1552 Views, 0 Helpful, 5 Replies

Routing between 2 VLANs ASA 5505 with site-to-site VPN already configured

digichipnyc
Level 1

I inherited an ASA 5505 which is already connecting to the Internet. There is also a site-to-site VPN up and running between me and another ASA 5505 in the UK.

I need to connect my current inside network to another internal network on a different subnet. I've tried different suggestions that I've come across in the forums but none have worked. I may very well be doing something wrong, but I have to wonder if the site-to-site VPN is somehow making my configuration requirements more complex than if it wasn't configured?

My OUTSIDE interface connects to a cable modem.

My INSIDE interface connects to a network of 192.168.2.0/24

My IPC_PHONE interface connects to a network of 192.168.4.0/27

I have a Security Plus license.

All I really need is to hit one specific machine ( 192.168.4.8 ) on the IPC_PHONE network from my INSIDE network.

My understanding is that I need NAT rules but nothing I've tried seems to work.

I'm new at this and use ASDM for config although the CLI would be fine if I needed to use that.

I'm attaching the current router config - there are entries I know I no longer need that were prior to configuring the local VPN access I just haven't removed them yet. I don't think they should affect my problem though.

I have tried over and over with advice from these forums and can't seem to make any headway.

Can anyone point me in the right direction?

Thank You

Chip Pursell

Accepted Solution

Laura Zamora
Level 1

Hello Chip,

Could you run a packet tracer on the command line in the following way:

packet-tracer input inside tcp 192.168.2.25 2525 192.168.4.8 80

Go ahead and change the source IP to an actual host on the 192.168.2.0 network.

Create the object networks for both IP addresses; you can use either the IP or a name:

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network 192.168.4.8

host 192.168.4.8

You can try the following NAT (the source object must be the one created above):

nat (inside,IPC_PHONE) source dynamic obj-192.168.2.0 interface destination static 192.168.4.8 192.168.4.8

This way you make sure it only applies when going to this destination and won't affect the VPN traffic, if you are concerned about that.

If this works, you can do it for one computer, a group of IPs, or the whole subnet.

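The accepted answer above, written out as a complete ASA configuration fragment. This is an added example, not Laura's or Chip's config: the object names (obj-inside-lan, obj-ipc-host), the ACL name INSIDE_IN and the source host 192.168.2.25 are assumptions, and it assumes 8.3+ NAT syntax, that IPC_PHONE carries a lower security level than inside (so inside-initiated flows need no access-list), and that 192.168.4.0/27 is directly connected to the IPC_PHONE interface.

```cisco
! Added example (not the thread's own config). Object and ACL names are assumptions.
! Assumes: inside = 192.168.2.0/24 at security-level 100,
!          IPC_PHONE = 192.168.4.0/27 at a lower security level, directly connected.

object network obj-inside-lan
 subnet 192.168.2.0 255.255.255.0
object network obj-ipc-host
 host 192.168.4.8

! Twice NAT: PAT inside hosts to the IPC_PHONE interface address, but only when the
! destination is the single phone-system host. Flows to any other destination,
! including the site-to-site VPN networks, do not match this rule at all.
nat (inside,IPC_PHONE) source dynamic obj-inside-lan interface destination static obj-ipc-host obj-ipc-host

! Alternative if the phone system should see the real 192.168.2.x addresses:
! identity NAT (no translation) for the same source/destination pair.
! nat (inside,IPC_PHONE) source static obj-inside-lan obj-inside-lan destination static obj-ipc-host obj-ipc-host

! Only needed if IPC_PHONE has the same or a higher security level than inside.
! Note that an inbound ACL on inside replaces the default "permit outbound",
! so it must also permit the Internet and VPN flows that work today.
! same-security-traffic permit inter-interface
! access-list INSIDE_IN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.4.8
! access-group INSIDE_IN in interface inside

! Verification: packet-tracer shows which NAT rule matched and the final action.
packet-tracer input inside tcp 192.168.2.25 2525 192.168.4.8 80
show nat detail
show xlate
```

Restricting the rule to a single destination object, as the answer suggests, is what keeps the VPN untouched: the NAT exemption rules for the tunnel (source static ... destination static ...) continue to match tunnel traffic first, and this rule only ever sees packets for 192.168.4.8.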

5 Replies


That was it! You F-in rock. I can't even begin to tell you how happy this makes me.

If you're ever in NYC I owe you a beer ( at least ).

Thanks again

hyperdrive
Level 1

Hi All.
I have a site to site vpn between 1x asa 5506 (HQ) & 1x asa 5505 (remote). I cannot test the config until remote f/w is deployed on site (remote).

Setup HQ
x.x.x.x - outside
10.221.31.0 - inside
10.221.2.0 - Server group 1
10.221.4.0 - Server group 2
10.221.6.0 - Server group 3
route 0.0.0.0 0.0.0.0 x.x.x.x outside
VPN Tunnel configured

My HQ question: do I need to create VLANs for the .2.0 - .4.0 - .6.0 servers and route the VLANs to the 10.221.31.1 inside gateway address for the remote site to reach them?

Remote Site
x.x.x.x - outside
192.168.33.0 - inside
192.168.33.50-200 dhcp pool configured working assigns dhcp + dns
route - 0.0.0.0 0.0.0.0 x.x.x.x outside
route - 192.168.33.0 255.255.255.0 192.168.33.1 inside - route already there message when trying to add manually, but can't see it in routing table.
VPN Tunnel configured

My REMOTE question: do I need to set up any additional routing/access lists/NAT on the HQ f/w to reach the HQ servers from the REMOTE site?

Many Thanks in advance.

This is my first post and new to Cisco.

If you are PATing Internet traffic on the ASA, you need to configure twice NAT to exclude LAN-to-LAN traffic from PATing.
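The twice-NAT exemption the reply above refers to, written out for the addressing hyperdrive posted. This is an added example, not the replier's or hyperdrive's config: the object and ACL names, the rule position, the sample hosts in the packet-tracer line and the <L3-SWITCH-IP> next hop are assumptions; it assumes 8.3+ NAT syntax on both ASAs, an existing interface PAT for Internet access, and an existing crypto map whose match address is the ACL named here.

```cisco
! Added example (not from the thread). Object/ACL names and the next hop are assumptions.

! ----- HQ (ASA 5506) -----
object network obj-hq-inside
 subnet 10.221.31.0 255.255.255.0
object network obj-hq-srv1
 subnet 10.221.2.0 255.255.255.0
object network obj-hq-srv2
 subnet 10.221.4.0 255.255.255.0
object network obj-hq-srv3
 subnet 10.221.6.0 255.255.255.0
object-group network HQ-LANS
 network-object object obj-hq-inside
 network-object object obj-hq-srv1
 network-object object obj-hq-srv2
 network-object object obj-hq-srv3
object network obj-remote-lan
 subnet 192.168.33.0 255.255.255.0

! Twice NAT exemption: identity-translate LAN-to-LAN traffic so it is never caught
! by the interface PAT. Position 1 puts it ahead of any other manual NAT rule.
nat (inside,outside) 1 source static HQ-LANS HQ-LANS destination static obj-remote-lan obj-remote-lan no-proxy-arp route-lookup

! The ASA must have a route to every server subnet it is expected to forward to.
! If .2.0/.4.0/.6.0 sit behind a router or L3 switch on the inside, add statics
! (placeholder next hop); subnets directly on an ASA VLAN interface need none.
! route inside 10.221.2.0 255.255.255.0 <L3-SWITCH-IP>
! route inside 10.221.4.0 255.255.255.0 <L3-SWITCH-IP>
! route inside 10.221.6.0 255.255.255.0 <L3-SWITCH-IP>

! Interesting-traffic ACL for the tunnel: must list every HQ subnet the remote
! site should reach, and it must mirror the remote side exactly.
access-list VPN-TO-REMOTE extended permit ip object-group HQ-LANS 192.168.33.0 255.255.255.0

! ----- Remote (ASA 5505) ----- mirror image of the HQ rules
object network obj-remote-lan
 subnet 192.168.33.0 255.255.255.0
object-group network HQ-LANS
 network-object 10.221.31.0 255.255.255.0
 network-object 10.221.2.0 255.255.255.0
 network-object 10.221.4.0 255.255.255.0
 network-object 10.221.6.0 255.255.255.0
nat (inside,outside) 1 source static obj-remote-lan obj-remote-lan destination static HQ-LANS HQ-LANS no-proxy-arp route-lookup
access-list VPN-TO-HQ extended permit ip 192.168.33.0 255.255.255.0 object-group HQ-LANS

! Verify on HQ before the remote unit ships: the trace should hit the identity NAT
! rule (not the PAT) and end in the VPN encrypt phase.
packet-tracer input inside tcp 10.221.2.10 1234 192.168.33.60 445
```

Two points this makes visible that the one-line reply does not: the exemption must cover the server subnets and not just 10.221.31.0/24, and a subnet the ASA has no route for is unreachable from the tunnel no matter how the NAT and crypto ACL are written.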

Hi and thanks for your reply.  

No PATing in VPN.

HQ question.

Are the server ranges 10.221.2.0, .4.0 and .6.0 able to communicate with the 10.221.31.0 network without adding a static route, or should I use EIGRP to update routes dynamically?

physical connectivity:

layer 2 switch

asa 5506 f/w

Thanks.