Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Any Cisco ASA Firewall peeps around?

Status
Not open for further replies.
vco08

vco08

IS-IT--Management
Nov 12, 2007
7
US
Im sure someone might know what the problem could be...Here is my situation... Ive got two networks going on right now. They are both on the same subnet, but split into two different networks. I have a VPN tunnel setup on the ASA firewall at my remote location. When I VPN in I VPN into that remote location and get my exchange and everything. Unfortunately, I cant get to my other server at my current location in Portland. Ive gone over my configs time and time again, but cant seem to figure this out. Anybody have any ideas?
 
Sort by date Sort by votes
If the same subnet exists in both locations then how is the routing configured? It sounds to me like it's just a routing issue - i.e. the ASA is making a forwarding decision (if the packets are making it that far?) but because both the source and destination are on the same subnet then it doesn't forward the packet.

Andy
 
Upvote 0 Downvote
So how would I get it to route packets to the other network? It comes into the ASA via VPN, but wont go anywhere else on the network except for where it comes in. Would the routing issue be on the ASA or the router itself?
 
Upvote 0 Downvote
No - it's a fundamental flaw in your plan... You could look at NAT and try and work around it this way but I think you should look at sorting the IP addressing issues out as a matter of urgency.

Andy
 
Upvote 0 Downvote
I will be changing the IP structure at one of the sites pretty soon. Basically, im changing it from 172.16.200.x to 172.16.220.x. Would that make it any better?
 
Upvote 0 Downvote
Yes. I assume you have 172.16.200.0/24 configured at both sites?

Andy
 
Upvote 0 Downvote
Yea. Except, the subnet is split. One side would be 172.16.200.1 - 172.16.200.50. (hypothetical) And on the other network it would be 172.16.200.128 - 172.16.200.250. We have two DNS and two DHCP servers at both ends. When im on one network say on the west side I get 172.16.200.150 as DHCP and if im on the east side network I get 172.16.200.2 as DHCP. When I VPN in, I automatically get the 172.16.200.2 DHCP. It wont however, let me see the other side where I have file servers.
 
Upvote 0 Downvote
Ah, OK. So you are saying you have subnet 172.16.200.0/25 (255.255.255.128) at one site and 172.16.200.128/25 at the other? If that's the case then routing shouldn't be a problem since you don't have overlapping networks. Or are you saying you have 'logically' but not physically split the subnet? i.e. you hosts all have a subnet mask of /24 (255.255.255.0)?

Andy
 
Upvote 0 Downvote
What you're saying is correct. One network is 172.16.200.128 and the other is 172.16.200.0. When I VPN into my network I VPN into 172.16.200.0 which is where the ASA is located. I can get to my servers in Eastern Oregon on that network, but cant get to my File server in Portland, which has an IP from 172.16.200.128. All I really need to do is get to my file server via VPN for when im at home or offsite, but I cant.
 
Upvote 0 Downvote
Can you explain the setup a bit clearer? Is the ASA the VPN gateway for both the remote site (172.16.200.128/15) and your Remote Access VPN? It's a bit difficult to understand the topology

Andy
 
Upvote 0 Downvote
yea no problem. My ASA is setup with an ip address of 172.16.200.1. I cant get to the 172.16.200.128 network through my VPN. I have a file server on the 172.16.200.128 network that I need to get too, but cant get to it when I VPN in. I can get to everything on the 172.16.200.0 network and thats it.
 
Upvote 0 Downvote
How are the two sites linked? Is it via a leased connection or is it a VPN tunnel? If its a VPN tunnel does it terminate on the ASA? If its a leased line what routers are you using and have you any routing protocols set up or are you using static routes? What IP address do you get assigned when you VPN in?

I think a picture would help a lot here, otherwise we are really struggling to understand the topology.

Andy
 
Upvote 0 Downvote
Well when I first inherited this network it supposedly has a tunnel in between both sites. Unfortunately, I dont believe that tunnel exists because i should be able to see both networks even if im at the office. Im trying to think of what else I can get you. I only have one router on the network and its in Eastern Oregon on the 172.16.200.0 network. Like I said before the VPN tunnel should terminate on the ASA, but I dont think it does. Ive never really messed with ASA's or Pix's before. Thats why im having such a hard time with this...
 
Upvote 0 Downvote
I think you need to take a step back and build some sort of diagram of the network - use the CLI tools of Windows: Ping, tracert, route etc. Work out what are the gateways between the networks and then knock some diagram up. It should be pretty easy as there are only two sites (that you have mentioned so far?) and some Remote Access VPN connectivity.

Andy
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
580
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
624
intel233
intel233
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
314
AllenH12
AllenH12
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
158
WhosYourDiffie
WhosYourDiffie
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
159
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top