08-06-2009 11:59 AM - edited 02-21-2020 03:37 AM
I have a new 5505 with a fairly basic config. Please provide guidance on the following. I can connect to the ASA (it is at a remote location) with no issue over VPN. From the ASA I can ping a switch that hangs off of a directly connected interface. I cannot ping or ssh/telnet to the switch from my desktop. My question is: what things are needed to make this happen? I guess I'm generally a bit fuzzy on the logic the firewall uses when dealing with VPN clients. Also, I am NOT using split tunneling... everything goes through the IPsec tunnel. Thanks.
08-06-2009 02:17 PM
Can you please check if your switch knows how to get back to the pool address?
Do you have NAT configured on the ASA? Can you please send me the output of "show run nat" and "sh run global" from the ASA?
thanks
-Syed
08-06-2009 04:16 PM
dc-dfw01# sho run | grep pool
ip local pool dimension 172.24.200.1-172.24.200.254 mask 255.255.255.0
address-pools none
address-pool dimension
dc-dfw01# sho route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 96.11.188.67 to network 0.0.0.0
C 192.168.133.0 255.255.255.0 is directly connected, inside
C 96.11.188.64 255.255.255.240 is directly connected, outside
S 172.24.200.1 255.255.255.255 [1/0] via 96.11.188.67, outside
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
S* 0.0.0.0 0.0.0.0 [1/0] via 96.11.188.67, outside
dc-dfw01# sho run nat
nat (outside) 1 172.24.200.0 255.255.255.0
nat (outside) 1 172.24.8.0 255.255.25.0
nat (inside) 0 access-list inside_nat0_outbound_1
dc-dfw01# sho run global
global (outside) 1 interface
dc-dfw01#
Please let me know if you need any additional info.
bc
08-07-2009 07:16 AM
Why do you have this statement?
nat (outside) 1 172.24.200.0 255.255.255.0
Is it because you want these clients to go to the internet via this VPN connection?
I think the show route output you sent is from the firewall? Can you please send me the show route from the switch?
Also, can you please send me the contents of the ACL "inside_nat0_outbound_1"?
thanks
-Syed
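The two things Syed is asking about (the NAT-exempt ACL and the switch's return route) are shown together below as an added example; this is not the poster's running config or a Cisco-supplied snippet. It assumes the pre-8.3 NAT syntax the thread's "nat (outside) 1" lines indicate, the pool and inside subnet already shown in the thread, and an assumed ASA inside address of 192.168.133.1.

```text
! --- ASA side (assumed pre-8.3 syntax, addresses taken from the thread) ---
! 1. Exempt inside-LAN <-> VPN-pool traffic from NAT (nat 0). If this ACL
!    does not match the pool, return traffic gets translated and the
!    desktop cannot reach the switch even though the ASA itself can ping it.
access-list inside_nat0_outbound_1 extended permit ip 192.168.133.0 255.255.255.0 172.24.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
!
! 2. With split tunneling off, internet traffic from pool clients enters and
!    leaves on the outside interface. That hairpin needs intra-interface
!    traffic permitted and the pool PATed to the outside address, which is
!    what the "nat (outside) 1" line in the thread does.
same-security-traffic permit intra-interface
nat (outside) 1 172.24.200.0 255.255.255.0
global (outside) 1 interface
!
! 3. Clients behind a NAT device need NAT-T so ESP survives the translation.
crypto isakmp nat-traversal 20

! --- Switch side (assumed: ASA inside interface is 192.168.133.1) ---
! The switch must be able to route replies to the pool. Either a specific
! route (Layer 3 switch) ...
ip route 172.24.200.0 255.255.255.0 192.168.133.1
! ... or, on a Layer 2 switch with only a management address, a default gateway.
ip default-gateway 192.168.133.1
```

To check the first point without changing anything, "show run access-list inside_nat0_outbound_1" should contain a line covering the pool subnet, and "show xlate" should show no translation for a pool address after a ping from the VPN client; if a translation appears there, the exemption is not matching.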
08-07-2009 07:25 AM
Sounds like this is just a NAT-T issue. Do you have this?
crypto isakmp nat-traversal
or
isakmp nat-traversal