06-26-2018 08:28 AM - edited 03-12-2019 05:24 AM
dear all,
Can anyone help me solve this issue? We have an IPsec site-to-site VPN set up between our Cisco ASA 5510 and the client's VPN device:
192.168.155.0/24 and 192.168.217.0/24, and a 2nd network 192.168.218.0/24
This is fine; however, the client's 2nd network, 192.168.218.0/24, is on the same network range as one of our other inside interfaces, and the traffic is going to the other inside interface instead of down the VPN tunnel.
Is there a static route I can add to push the traffic down the VPN tunnel and not towards my other inside interface?
Unfortunately, manually changing either IP range is not an option.
The Cisco ASA version is 9.1(7)13 with ASDM 7.7(1).
Thanks in advance,
Steve.
06-26-2018 08:49 AM
My friend Pete Long just recently posted a blog covering this sort of situation.
I recommend you have a look at it and see if it answers your question:
06-27-2018 01:14 AM
Hi Marvin,
Thanks for the reply, but what I forgot to mention is that I don't have control of the other side of the VPN! So, unfortunately, I cannot use the method in the blog.
Do you know if a static route can be created to send traffic to the VPN instead of to the other inside interface?
Thanks again,
Steve.
06-27-2018 01:35 AM
You will need to apply NAT to hide those overlapping subnets. So in your case the 192.168.218.0/24 subnet needs to be NATed from a unique subnet (it really can be anything you choose in the private space, for instance 172.16.20.0/24). So once traffic for 172.16.20.0/24 hits your firewall, you NAT it to 192.168.218.0/24 and send it down the VPN tunnel. Namaste
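A worked ASA configuration for the NAT approach described in the reply above. This is an added example, not configuration posted by anyone in this thread. It assumes the object and ACL names shown (LOCAL-LAN, REMOTE-REAL, REMOTE-MAPPED, VPN-CLIENT), interfaces named inside and outside, 192.168.155.0/24 as the local LAN from the original post, and 172.16.20.0/24 as the mapped range suggested in the reply; the syntax is the post-8.3 object NAT that ASA 9.1 uses.

```cisco
! Added example, not from the thread. Assumed names: LOCAL-LAN, REMOTE-REAL,
! REMOTE-MAPPED, VPN-CLIENT, and interfaces "inside" / "outside".
!
! Local users address the client's overlapping subnet as 172.16.20.0/24.
! The ASA rewrites that to the real 192.168.218.0/24 on the way into the
! tunnel, so the remote peer sees exactly the subnets it already expects
! and needs no change.

object network LOCAL-LAN
 subnet 192.168.155.0 255.255.255.0
object network REMOTE-REAL
 subnet 192.168.218.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 172.16.20.0 255.255.255.0

! Manual (twice) NAT: our source stays as-is, only the destination is
! translated. Note the order for "destination static" is MAPPED then REAL.
! Static rules are bidirectional: return traffic sourced from 192.168.218.x
! arriving over the tunnel is presented to inside hosts as 172.16.20.x.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-MAPPED REMOTE-REAL

! The crypto ACL keeps matching the REAL remote subnet: NAT is applied before
! the crypto-map match on the outbound path, so post-NAT addresses are what
! get compared. 172.16.20.0/24 never appears in the ACL or on the peer.
access-list VPN-CLIENT extended permit ip 192.168.155.0 255.255.255.0 192.168.218.0 255.255.255.0

! Verification from enable mode (assumed host addresses):
! packet-tracer input inside tcp 192.168.155.10 12345 172.16.20.10 445
! show nat detail
```

In the packet-tracer output, check that the NAT phase rewrites the destination to the 192.168.218.x address and that the flow is handed to the VPN tunnel rather than routed to the directly connected 192.168.218.0/24 inside interface; `show nat detail` should show the hit counter on the manual NAT rule climbing as traffic flows. The mapped range must not overlap anything else the ASA knows about, since the whole point is that it is not a connected interface and therefore follows the route toward outside.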
06-27-2018 01:48 AM
Do you think this needs to be done at both ends of the VPN?
06-27-2018 03:45 PM
No, only on the side where there is an overlap.