09-16-2021 10:19 AM
Dear Friends,
I am facing a problem; please help me here. I configured AnyConnect VPN on an ASA 5508-X.
The ASA inside interface IP address is 10.16.5.20/24, and there is a route "route inside 10.0.0.0 255.0.0.0 10.16.5.1"; that next hop is the SVI of VLAN 5 on the core switch.
In the ASA, I give the VPN users IP addresses 10.16.6.10 - 10.16.6.254/24. Right now end users can get an IP address and access our inside servers, but I am confused here: what is the end users' default gateway? For example, I am a VPN user and I get IP address 10.16.6.10. I want to access 10.16.80.80; where does the traffic go? Since I didn't create any VLAN for 10.16.6.0/24, how does the core switch know where to go for 10.16.6.10?
Thanks in advance.
09-16-2021 10:26 AM
The RAVPN user traffic would be tunnelled to the ASA and routed as per the ASA's routing table, so it would match "route inside 10.0.0.0 255.0.0.0 10.16.5.1" and the packets would be routed to the core switch.
You may not have an explicit route for the 10.16.6.0/24 network, but the core switch has a default route which would be the ASA, so the core switch really does not need a specific route as traffic would go to the ASA anyway.
09-16-2021 10:44 AM
Thanks a lot, I understand better, but there is an issue: right now I can't ping 10.16.5.20, the inside interface of the ASA. I can ping other IP addresses in the same subnet, like 10.16.5.10.
I mean when I log in to the VPN and get IP address 10.16.6.10.
09-16-2021 10:50 AM
@Robin.Wang2020 By default you cannot ping a far interface, so if you are behind the outside interface then you cannot ping the inside interface. The only exception to this is if you are connected to a VPN, in which case you need to configure the command "management-access <inside interface name>".
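The configuration the two answers describe, pulled together as an added example (this is not the poster's actual configuration): the ASA address pool and static route, the management-access command from the second answer, and the core switch default route that carries the return traffic. The pool name, the physical interface name and the assumption that the core switch runs IOS are mine; the addresses are the ones given in the thread.

```cisco
! ---- ASA 5508-X (added example; VPN_POOL and GigabitEthernet1/2 are assumed names) ----
! Address pool handed to AnyConnect users, matching the range in the thread
ip local pool VPN_POOL 10.16.6.10-10.16.6.254 mask 255.255.255.0
!
! Inside interface facing the core switch
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.16.5.20 255.255.255.0
!
! Static route as posted: everything in 10.0.0.0/8 (including 10.16.80.80) goes to the VLAN 5 SVI
route inside 10.0.0.0 255.0.0.0 10.16.5.1
!
! Lets VPN clients reach the inside interface itself (ping/SSH/ASDM); without it the far-interface ping fails
management-access inside
!
! Verification on the ASA
! show route | include 10.0.0.0
! show vpn-sessiondb anyconnect

! ---- Core switch (assumed Catalyst IOS, owner of the VLAN 5 SVI) ----
interface Vlan5
 ip address 10.16.5.1 255.255.255.0
!
! No route exists for 10.16.6.0/24; the default route back to the ASA carries the return traffic
ip route 0.0.0.0 0.0.0.0 10.16.5.20
!
! Verification on the core switch: a pool address should resolve to the default route
! show ip route 10.16.6.10
```

After applying this, check from a connected client with `ping 10.16.5.20`; on the ASA, `show route | include 10.0.0.0` confirms that 10.16.80.80 falls under the inside route, and on the core switch `show ip route 10.16.6.10` should return the 0.0.0.0/0 entry, since no more specific route exists for the pool.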
09-16-2021 11:30 AM
Yes, you are right.
Really appreciate it.