Remote access VPN to ASA from same external subnet

justanas1
Level 1

Hi All,

I have two firewalls connected to the same external real IP subnet (example FW1: 1.1.1.1, FW2: 1.1.1.2). I configured FW1 as a remote access VPN. I tried VPN access from external remote networks and it is working fine, but when I try to access from users behind FW2 the connection establishes completely but I cannot access anything behind FW1. Is there a feature on a firewall that blocks this because both firewalls share the same external subnet?

Thanks and regards,

Anas

4 Replies

Jennifer Halim
Cisco Employee

I understand that you have FW1 and FW2, and you are trying to VPN to FW1 from behind FW2, however, you were not able to access anything behind FW1 once the VPN is connected.

Can you please share how the internal subnets of FW1 and FW2 are connected?

What are their subnets, and what configuration have you applied on both FW1 and FW2 as far as translation and routing are concerned?

What are the internal subnets of FW1 and FW2? Are the two internal subnets of FW1 and FW2 completely separate from each other?

Can you please share the configuration of both FWs?

Having both FWs external ip addresses in the same subnet shouldn't be any problem. I am also assuming that the vpn client traffic from behind fw2 is getting PATed to the fw2 outside interface ip address?

Hi Anas,

What is happening in your case is expected, because both firewalls are in the same subnet and are in active failover,
and you are accessing from local (from behind FW2).

Please rate if this helped you...

Regards,
Naidu.

justanas1
Level 1

Hi,

Thank you for your reply.

The network behind FW1 is completely separate from the network behind FW2. The FW1 LAN range is 10.10.0.0/16 and the FW2 LAN is 10.16.1.0/24.

The telco internet is terminated in a router and both firewalls take internet from the LAN ports of the router.

Anas

Can you please share more information so we can assist further with your queries.
Please advise where it is actually failing, i.e. at which point. If you can share the output of the following, that would help:
show cry isa sa
show cry ipsec sa

once you are connected from behind fw2.

Also, please kindly share the configuration from fw1 so we can double check if there is any configuration error/missing config.
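The reply above asks for "show cry ipsec sa" output to find the point where traffic stops. The script below is an added example (not from this thread or from Cisco) of reading the per-client counters out of that output: if FW1 decapsulates packets from the client but encapsulates none back, the tunnel itself is up and the problem is on FW1's inside (NAT exemption or routing for the VPN pool), which matches the translation and routing questions asked earlier. The sample output is constructed in the layout of an ASA "show crypto ipsec sa" block and is not a capture from the poster's firewalls; the client pool address 192.168.100.10 and the crypto map name are assumptions, while the LAN ranges and the 1.1.1.2 peer address come from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of an ASA "show crypto ipsec sa" block for one
# remote-access client. It is NOT output from the original poster's firewalls.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 1.1.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.10/255.255.255.255/0/0)
      current_peer: 1.1.1.2, username: anas
      dynamic allocated peer ip: 192.168.100.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
"""

# Values taken from the thread: FW1 LAN, FW2 LAN and FW2's outside address.
FW1_LAN = ["10.10.0.0/16"]
FW2_LAN = "10.16.1.0/24"
FW2_OUTSIDE = "1.1.1.2"


def parse_ipsec_sa(text):
    """Split the output into one dict per SA: peer, assigned client IP, encaps/decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        if re.match(r"\s*local ident", line):      # each SA block starts with this line
            cur = {"peer": None, "client_ip": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in (("peer", r"current_peer:\s*([\d.]+)"),
                         ("client_ip", r"dynamic allocated peer ip:\s*([\d.]+)"),
                         ("encaps", r"#pkts encaps:\s*(\d+)"),
                         ("decaps", r"#pkts decaps:\s*(\d+)")):
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1)) if key in ("encaps", "decaps") else m.group(1)
    return sas


def diagnose(sa, fw1_lans=FW1_LAN, fw2_lan=FW2_LAN, fw2_outside=FW2_OUTSIDE):
    """Say what the counters imply about where the client's traffic stops."""
    findings = []
    if sa["peer"] == fw2_outside:
        findings.append("peer is FW2's outside address: client traffic is PATed by FW2 as expected")
    if sa["client_ip"]:
        ip = ip_address(sa["client_ip"])
        for net in fw1_lans + [fw2_lan]:   # a pool inside either LAN breaks return routing
            if ip in ip_network(net):
                findings.append(f"assigned client IP {ip} overlaps {net}: use a pool outside both LANs")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        verdict = "one-way"
        findings.append("FW1 decrypts client packets but encrypts none back: "
                        "check the NAT exemption and inside routing for the VPN pool on FW1")
    elif sa["decaps"] == 0 and sa["encaps"] == 0:
        verdict = "idle"
        findings.append("no packets in either direction: check the client's split-tunnel routes")
    elif sa["decaps"] == 0:
        verdict = "client-silent"
        findings.append("FW1 sends but receives nothing: check what FW2 lets out toward FW1")
    else:
        verdict = "two-way"
        findings.append("traffic flows both ways in the tunnel: look at ACLs or host firewalls behind FW1")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        result = diagnose(sa)
        print(sa["client_ip"], "via", sa["peer"], "->", result["verdict"])
        for f in result["findings"]:
            print("  -", f)
```

Run it against a pasted copy of the real output; with several connected clients the parser returns one entry per SA block, so each client can be classified separately.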
