Two Firewalls and Anyconnect VPNs - How to route?

So, we are in the process of transitioning away from a Cisco ASA to a Fortigate Firewall. However, as we test the new Fortigate Firewall, we must keep the ASA (and its associated AnyConnect clients) up and running.

Here is how things are currently connected:

Internet (5.5.5.5) --> Cisco ASA 5510 (10.1.2.10) --> Cisco 4506 (10.1.2.254) --> Rest of network

Internet (5.5.5.6) --> Fortigate 200E (10.1.2.12) --> Cisco 4506 (10.1.2.254) --> Rest of network

Generally for testing, I have been switching back and forth between the two firewalls on the Cisco 4506 using an IP route:

ip route 0.0.0.0 0.0.0.0 10.1.2.12 (or 10.1.2.10 if I want to switch back to the ASA).

I would like to leave the routing flowing through the Fortigate for our company's Internet. However, when I do this, the Cisco ASA's VPN ceases to function. The Cisco ASA's VPN address space is 172.16.205.0/24.

Is there a way that I can leave our Internet traffic flowing through the Fortigate firewall, while still allowing the Cisco ASA's AnyConnect clients to be functional? I have tried some route mapping with ACLs on the Cisco 4506, but I'm not sure if that's the correct way of doing things. Either way, the ACLs that I've been using aren't working. I would appreciate any suggestions. Thanks.


ilay
VIP
You can just write two static routes on the Cat4506:
ip route 172.16.205.0 255.255.255.0 10.1.2.10 // inside users can use this route to communicate with SSL VPN users, and vice versa.
ip route 0.0.0.0 0.0.0.0 10.1.2.12 // other traffic uses the default route to reach the Internet

Regards
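As an added illustration (not part of the question or the reply above), the following Python models the longest-prefix-match decision the Cat4506 makes with those two static routes. It shows why the single default route to the Fortigate breaks the ASA's AnyConnect clients: replies to the 172.16.205.0/24 pool are handed to the Fortigate, which has no VPN session for them, so the path is asymmetric. The route entries and the sample destination addresses are constructed from the values in the thread; the helper names are assumptions for this example.

```python
import ipaddress

# Constructed from the thread: the two static routes as the Cat4506 would hold them.
ROUTES = [
    (ipaddress.ip_network("172.16.205.0/24"), "10.1.2.10"),  # AnyConnect pool -> ASA inside
    (ipaddress.ip_network("0.0.0.0/0"), "10.1.2.12"),        # everything else -> Fortigate
]

# The broken configuration from the question: only a default route to the Fortigate.
DEFAULT_ONLY = [ROUTES[1]]

ASA_INSIDE = "10.1.2.10"
VPN_POOL = ipaddress.ip_network("172.16.205.0/24")


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns the next-hop address as a string, or None if no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path_symmetric(client_ip, routes=ROUTES):
    """True when a packet from an AnyConnect client gets its reply routed back via the ASA.

    A client in the VPN pool entered the network through the ASA; the reply must
    leave through the ASA too, or the firewall that receives it has no matching
    session and the VPN appears dead from the client's point of view.
    """
    return ipaddress.ip_address(client_ip) in VPN_POOL and next_hop(client_ip, routes) == ASA_INSIDE


def route_report(routes):
    """Summarise where replies for a few constructed destinations would be sent."""
    samples = ["172.16.205.37", "8.8.8.8", "5.5.5.5"]
    return {dst: next_hop(dst, routes) for dst in samples}


if __name__ == "__main__":
    print("default route only:", route_report(DEFAULT_ONLY))
    print("two static routes: ", route_report(ROUTES))
    print("VPN client reply symmetric (default only):", reply_path_symmetric("172.16.205.37", DEFAULT_ONLY))
    print("VPN client reply symmetric (two routes):  ", reply_path_symmetric("172.16.205.37", ROUTES))
```

With only the default route, a reply to 172.16.205.37 is sent to 10.1.2.12 and the VPN session breaks; with the /24 added, the more specific prefix wins and the reply returns through 10.1.2.10 while all other traffic still leaves via the Fortigate.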