VPN pool otherwise they will send return traffic out their default gateway (normally outside).

Try this:

route inside 192.168.2.0 255.255.255.0 192.168.1.4

on the other firewalls.

Cisco ASA VPN routing issue

Marius Gunnerud — Sun, 18 Aug 2013 08:16:15 GMT

Another option would be to configure static routes to the 192.168.2.0/24 network pointing to FW4 on the servers themselves.

Cisco ASA VPN routing issue

Marvin Rhoads — Sun, 18 Aug 2013 14:03:54 GMT

That's correct Marius - host routes are also an option.

I tend not to recommend them except as a last resort since they don't sacle as well. Many sys admins ae unfamiliar with them and they're not immediately apparent to anyone who comes along later and tries to troubleshoot.

Cisco ASA VPN routing issue

jayturish — Sun, 18 Aug 2013 16:17:25 GMT

All the other 3 firewall now have the static route.. I am still dead in the water..

Its interesting to note that my VPN client will get 192.168.2.2 every time and when I am at the cli on say FW1, I cant ping 192.168.2.2, but I can ping 192.168.1.4

When I try to ping 192.168.2.2 I get ?????

The route is in place as well.

Cisco ASA VPN routing issue

Marvin Rhoads — Sun, 18 Aug 2013 16:22:43 GMT

You cannot ping VPN clients from the firewall itself because the clients are seen as on the outside interface routing-wise and thus the fw will originate traffic to them using the outside interface address which won't work with the VPN encapsulation.

Can you share the configs from FW4 and one of the others for us to look over? You can also try a host route as Marius suggested.

Cisco ASA VPN routing issue

Marius Gunnerud — Sun, 18 Aug 2013 16:26:40 GMT

If your firewalls have only one link to the local LAN (which I am assuming they do) you would need to add a line of config to allow the ASA to send traffic out the same interface it was received on:

same-security-traffic permit intra-interface

Cisco ASA VPN routing issue

jayturish — Sun, 18 Aug 2013 16:28:37 GMT

fw1,2,3 all have this comand in place..

I think I am going to try the host route option next.