Solved: Re: VPN Routing issues

Jordan Taylor · ‎01-27-2018

Hello to all,

So to start this off, I have a remote site in NY that we have a VPN connection to, and we had some DR servers setting behind this ASA, as of now this is how this location looks.

We need to move the 10.90.19.0/24 to its own site behind its own ASA(NJ).

as such ...

After doing this we noticed this sites VPN did not come up, and when pinging 10.90.19.1 traffic is being routing to the NY still. but on a traceroute behind our main asa we see 10.90.19.1 being hit all the way though to the 30th hop.

Any thoughts will be very much appritated.

I can add any addition information as needed. Thank you.

Philip D'Ath · ‎01-27-2018

1. Change the encryption domains so they are not overlapping.

2. Build a VPN between NY and NJ.

View solution in original post

Philip D'Ath · ‎01-27-2018

1. Change the encryption domains so they are not overlapping.

2. Build a VPN between NY and NJ.

Jordan Taylor · ‎01-27-2018

At the moment we are not able to change the encryption domains so they are not overlapping.

This network was made before I was in this position, I do relize this is a very bad design. We just need to correct this for the time being.

In the future we will be able to move this to it's own seprate network witch would not be overlaping with the 10.90.0.0 network.

mvsheik123 · ‎01-28-2018

Hi,

You may be able to NAT 10.90.19.0/24 to another subnet (ex: 172.16.20.0/24) on NJ ASA and then setup vpn to 172.16.20.0/24. Not the clean way but will resolve the issue for now.

hth

MS

Jordan Taylor · ‎01-28-2018

May need to look into that to see if this is something we can do as well, also I might wanna see if changing the access-list on both our MAIN ASA and our NY ASA, exclude the 10.90.19.0 from that tunnel now since we now have a tunnel for that site over on the NJ tunnel. because as of right now the tunnel from MAIN to NY is responding to all of the 10.90.0.0/16 address space.