We have an ASA 5500 series on which we have configured remote VPN access. This ASA is then connected to an L3 switch and also to our router.
There are different subnets (VLANs) on the L3 switch. Similarly, different subnets are reachable from the router (connected by leased serial lines to other locations). Simple static routing is done to connect our other locations. We have configured a pool of IP addresses on the ASA which is used to give IP addresses to VPN users one by one. The problem we are facing is that once a user is connected to the ASA using the VPN client loaded on his notebook, the user can access all subnets connected to the L3 switch. But subnets reachable by the router (other locations) are not reachable from the user's notebook.
The subnet of the pool which we are using in the ASA for remote access VPN clients is directed to the PIX inside IP address from the router and from the L3 switch.
That means a packet with a target address in the ASA remote access pool is directed to the PIX inside interface as next hop. We have checked it using tracert.
10.1.12.1 to 10.1.12.254. Users using remote access VPN get an IP from this pool. From this pool an IP address, say 10.1.12.5 (which can be seen in the ipconfig command output on the VPN user's notebook), is given to one user. Our L3 subnets are 10.1.4.0/24 and 10.1.5.0/24; the user can access these subnets from the VPN user notebook. But subnet 10.1.11.0, which is reachable from the router, is one that a remote VPN notebook can't reach. We have given tracert on notebook, it shows up to the router, but then it is all star star. For testing purposes we created a VLAN on the L3 switch with the same pool IP address, that is 10.1.12.5/24. And as expected it was reachable from all locations, even those from the router. So packets are reaching the pool subnet, in our case 10.1.12.0/24.
"We have given tracert on notebook, it shows up to the router, but then it is all star star"
So routing is fine and the packet reaches the router, which means the VLAN config is all OK. This strengthens the possibility that no route for 10.1.12.0/24 is set in the router that terminates the leased line (10.1.11.0 site).
Please apply the following:
In the router that tracert shows up to, type ping (just ping, no dest address). For the source address type an IP in 10.1.12.0/24 and for the destination address an IP in the remote site (10.1.11.0). Are the pings successful?
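The reply's reasoning (a trace that answers up to one router and then shows only stars points to a missing return route for the pool) can be checked offline with a small model. This is an added example, not part of the thread: the device names, the routing tables and the host 10.1.11.20 are constructed assumptions, and only the subnets come from the posts.

```python
import ipaddress

# Constructed routing tables (device names and routes are assumptions for this
# example, not the poster's configuration). Value is the next-hop device or
# "connected". The remote router has no route back to the VPN pool 10.1.12.0/24.
TABLES = {
    "asa": {"10.1.12.0/24": "connected", "10.1.4.0/24": "l3switch",
            "10.1.5.0/24": "l3switch", "10.1.11.0/24": "router"},
    "l3switch": {"10.1.4.0/24": "connected", "10.1.5.0/24": "connected",
                 "10.1.12.0/24": "asa", "10.1.11.0/24": "router"},
    "router": {"10.1.12.0/24": "asa", "10.1.4.0/24": "l3switch",
               "10.1.5.0/24": "l3switch", "10.1.11.0/24": "remote"},
    "remote": {"10.1.11.0/24": "connected", "10.1.4.0/24": "router",
               "10.1.5.0/24": "router"},
}

def lookup(table, dst):
    """Longest-prefix match: next-hop device, "connected", or None (no route)."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), nh) for p, nh in table.items()]
    hits = [(n.prefixlen, nh) for n, nh in nets if ip in n]
    return max(hits)[1] if hits else None

def trace(tables, start, dst, max_hops=16):
    """Follow next hops from start toward dst; returns (path, delivered)."""
    path, dev = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[dev], dst)
        if nh is None or nh == "connected":
            return path, nh == "connected"
        path.append(nh)
        dev = nh
    return path, False  # hop limit hit: routing loop

def tracert_view(tables, start, src_ip, dst_ip):
    """Per forward hop: can that hop route a reply back to src_ip?"""
    path, _ = trace(tables, start, dst_ip)
    return [(hop, trace(tables, hop, src_ip)[1]) for hop in path[1:]]

if __name__ == "__main__":
    # VPN client 10.1.12.5 tracing to a constructed host in the remote site.
    print(tracert_view(TABLES, "asa", "10.1.12.5", "10.1.11.20"))
    # Same trace after the remote router gets a static route for the pool.
    fixed = {**TABLES, "remote": {**TABLES["remote"], "10.1.12.0/24": "router"}}
    print(tracert_view(fixed, "asa", "10.1.12.5", "10.1.11.20"))
```

A hop marked `False` corresponds to a row of stars in tracert: the forward route exists, but that device has no route back to the pool subnet.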