Routing\Default Gateway issue

Ryan Thompson
Level 1

On my local network I currently have 2 ASAs.  We are switching ISPs, so we currently have both of them hooked up.  One internet connection is connected to an ASA 5510.  Our new internet connection is connected to an ASA 5508.  We have 20+ remote offices that connect to our corporate office via VPN.

What I want to be able to do is leave both ASAs connected and be able to slowly move our remote offices over to the 5508 and the new internet connection.

Currently if I configure a remote location to use the VPN through the 5508 I can't see any devices that use the 5510 as a gateway.

At our remote offices that are connected to the VPN through the 5510 they can't see any devices that use the 5508 as a gateway.

Any ideas on how to configure the ASA's so I can take my time with this migration?

Thanks!

9 Replies

Philip D'Ath
VIP Alumni

You really need something internally that can do layer 3 routing.  Do you have anything like this?

We do not.  Just a layer 2 switch and the two ASAs.

A Cisco 2960-X switch by chance?  What kind of layer 2 switch?

It's an HP V1905 Switch.

Hi Ryan

I would suggest you check the routing table on both the 5510 and 5508 ASAs.

If remote offices gatewayed to the 5508 can't see the LAN behind the 5510, does the 5508 know it should route the traffic to the 5510?

Assuming that routes are in place, have you allowed the connection in your security rules from the remote offices to the 5510's LAN on both ASAs?

Hafidz

Philip D'Ath
VIP Alumni

What sort of devices are at the remote branches?

I would like to start by clarifying some things that are not clear to me. Am I correct in assuming that these remote offices are connected using site-to-site VPN (rather than remote-access VPN)? And if it is site-to-site VPN, am I correct in assuming that when you configure a remote site to connect using the new 5508 you have removed all references to that site on the 5510?

If those assumptions are correct, then it seems to me that the solution would be, as you configure a remote site to connect using the new 5508, to configure a static route on the 5510 for the remote LAN subnet with the next hop being the inside address of the 5508. You will also need to allow same-security-level intra-interface traffic.

HTH

Rick


Rick - Here is what I've done.  From a PC in a remote office connected via VPN I can ping both the 5508 and the 5510.  I can now ping the PC in the remote office from the 5510.  But any PC or server in our main office that uses the 5510 for the gateway cannot ping the remote PC.  Am I still missing something?

Thanks!

Ryan

It might be an issue with traffic needing to hairpin. Have you got the statement to permit same-security-level intra-interface traffic?

Other than this suggestion I am not clear what you have got. Can you supply some details about how these VPNs are configured?

HTH

Rick

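For readers following the thread, here is what the static-route-plus-hairpin setup Rick describes in his two replies looks like on the ASA CLI. This is an added example written for this page, not configuration posted by anyone in the thread, and the addresses are assumed: main-office LAN 192.168.1.0/24, 5510 inside 192.168.1.1, 5508 inside 192.168.1.2, one migrated branch LAN 10.20.0.0/24, and a host 192.168.1.50 that still uses the 5510 as its gateway. Object and ACL names are placeholders; `<branch public IP>` is left for you to fill in. Lines starting with `!` are comments.

```cisco
! ===== ASA 5510 (old ISP; still the default gateway for most LAN hosts) =====

! 1. A LAN host sends packets for the migrated branch to the 5510. The 5510 has to
!    send them back out the same "inside" interface toward the 5508, which the ASA
!    refuses by default. Permit same-security intra-interface (hairpin) traffic.
same-security-traffic permit intra-interface

! 2. One static route per branch that has been moved to the 5508. The next hop is the
!    5508's inside address, not the old tunnel. Add the next route as you migrate the
!    next office; remove the branch from the 5510's crypto map / crypto ACL first.
route inside 10.20.0.0 255.255.255.0 192.168.1.2 1

! 3. Verify. The route should show as "S" (static) via 192.168.1.2, and packet-tracer
!    should end with "Action: allow"; a drop at the ROUTE-LOOKUP phase means the route
!    is missing, a drop with "same-security" in the reason means step 1 is missing.
show route 10.20.0.0
packet-tracer input inside icmp 192.168.1.50 8 0 10.20.0.10

! 4. Optional, for TCP. Replies from the migrated branch come back via the 5508 straight
!    to the LAN host, so the 5510 only ever sees the outbound half of each hairpinned
!    TCP flow. Ping is not affected, but TCP state tracking can drop such flows, so
!    bypass it for exactly this traffic (assumed ACL/class names).
access-list HAIRPIN-TO-5508 extended permit tcp 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0
class-map HAIRPIN-CLASS
 match access-list HAIRPIN-TO-5508
policy-map global_policy
 class HAIRPIN-CLASS
  set connection advanced-options tcp-state-bypass

! ===== ASA 5508 (new ISP; terminates the migrated branch's VPN) =====

! The tunnel on the 5508 must treat the whole main-office LAN as interesting traffic and
! exempt it from NAT, otherwise the 5508 has a route back but no tunnel to send it into.
object network MAIN-LAN
 subnet 192.168.1.0 255.255.255.0
object network BRANCH20-LAN
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static MAIN-LAN MAIN-LAN destination static BRANCH20-LAN BRANCH20-LAN no-proxy-arp route-lookup
access-list L2L-BRANCH20 extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0

! Verify the tunnel is up and both directions are counting packets.
show crypto ipsec sa peer <branch public IP>
```

Two points to keep in mind while testing: the 5508 needs no return route for the main-office LAN because it is directly connected, and the inbound VPN traffic is allowed past the 5508's interface ACL by the default `sysopt connection permit-vpn`; if that has been disabled, the outside ACL must also permit the branch subnet to the LAN, which is the second check Hafidz raised.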