
routing question


aquila125 (MIS), Jan 12, 2005
Hi all,

this is our network layout:


INTERNET - ASA5510 - LAN 1 - MPLS - LAN 2 - PIX515 - VPN TUNNEL TO CUSTOMER

The MPLS is a VPN solution that connects our different offices to each other. In one of those offices we have a VPN connection to a customer. Now we would like to be able to connect to that customer from all our offices (and through the remote access vpn to the asa5510).

I'll add some IP information:

ASA5510 internal interface: 192.168.40.2
MPLS LAN1 internal interface: 192.168.40.1
MPLS LAN2 internal interface: 192.168.50.1
PIX515 internal interface: 192.168.50.2
CUSTOMER NETWORK: 176.26.0.0

We tried to add a route to our ASA5510 stating:
route inside 176.26.0.0 255.255.0.0 192.168.50.2
and added a nonat rule for this network, but that doesn't seem to work. Do we have to change the route to:
route inside 176.26.0.0 255.255.0.0 192.168.40.1
and ask our ISP to add a route for the 176.26.0.0 network to 192.168.50.2? (We don't control the MPLS routers.) If possible we would like to keep the routing on our equipment so we can make changes much faster.

All help is greatly appreciated!
 
Well, you also have to make sure that the terminating point on the customer side has your subnet listed in its IPsec config. If the proxy IDs don't match you won't be able to connect.

 
The VPN tunnel is working alright, so that's not the problem. I would just like to know where we have to add the routes: to our main firewall (ASA5510) or on the intermediate routers of our ISP (MPLS LAN1 and LAN2).
 
You don't need a route in the ASA unless the internal networks aren't already in the firewall. Your crypto ACL on both sides of the tunnel will have to reflect the subnets behind your ASA.
 
The problem is that the tunnel is not installed on the main firewall but on a separate line in LAN2 (only used for this tunnel). So if I connect from LAN1 to the network of the customer, the traffic will go to the main firewall (the gateway), which doesn't know what to do with it. So can I add a route to an IP that doesn't belong to the subnet of the internal interface of the ASA5510? (I have added a route to the LAN2 network via 192.168.40.1.)
 
On the LAN1 router (40.1) you need to add a route for the remote network and send it over to the LAN2 router.
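The hop-by-hop behaviour discussed in this thread, as an added illustration (not code from any poster): a small forwarding model of the ASA, the two MPLS routers and the PIX that shows why a static route whose next hop (192.168.50.2) is not on the ASA's inside subnet goes nowhere, and why the 176.26.0.0/16 route has to exist on every hop, including the LAN1 router. Device names, the 10.0.0.0/30 link between the ISP routers and the simplified "next hop must be directly connected" rule are assumptions of the model, not verified ASA behaviour.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the thread's topology. Each device lists its directly connected
# subnets and a static table (prefix -> next hop). Interface addresses are from the
# question; the 10.0.0.0/30 MPLS link between LAN1 and LAN2 routers is assumed.
DEVICES = {
    "asa":  {"connected": ["192.168.40.0/24"],
             "routes": {"192.168.50.0/24": "192.168.40.1", "176.26.0.0/16": "192.168.40.1"}},
    "lan1": {"connected": ["192.168.40.0/24", "10.0.0.0/30"],
             "routes": {"192.168.50.0/24": "10.0.0.2", "176.26.0.0/16": "10.0.0.2"}},
    "lan2": {"connected": ["192.168.50.0/24", "10.0.0.0/30"],
             "routes": {"192.168.40.0/24": "10.0.0.1", "176.26.0.0/16": "192.168.50.2"}},
    "pix":  {"connected": ["192.168.50.0/24"], "routes": {"176.26.0.0/16": "tunnel"}},
}
OWNER = {"192.168.40.2": "asa", "192.168.40.1": "lan1", "10.0.0.1": "lan1",   # which device
         "192.168.50.1": "lan2", "10.0.0.2": "lan2", "192.168.50.2": "pix"}   # owns an address

def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def trace(devices, start, dst, max_hops=8):
    """Forward a packet for dst hop by hop from start; return (devices visited, outcome)."""
    path, dev = [start], start
    for _ in range(max_hops):
        nh = lookup(devices[dev]["routes"], dst)
        if nh is None:
            return path, f"{dev}: no route"
        if nh == "tunnel":
            return path, "delivered via tunnel"
        # A static next hop is only usable if it lies on a connected subnet of this device.
        if not any(ipaddress.ip_address(nh) in ipaddress.ip_network(c)
                   for c in devices[dev]["connected"]):
            return path, f"{dev}: next hop {nh} not on a connected subnet"
        dev = OWNER[nh]
        path.append(dev)
    return path, "hop limit exceeded"

def variant(device, next_hop):
    """Copy of the model where device's 176.26.0.0/16 route points at next_hop (None removes it)."""
    d = deepcopy(DEVICES)
    if next_hop is None:
        d[device]["routes"].pop("176.26.0.0/16", None)
    else:
        d[device]["routes"]["176.26.0.0/16"] = next_hop
    return d
```

Running `trace(variant("asa", "192.168.50.2"), "asa", "176.26.1.10")` stops at the ASA, `variant("asa", "192.168.40.1")` reaches the PIX, and `variant("lan1", None)` dies on the LAN1 router, matching the thread's conclusion.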
 