Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Internet access across a VPN

Status
Not open for further replies.
JayScovill

JayScovill

IS-IT--Management
Oct 16, 2008
3
CA
My scenario:

Our office is connected to our datacenter via a VPN provided by a local Telco.

This is the topology:

Office -> ME3400A <--> ME3400B -> Datacenter -> ASA5520 ->Internet

The ASA5520 is the default gateway for the Datacenter network.

The inside interface of the ME3400A is the default gateway for the Office network

Office Network: 172.16.0.x
ME3400A Inside: 172.60.0.x
Me3400A Outside: 10.253.x.x
ME3400B Outside: 10.253.x.x
ME3400B Inside: 10.10.x.x
Datacenter Network: 10.10.x.x

We would prefer not to have to add static routes to all of the machines in the Datacenter network back to 172.16.x.x.

We thought this would be possible by adding a static route in the ASA5520 back to 172.16.0.0 through the inside interface of ME3400B.

This sort of works. Pings and traceroutes find their way to 172.16.0.0 via the ASA5520. However, name resolution and other traffic does not. I'm suspecting it's an access rule issue because if I add a static route to any machine on the Datacenter network to 172.16.0.0 everything (except internet access through the ASA5520)is fine.

It's only when we try to point to the 172.16.0.0 network through the ASA5520 that we run into problems.

So the objectives are:

1) Provide a route to 172.16.0.0 without having to add static routes to all the machines in the Dataceter network
b) Provide internet access to machines in the Office Network through the ASA5520.
 
Sort by date Sort by votes
Thanks,

the 'same-security-traffic permit intra-interface' command is enabled on the ASA.

And in fact, pings are successful between computers on the office net and the datacenter net.

However, name resolution and internet access from the office network fail. The two aren't directly related since if I put a static route to the office network on any of my DNS server name resolution, etc are successful. But I still cannot access the internet

It's only when I'm using the ASA to route the packets to my Office network that the problem occurs.
 
Upvote 0 Downvote
do yo have the inside routes on the asa? can you post a scrubbed config?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
675
Sameer258
Sameer258
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
724
Shmid
Shmid
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
586
intel233
intel233
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
160
WhosYourDiffie
WhosYourDiffie
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
206
gkittelson
gkittelson

Part and Inventory Search

Sponsor

Back
Top