I'm trying to configure a backup connection with a 501 that will have a VPN connection. I am able to connect to the tunnel using the client, but once I'm connected I can't ping or connect to anything in the network. This is the config from the 501.
access-list NONAT permit ip 192.168.200.0 255.255.255.0 10.25.0.0 255.255.0.0
ip address outside World 255.255.255.248
ip address inside 10.74.253.0 255.255.255.252
ip local pool TECH_VPN_POOL 192.168.200.10-192.168.200.254
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 World 1
route inside 10.25.0.0 255.255.0.0 10.25.200.2 1
route inside 192.168.25.0 255.255.255.0 192.168.25.1 1
route inside 192.168.200.0 255.255.255.0 192.168.200.1 1
Gateway of last resort is 10.25.21.1 to network 0.0.0.0
C 192.168.200.0/24 is directly connected, Vlan61
C 10.25.0.0/16 is directly connected, Vlan10
C 192.168.25.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 10.25.21.1
C 10.65.253.0/30 is directly connected, FastEthernet5/48
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.34.7 YES NVRAM up up
Vlan10 10.34.200.2 YES NVRAM up up
Vlan666 192.168.200.1 YES manual up up
Sorry for the late reply, I've been busy.
Did you configure the static routes I suggested in my last post?
For telnet/SSH to the PIX while connected through the VPN tunnel you will need management-access inside.
Just for giggles, even though I am connecting to the PIX, could the ISP be blocking certain traffic?
This is very unlikely
Do I need to set up split tunneling, maybe?
Don't need to go there.
If you have access to the PIX while VPN connected, try confirming that the PC RA client is indeed connected.
You can verify in the firewall by issuing the following and saving the output:
show crypto isakmp sa
You may also confirm that the client is getting an IP from the local pool:
show ip local pool
It should show the IP address the RA client was assigned.
From the PIX itself you should be able to ping the RA client IP, provided the PC client does not have a firewall turned on.
If you get up to the above point we can say the RA VPN is fine. From that point on, downstream to reach your networks in the 4500 switch is where you have to make the routing changes I provided you.
The problem I see, that you cannot reach the networks in the 4500 switch, is because there is no route back to the secondary PIX for the RA VPN pool network. Because you have a default route in the 4500 switch pointing to the primary PIX, the switch has no knowledge of the secondary PIX RA.
Looking at the show ip route of the 4500 switch, it shows your default route is
S* 0.0.0.0/0 [1/0] via 10.25.21.1, but your diagram says 10.25.20.1; I assume the diagram has a typo.
In any case, try working your way down to reach your subnets in the 4500 switch; once you get this fixed, then move towards the 6500 switch subnets. Are you doing any dynamic routing internally?
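As an added worked example (not part of any post in this thread), here is the return route that the last reply describes, in Cisco IOS syntax for the 4500, together with the PIX-side lines that have to agree with it. Everything below that is not in the posted config is an assumption: the /30 addresses 10.65.253.1 and 10.65.253.2 are placeholders on the network the 4500 shows as connected to FastEthernet5/48 (the posted PIX config gives 10.74.253.0/30, which does not match and is a network address rather than a host address, so substitute the real values), and the pool is moved to 192.168.201.0/24 because in the posted output 192.168.200.0/24 is already a directly connected VLAN on the 4500 (192.168.200.1) and the PIX has a static route for it pointing inside; a pool that overlaps an internal subnet cannot be routed back to the firewall. One further check the posted config suggests: the ACL used by nat (inside) 0 access-list is matched with the inside hosts as source and the VPN pool as destination, so the NONAT entry is written in that direction here.

```cisco
! Added example, not from the original thread. Placeholders, all assumed:
!   10.65.253.1 / 10.65.253.2  the /30 between 4500 Fa5/48 and the secondary PIX inside interface
!   192.168.201.0/24            a VPN pool not used by any internal VLAN
!
! --- Catalyst 4500 (IOS): return route for the RA VPN pool ---
! The default route still points at the primary PIX; only the pool is sent to the secondary PIX.
ip route 192.168.201.0 255.255.255.0 10.65.253.2
!
! --- Secondary PIX 501 (PIX 6.x syntax): lines that must agree with the route above ---
ip address inside 10.65.253.2 255.255.255.252
ip local pool TECH_VPN_POOL 192.168.201.10-192.168.201.254
! NAT exemption is matched with inside hosts as source and the pool as destination
access-list NONAT permit ip 10.25.0.0 255.255.0.0 192.168.201.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Internal subnets behind the 4500 are reached through the far end of the /30
route inside 10.25.0.0 255.255.0.0 10.65.253.1 1
! No static route for the pool itself: traffic to connected clients is carried by the
! IPsec tunnel on the outside interface
! Needed only to telnet/SSH to the PIX inside address over the tunnel
management-access inside
!
! Verification, following the reply above
! 4500:  show ip route 192.168.201.0      (expect S 192.168.201.0/24 via 10.65.253.2)
! PIX:   show crypto isakmp sa            (expect the client peer in state QM_IDLE)
!        show ip local pool               (the address assigned to the client)
!        ping <client address>            (with the PC firewall off)
```

The 6500 and any other router in the path needs the same return route for the pool, or the pool must be carried by whatever dynamic routing protocol is in use, which is why the reply ends by asking about internal routing.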