VPN Establishes Correctly, Unable to Access Internal Networks

Unanswered Question

I have a new 5505 with a fairly base config. Please provide guidance on the following. I can connect to the ASA (it is at a remote location) with no issue over VPN. From the ASA I can ping a switch that hangs off of a directly connected interface. I cannot ping or ssh/telnet to the switch from my desktop. My question is: what things are needed to make this happen? I guess I'm generally a bit fuzzy on the logic the firewall uses when dealing with VPN clients. Also, I am NOT using split tunneling... everything goes through the IPsec tunnel. Thanks.

sziaulla Thu, 08/06/2009 - 14:17
User Badges:
  • Cisco Employee,

Can you please check if your switch knows how to get back to the pool address?

Do you have NAT configured on the ASA? Can you please send me the output of "show run nat" and "sh run global" from the ASA?

thanks

-Syed

dc-dfw01# sho run | grep pool
ip local pool dimension 172.24.200.1-172.24.200.254 mask 255.255.255.0
address-pools none
address-pool dimension

dc-dfw01# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 96.11.188.67 to network 0.0.0.0

C    192.168.133.0 255.255.255.0 is directly connected, inside
C    96.11.188.64 255.255.255.240 is directly connected, outside
S    172.24.200.1 255.255.255.255 [1/0] via 96.11.188.67, outside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S*   0.0.0.0 0.0.0.0 [1/0] via 96.11.188.67, outside

dc-dfw01# sho run nat
nat (outside) 1 172.24.200.0 255.255.255.0
nat (outside) 1 172.24.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1

dc-dfw01# sho run global
global (outside) 1 interface
dc-dfw01#

Please let me know if you need any additional info.

bc
sziaulla Fri, 08/07/2009 - 07:16
User Badges:
  • Cisco Employee,

Why do you have this statement?

nat (outside) 1 172.24.200.0 255.255.255.0

Is it because you want these clients to go to the internet via this VPN connection?

I think the show route output you sent is from the firewall? Can you please send me the show route from the switch?

Also, can you please send me the contents of the ACL "inside_nat0_outbound_1"?

thanks

-Syed

acomiskey Fri, 08/07/2009 - 07:25
User Badges:
  • Green, 3000 points or more

Sounds like this is just a NAT-T issue. Do you have this?


crypto isakmp nat-traversal

or

isakmp nat-traversal
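The following is an added configuration example, not something posted in this thread, that pulls together the items Syed is asking about (NAT exemption for the pool and a return route on the switch) and the NAT-T setting acomiskey mentions, in the pre-8.3 ASA syntax the thread's "nat (inside) 0 access-list" output uses. The pool (172.24.200.0/24), inside network (192.168.133.0/24) and ACL name come from the posted output; the ASA inside address 192.168.133.1 and the switch address 192.168.133.2 are assumptions for illustration.

```text
! ---- ASA (pre-8.3 NAT syntax, as in the thread) ----
ip local pool dimension 172.24.200.1-172.24.200.254 mask 255.255.255.0

! NAT exemption: inside LAN -> VPN pool must bypass the "global (outside) 1 interface" PAT.
! Without a line like this in the ACL, the ASA itself can ping the switch (its own traffic is
! not NATed) while client traffic is translated and the replies never match the VPN.
access-list inside_nat0_outbound_1 extended permit ip 192.168.133.0 255.255.255.0 172.24.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1

! Decrypted VPN traffic bypasses the outside interface ACL (default is enabled; shown explicitly).
sysopt connection permit-vpn

! No split tunnel: clients reach the internet by hairpinning back out the outside interface.
! This is what "nat (outside) 1 172.24.200.0 255.255.255.0" is for, and it also needs:
same-security-traffic permit intra-interface

! NAT-T (the setting acomiskey mentions). Only relevant when the client sits behind a NAT device.
crypto isakmp nat-traversal 20

! ---- Switch (IOS, assumed to be a Layer 3 switch) ----
! Return route for the pool via the ASA inside address (assumed 192.168.133.1).
! On a Layer 2 switch this is instead "ip default-gateway 192.168.133.1".
ip route 172.24.200.0 255.255.255.0 192.168.133.1

! ---- Verification on the ASA ----
! Simulate a client ping to the assumed switch address; the trace should show a NAT exempt
! (identity) translation and ALLOW, not a dynamic PAT to the outside interface.
packet-tracer input outside icmp 172.24.200.10 8 0 192.168.133.2 detailed
! Encaps counters rising with decaps flat means the switch's reply never came back: check the
! switch route/gateway first, then the nat 0 ACL.
show crypto ipsec sa peer <client-public-ip>
```

The "S 172.24.200.1 255.255.255.255 ... via 96.11.188.67, outside" entry in the posted route table is the per-client host route the ASA installs for the connected VPN user, so the firewall side of the return path is already in place; the two remaining places for the reply to be lost are the translation (nat 0 exemption) and the switch's own routing table, which is exactly what Syed's two questions target.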
