Routing VPN clients to private network behind an ASA

Unanswered Question
Aug 12th, 2010

One of our clients currently has an ASA 5510 on site, and they are using IPSEC VPN for their mobile users to connect.

The VPN Subnet is

Internal network is VPN Access works fine to the 192 subnet.

Private network behind the firewall is 162.xx.xx.0/16

Recently, we added an internal router for one of their departments to have secure access to the private network. There is another managed router on-site to connect to this private network that we have no access to change. We are connecting to the private network through the client's internal router and NAT-ing their internal network to the private network subnet. That is also working fine.

The issue is that I also need to route the VPN subnet to the private network. I have attempted to add the private network subnet to the split tunnel list and I can get as far as pinging the managed router interface at 162.xx.xx.1 but it goes no further than that.

I tried adding the 172 subnet to the NAT statements but that didn't get me anywhere.

What am I missing? See my 5-minute VISIO diagram for a better picture.


Asim Malik Thu, 08/12/2010 - 12:48

This might be a routing problem on your private network.

You can apply this capture on ASA to confirm

access-list cap permit ip

access-list cap permit ip

cap test access-list cap interface inside

Run this command to check the hits while you ping the 162.x.x.x network from your VPN client.

sh cap test

If you see echo requests being sent and no replies, then your server or router in the private network doesn't know how to reach the VPN pool addresses.
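As an added example (not part of the thread, and not Cisco's tooling), here is a small Python script that applies the diagnostic above to saved `show capture` output: it counts ICMP echo requests and replies per target and reports targets that were pinged but never answered, which is the signature of a missing return route to the VPN pool. The capture text is constructed to resemble the ASA's capture line format; the 10.10.10.0/24 pool and 162.0.x.x addresses are placeholders, not the poster's real values.

```python
import re
from collections import defaultdict

# Constructed sample of "show capture test" output, modelled on the ASA
# capture line format (index, timestamp, src > dst: protocol detail).
# 162.0.1.1 stands in for the managed router, 162.0.1.8 for a host behind it.
SAMPLE_CAPTURE = """\
4 packets captured

   1: 12:48:01.103211 10.10.10.5 > 162.0.1.1: icmp: echo request
   2: 12:48:01.103790 162.0.1.1 > 10.10.10.5: icmp: echo reply
   3: 12:48:05.220014 10.10.10.5 > 162.0.1.8: icmp: echo request
   4: 12:48:06.220301 10.10.10.5 > 162.0.1.8: icmp: echo request
4 packets shown
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                  # packet index and timestamp
    r"(?:.*?\s)?"                          # optional 802.1Q / priority fields
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+): icmp: echo (?P<kind>request|reply)"
)


def parse_capture(text):
    """Return a list of (src, dst, kind) tuples for every ICMP echo line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], m["dst"], m["kind"]))
    return flows


def one_way_pings(text):
    """Return {target: request_count} for targets that were pinged but never replied.

    A reply is attributed to the target by its *source* address, so a target
    appears here only if we saw requests to it and no reply from it.
    """
    requests = defaultdict(int)
    replied = set()
    for src, dst, kind in parse_capture(text):
        if kind == "request":
            requests[dst] += 1
        else:
            replied.add(src)
    return {t: n for t, n in requests.items() if t not in replied}


if __name__ == "__main__":
    for target, count in one_way_pings(SAMPLE_CAPTURE).items():
        print(f"{target}: {count} echo request(s), no reply -> check return route to VPN pool")
```

Paste the real `show capture test` output in place of `SAMPLE_CAPTURE` (or read it from a file); a target listed by `one_way_pings` is reachable from the ASA but has no path back to the pool, while a target that does not appear at all was never tunnelled by the client in the first place.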

ewellsie07 Thu, 08/12/2010 - 12:58

The capture works when I ping 162.xx.xx.1 but anything else in that network, the capture doesn't show anything.

Asim Malik Thu, 08/12/2010 - 13:03

What IP address are you pinging? Make sure it matches what we defined in the capture ACL.

ewellsie07 Thu, 08/12/2010 - 13:04

I am pinging an address that's 162.xx.xx.8 in the /16 network that works from the internal LAN.

Asim Malik Thu, 08/12/2010 - 13:12

Please try the capture with the host IP for your server, or make it general by using "any" for the destination as below:

access-list cap permit ip any

access-list cap permit ip any

We should be able to see some hits, as we are able to ping the router interface. Make sure you applied it to the correct interface. In the command below we have assumed your interface facing the private side is "inside"; you might be using some other interface, so check this too.

cap test access-list cap interface inside

ewellsie07 Thu, 08/12/2010 - 13:10

I figured it out. It was easier than I thought. My split tunnel list was using a network object with a subnet of 162.xx.xx.0/28 which was a previous configuration before I knew the private network was a /16.

Once I edited the split tunnel list to /16 it worked.

So basically all I had to do was add 162.xx.xx.0/16 to the split tunnel, add a static route in the ASA for 162.xx.xx.0/16 to point to, and then add the network to the NAT statement on the internal router.

Thanks for the help.
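As an added example (not part of the thread), the following Python script models the three places a VPN client's packet could have been lost in this thread: the client's split-tunnel list, the ASA's route table, and the private side's return path to the VPN pool (provided here by the NAT on the internal router). It reproduces why a /28 split-tunnel entry let the router interface at .1 answer while a host further into the /16 was silently never tunnelled. All prefixes and addresses are constructed placeholders (10.10.10.0/24 as the VPN pool, 162.0.0.0/16 as the private network), not the poster's real values.

```python
import ipaddress

# Constructed stand-ins for the thread's networks.
CLIENT_IP = "10.10.10.5"          # an address from the VPN pool
MANAGED_ROUTER = "162.0.0.1"      # the interface that always answered
PRIVATE_HOST = "162.0.5.8"        # a host deeper in the /16

OLD_SPLIT = ["192.168.1.0/24", "162.0.0.0/28"]   # leftover /28 object
NEW_SPLIT = ["192.168.1.0/24", "162.0.0.0/16"]   # corrected entry

# ASA route table: prefix -> egress interface (static route added for the /16).
ASA_ROUTES = {"0.0.0.0/0": "outside", "192.168.1.0/24": "inside", "162.0.0.0/16": "inside"}

# What the managed router on the private side knows how to reach.
PRIVATE_ROUTES = ["162.0.0.0/16"]

# Address the internal router NATs VPN traffic to on the private side (or None).
NAT_TO = "162.0.250.10"


def longest_match(addr, prefixes):
    """Return the most specific prefix (as given) containing addr, or None."""
    addr = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = p, net.prefixlen
    return best


def trace_vpn_path(client_ip, dst, split_list, asa_routes, nat_to, private_routes):
    """Walk the forward and return path and report the first stage that drops the packet."""
    # Stage 1: split tunnelling. A destination outside the list never enters the tunnel,
    # so the ASA capture shows nothing at all for it.
    if longest_match(dst, split_list) is None:
        return "dropped: client does not tunnel this destination"

    # Stage 2: ASA forwarding. Without the static route the /16 follows the default
    # route out to the Internet instead of the inside router.
    egress = asa_routes.get(longest_match(dst, asa_routes))
    if egress in (None, "outside"):
        return "dropped: ASA has no inside route, packet follows the default route"

    # Stage 3: return path. The private side must know the source address; the
    # internal router's NAT makes VPN traffic appear as a private-side address.
    effective_src = nat_to or client_ip
    if longest_match(effective_src, private_routes) is None:
        return f"dropped: private side has no return route to {effective_src}"
    return "ok"


if __name__ == "__main__":
    for label, split in (("old /28", OLD_SPLIT), ("new /16", NEW_SPLIT)):
        for target in (MANAGED_ROUTER, PRIVATE_HOST):
            result = trace_vpn_path(CLIENT_IP, target, split, ASA_ROUTES, NAT_TO, PRIVATE_ROUTES)
            print(f"{label:8} -> {target:12} {result}")
```

With the old list the router interface is tunnelled (it sits inside the /28) but the host is not, matching the empty capture seen earlier; with the /16 entry, the static route and the NAT in place, every stage passes. Removing any one of the three (try `NAT_TO = None` or deleting the 162.0.0.0/16 route) shows which symptom that omission produces.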
