02-24-2008 08:45 PM - edited 03-11-2019 05:07 AM
Hi,
We have an ASA 5500 series on which we have configured remote VPN access. This ASA is then connected to an L3 switch and also to our router.
There are different subnets (VLANs) on the L3 switch. Similarly, different subnets are reachable from the router (connected by leased serial lines to other locations). Simple static routing is used to connect our other locations. We have configured a pool of IP addresses on the ASA which is used to give IP addresses to VPN users one by one. The problem we are facing is that once a user is connected to the ASA using the VPN client loaded on his notebook, the user can access all subnets connected to the L3 switch. But the subnets reachable via the router (other locations) are not reachable from the user's notebook.
The subnet of the pool which we are using on the ASA for the remote access VPN client is directed to the PIX inside IP address from the router and from the L3 switch.
That means a packet with a target address in the ASA remote access pool is directed to the PIX inside interface as the next hop. We have checked it using tracert.
Please suggest.
Thanks in advance
Any experience, please share.
Subodh
02-24-2008 11:24 PM
Hi,
I have not exactly understood the problem.
Do you want to reach all remote locations through the router, or deny access to the subnets reachable by the L3 switch?
Please check the nat 0 access lists.
They should define exactly which source to which destination it should go.
Please provide a hand-drawn diagram.
Raj
02-25-2008 12:10 AM
Hi Bapat
"The subnet of the pool which we are using on the ASA for the remote access VPN client is directed to the PIX inside IP address from the router and from the L3 switch"
You mean you added a route for the VPN pool in both the router and the switch, correct? If yes, that's fine! But did you add the route for the VPN pool in the routers located at the other end of the leased line?
Run tracert from a notebook connected to the VPN to an IP at the other end of the leased line and check where the traceroute ends.
Regards
02-25-2008 01:54 AM
Hi,
Thanks for reply.
The pool which we have defined in ASA is
10.1.12.1 to 10.1.12.254. Users using remote access VPN get an IP from this pool. With this pool, an IP address, say 10.1.12.5 (which can be seen in the ipconfig command output on the VPN user's notebook), is given to one user. Our L3 subnets are 10.1.4.0/24 and 10.1.5.0/24; the user can access these subnets from the VPN user notebook. But subnet 10.1.11.0, which is reachable from the router, a remote VPN notebook can't reach. We have run tracert on the notebook; it shows up to the router, but then it is all star star. For testing purposes we created a VLAN on the L3 switch and gave it the same pool IP address, that is 10.1.12.5/24. As expected it was reachable from all locations, even those via the router. So packets are reaching the pool subnet, in our case 10.1.12.0/24.
Please guide !
02-25-2008 02:04 AM
"We have run tracert on the notebook; it shows up to the router, but then it is all star star"
So routing is fine and the packet reaches the router; that means the VLAN config is all OK. This strengthens the possibility that no route for 10.1.12.0/24 is set in the router that terminates the leased line (the 10.1.11.0 site).
Please apply the following:
On the router that tracert shows up to, type ping (just ping, no destination address). Type as source address an IP in 10.1.12.0/24 and as destination address an IP in the remote site (10.1.11.0). Are the pings successful?
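To make the suspected fault in this thread concrete, here is an added example (not from the original posts): a small longest-prefix-match route simulation over constructed routing tables modelled on the topology described above. Hostnames (asa, l3switch, hqrouter, remoterouter), the target host 10.1.11.7 and all table entries are assumptions; it traces the forward path from the VPN client and the return path from the remote site, showing that the reply dies at the leased-line router until that router gets a route for the pool subnet.

```python
import ipaddress

# Constructed topology: VPN client holds 10.1.12.5 from the ASA pool and targets
# a host in 10.1.11.0/24 behind the leased-line router. Tables are assumptions.
ROUTES = {
    "asa":      [("10.1.12.0/24", "vpn-pool"), ("0.0.0.0/0", "l3switch")],
    "l3switch": [("10.1.4.0/24", "local"), ("10.1.5.0/24", "local"),
                 ("10.1.12.0/24", "asa"), ("10.1.11.0/24", "hqrouter")],
    "hqrouter": [("10.1.11.0/24", "remoterouter"), ("10.1.12.0/24", "asa"),
                 ("0.0.0.0/0", "l3switch")],
    # Remote site knows HQ's LAN subnets but not the VPN pool: the suspected fault.
    "remoterouter": [("10.1.11.0/24", "local"), ("10.1.4.0/24", "hqrouter"),
                     ("10.1.5.0/24", "hqrouter")],
}

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None when no route exists."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(start, dst, routes=ROUTES, max_hops=10):
    """Follow next hops from start toward dst. Returns (hops visited, delivered)."""
    hop, path = start, [start]
    for _ in range(max_hops):
        nxt = lookup(routes[hop], dst)
        if nxt is None:
            return path, False          # no route: dropped here (the "* * *" in tracert)
        if nxt in ("local", "vpn-pool"):
            return path, True           # directly connected or pool: delivered
        hop = nxt
        path.append(hop)
    return path, False

def check_vpn_reachability(client_ip, target_ip, routes=ROUTES):
    """Forward path from the ASA to target_ip, then the return path back to the client."""
    fwd, fwd_ok = trace("asa", target_ip, routes)
    ret, ret_ok = trace(fwd[-1], client_ip, routes) if fwd_ok else ([], False)
    return {"forward": fwd, "forward_ok": fwd_ok, "return": ret, "return_ok": ret_ok}

def with_pool_route(routes):
    """Tables with the fix the thread points to: the remote router learns the pool subnet."""
    fixed = {name: list(entries) for name, entries in routes.items()}
    fixed["remoterouter"].append(("10.1.12.0/24", "hqrouter"))
    return fixed
```

Running check_vpn_reachability("10.1.12.5", "10.1.11.7") shows the forward path delivered but the return dropped at remoterouter; the same call with with_pool_route(ROUTES) returns the reply via hqrouter to the ASA.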