VPN Establishes Correctly Unable to access Internal Networks

cantorb1
Level 1

I have a new 5505 with a fairly base config. Please provide guidance on the following. I can connect to the ASA (it is at a remote location) with no issue over VPN. From the ASA I can ping a switch that hangs off of a directly connected interface. I cannot ping or SSH/telnet to the switch from my desktop. My question is: what things are needed to make this happen? I guess I'm generally a bit fuzzy on the logic the firewall uses when dealing with VPN clients. Also, I am NOT using split tunneling... everything goes through the IPsec tunnel. Thanks.

4 Replies

sziaulla
Cisco Employee

Can you please check if your switch knows how to get back to the pool address?

Do you have NAT configured on the ASA? Can you please send me the output of "show run nat" and "sh run global" from the ASA?

thanks

-Syed

dc-dfw01# sho run | grep pool
ip local pool dimension 172.24.200.1-172.24.200.254 mask 255.255.255.0
address-pools none
address-pool dimension

dc-dfw01# sho route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 96.11.188.67 to network 0.0.0.0

C    192.168.133.0 255.255.255.0 is directly connected, inside
C    96.11.188.64 255.255.255.240 is directly connected, outside
S    172.24.200.1 255.255.255.255 [1/0] via 96.11.188.67, outside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S*   0.0.0.0 0.0.0.0 [1/0] via 96.11.188.67, outside

dc-dfw01# sho run nat
nat (outside) 1 172.24.200.0 255.255.255.0
nat (outside) 1 172.24.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1

dc-dfw01# sho run global
global (outside) 1 interface
dc-dfw01#

Please let me know if you need any additional info.

bc

Why do you have this statement:

nat (outside) 1 172.24.200.0 255.255.255.0

Is it because you want these clients to go to the Internet via this VPN connection?

I think the show route output you sent is from the firewall? Can you please send me the show route from the switch?

Also, can you please send me the contents of the ACL "inside_nat0_outbound_1"?

thanks

-Syed
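The three things Syed is asking about (a NAT-exempt entry from the inside network to the client pool, a return route on the switch for the pool, and the reason for the pool hairpin NAT) can be checked mechanically from the outputs requested. The script below is an added example, not part of the thread or Cisco's tooling: it parses the pool, the nat (inside) 0 ACL and the inside network from 8.2-style ASA output, and a Cisco IOS-style routing table from the switch, and reports which of the three conditions hold. The output posted above is embedded as-is; the contents of inside_nat0_outbound_1 (in both a broken and a fixed variant), the same-security-traffic line, and the switch routing table are constructed, because the thread does not show them.

```python
"""Sanity checks for an ASA (8.2-style NAT) remote-access VPN whose clients
can reach the firewall but not the inside network.

Added example, not from the original thread. The ACL contents, the
same-security-traffic line and the switch routing tables are constructed."""
import ipaddress
import re

# Constructed: thread output plus an ACL entry exempting inside -> pool and
# the hairpin permit needed when split tunneling is off.
ASA_RUN_FIXED = """\
ip local pool dimension 172.24.200.1-172.24.200.254 mask 255.255.255.0
same-security-traffic permit intra-interface
nat (outside) 1 172.24.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
global (outside) 1 interface
access-list inside_nat0_outbound_1 extended permit ip 192.168.133.0 255.255.255.0 172.24.200.0 255.255.255.0
"""

# Constructed: same output, but the ACL only exempts a 172.24.8.0/24 network
# and the hairpin permit is absent.
ASA_RUN_BROKEN = """\
ip local pool dimension 172.24.200.1-172.24.200.254 mask 255.255.255.0
nat (outside) 1 172.24.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
global (outside) 1 interface
access-list inside_nat0_outbound_1 extended permit ip 192.168.133.0 255.255.255.0 172.24.8.0 255.255.255.0
"""

# Relevant lines of the ASA 'show route' as posted in the thread.
ASA_ROUTES = """\
C    192.168.133.0 255.255.255.0 is directly connected, inside
C    96.11.188.64 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 96.11.188.67, outside
"""

# Constructed IOS-style routing tables for the switch on the inside interface;
# 192.168.133.1 is assumed to be the ASA inside address.
SWITCH_ROUTES_OK = """\
C    192.168.133.0/24 is directly connected, Vlan1
S    172.24.200.0/24 [1/0] via 192.168.133.1
"""
SWITCH_ROUTES_MISSING = "C    192.168.133.0/24 is directly connected, Vlan1\n"


def vpn_pool(run):
    """Network covering the 'ip local pool' range (start address + mask)."""
    m = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", run)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def inside_network(asa_routes):
    """Connected network of the interface named 'inside' in 'show route'."""
    m = re.search(r"^C\s+(\S+) (\S+) is directly connected, inside$", asa_routes, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def _take_net(tokens):
    """Consume one ACL address spec (any | host A | A MASK) from a token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def nat0_exempts(run, inside, pool):
    """True if the 'nat (inside) 0' ACL exempts inside -> pool traffic from NAT."""
    m = re.search(r"nat \(inside\) 0 access-list (\S+)", run)
    if not m:
        return False
    for line in run.splitlines():
        toks = line.split()
        if toks[:5] != ["access-list", m.group(1), "extended", "permit", "ip"]:
            continue
        rest = toks[5:]
        src, dst = _take_net(rest), _take_net(rest)
        if inside.subnet_of(src) and pool.subnet_of(dst):
            return True
    return False


def hairpin_permitted(run):
    """Clients without split tunneling leave for the Internet via the same
    interface they arrived on, which the ASA only allows with this command."""
    return "same-security-traffic permit intra-interface" in run


def switch_route_to_pool(switch_routes, pool):
    """True if the switch has a route (or default) covering the VPN pool."""
    for m in re.finditer(r"^\S+\s+(\d+\.\d+\.\d+\.\d+/\d+)", switch_routes, re.M):
        if pool.subnet_of(ipaddress.ip_network(m.group(1), strict=False)):
            return True
    return False


def diagnose(run, asa_routes, switch_routes):
    """Report the three conditions a VPN client needs to reach the inside network."""
    pool, inside = vpn_pool(run), inside_network(asa_routes)
    return {
        "nat0_exempts_inside_to_pool": nat0_exempts(run, inside, pool),
        "switch_routes_pool_to_asa": switch_route_to_pool(switch_routes, pool),
        "hairpin_permitted": hairpin_permitted(run),
    }


if __name__ == "__main__":
    print("broken:", diagnose(ASA_RUN_BROKEN, ASA_ROUTES, SWITCH_ROUTES_MISSING))
    print("fixed: ", diagnose(ASA_RUN_FIXED, ASA_ROUTES, SWITCH_ROUTES_OK))
```

Paste the real "show run nat", "show access-list" and switch "show ip route" output into the constants to run it against a live box; any False in the result is one of the usual reasons a client that can reach the ASA cannot reach hosts behind it.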

Sounds like this is just a NAT-T issue. Do you have this?

crypto isakmp nat-traversal

or

isakmp nat-traversal
