Can't access other subnets once connected

Unanswered Question
Mar 28th, 2008

I have a PIX 525 with ASA 8 and ASDM 6 behind a layer 2 (transparent mode) firewall.

I've configured remote access VPN on this thing and I can connect from home (with NAT-T disabled).

All the IP addresses are public IPs except the client from home, which goes through a NAT.


Once connected, I can't ping/reach any other subnet except the one that's assigned to cipsec0 interface.


I've tried adding an allow-all firewall rule on the PIX itself, disabling NAT, and many other settings, but can't seem to make it go beyond the "inside" net of the PIX.


Any ideas?


Here is a simple diagram.


[email protected](10.0.0.2)->NAT(verizon)->internet->layer2firewall->PIX-outside(129.2.10.2)->PIX-inside(129.2.20.2)


Now, the 129.2.20.0/24 network is not for VPN only; it's an existing subnet that has its own default gateway.

In fact the PIX is not the default gateway in any subnet.

acomiskey Fri, 03/28/2008 - 07:05

You need to enable nat-t.


crypto isakmp nat-traversal

dkim777oig Fri, 03/28/2008 - 08:31

Well, in my ASDM 6 crypto map settings, "NAT-T Enabled" is checked.


BUT, in sh run, I don't see any command similar to "crypto isakmp nat-traversal".


What does that mean?


acomiskey Fri, 03/28/2008 - 08:40

Then it is enabled. It would only display in the config if it were disabled: "no crypto isakmp nat-traversal".


Must be another issue, like nat exemption maybe, can you post the config?
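As an added illustration of the NAT exemption and routing pieces this thread circles around (not the poster's config, which was never shown), here is an ASA 8.0-style fragment for the diagram above: 129.2.20.0/24 is the PIX inside net, 129.2.30.0/24 stands in for "any other subnet", 129.2.20.1 is assumed to be the inside default gateway, and 10.10.10.0/24 is a constructed VPN client pool.

```cisco
! Constructed VPN client pool (the thread never states the real one)
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! NAT-T is on by default in 8.x and only appears in the config when disabled
crypto isakmp nat-traversal 20
!
! NAT exemption: traffic from every internal subnet to the pool must bypass
! translation, or replies leave the PIX translated and never reach the client
access-list NONAT extended permit ip 129.2.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip 129.2.30.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The PIX is not the gateway of 129.2.30.0/24, so it needs a route via the inside router
route inside 129.2.30.0 255.255.255.0 129.2.20.1
!
! If split tunnelling is used, every subnet the client must reach has to be in the list
access-list SPLIT standard permit 129.2.20.0 255.255.255.0
access-list SPLIT standard permit 129.2.30.0 255.255.255.0
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
```

The other half lives outside the PIX: because it is not the default gateway anywhere, the router that is (129.2.20.1 here) needs a route for 10.10.10.0/24 pointing at the PIX inside address 129.2.20.2, otherwise hosts on 129.2.30.0/24 send their replies to their own gateway, which has no path back to the pool. A pool carved out of 129.2.20.0/24 masks this on the inside net, since the PIX proxy-ARPs for pool addresses there, which is consistent with only that subnet being reachable.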

kduckett Fri, 03/28/2008 - 12:01
This solved the same problem I was having with a Cisco ASA 5540. Thanks for the very helpful post.


Keith
