We have an ASA 5540. Here are the route statements. The inside interface is 18.104.22.168. If I have a server on subnet 66.102.150 and this subnet is not in the route statements, when a user logs in to the VPN client, will he be able to get to the server 22.214.171.124? What would the default route be when I do not have a static route statement?
route Outside 0.0.0.0 0.0.0.0 126.96.36.199 1
route Inside 188.8.131.52 255.255.255.0 184.108.40.206 1
route Inside 220.127.116.11 255.255.255.255 18.104.22.168 1
route Inside 22.214.171.124 255.255.255.255 126.96.36.199 1
route Inside 188.8.131.52 255.255.255.255 184.108.40.206 1
route Inside 220.127.116.11 255.255.255.255 18.104.22.168 1
route Inside 22.214.171.124 255.255.255.0 126.96.36.199 1
route Inside 188.8.131.52 255.255.255.0 184.108.40.206 1
route Inside 220.127.116.11 255.255.255.0 18.104.22.168 1
route Inside 22.214.171.124 255.255.255.0 126.96.36.199 1
route Inside 188.8.131.52 255.255.255.0 184.108.40.206 1
route Inside 220.127.116.11 255.255.255.0 18.104.22.168 1
route Inside 22.214.171.124 255.255.255.0 126.96.36.199 1
Laura, if the 66.102.150.x/? network is somewhere in your inside network being routed by another gateway, the FW will not know how to get to it, so even if you allow this network in your VPN ACL, VPN users will not get to it. It is just like your other route statements: how is the 188.8.131.52/24 network reachable? It is reachable via the 184.108.40.206 gateway on your inside. Same thing for 66.102.150: if it is in your inside network, you need to tell the FW how to get to it, and the other way around, whichever gateway knows about the 66.102.150 net needs a route to get back to the FW.
If the 66.102.150.x/? network is somewhere on the internet outside of your realm, the FW sends the traffic using your default route via the FW outside interface.
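To make the lookup behaviour described above concrete, here is an added example (not from the original thread or from Cisco) that parses static routes written in the ASA "route <iface> <net> <mask> <gw> <metric>" format and performs a longest-prefix match for a destination. The route lines and addresses below are constructed (documentation ranges), not the poster's real routes; the third lookup shows a destination with no specific route falling through to the 0.0.0.0/0 route on Outside, which is exactly what happens to an unrouted inside subnet.

```python
import ipaddress

# Constructed sample routes in the ASA "route" syntax (not the poster's real table).
ASA_ROUTES = """\
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route Inside 192.0.2.0 255.255.255.0 10.1.1.2 1
route Inside 192.0.2.10 255.255.255.255 10.1.1.3 1
"""


def parse_routes(text):
    """Turn 'route <iface> <net> <mask> <gw> <metric>' lines into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "route":
            continue  # ignore anything that is not a static route line
        _, iface, net, mask, gw, metric = parts
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((prefix, iface, gw, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; lower metric wins a tie; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw, metric in routes:
        if addr in prefix:
            if best is None or (prefix.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
                best = (prefix, iface, gw, metric)
    return best


def next_hop(text, dst):
    """Return (interface, gateway, matched prefix) the firewall would use for dst."""
    r = lookup(parse_routes(text), dst)
    return None if r is None else (r[1], r[2], str(r[0]))


if __name__ == "__main__":
    # Host route, subnet route, and a destination that only the default route covers.
    for dst in ("192.0.2.10", "192.0.2.77", "198.51.100.5"):
        print(dst, "->", next_hop(ASA_ROUTES, dst))
```

Running "show route" on the real firewall is the authoritative check; this script only illustrates why a subnet missing from that output is sent out the default route.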
Thanks for your prompt response and information. The 220.127.116.11 is my inside network. The 18.104.22.168/24 is my inside network also. The network 22.214.171.124 is reachable through gateway 126.96.36.199.
Even though I do not have a route statement for subnet 188.8.131.52, I can get to the server on 184.108.40.206 through the VPN client. So, I guess it is not necessary to put in the route statement? I always assumed that you have to have a route statement for each subnet inside your network so that users can get to those subnets when they VPN in. How do I know when to put in a route statement? Can I just not put anything in until someone complains, and then put in the route statement? Thanks.
Hi Laura, are you sure you don't have a route for that network or host in the FW? Perhaps a 220.127.116.11/16 statement that covers the 150 net. You can see the output of all routes from the FW by issuing "show route" or "show run | inc route", and you can always confirm host reachability by pinging the host from the firewall itself.
Sorry for the late reply. I tried both "show route" and "show run | inc route" and do not see a route statement for the 66.102.150 network. I can ping a server 18.104.22.168 from the firewall. Do you have any other suggestions? Thanks.