02-14-2011 06:39 AM - edited 03-11-2019 12:50 PM
So we have two Public Subnets to the internet. I have them both Terminated on the ASA5510.
Subnet 10.1.0.0 Hosts Servers and VPN end Points
Subnet 10.2.0.0 Is the Public Address space I want to use for Clients inside the firewall.
So I setup everything and have a
route outside-10-2 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside-10-1 0.0.0.0 0.0.0.0 10.1.0.1 2
Setup the Static Translations for the Servers on the 10.1.0.0 network
Setup SSL VPN on the 10.1.0.0 Network
And all is cool.
I setup my IPSec Lan to Lan VPN and when it tries to Connect I get the Following on the Headend:
%ASA-6-110003: Routing failed to locate next hop for udp from NP Identity Ifc:10.1.0.2/62465 to outside-10-1:<remote VPN Client IP>/62465
%ASA-5-713202: IP = <remote VPN Client IP>, Duplicate first packet detected. Ignoring packet.
If I remove my
route outside-10-2 0.0.0.0 0.0.0.0 10.2.0.1 1
The VPN works fine, though now all of the Internal Clients have Public Addresses in 10.1.0.0 and not 10.2.0.0
Is there a way to make this work?
Thanks!
02-14-2011 11:07 AM
the ASA is only able to have one active default gateway at the same time. For the IPSEC Lan to LAN you can create static routes and that way you can use one default gateway for internet traffic and the static routes for VPN.
I hope this helps.
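As an added illustration of the answer above (example configuration, not something posted in the thread): the ASA sources its IKE/ESP packets from the outside-10-1 interface address, but with the default route pointing out outside-10-2 the next-hop lookup for the peer fails, which is what the %ASA-6-110003 message reports. Keeping a single active default route and adding host or subnet routes for the L2L peers out outside-10-1 resolves that. The interface names and the gateways 10.2.0.1 / 10.1.0.1 are taken from the original post; the peer addresses in 198.51.100.0/24 are placeholders assumed here.

```cisco
! Added example, not from the original post. 198.51.100.x addresses are
! assumed placeholders for the remote L2L peers.
!
! Exactly one active default route, used for ordinary Internet traffic
! (remove the second 0.0.0.0/0 route via outside-10-1):
route outside-10-2 0.0.0.0 0.0.0.0 10.2.0.1 1
!
! Static route for a fixed-address L2L peer, so IKE/ESP that the ASA
! sources from outside-10-1 also leaves through outside-10-1:
route outside-10-1 198.51.100.7 255.255.255.255 10.1.0.1 1
!
! For home-office peers on DHCP-assigned addresses, route the ISP block
! they are drawn from instead of a single host:
route outside-10-1 198.51.100.0 255.255.255.0 10.1.0.1 1
!
! Verify the routing table and that the IKE SA comes up:
show route
show crypto isakmp sa
```

Anything not covered by a static route still follows the single default via outside-10-2, so the inside clients keep their 10.2.0.0 translations while the tunnels terminate on 10.1.0.0.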
02-15-2011 07:00 AM
pagilber wrote:
the ASA is only able to have one active default gateway at the same time. For the IPSEC Lan to LAN you can create static routes and that way you can use one default gateway for internet traffic and the static routes for VPN.
I hope this helps.
Unfortunately, no. My Remote LANs are Home Offices and have DHCP addresses assigned to them, so I don't know who they are. I guess it would not hurt to take the Subnet that the Address is in and use it as the remote LAN static Route. Hmmm... I guess I'll have to Terminate the LAN-to-LAN VPNs on the 10.2 Subnet and just have the incoming Servers have the 10.1 Addresses.
Funny that the SSL VPNs work on the 10.1, just not the L2L.
Thanks!
Scott