07-08-2008 08:01 AM
hi,
Currently, my VPN works fine from the outside to the router. The problem is that I'm not quite sure why the traffic on the inside is not finding its way to the outside (VPN client). I tried adding an interesting-traffic ACL on my dynamic map; the VPN client lock would not close, but there was a QM_IDLE ISAKMP session established and an IPsec tunnel. I've also tried adding a static route on all my local routers (for test only) routing the 10.0.12.0 network to my VPN router 10.0.0.188; only my network device can communicate with my VPN client host when I do this, but the hosts that belong to the network cannot communicate.
I've attached config and debug outputs.
Any suggestions?
TIA,
-Fred
07-08-2008 08:52 AM
What is the default gateway for internal hosts?
07-08-2008 09:42 AM
The GW for internal hosts is a different router, 10.0.0.10.
10.0.0.10's default GW is 10.0.0.52 (.52 is the PBR router); all traffic from 10.0.0.0/24 flows like this:
10.0.0.x/24 -> 10.0.0.10 (inside hosts' default GW) -> 10.0.0.52 (PBR router) -> 10.0.0.191 (ASAC1)
The ASA does the static NAT for the VPN router.
Also,
I've tried making router 10.0.0.10's default GW .191 (ASAC1) to bypass the PBR, but the problem still existed.
On router 10.0.0.10 I've also tried adding the following statement: ip route 10.0.12.0 255.255.255.0 10.0.0.188 (RA VPN router)
The only thing that worked here was that my VPN client PC was able to successfully ping/telnet into the 10.0.0.10 router, but still no hosts on the 10.0.0.x/24 subnet were able to reach 10.0.12.x.
07-08-2008 09:51 AM
You should have a static route for the VPN pool on the router which is the default gateway for internal users.
07-08-2008 10:01 AM
Sorry, I was adding on to my post as you replied. Adding the static route to the VPN pool on the router which is my default GW for internal users only worked for my router, but not my network.
If I add that static route on my internal hosts' default GW, my VPN client can only access that router, but not the network itself.
07-08-2008 10:19 AM
Hi,
Can you please add a no-NAT ACL, with the internal LAN as source and the VPN pool as destination.
Make sure that your GW router has a route towards the VPN pool.
r/g
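The NAT exemption and route the answer above describes, written out as an added example; this is not the original poster's config (which was only attached to the thread) and not the answerer's. It assumes the ASA's inside interface is named `inside`, uses the internal LAN 10.0.0.0/24, VPN pool 10.0.12.0/24, gateway router 10.0.0.10 and RA VPN router 10.0.0.188 from the thread, and the ACL name `nonat` and the host addresses in the check are placeholders. The NAT syntax is the pre-8.3 ASA form that was current in 2008.

```cisco
! ASA (pre-8.3 syntax): exempt LAN -> VPN-pool traffic from the NAT that
! otherwise rewrites packets leaving the inside interface.
! Addresses are from the thread; the ACL name "nonat" is assumed.
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Internal hosts' default gateway (router 10.0.0.10): point the VPN pool at
! the RA VPN router so pool-bound traffic does not follow the default route.
ip route 10.0.12.0 255.255.255.0 10.0.0.188
!
! Check from the ASA CLI (7.2 and later): a packet from an inside host to a
! pool address should match the "nat 0" exemption, not the static NAT.
! Host and pool addresses here are placeholders.
! packet-tracer input inside icmp 10.0.0.50 8 0 10.0.12.10
```

On ASA 8.3 and later `nat (inside) 0 access-list` no longer exists; the same exemption is written as a twice-NAT rule (`nat (inside,outside) source static <LAN-object> <LAN-object> destination static <pool-object> <pool-object>`), and the route on the gateway router is unchanged. On the VPN router, `show crypto ipsec sa` should then show both encaps and decaps counters rising for the LAN-to-pool SA once hosts start reaching the client.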
07-08-2008 10:37 AM
In conclusion,
I didn't include a no-NAT ACL on the ASA for my router's VPN traffic.
Thanks for your help.
Regards,
-Fred
07-09-2008 03:35 AM
No worries:)