salesandservice
asked on
ASA 5505 site to site VPN static route how to or possible workarounds
Currently I have a site to site VPN setup between 2 ASA 5505's. The local subnets are 192.168.1.0/24 for the main location and 192.168.2.0/24 for the remote location. The last part of this equation is a vendor router(192.168.2.25) is located on remote subnet with a connection to a 10.0.0.0/24 network.
A server at the main location has an IP address of 192.168.1.20 and it will need to talk to the vendor router(192.168.2.25) in order to reach the 10.0.0.0/24 network.
How can I get 192.168.1.20 to communicate to the 10.0.0.0/24 network utilizing the VPN connection to get to 192.168.2.25?
Both ASAs are running 7.2
I know the ASA is cable of some some static routing - is it possible to have a static route traverse the VPN to the 192.168.2.25 router? What configurations will I need to add to make this work?
If not, what possible workarounds are available to accomplish this easily? Thanks.
Ideally I would have a static route for 10.0.0.0 255.255.255.0 via 192.168.2.25, but this does not appear to be an option with the ASA.
A server at the main location has an IP address of 192.168.1.20 and it will need to talk to the vendor router(192.168.2.25) in order to reach the 10.0.0.0/24 network.
How can I get 192.168.1.20 to communicate to the 10.0.0.0/24 network utilizing the VPN connection to get to 192.168.2.25?
Both ASAs are running 7.2
I know the ASA is cable of some some static routing - is it possible to have a static route traverse the VPN to the 192.168.2.25 router? What configurations will I need to add to make this work?
If not, what possible workarounds are available to accomplish this easily? Thanks.
Ideally I would have a static route for 10.0.0.0 255.255.255.0 via 192.168.2.25, but this does not appear to be an option with the ASA.
ASKER
The "same-security-traffic permit intra-interface " seems to indicate a similar setup to above except I could leave the default gateway as is.
So traffic going from the server at the main location to the 10.0.0.0/24 network would go to the pix and then go to the new router with an address of lets say 192.168.1.5.
So config would be changed to:
same-security-traffic permit intra-interface
route inside 10.0.0.0 255.255.255.0 192.168.1.5(new router)
-----
And then traffic would go to the router with a config of:
10.0.0.0 255.255.255.0 192.168.2.25
And traffic would travel over the VPN tunnel and out thru the Vendor router - will this configuration work?
So traffic going from the server at the main location to the 10.0.0.0/24 network would go to the pix and then go to the new router with an address of lets say 192.168.1.5.
So config would be changed to:
same-security-traffic permit intra-interface
route inside 10.0.0.0 255.255.255.0 192.168.1.5(new router)
-----
And then traffic would go to the router with a config of:
10.0.0.0 255.255.255.0 192.168.2.25
And traffic would travel over the VPN tunnel and out thru the Vendor router - will this configuration work?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
would it be possible to set the default gateway of the server at the main location to point to the router at the remote location(Internet access will not be required for this server only access is needed to the vendor router).
I would think the same crypto ACLs would need to be applied.
Is this a viable alternative? What are implications of doing this?
I would think the same crypto ACLs would need to be applied.
Is this a viable alternative? What are implications of doing this?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
As you mentioned earlier, the VPN ASA is also the internet connection at the mainsite.
When the server goes to send data to the 10.0.0.0 network, how is this traffic able to go over the VPN tunnel to the remote site instead of being sent out to the outside interface(internet) via the default route on the ASA?
When the server goes to send data to the 10.0.0.0 network, how is this traffic able to go over the VPN tunnel to the remote site instead of being sent out to the outside interface(internet) via the default route on the ASA?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for the assistance. This worked great and I appreciate the follow-up to the related questions.
ASKER
http://www.cisco.com/en/US
It seems possible to change the default gateway to a different router and configure that router to point 10.0.0.0/24 traffic to 192.168.2.25 and that way the ASA would only need to send traffic over to the remote subnet via VPN as it normally does. Would this work or am I missing something?
Any other configurations/ideas? Thanks