Thank you for your answer!
A short ASCII structure is like this:
ext.Router---(old IP-RANGE 195.21.XXX.170)---outside---ASA_01
new ext.Router---(new IP-RANGE 91.215.XXX.4)---outside---ASA_02
The old IP-Range will be closed in the near future.
The default internal gateway for all our PCs is ASA_01 (192.168.1.130);
VPN works through this ASA_01.
Now I am installing VPN on ASA_02 and would like to leave the old
gateway on the client PCs unchanged. So I thought:
VPN-Traffic from outside -> ASA_02 -> client-PC and back:
-> ASA_01 (default gateway) ASA_01 -> ASA_02
(static Route for the VPN-address-space)
-> new ext.Router-> Internet-> VPN-endpoint
When I ping or telnet through the new VPN, I can see the
incoming traffic on the client PC, but the return path
is blocked by ASA_01 with the error:
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34625 (VPN-address) flags SYN ACK on interface inside
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:192.168.10.1 duration 0:00:00
I understand that the ASA blocks traffic which was not initiated through
it; that seems to be good behaviour for a firewall, but can I make an
exception for this route (ASA_01 -> ASA_02, 192.168.10.0/24)?
Thanks again for any idea you have!
> Can you elaborate more on what you are trying to accomplish?
> Looks to me like you have two ASAs on your WAN connection.
> Like this
> (Default Gateway/Route) ASA #1-------outside 220.127.116.11 ------inside
> (VPN) ASA #2-------outside 18.104.22.168 ------ inside 192.168.1.2
> I assume ASA #1 is the default route/default gateway for the hosts
> behind it to the internet and ASA #2 has VPNs that terminate on it
> If you have a VPN with remote subnet 192.168.2.0/24 built to it you
> can add a static host route on the PCs to use the VPN ASA
> (Assuming Windows)
> -route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.2
We would like to avoid setting a static route on every client PC;
it seems smarter to let the old ASA do the routing.
> or use a router as your default gateway your routing table would look
> like this
> ip route 192.168.2.0 255.255.255.0 192.168.1.2
> ip route 0.0.0.0 0.0.0.0 192.168.1.1
> On Aug 4, 3:29 am, Gerhard Lehmann <g...@yahoo.com> wrote:
>> Is it possible to allow traffic through an ASA5510 which was not
>> initiated through this firewall but through another one?
>> Background: We are changing our external IP numbers but don't want to change
>> our internal default route (which points to an ASA5510, the 'old'
>> one). Our new VPN traffic comes from the 'new' ASA, and the internal
>> client PC sends it to the 'old' ASA. There is a route which directs
>> this traffic to the new one. But I get the error
>> (within the VPN: telnet internal_host 22, 'old' ASA as default gateway):
>> %ASA-6-106015: Deny TCP (no connection) from 192.168.XXX.XXX/22 to 192.168.10.1/34625 flags SYN ACK on interface inside
>> I would appreciate any help.
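The %ASA-6-106015 lines in this thread are the classic signature of an asymmetric return path: the client's SYN ACK reaches the default-gateway ASA, which never saw the SYN (that went through the other ASA), so it drops the packet as "no connection". The following is an added example, not code from either poster, that parses such syslog lines and flags the denies whose peer lives in a subnet the ASA is known not to be the stateful path for. The sample log lines are constructed from the addresses quoted in the thread, and the "foreign" subnet 192.168.10.0/24 (the VPN address space routed via ASA_02) is assumed from the thread; the syslog timestamps and hostnames are omitted on the assumption that the message body is what matters.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines modelled on the messages quoted in the thread.
# The last line is an unrelated RST deny so the filter has something to reject.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34625 flags SYN ACK on interface inside
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:192.168.10.1 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34626 flags SYN ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.50/443 to 203.0.113.9/51000 flags RST on interface inside
"""

# Subnets whose sessions are opened through a different firewall (assumed from the
# thread: the VPN address space lives behind ASA_02, not behind the default gateway).
FOREIGN_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]

# Field layout of the 106015 message as it appears in the thread.
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny (?P<proto>\w+) \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(log_text):
    """Return one dict per 106015 'Deny ... (no connection)' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["flags"] = ev["flags"].split()   # "SYN ACK" -> ["SYN", "ACK"]
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_asymmetric_reply(ev, foreign_subnets):
    """True when the deny is a SYN ACK (a reply to a session this ASA never saw)
    addressed to a peer in a subnet that is reached through another firewall."""
    if set(ev["flags"]) != {"SYN", "ACK"}:
        return False
    dst = ipaddress.ip_address(ev["dst"])
    return any(dst in net for net in foreign_subnets)


def summarize(log_text, foreign_subnets):
    """Count all 106015 denies, the asymmetric-path subset, and which internal
    server/port is answering sessions that were opened elsewhere."""
    events = parse_106015(log_text)
    hits = [ev for ev in events if is_asymmetric_reply(ev, foreign_subnets)]
    by_server = Counter((ev["src"], ev["sport"]) for ev in hits)
    return {
        "total_denies": len(events),
        "asymmetric": len(hits),
        "by_server": dict(by_server),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, FOREIGN_SUBNETS)
    print(f"106015 denies: {report['total_denies']}, "
          f"asymmetric-path replies: {report['asymmetric']}")
    for (server, port), n in report["by_server"].items():
        print(f"  {server}:{port} answered {n} session(s) opened via another firewall")
```

Run against a real ASA syslog export, a high count for one server/port pair in `by_server` tells you which hosts' replies are being dropped by the default gateway, which is the evidence to bring when deciding whether the return path (or the state handling on that ASA) needs to change; the script only identifies the symptom, it does not alter any routing.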