Beginner

VPN Routing issues

Hello to all,

So to start this off, I have a remote site in NY that we have a VPN connection to, and we had some DR servers sitting behind this ASA. As of now, this is how this location looks.

2018-01-27_19-10-45.jpg

We need to move the 10.90.19.0/24 to its own site behind its own ASA (NJ).

As such ...

2018-01-27_19-11-02.jpg

After doing this we noticed this site's VPN did not come up, and when pinging 10.90.19.1, traffic is still being routed to NY. But on a traceroute from behind our main ASA we see 10.90.19.1 being hit all the way through to the 30th hop.

Any thoughts will be very much appreciated.

I can add any additional information as needed. Thank you.

Accepted Solutions
VIP Advisor

Re: VPN Routing issues

1. Change the encryption domains so they are not overlapping.

2. Build a VPN between NY and NJ.

Beginner

Re: VPN Routing issues

At the moment we are not able to change the encryption domains so they are not overlapping.

This network was made before I was in this position. I do realize this is a very bad design. We just need to correct this for the time being.

In the future we will be able to move this to its own separate network, which would not be overlapping with the 10.90.0.0 network.

Rising star

Re: VPN Routing issues

Hi,

You may be able to NAT 10.90.19.0/24 to another subnet (ex: 172.16.20.0/24) on the NJ ASA and then set up the VPN to 172.16.20.0/24. Not the clean way, but it will resolve the issue for now.

hth

MS

Beginner

Re: VPN Routing issues

May need to look into that to see if this is something we can do as well. Also, I might want to see about changing the access-list on both our MAIN ASA and our NY ASA to exclude the 10.90.19.0 from that tunnel now, since we now have a tunnel for that site over on the NJ tunnel, because as of right now the tunnel from MAIN to NY is responding to all of the 10.90.0.0/16 address space.
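The overlap discussed in this thread, as an added example that is not part of any post: a Python check that finds overlapping encryption domains and computes the prefixes the MAIN-to-NY domain would need in order to cover 10.90.0.0/16 without 10.90.19.0/24. The tunnel names and the `TUNNELS` table are assumptions constructed from the addresses given above.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread: MAIN<->NY still claims the whole /16,
# while the new MAIN<->NJ tunnel claims the /24 that was moved.
TUNNELS = {
    "MAIN-NY": ["10.90.0.0/16"],
    "MAIN-NJ": ["10.90.19.0/24"],
}


def find_overlaps(tunnels):
    """Return (tunnel_a, net_a, tunnel_b, net_b) for each overlapping pair."""
    parsed = {name: [ipaddress.ip_network(n) for n in nets]
              for name, nets in tunnels.items()}
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    hits.append((a, str(na), b, str(nb)))
    return hits


def claimants(tunnels, address):
    """Names of all tunnels whose encryption domain contains the address."""
    ip = ipaddress.ip_address(address)
    return [name for name, nets in tunnels.items()
            if any(ip in ipaddress.ip_network(n) for n in nets)]


def carve_out(broad, moved):
    """Sorted prefixes that cover `broad` with `moved` removed."""
    broad = ipaddress.ip_network(broad)
    moved = ipaddress.ip_network(moved)
    if not broad.overlaps(moved):
        return [str(broad)]          # nothing to remove
    if broad.subnet_of(moved):
        return []                    # `moved` swallows the whole domain
    return [str(n) for n in sorted(broad.address_exclude(moved))]


if __name__ == "__main__":
    for hit in find_overlaps(TUNNELS):
        print("overlap:", hit)
    print("10.90.19.1 is claimed by:", claimants(TUNNELS, "10.90.19.1"))
    print("MAIN-NY domain without the moved /24:")
    for prefix in carve_out("10.90.0.0/16", "10.90.19.0/24"):
        print("  ", prefix)
```

The eight prefixes it prints cover every address in 10.90.0.0/16 except the moved /24, which is what the MAIN-to-NY access-list on both ends would have to describe for the two tunnels to stop overlapping.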