07-02-2010 01:07 PM
We have an ASA 5540. Here are the route statements. The inside interface is 66.102.6.10. If I have a server on subnet 66.102.150 and this subnet is not in the route statements, when a user logs in with the VPN client, will he be able to get to the server 66.102.150.25? What would be the default route when I do not have the static route statement?
route Outside 0.0.0.0 0.0.0.0 66.102.7.100 1
route Inside 66.102.10.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.10.2 255.255.255.255 66.102.6.100 1
route Inside 66.102.10.11 255.255.255.255 66.102.6.100 1
route Inside 66.102.10.12 255.255.255.255 66.102.6.100 1
route Inside 66.102.10.20 255.255.255.255 66.102.6.100 1
route Inside 66.102.11.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.12.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.29.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.30.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.100.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.103.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.111.0 255.255.255.0 66.102.6.100 1
Thanks.
Laura
07-02-2010 01:35 PM
Laura, if the 66.102.150.x/? network is in your inside network somewhere, being routed by another gateway, the FW will not know how to get to it, so even if you allow this network in your VPN ACL, VPN users will not get to it. Just like your other route statements: how is the 66.102.10.0/24 network reachable? It is reachable via the 66.102.6.100 gateway on your inside. Same thing for 66.102.150: if it is in your inside network you need to tell the FW how to get to it, and the other way around, whichever gateway knows about the 66.102.150 net needs a route to get back to the FW.
If the 66.102.150.x/? network is somewhere on the internet outside of your realm, the FW sends the traffic using your default route via the FW outside interface.
HTH
Regards
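As an added illustration (not code from the thread), the lookup below does the longest-prefix match the ASA performs over Laura's posted route table: with no covering static route, 66.102.150.25 only matches the default route via Outside, unless the Inside interface's own connected subnet covers it. The thread does not state the Inside interface's mask, so the /24 and /16 used here are assumptions.

```python
import ipaddress

# Route statements as posted in the thread: "route <iface> <net> <mask> <gateway> <metric>".
POSTED_ROUTES = """\
route Outside 0.0.0.0 0.0.0.0 66.102.7.100 1
route Inside 66.102.10.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.10.2 255.255.255.255 66.102.6.100 1
route Inside 66.102.10.11 255.255.255.255 66.102.6.100 1
route Inside 66.102.10.12 255.255.255.255 66.102.6.100 1
route Inside 66.102.10.20 255.255.255.255 66.102.6.100 1
route Inside 66.102.11.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.12.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.29.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.30.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.100.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.103.0 255.255.255.0 66.102.6.100 1
route Inside 66.102.111.0 255.255.255.0 66.102.6.100 1
"""

def parse_routes(text):
    """Turn 'route' lines into (iface, network, next_hop, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, gw = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        net = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((iface, net, ipaddress.ip_address(gw), metric))
    return routes

def connected_route(iface, addr_with_prefix):
    """Connected route for an interface address; next hop None means directly attached."""
    return (iface, ipaddress.ip_interface(addr_with_prefix).network, None, 0)

def lookup(routes, dest):
    """Longest-prefix match, lowest metric breaks ties; None if no route covers dest."""
    dst = ipaddress.ip_address(dest)
    matches = [r for r in routes if dst in r[1]]
    return max(matches, key=lambda r: (r[1].prefixlen, -r[3])) if matches else None

if __name__ == "__main__":
    # The thread gives Inside as 66.102.6.10 but not its mask; /24 and /16 are assumptions.
    for mask in ("24", "16"):
        table = parse_routes(POSTED_ROUTES) + [connected_route("Inside", f"66.102.6.10/{mask}")]
        iface, net, gw, _ = lookup(table, "66.102.150.25")
        print(f"Inside /{mask}: 66.102.150.25 -> {iface} {gw or 'connected'} ({net})")
```

Comparing the two runs shows why "show route" (which lists connected routes too) rather than "show run | inc route" is the better check for whether a destination is really covered.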
07-02-2010 01:59 PM
Jorgemcse,
Thanks for your prompt response and information. The 66.102.150.0 is my inside network. The 66.102.10.0/24 is my inside network also. The network 66.102.10.0 is reachable through gateway 66.102.6.100.
Even though I do not have a route statement for subnet 66.102.150.0, I can get to the server 66.102.150.25 through the VPN client. So, I guess it is not necessary to put in the route statement??? I always assumed that you have to have a route statement for each subnet inside your network so that the users can get to those subnets when they VPN in. How do I know when to put in the route statement? Can I just not put anything in until someone complains, and then put in the route statement? Thanks.
Laura
07-02-2010 02:34 PM
Hi Laura, are you sure you don't have a route for that network or host in the FW? Perhaps a 66.102.0.0/16 statement that covers the 150 net. You can see the output of all routes from the FW by issuing "show route" or "show run | inc route", and you can always confirm host reachability by pinging the host from the firewall itself.
Regards
07-06-2010 11:34 AM
Jorgemcse,
Sorry for the late reply. I tried both "show route" and "show run | inc route" and do not see a route statement for the 66.102.150 network. I can ping the server 66.102.150.25 from the firewall. Do you have any other suggestions? Thanks.
Laura