Cisco ASA: how to add a route to allow VPN SonicWall users to browse internally

Posted on 2008-02-12
Last Modified: 2013-11-21
Hi, I have recently set up a Cisco ASA 5510 to replace a Netgear, with a few teething problems, as all traffic flows in (bar one) via the outside interface IP. Batry_boy and a friend kindly assisted with the static NATs/PATs and ACLs and this works fine now. Config attached.

There are just a couple of things I can't get working. We use a SonicWall for VPN connection, and users come in via HTTPS to the SonicWall box on the inside. This works fine (the NAT and ACL work for this), but the thing that doesn't work is that once connected the SonicWall dishes out an IP from the /24 subnet and users are unable to browse resources on the local /24 subnet via the SonicWall. On the previous Netgear this worked fine, with a simple static route:

destination  gateway

I add a route:
route INSIDE 1

but this hasn't helped; I am unable to ping or browse to servers on the local network when connected to office via VPN. I know I'm missing something. Any ideas?

Also I set up a site-to-site VPN from this ASA to a Netgear in Irvine in the US.
I configured it from the outside interface to the peer IP (public IP), with 3DES/MD5 and a preshared key. All settings are the same on either side.

Set up the local users as below (Site2site) in ASDM, selecting local users from /24 and remote users in Irvine on /24. I hope I set this up OK?

Managed to see that the connection from the Irvine end is seen as established, but I can't ping their local network whatsoever. The US Netgear router is on On the old Netgear in the UK this worked seamlessly, and we could ping and connect to their router on

Should I be able to ping this on Cisco? Can someone review the config and see if I have missed anything obvious? What is a good test?

Thanks in advance for everything. Kind regards.

Question by:orphanc
LVL 79

Expert Comment

ID: 20906892
Bottom line - ain't gonna happen.
As long as the ASA inside IP is the default gateway of the internal LAN, you will never get this to work.
You need another internal router or just a router-on-a-stick with most any old Cisco router to make this work.

Author Comment

ID: 20909195
Thank you. Can you please elaborate on this? So are you saying there is no way to get VPN users that come into the SonicWall and get given the DHCP address 192.168.200.x once connected, access to the internal LAN? Isn't that what VPNing onto your network is supposed to allow, with some rule on another?
I have a dilemma then, as I got in the ASA to replace their previous Netgear router, which allowed this to work with one static route. How can a basic Netgear do it and a Cisco ASA can't?
Any other ideas?

LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 20914440
The ASA is a true world class firewall, unlike the consumer grade Netgear. It simply will not redirect a packet that comes in on the inside interface to go back to another inside device. One simple solution would be to use any old router on the LAN as the default gateway. Its route table has a default pointing to the ASA and a static 192.168.200.x pointing to the SonicWall VPN box.
I don't quite understand why you want two boxes to start with, when the VPN capabilities of the ASA far exceed the SonicWall's. Why not just terminate the remote user VPNs right on the ASA?
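The internal-router arrangement described above, written out as an added example (not configuration from this thread or from the asker's attached config). It assumes the LAN is 192.168.2.0/24 and the SonicWall pool is 192.168.200.0/24 as mentioned in the thread; the ASA inside address (192.168.2.254), the SonicWall inside address (192.168.2.253) and the router address (192.168.2.1) are placeholders.

```cisco
! Internal IOS router with a single LAN arm - it becomes the default gateway
! for LAN hosts so that routing decisions happen here, not on the ASA.
! Placeholder addresses (assumptions, not from the thread):
!   ASA inside        192.168.2.254
!   SonicWall inside  192.168.2.253
!   this router       192.168.2.1
hostname LAN-GW
!
interface FastEthernet0/0
 description LAN - hosts point their default gateway here
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Everything not otherwise known goes to the ASA, which still
! filters all Internet-bound traffic.
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
! The SonicWall's VPN client pool is reached via the SonicWall,
! so LAN hosts' replies to VPN users are never sent to the ASA.
ip route 192.168.200.0 255.255.255.0 192.168.2.253
!
! Optional, on the ASA itself: anything the ASA must send to the
! VPN pool (e.g. its own log or management traffic) goes to the
! SonicWall rather than out the default route.
route inside 192.168.200.0 255.255.255.0 192.168.2.253 1
```

Change the LAN DHCP scope so hosts receive 192.168.2.1 as their default gateway; a traceroute from a LAN host to a connected VPN user's 192.168.200.x address should then reach the SonicWall without the ASA appearing on the path.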

I object to closing this question.

Author Comment

ID: 20927235
Hi lrmoore,
Thanks for your response. I agree. The ASA's VPN capabilities far outweigh the SonicWall's, but their users are used to it and that change cannot happen for a while. Re the below response: my question to community support was not to close the question, but that I had had no response. This was sent before you had responded.

I accept your solution, as you're right it can't work. The only way is to use a reserved DHCP range on the existing LAN so the SonicWall dishes out IPs on 192.168.2.x, but as they have a class C that's not going to happen. Plans to change the subnet will happen as we purchase additional routers. Thanks for your comments and sorry for any misunderstanding.

LVL 79

Expert Comment

ID: 20927362
Sorry I didn't respond sooner. I had email issues for a few days and was not receiving any notifications.
If you have almost any old router lying around, you can have a quick short term fix.
