
Cisco ASA VPN routing issue

jayturish
Level 1

I am having an interesting routing issue.

I have 4 ASA 5520 firewalls. The inside interface for each ASA is on 192.168.1.x/24. FW1 has .1, FW2 has .2, and so on.

FW4 is setup to provide VPN access into this 192.168.1.x/24 network.

There are many servers in this 192.168.1.x network. Server 1 has a default gw of .1, server 2 has a gw of .2, server 3 has a gw of .3, and server 4 has a default gw of .4.

The VPN network in FW4 is 192.168.2.x/24

The VPN works fine. I connect and can ping the server that has 192.168.1.4 (FW4) as its default gateway.

THE PROBLEM:

I can't ping or see server 1, 2 or 3.

I can ping the servers from the command line on FW4, leading me to believe this is a routing issue.

I have put that "allow intra-interface traffic" command in, to no avail.

Has anybody ever made this work?

7 Replies

Marvin Rhoads
Hall of Fame

From FW4 you are pinging on the same subnet. The servers know about the local address (FW4's inside address, which the ping comes from) via ARP; no routing is involved.

When you try to reach anything other than server 4 via VPN, the servers see remote traffic from a non-connected network (192.168.2.0/24) and reply via their default gateway (FW1/2/3). Those FWs need a static route on the inside to FW4 for the VPN pool; otherwise they will send the return traffic out their default gateway (normally outside).

Try this:

     route inside 192.168.2.0 255.255.255.0 192.168.1.4

on the other firewalls.

Another option would be to configure static routes to the 192.168.2.0/24 network pointing to FW4 on the servers themselves.

--
Please remember to select a correct answer and rate helpful posts
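The asymmetric return path described in the reply above, worked through as an added example (not code from the thread): each box is modelled as a tiny router doing longest-prefix match, and a reply from a server whose default gateway is FW1 is traced toward the VPN client 192.168.2.2, first with FW1's original table and then after the suggested `route inside 192.168.2.0 255.255.255.0 192.168.1.4` is parsed and installed. The server's address, FW1's outside interface and its upstream next hop are assumptions; the ASA's VPN pool is simplified to a route that delivers straight into the tunnel.

```python
"""Return-path simulation for the VPN routing problem in this thread.

Added example, not code from the original post. Addresses marked
'assumed' do not appear in the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

VPN_CLIENT = "192.168.2.2"      # address the poster's client always receives
SERVER1 = "192.168.1.10"        # assumed address of a server using FW1 as gateway
ASA_ROUTE = "route inside 192.168.2.0 255.255.255.0 192.168.1.4"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: str | None = None  # None: directly connected / delivered locally


@dataclass
class Node:
    name: str
    firewall: bool = False       # only firewalls are checked for hairpinning
    routes: list[Route] = field(default_factory=list)

    def connected(self, iface: str, addr_with_mask: str) -> None:
        self.routes.append(Route(ipaddress.IPv4Interface(addr_with_mask).network, iface))

    def static(self, cidr: str, iface: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.IPv4Network(cidr), iface, next_hop))

    def add_asa_route(self, line: str) -> None:
        # ASA syntax used in the thread: route <iface> <network> <mask> <gateway>
        _, iface, net, mask, gw = line.split()
        self.static(f"{net}/{mask}", iface, gw)

    def lookup(self, dst: str) -> Route | None:
        """Longest-prefix match; None when no route covers dst."""
        addr = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


# Which node owns which LAN address, so a next hop can be followed.
BY_ADDR = {SERVER1: "server1", "192.168.1.1": "FW1", "192.168.1.4": "FW4"}


def build(fw1_has_vpn_route: bool) -> dict[str, Node]:
    server1 = Node("server1")
    server1.connected("eth0", f"{SERVER1}/24")
    server1.static("0.0.0.0/0", "eth0", "192.168.1.1")      # default gw = FW1

    fw1 = Node("FW1", firewall=True)
    fw1.connected("inside", "192.168.1.1/24")
    fw1.connected("outside", "203.0.113.1/24")              # assumed
    fw1.static("0.0.0.0/0", "outside", "203.0.113.254")     # assumed upstream
    if fw1_has_vpn_route:
        fw1.add_asa_route(ASA_ROUTE)                        # the thread's fix

    fw4 = Node("FW4", firewall=True)
    fw4.connected("inside", "192.168.1.4/24")
    # VPN pool, simplified: delivered straight into the tunnel.
    fw4.routes.append(Route(ipaddress.IPv4Network("192.168.2.0/24"), "tunnel"))
    return {"server1": server1, "FW1": fw1, "FW4": fw4}


def trace(nodes: dict[str, Node], src: str, dst: str) -> list[tuple[str, str, bool]]:
    """Follow dst hop by hop starting at the node that owns src.

    Each hop is (node, egress interface, hairpin). hairpin is True when a
    firewall sends the packet back out the interface it arrived on, which on
    an ASA requires 'same-security-traffic permit intra-interface'.
    """
    path: list[tuple[str, str, bool]] = []
    cur = BY_ADDR[src]
    for _ in range(8):                                      # loop guard
        node = nodes[cur]
        route = node.lookup(dst)
        if route is None:
            break                                           # no route: dropped
        ingress = node.lookup(src)                          # iface facing the sender
        hairpin = node.firewall and ingress is not None and ingress.iface == route.iface
        path.append((cur, route.iface, hairpin))
        if route.next_hop is None or route.next_hop not in BY_ADDR:
            break                                           # delivered, or left the LAN
        cur = BY_ADDR[route.next_hop]
    return path


def reply_exit(fw1_has_vpn_route: bool) -> tuple[str, str]:
    """Where the server's reply to the VPN client ends up: (node, interface)."""
    node, iface, _ = trace(build(fw1_has_vpn_route), SERVER1, VPN_CLIENT)[-1]
    return node, iface


if __name__ == "__main__":
    for flag in (False, True):
        print("with" if flag else "without", "the VPN route on FW1:")
        for hop in trace(build(flag), SERVER1, VPN_CLIENT):
            print("   ", hop)
```

Without the route, the reply leaves FW1 via its outside interface and never reaches FW4; with it, FW1 forwards back out its inside interface to FW4 (a hairpin, so the intra-interface permit must already be in place) and the reply enters the tunnel.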

That's correct Marius - host routes are also an option.

I tend not to recommend them except as a last resort since they don't scale as well. Many sysadmins are unfamiliar with them, and they're not immediately apparent to anyone who comes along later and tries to troubleshoot.

All the other 3 firewalls now have the static route. I am still dead in the water.

It's interesting to note that my VPN client will get 192.168.2.2 every time, and when I am at the CLI on, say, FW1, I can't ping 192.168.2.2, but I can ping 192.168.1.4.

When I try to ping 192.168.2.2 I get "?????".

The route is in place as well.

You cannot ping VPN clients from the firewall itself because the clients are seen, routing-wise, as being on the outside interface, and thus the FW will originate traffic to them using the outside interface address, which won't work with the VPN encapsulation.

Can you share the configs from FW4 and one of the others for us to look over? You can also try a host route as Marius suggested.

If your firewalls have only one link to the local LAN (which I am assuming they do), you would need to add a line of config to allow the ASA to send traffic out the same interface it was received on:

same-security-traffic permit intra-interface

--
Please remember to select a correct answer and rate helpful posts

FW1, 2 and 3 all have this command in place.

I think I am going to try the host route option next.
