Two Subnets to the Internet, VPN/Servers In, Clients Out...

stownsend (Level 2)

So we have two public subnets to the Internet. I have them both terminated on the ASA 5510.

     Subnet 10.1.0.0 hosts servers and VPN endpoints.

     Subnet 10.2.0.0 is the public address space I want to use for clients inside the firewall.

So I set everything up and have

     route outside-10-2 0.0.0.0 0.0.0.0 10.2.0.1 1

     route outside-10-1 0.0.0.0 0.0.0.0 10.1.0.1 2

Set up the static translations for the servers on the 10.1.0.0 network.

Set up SSL VPN on the 10.1.0.0 network.

And all is cool.

I set up my IPsec LAN-to-LAN VPN, and when it tries to connect I get the following on the headend:

%ASA-6-110003: Routing failed to locate next hop for udp from NP Identity Ifc:10.1.0.2/62465 to outside-10-1:<remote VPN Client IP>/62465

%ASA-5-713202: IP = <remote VPN Client IP>, Duplicate first packet detected. Ignoring packet.

If I remove my

     route outside-10-2 0.0.0.0 0.0.0.0 10.2.0.1 1

the VPN works fine, though now all of the internal clients have public addresses in 10.1.0.0 and not 10.2.0.0.

Is there a way to make this work?

Thanks!

2 Replies

pagilber (accepted solution):

The ASA is only able to have one active default gateway at a time. For the IPsec LAN-to-LAN VPN you can create static routes; that way you can use one default gateway for Internet traffic and the static routes for the VPN.

I hope this helps.
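The layout pagilber describes, written out as an added example rather than anything taken from the thread's actual configuration: a single default route on outside-10-2 for client traffic, a host route on outside-10-1 for each LAN-to-LAN peer, servers still statically translated into the 10.1 block, and the L2L crypto map bound to outside-10-1. The interface names and the 10.1.0.0/24 and 10.2.0.0/24 blocks come from the thread; the inside LAN 192.168.1.0/24, the server 192.168.1.10, the peer 198.51.100.10, the remote LAN 192.168.50.0/24 and the object and map names are assumed values, and the command syntax is that of ASA 9.x (the 5510 in the thread is likely on older code, where the nat and crypto commands differ).

```cisco
! Added example, not the poster's running config. Assumed values: inside
! LAN 192.168.1.0/24, server 192.168.1.10, L2L peer 198.51.100.10,
! remote LAN 192.168.50.0/24, object and crypto map names. ASA 9.x syntax.

interface Ethernet0/0
 nameif outside-10-2
 security-level 0
 ip address 10.2.0.2 255.255.255.0
!
interface Ethernet0/1
 nameif outside-10-1
 security-level 0
 ip address 10.1.0.2 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Exactly one default route: client traffic leaves via outside-10-2.
route outside-10-2 0.0.0.0 0.0.0.0 10.2.0.1 1
!
! One host route per LAN-to-LAN peer. The ASA's own IKE/ESP packets (the
! "NP Identity Ifc" traffic in the syslog) follow the routing table, so
! without a route out outside-10-1 to the peer the reply has no usable
! next hop on that interface, which is what the 110003 message reports.
route outside-10-1 198.51.100.10 255.255.255.255 10.1.0.1 1
!
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
 ! Clients are PATed behind the outside-10-2 interface address.
 nat (inside,outside-10-2) dynamic interface
!
object network WEB_SERVER
 host 192.168.1.10
 ! Servers keep their static translations in the 10.1 block.
 nat (inside,outside-10-1) static 10.1.0.50
!
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
!
! NAT exemption for the tunnel; manual NAT is evaluated before object NAT.
nat (inside,outside-10-1) source static INSIDE_LAN INSIDE_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
access-list L2L_TRAFFIC extended permit ip object INSIDE_LAN object REMOTE_LAN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set L2L_TS esp-aes-256 esp-sha-hmac
!
! The crypto map is bound to the interface the peer route points out of.
crypto map OUTSIDE_10_1_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_10_1_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_10_1_MAP 10 set ikev1 transform-set L2L_TS
crypto map OUTSIDE_10_1_MAP interface outside-10-1
crypto ikev1 enable outside-10-1
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>
```

To check the result, `show route` should list a single 0.0.0.0/0 entry via 10.2.0.1 on outside-10-2 and the 198.51.100.10/32 entry via 10.1.0.1 on outside-10-1, and `show crypto ikev1 sa` should show the peer in MM_ACTIVE once the tunnel is up. The caveat is that this only works for peers whose address is known in advance: a peer on a dynamic address would need its whole provider range routed out outside-10-1, or the tunnel terminated on the interface that carries the default route instead.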

stownsend:

pagilber wrote:

The ASA is only able to have one active default gateway at a time. For the IPsec LAN-to-LAN VPN you can create static routes; that way you can use one default gateway for Internet traffic and the static routes for the VPN.

I hope this helps.

Unfortunately, no. My remote LANs are home offices and have DHCP-assigned addresses, so I don't know who they are. I guess it would not hurt to take the subnet that the address is in and use it as the remote LAN static route. Hmmm... I guess I'll have to terminate the LAN-to-LAN VPNs on the 10.2 subnet and just have the incoming servers have the 10.1 addresses.

Funny that the SSL VPNs work on the 10.1, just not the L2L.

Thanks!

  Scott
