08-12-2010 12:29 PM
One of our clients currently has an ASA 5510 on site, and they are using IPSEC VPN for their mobile users to connect.
The VPN Subnet is 172.16.1.0/24.
Internal network is 192.0.0.0/24. VPN Access works fine to the 192 subnet.
Private network behind the firewall is 162.xx.xx.0/16
Recently, we added an internal router for one of their departments to have secure access to the private network. There is another managed router on-site to connect to this private network that we have no access to change. We are connecting to the private network through the client's internal router and NAT-ing their internal network to the private network subnet. That is also working fine.
The issue is that I also need to route the VPN subnet to the private network. I have attempted to add the private network subnet to the split tunnel list and I can get as far as pinging the managed router interface at 162.xx.xx.1 but it goes no further than that.
I tried adding the 172 subnet to the NAT statements but that didn't get me anywhere.
What am I missing? See my 5-minute VISIO diagram for a better picture.
Thanks.
08-12-2010 12:48 PM
This might be a routing problem on your private network.
You can apply this capture on ASA to confirm
access-list cap permit ip 172.16.1.0 255.255.255.0 162.0.0.0 255.255.0.0
access-list cap permit ip 162.0.0.0 255.255.0.0 172.16.1.0 255.255.255.0
cap test access-list cap interface inside
Run this command to check the hits while you ping the 162.x.x.x network from your VPN client.
sh cap test
If you see echo requests being sent and no replies, then your server or router in the private network doesn't know how to reach the VPN pool addresses.
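The check described in this reply (echo requests leaving the inside interface with no echo reply coming back) is easy to do by eye on a handful of packets but tedious on a busy capture. The script below is an added example, not code from the thread: it parses the text of `show capture test` and reports, per destination, how many requests left the VPN pool and how many replies came back. The capture listing is constructed to resemble the ASA's format, and the 162.10.x.x addresses are placeholders.

```python
"""Summarize ICMP echo traffic in 'show capture' output from a Cisco ASA.

Added example; not part of the original thread. SAMPLE_CAPTURE is a
constructed listing in the ASA's capture format with placeholder addresses.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one host answers, one host never replies.
SAMPLE_CAPTURE = """\
4 packets captured

   1: 12:31:05.123456 172.16.1.5 > 162.10.10.1: icmp: echo request
   2: 12:31:05.124001 162.10.10.1 > 172.16.1.5: icmp: echo reply
   3: 12:31:07.200000 172.16.1.5 > 162.10.10.8: icmp: echo request
   4: 12:31:09.200000 172.16.1.5 > 162.10.10.8: icmp: echo request
4 packets shown
"""

# One capture line: "<n>: <time> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)"
)


def summarize_echo(capture_text, vpn_pool="172.16.1.0/24"):
    """Return {destination: {'requests': n, 'replies': m}} for pings that
    originate in the VPN pool (172.16.1.0/24 as in the thread)."""
    pool = ipaddress.ip_network(vpn_pool)
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/footer lines and non-ICMP packets
        src, dst, kind = m.group("src"), m.group("dst"), m.group("kind")
        if kind == "request" and ipaddress.ip_address(src) in pool:
            stats[dst]["requests"] += 1
        elif kind == "reply" and ipaddress.ip_address(dst) in pool:
            stats[src]["replies"] += 1
    return dict(stats)


def unanswered_hosts(capture_text, vpn_pool="172.16.1.0/24"):
    """Destinations that received echo requests but sent back no reply:
    the signature of a return-route problem on the private side."""
    stats = summarize_echo(capture_text, vpn_pool)
    return sorted(h for h, c in stats.items() if c["requests"] and not c["replies"])


if __name__ == "__main__":
    for host, counts in sorted(summarize_echo(SAMPLE_CAPTURE).items()):
        print(f"{host}: {counts['requests']} requests, {counts['replies']} replies")
    print("no reply from:", unanswered_hosts(SAMPLE_CAPTURE))
```

Two outcomes are worth telling apart. A destination that appears in the report with requests and no replies points at the private side (no route back to the VPN pool, or a host firewall). A destination that does not appear at all means the ASA never forwarded the packet out that interface, so the cause is on the VPN side (the destination is not in the split-tunnel list, so the client sends it out its local gateway instead of the tunnel, or the ASA has no route for it).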
08-12-2010 12:58 PM
The capture works when I ping 162.xx.xx.1 but anything else in that network, the capture doesn't show anything.
08-12-2010 01:03 PM
What IP address are you pinging? Make sure it matches 162.0.0.0 255.255.0.0 as we defined in the capture ACL.
08-12-2010 01:04 PM
I am pinging an address that's 162.xx.xx.8 in the /16 network that works from the internal LAN.
08-12-2010 01:12 PM
Please try the capture with the host IP for your server, or make it general by using "any" for the destination as below:
access-list cap permit ip 172.16.1.0 255.255.255.0 any
access-list cap permit ip any 172.16.1.0 255.255.255.0
We should be able to see some hits, as we are able to ping the router interface. Make sure you applied it to the correct interface. In the command below we have assumed your interface facing the private side is "inside"; you might be using some other interface, so check this too.
cap test access-list cap interface inside
08-12-2010 01:10 PM
I figured it out. It was easier than I thought. My split tunnel list was using a network object with a subnet of 162.xx.xx.0/28 which was a previous configuration before I knew the private network was a /16.
Once I edited the split tunnel list to /16 it worked.
So basically all I had to do was add 162.xx.xx.0/16 to the split tunnel, add a static route in the ASA for 162.xx.xx.0/16 to point to 192.0.0.252, and then add the 172.16.1.0 network to the NAT statement on the internal router.
Thanks for the help.
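The root cause in this thread was a split-tunnel entry that was narrower than the network behind it: a /28 covered the managed router's address but not the servers further into the /16, so the client never sent those packets into the tunnel and the ASA capture saw nothing. The script below is an added example, not code from the thread or from Cisco: it parses an ASA standard ACL as used for split tunnelling and reports, for each destination, which entry (if any) sends it through the VPN. The two configuration snippets are constructed to mirror the before and after states described above, with placeholder names and 162.10.x.x addresses.

```python
"""Which destinations does a split-tunnel ACL actually send through the VPN?

Added example; not part of the original thread. BEFORE and AFTER are
constructed ASA standard-ACL snippets with placeholder addresses that mirror
the /28-versus-/16 mistake described in the thread.
"""
import ipaddress
import re

# Split-tunnel list as it stood before the fix: the object was still a /28.
BEFORE = """\
access-list SPLIT_TUNNEL standard permit 192.0.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 162.10.10.0 255.255.255.240
"""

# After editing the entry to the real size of the private network.
AFTER = """\
access-list SPLIT_TUNNEL standard permit 192.0.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 162.10.0.0 255.255.0.0
"""

# ASA standard ACL forms: "host A.B.C.D", "A.B.C.D M.M.M.M", or "any"/"any4".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>[\d.]+)|(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)|(?P<any>any4?))\s*$"
)


def parse_split_tunnel_acl(config_text, acl_name):
    """Return the named ACL's entries, in order, as (action, network) tuples."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        if m.group("host"):
            net = ipaddress.ip_network(m.group("host") + "/32")
        elif m.group("net"):
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        else:
            net = ipaddress.ip_network("0.0.0.0/0")
        entries.append((m.group("action"), net))
    return entries


def tunneled_by(entries, destination):
    """First-match evaluation. Returns the permit entry (as a string) that
    sends the destination into the tunnel, or None if it stays local."""
    dst = ipaddress.ip_address(destination)
    for action, net in entries:
        if dst in net:
            return str(net) if action == "permit" else None
    return None


def coverage_report(config_text, acl_name, destinations):
    """Map each destination to the split-tunnel entry that covers it."""
    entries = parse_split_tunnel_acl(config_text, acl_name)
    return {d: tunneled_by(entries, d) for d in destinations}


if __name__ == "__main__":
    targets = ["192.0.0.10", "162.10.10.1", "162.10.20.8"]
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, coverage_report(cfg, "SPLIT_TUNNEL", targets))
```

Run against BEFORE, the managed router at 162.10.10.1 is covered by the /28 while 162.10.20.8 maps to None, which is exactly the symptom in the thread (the router pings, nothing beyond it does, and the inside capture shows no hits). Against AFTER both fall under 162.10.0.0/16. The split-tunnel list only gets the packet as far as the ASA; the static route for the /16 toward the internal router and the NAT entry for 172.16.1.0 on that router, as the poster notes, are still needed for the packet to reach the private network and come back.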
08-12-2010 01:14 PM
No problem. I am glad the issue is fixed.