Cisco ASA how to add a route to allow VPN sonicwall users to browse internally

Hi, I have recently set up a Cisco ASA 5510 to replace a Netgear, with a few teething problems, as all traffic flows in (bar one) via the outside interface IP. Batry_boy and a friend kindly assisted with the static NATs/PATs and ACLs and this works fine now. Config attached.

There are just a couple of things I can't get working. We use a Sonicwall for VPN connection, and users come in via HTTPS to the Sonicwall box on the inside. This works fine (the NAT and ACL work for this), but the thing that doesn't work is once connected: the Sonicwall dishes out an IP from the 192.168.200.0/24 subnet and users are unable to browse resources on the local subnet 192.168.2.0/24 via the Sonicwall at 192.168.2.9. On the previous Netgear this worked fine, with a simple static route:

destination 192.168.200.0 gateway 192.168.2.9

I add a route:
route INSIDE 192.168.200.0 255.255.255.0 192.168.2.9 1

but this hasn't helped; I am unable to ping or browse to servers on the local network when connected to the office via VPN. I know I'm missing something. Any ideas?

Also, I set up a site-to-site VPN from this ASA to a Netgear in Irvine in the US.
I configured it from the outside interface to the peer IP (public IP) with 3DES/MD5 and a preshared key. All settings are the same on either side.

Set up the local users as below (Site2site) in ASDM, selecting local users from 192.168.2.0/24 and remote users in Irvine on 192.168.12.0/24. I hope I set this up OK?

Managed to see that the connection from the Irvine end is seen as established, but I can't ping their local network 192.168.12.0 whatsoever; the US Netgear router is on 192.168.12.1. On the old Netgear in the UK this worked seamlessly, and we could ping and connect to their router on 192.168.12.1.

Should I be able to ping this on Cisco? Can someone review the config and see if I have missed anything obvious? What is a good test?

Thanks in advance for everything. Kind regards.


Copy-of-ASAconfig090208.txt
site2site.doc
orphancAsked:

lrmooreCommented:
Bottom line - ain't gonna happen.
As long as the ASA inside IP is the default gateway of the internal LAN, you will never get this to work.
You need another internal router or just a router-on-a-stick with most any old Cisco router to make this work.
orphancAuthor Commented:
Thank you. Can you please elaborate on this? So are you saying there is no way to get VPN users that come into the Sonicwall and get given a DHCP address 192.168.200.x once connected, access to the internal LAN 192.168.2.0??? Isn't that what VPNing onto your network is supposed to allow, which some rule on another?
I have a dilemma then, as I got in the ASA to replace their previous Netgear router, which allowed this to work with one static route. How can a basic Netgear do it and a Cisco ASA can't?
Any other ideas?

lrmooreCommented:
The ASA is a true world class firewall, unlike the consumer grade Netgear. It simply will not redirect a packet that comes in on the inside interface to go back to another inside device. One simple solution would be to use any old router on the LAN as the default gateway. Its route table has a default pointing to the ASA and a static 192.168.200.x pointing to the Sonicwall VPN box.
I don't quite understand why you want two boxes to start with, when the VPN capabilities of the ASA far exceed the Sonicwall's. Why not just terminate the remote user VPNs right on the ASA?

I object to closing this question.
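As an added illustration of the workaround lrmoore describes (not taken from the thread or from any poster's attached config), the route table of a spare Cisco IOS router placed on the LAN as the hosts' default gateway. The router's own address 192.168.2.254 and the ASA inside address 192.168.2.1 are assumptions; the Sonicwall address and VPN pool are the ones given in the question.

```cisco
! Spare Cisco IOS router on the 192.168.2.0/24 LAN, acting as the hosts' default gateway.
! Assumed addresses: router 192.168.2.254, ASA inside interface 192.168.2.1.
! The Sonicwall (192.168.2.9) and the VPN client pool (192.168.200.0/24) are from the question.
interface FastEthernet0/0
 description LAN - default gateway for internal hosts
 ip address 192.168.2.254 255.255.255.0
 no shutdown
!
! Anything not explicitly routed goes to the ASA (internet and the site-to-site tunnel).
ip route 0.0.0.0 0.0.0.0 192.168.2.1
! The VPN client pool handed out by the Sonicwall is reached via the Sonicwall's LAN address.
ip route 192.168.200.0 255.255.255.0 192.168.2.9
!
! Internal hosts then use 192.168.2.254 as their gateway (DHCP option 3 or static), while the
! ASA keeps the route already in the question so traffic it forwards to VPN clients also works:
!   route INSIDE 192.168.200.0 255.255.255.0 192.168.2.9 1
```

A quick test from a LAN host is a traceroute to a VPN client's 192.168.200.x address: the first hop should be 192.168.2.254 and the second 192.168.2.9. Since the router sends these packets back out the interface they arrived on, it will issue ICMP redirects to hosts by default unless `no ip redirects` is set on FastEthernet0/0, which is worth knowing when reading captures.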

orphancAuthor Commented:
Hi lrmoore,
Thanks for your response. I agree. The ASA's VPN capabilities far outweigh the Sonicwall's, but their users are used to it and that change cannot happen for a while. Re the below response: my question to community support was not to close the question, but that I had no response. This was sent before you had responded.

I accept your solution, as you're right that it can't work. The only way is to use a reserved DHCP range on the existing LAN so the Sonicwall dishes out IPs on 192.168.2.x, but as they have a class C that is not going to happen. Plans to change the subnet will happen as we are purchasing additional routers. Thanks for your comments and sorry for any misunderstanding.
lrmooreCommented:
Sorry I didn't respond sooner. I had email issues for a few days and was not receiving any notifications.
If you have almost any old router lying around, you can have a quick short-term fix.