01-04-2007 07:13 AM
Dear guys, can you give me an idea, please?
Big thanks in advance.
(Internet)-------(ASA5510)------(192.168.2.2)------LAN-------PC
                                                    |
                                                    |
                                              (192.168.2.1)
                                                    |
                                                    |
(Internet, IPsec VPN)-(172.x.x.0)-----------CheckPoint
Here's the topology: the LAN has two gateways, one for Internet web access and another for the VPN connection.
The VPN connection is configured via the Wizard on a small CheckPoint box, an IPsec VPN; one side is the LAN, the other is the WAN.
When the client PC's gateway points to the ASA5510, it can't access the VPN resources, but if the gateway is changed to the CheckPoint, it works, even though the related route (route inside 172.x.x.0 255.255.255.0 192.168.2.1) has been added on the ASA5510.
============================
ASA Version 7.0(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
nameif Inside
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 90
no ip address
!
interface Ethernet0/2
nameif Outside
security-level 0
ip address 158.146.x.x.255.255.x
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
access-list Inside_access_in extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0 inactive
access-list Inside_access_in extended permit ip 192.168.2.0 255.255.255.0 interface Outside inactive
access-list Inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
mtu Outside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 192.168.2.0 255.255.255.0
access-group Inside_access_in in interface Inside
route Inside 172.28.0.0 255.255.0.0 192.168.2.1 1
route Outside 0.0.0.0 0.0.0.0 158.146.0.43 1
timeout xlate 0:20:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx encrypted privilege 15
http server enable
http 192.168.2.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:xxx
: end
01-04-2007 10:01 AM
Hi,
Unlike a router, an ASA/PIX will discard any traffic that tries to exit the same interface it entered (for good security reasons).
Since you are using all 3 interfaces, I suggest creating VLANs on the inside interface.
One VLAN will be between the LAN and the ASA (subnet 192.168.2.x) and the other between the ASA and the CheckPoint (e.g. 192.168.3.x/30).
(Internet)-------(ASA5510)------(192.168.2.2)------LAN-------PC
                     | 192.168.3.1/30
                     |
                     |
                     |
                     | 192.168.3.2/30
(172.1.1.0)--------CheckPoint
interface Ethernet0/0.100
 nameif VPN
 security-level 95
 ip address 192.168.3.1 255.255.255.252
 vlan 100
 no shut
no route Inside 172.28.0.0 255.255.0.0 192.168.2.1
route VPN 172.28.0.0 255.255.0.0 192.168.3.2
static (Inside,VPN) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
I used static instead of NAT 0 so that the VPN remote end can initiate connections.
You need to specify the same VLAN on the CheckPoint or use a VLAN-capable switch.
Please rate if this helped.
Regards,
Daniel
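A fuller version of the VLAN design described in the answer above, added here as an illustrative example; it is not Daniel's configuration or the original poster's. It assumes the interface names from the posted config (Inside, VPN), the /30 from the diagram, that the remote side of the CheckPoint tunnel is 172.28.0.0/16 as in the posted route, and that the CheckPoint's LAN port sits in VLAN 100 on the LAN switch. The access-list name and the "permit everything from the remote site" rule are assumptions; narrow the rule to the hosts and ports the remote site actually needs.

```text
! ASA 7.0 -- tagged subinterface toward the CheckPoint (VLAN 100 on the LAN switch)
interface Ethernet0/0.100
 vlan 100
 nameif VPN
 security-level 95
 ip address 192.168.3.1 255.255.255.252
 no shutdown
!
! Route the remote VPN network out the new interface instead of back out Inside
no route Inside 172.28.0.0 255.255.0.0 192.168.2.1 1
route VPN 172.28.0.0 255.255.0.0 192.168.3.2 1
!
! Identity translation: LAN addresses are presented unchanged to the CheckPoint.
! A static (rather than nat 0) also lets the remote side open connections inbound.
static (Inside,VPN) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! Inside (level 100) -> VPN (level 95) is allowed by security level and by the
! existing Inside_access_in "permit ip any any". VPN -> Inside is not, so the
! remote site needs an explicit ACL (assumed here: any IP from 172.28.0.0/16).
access-list VPN_access_in extended permit ip 172.28.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-group VPN_access_in in interface VPN
!
! Checks after applying it
show route
show xlate
show conn
```

On the CheckPoint side this needs its LAN address set to 192.168.3.2/30, a route for 192.168.2.0/24 via 192.168.3.1, and 192.168.2.0/24 inside the tunnel's encryption domain. Because the only path between 192.168.2.0/24 and the CheckPoint is now through the ASA, both directions of every connection pass the firewall, so its stateful inspection sees the complete TCP handshake.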
01-08-2007 03:48 AM
Hi,
Just found a better solution for you:
"The same-security-traffic command permits traffic to enter and exit the same interface when you use it with the intra-interface keyword, which enables spoke-to-spoke VPN support."
Command: same-security-traffic permit intra-interface
Check http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml for more details.
Please rate if this helped.
Regards,
Daniel
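The hairpin alternative from the answer above as a complete fragment, added here as an illustrative example rather than Daniel's or the original poster's configuration. It assumes the posted ASA 7.0 config (Inside is 192.168.2.2/24, the CheckPoint is 192.168.2.1, the remote site is 172.28.0.0/16) and keeps the poster's original route. The full form of the command is shown, and the identity static is only an assumption about what is needed if nat-control has been turned on.

```text
! ASA 7.0 -- allow traffic to leave through the interface it arrived on (Inside -> Inside)
same-security-traffic permit intra-interface
!
! Keep the remote site routed back out Inside, toward the CheckPoint on the same LAN
route Inside 172.28.0.0 255.255.0.0 192.168.2.1 1
!
! Only needed if "nat-control" is enabled (it is off by default on 7.0): a hairpinned
! flow then needs a translation for the (Inside,Inside) pair, so use an identity static
static (Inside,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! Checks after applying it
show running-config same-security-traffic
show route
show conn
```

Caveat a practitioner would want before choosing this over the VLAN design: the CheckPoint is itself on 192.168.2.0/24, so it answers the PC directly, and the ASA sees only the PC-to-CheckPoint half of each connection (the PC's SYN and ACKs, never the CheckPoint's SYN-ACK). The ASA's TCP inspection expects the whole handshake and drops such one-sided flows; TCP state bypass, which relaxes that, is not available on 7.0. The typical symptom is that ping to the remote site succeeds while TCP sessions hang. Hairpinning therefore only works cleanly if the return path also crosses the ASA (for example, the CheckPoint NATs its LAN-side traffic to its own address) or if the traffic is UDP/ICMP; for a symmetric path the separate VLAN toward the CheckPoint is the more robust fix.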