Hi all, hope somebody can help me out or point me in the right direction with this one. This is my setup:
HQ - MX behind an ASA
Branch - MX with AutoVPN to HQ with DSL connection
HQ is on a 10.32.0.x subnet with a static IP in that range, gateway is set to the core switch IP
Branch is on a 10.32.18.x subnet with a route on the ASA to allow reaching the network beyond the HQ MX
Everything works as expected with the VPN,from the branch we can reach any 10.32.x .x subnet as well as subnets in the range 172.30.x.x. coming from the ASA
Now it becomes murky, currently because we have the Default route ticked in Site-to-Site VPN, all our traffic goes over the VPN, we need to change this behaviour to ensure only advertised subnets go over the VPN and all internet traffic breaks out locally. I know that by unticking the Default Route, I will get local internet breakout for non-vpn traffic, but this means that I can only reach the 10.32.x.x subnets and crucially not the 172.32.x.x subnets.
I tried adding another VLAN in the 172 subnet but it didn't work because the MX doesn't know how to route this vlan, I also tried adding a static route but this also failed. So now I'm stumped. It might well be that my inputs in vlans/static were wrong, any help would be greatly appreciated. Feel free to ask for more details.
Solved! Go to Solution.
Hq mx is in routed mode? You have a simple network drawing? Not sure if your hq is behind asa,coreswitch or both..
On the hq mx you create a route for 172.30.x.x to the next hop (ip of the coreswitch 10.32.0.??? ) , and you select advertise this route in vpn.
The coreswitch knows the way(routing table) to 172.30.x.x and 10.32.18.x ?
HQ is behind ASA and Core Switch and in Passthrough mode, is this incorrect? Should I change it?
Yes the Core Switch knows the routing to the subnets