01-05-2015 02:38 PM - edited 03-05-2019 12:29 AM
I have a Cisco ASA 5505 which is the default router (as in the diagram) and a newer router which is being used for mobile VPN exclusively. Eventually the Cisco ASA 5505 will be decommissioned and the VPN router will be the sole router, but for the time being I do not want to remove it.
The issue I'm having is communicating between the subnet used by VPN clients and LAN clients. If I set up a static route on the client PC there are no issues, i.e. VPN and LAN clients can communicate as expected. I would rather not have to set up static routes on each LAN client, so I thought the Cisco ASA 5505 could do the routing instead.
I thought a static route on the ASA as below (configured via ASDM) would work.
Interface: LAN
IP Address and netmask: VPN Subnet
Gateway IP: LAN IP 2 (IP address of VPN router on the LAN)
I thought that would be sufficient, but it seems it isn't.
I added a NAT Exemption for the VPN subnet. Still no good. It seems there are some NAT issues, but I want it to be exempt... Not a Cisco expert, so I would rather use ASDM if possible.
Thanks,
LD
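As an added illustration (not configuration from the thread or from the poster's ASA), here is the CLI equivalent of the static route and NAT exemption described above, with constructed addresses and ASA 8.3+ object-based NAT syntax assumed; the same-security-traffic line is what LAN-to-VPN traffic that enters and leaves the same ASA interface also requires.

```cisco
! Constructed addressing (not from the thread):
!   LAN            192.168.1.0/24  on ASA interface "inside" (the poster's "LAN")
!   VPN router LAN 192.168.1.2     (the poster's "LAN IP 2")
!   VPN clients    10.10.10.0/24   (the poster's "VPN Subnet")
! ASA 8.3+ object NAT syntax is assumed.

! Let a packet enter and leave the same interface (LAN host -> ASA -> VPN router).
! Without this the ASA drops hairpinned traffic even when the route is correct.
same-security-traffic permit intra-interface

! The static route the poster built in ASDM: VPN subnet reachable via the VPN router.
route inside 10.10.10.0 255.255.255.0 192.168.1.2 1

object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_NET
 subnet 10.10.10.0 255.255.255.0

! NAT exemption (identity NAT) for LAN <-> VPN subnet in both directions.
! route-lookup makes the ASA forward by its routing table instead of the rule's
! interface pair; no-proxy-arp stops the ASA answering ARP for the VPN subnet on LAN.
nat (inside,inside) source static LAN_NET LAN_NET destination static VPN_NET VPN_NET no-proxy-arp route-lookup

! Optional: replies from VPN clients return through the VPN router straight to the
! LAN host, so the ASA sees only one direction of each TCP flow. Relax TCP state
! checking for just this traffic rather than weakening inspection globally.
access-list VPN_ASYM extended permit tcp 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
class-map VPN_ASYM_CLASS
 match access-list VPN_ASYM
policy-map global_policy
 class VPN_ASYM_CLASS
  set connection advanced-options tcp-state-bypass
service-policy global_policy global
```

After applying, `packet-tracer input inside tcp 192.168.1.50 12345 10.10.10.5 443` on the ASA shows which phase (route lookup, NAT, or the intra-interface check) a packet would still fail on.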
01-05-2015 03:07 PM
Just before I even look any further, I just thought I'd mention this: make sure you are not using the "log" keyword on your access-lists used for filtering NAT traffic - NAT doesn't like that and your ACLs won't work.
Furthermore, check your ACL counters - make sure they are being matched; once you start NAT-ing, your routing will also have to be adjusted accordingly.
For some reference on this, check my blog here:
http://blogbt.net/index.php/2014/01/nat-wont-work/
Let me know if this helps; if not, we'll look further into it.