410 Views | 0 Helpful | 3 Replies

VPN Client Issue

networker101
Level 1

Hi,

Can someone advise me on this;

We are having issues with external suppliers accessing servers using the Cisco IPSec client (ver 5). The clients can VPN into the ASA and they receive an IP address from the address pool. When the supplier tries to RDP to the servers at the site they receive an error that they cannot connect.

The IP address range on the inside network is 10.0.0.0/8 and frequently the suppliers are using this for some part of their network as well. We suspect a routing issue but we have been unable to find a way to force the traffic (typically a server somewhere on the 10.20.0.0 subnet) down the VPN tunnel.

When they dial in from another network (i.e. home broadband) they can RDP into the servers without any issue.

So we are assuming that the clients' office address range is what is causing the problem.

We have tried SSL and AnyConnect with more success but it is not reliable.

Thanks

3 Replies

Hi,

The internal network behind the ASA is 10.0.0.0/8

The VPN clients presenting problems are the ones that reside somewhere on a segment of the 10.0.0.0/8 as well?

The VPN pool belongs to the 10.0.0.0/8?

You say you have seen the problem only when clients attempt to connect from a segment belonging to the 10.0.0.0/8 and accessing a particular server?

Sometimes you can NAT your VPN traffic to avoid overlapping issues.

Federico.

Hi Federico,

I am not sure exactly what the clients' address is, but the user did say they were on a Segment 10 address.

The VPN pool that has been allocated is 10.20.28.X

Only clients that are accessing from a Segment 10 address experience this problem. I have tried from an ADSL line using the user's credentials and I have no problem accessing the servers via RDP. The server is also behind a 10.0.0.0/8.

Can you give me an example of NATing VPN traffic for users who are coming from a Segment 10 address?

Thanks

Let's say that you have a problem accessing an internal server 10.9.9.9

You can create a NAT rule for that server:

static (in,out) x.x.x.x 10.9.9.9

The above rule will statically translate the internal server 10.9.9.9 to x.x.x.x

To make this work, 10.9.9.9 should be excluded from the NAT0 statement for the entire 10.0.0.0/8, since the NAT0 ACL takes precedence over static NAT.

Federico.
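As an added illustration of the overlap problem discussed in this thread (example code, not from any of the posts), the script below models the VPN client's routing decision by longest-prefix match: the supplier's directly connected 10.x LAN beats the broader 10.0.0.0/8 route pushed through the tunnel, so traffic to a server inside the overlap never leaves the office. It then shows why Federico's static NAT only helps if the mapped address is outside the overlap and is itself routed into the tunnel. All prefixes and addresses are constructed; the tie-break in favour of the LAN is an assumption (metrics differ by OS).

```python
import ipaddress


def build_routes(local_lans, tunnel_nets):
    """Constructed client routing table: connected LAN prefixes plus the
    'secured routes' the ASA pushes to the client for the tunnel."""
    routes = [(ipaddress.ip_network(n), "lan") for n in local_lans]
    routes += [(ipaddress.ip_network(n), "vpn") for n in tunnel_nets]
    return routes


def egress_for(dest, routes):
    """Longest-prefix match, as the client's IP stack does.
    On an equal-length tie the connected LAN route is assumed to win."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, via in routes:
        if addr not in net:
            continue
        if (best is None
                or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and via == "lan")):
            best = (net, via)
    return best[1] if best else "default"


def diagnose(targets, local_lans, tunnel_nets):
    """Map each target address to where the client would send it."""
    routes = build_routes(local_lans, tunnel_nets)
    return {t: egress_for(t, routes) for t in targets}


if __name__ == "__main__":
    # Supplier office uses 10.20.0.0/16; ASA pushes 10.0.0.0/8 via the tunnel.
    print(diagnose(["10.9.9.9", "10.20.5.5"], ["10.20.0.0/16"], ["10.0.0.0/8"]))
    # Worst case from the thread: supplier's own LAN is the whole 10.0.0.0/8.
    print(diagnose(["10.9.9.9"], ["10.0.0.0/8"], ["10.0.0.0/8"]))
    # The fix: reach the server via a mapped address outside 10/8 that is
    # also pushed as a tunnel route (203.0.113.0/24 is a constructed example).
    fixed = build_routes(["10.0.0.0/8"], ["10.0.0.0/8", "203.0.113.0/24"])
    print(egress_for("203.0.113.10", fixed))
```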
