03-04-2008 02:51 AM - edited 02-21-2020 03:36 PM
Hi,
I have a 5510 that is used for Client VPN access and there is something simple I just can't get to work.
The VPN part works fine with AAA done on an ACS.
But what doesn't work is Access to networks that are not directly connected to the Inside interface.
i.e. VPN users can connect to the Inside interface network (say 192.168.0.0/24) but not to a 10.0.0.0/8 network that is connected through the 192.168.0.1 router.
I have the static routes all in the Firewall and all routing pointing the way back to the Firewall from all other networks, but I get no further than the 192.168.0.1 router.
I use split-tunneling and forward all Private networks over the VPN - internet is used through the client's own local access.
Can someone help me out here?
Thanks.
Fraser
PS: I have the same type of access on a 7206VXR and that is just sweet, everything can be accessed that is needed - but I would like to move this service over to the ASA.
03-04-2008 06:53 AM
Fraser
I don't understand ASDM parts like you submit. Some of the code would be great.
I would also recommend checking ACLs applied to the inside interface (if any) that it permits the traffic, like
access-list inside_access_in permit 10.0.0.0 255.0.0.0 vpnsubnet vpnnetmask
If still no joy, attaching your sanitized config would be helpful for me to diagnose.
Regards
03-04-2008 03:54 AM
Hi Fraser
I assume exempt NAT statements for these specific networks are missing. Following is an example exempt NAT
access-list inside_nat0_outbound permit 10.0.0.0 255.0.0.0 vpnipool vpnsubnetmask
nat (inside) 0 access-list inside_nat0_outbound
Also double-check that a route back to VPN IP pool exists in 192.168.0.1 router, like following
ip route vpnpool vpnsubnetmask ASAinsideinterface
Regards
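The two replies above put together as a worked configuration. This is an added example, not posted by any participant, and it uses constructed sample values: a VPN client pool of 192.168.100.0/24, an ASA inside address of 192.168.0.254, and the pre-8.3 NAT syntax the replies use (8.3 and later replaced nat 0 access-list with manual/twice NAT).

```cisco
! --- ASA (pre-8.3 syntax) ---
! Constructed sample value: VPN client address pool
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! NAT exemption must cover BOTH the directly connected inside network
! and the 10.0.0.0/8 network behind the 192.168.0.1 router; a line
! only for 192.168.0.0/24 is the usual reason 10.x is unreachable.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Split tunnel: only the private networks are sent through the tunnel,
! so 10.0.0.0/8 must be listed here as well
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Static route to 10.0.0.0/8 via the inside router
route inside 10.0.0.0 255.0.0.0 192.168.0.1 1

! Only needed if an ACL is applied to the inside interface: it has to
! permit the return traffic from 10.x to the VPN pool
access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
access-group inside_access_in in interface inside

! --- Router 192.168.0.1 (IOS) ---
! Return route for the VPN pool pointing at the ASA inside interface
! (constructed: ASA inside address 192.168.0.254)
ip route 192.168.100.0 255.255.255.0 192.168.0.254

! --- Check on the ASA ---
! Simulate a 10.x host replying to a VPN client; the NAT phase of the
! output should show a match on inside_nat0_outbound, and the result
! should be ALLOW. No nat0 match means the exemption is incomplete.
packet-tracer input inside tcp 10.1.1.20 80 192.168.100.10 1025
```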
03-04-2008 10:56 PM
jo!
You were right here - I think I will stick to the CLI from now on - it is much easier to find out what I want to know than ASDM.
Thanks!
Fraser