
ASA Remote access VPN Problem

Hi,

We have an ASA 5500 series on which we have configured remote access VPN. This ASA is then connected to an L3 switch and also to our router.

There are different subnets (VLANs) on the L3 switch. Similarly, different subnets are reachable from the router (connected by leased serial lines to other locations). Simple static routing is done to connect our other locations. We have configured a pool of IP addresses on the ASA which is used to give IP addresses to VPN users one by one. The problem we are facing is that once a user is connected to the ASA using the VPN client loaded on his notebook, the user can access all subnets connected to the L3 switch. But subnets reachable via the router (other locations) are not reachable from the user's notebook.

The subnet of the pool which we are using on the ASA for remote access VPN clients is directed to the PIX inside IP address from the router and from the L3 switch.

That means a packet with a target address in the ASA remote access pool is directed to the PIX inside interface as next hop. We have checked this using tracert.

Please suggest.

Thanks in advance

Any experience pls share.

Subodh

4 REPLIES

Re: ASA Remote access VPN Problem

Hi,

Not exactly understood about the problem.

Do you want to reach all remote locations through the router, or deny access to the subnets reachable by the L3 switch?

Please check the nat 0 access lists.

They should exactly define which source to destination it should go.

Please provide a hand-drawn diagram.

Raj

Re: ASA Remote access VPN Problem

Hi Bapat

"The subnet of the pool which we are using on the ASA for remote access VPN clients is directed to the PIX inside IP address from the router and from the L3 switch"

You mean you added a route for the VPN pool in both the router and the switch, correct? If yes, that's fine! But did you add the route for the VPN pool in the routers located at the other end of the leased line?

Run tracert on a notebook connected to the VPN to an IP at the other end of the leased line and check where the traceroute ends.

Regards


Re: ASA Remote access VPN Problem

Hi,

Thanks for the reply.

The pool which we have defined on the ASA is

10.1.12.1 to 10.1.12.254. Users using remote access VPN get an IP from this pool. From this pool an IP address, say 10.1.12.5 (which can be seen in the ipconfig command output on the VPN user's notebook), is given to one user. Our L3 subnets are 10.1.4.0/24 and 10.1.5.0/24; a user can access these subnets from the VPN user's notebook. But subnet 10.1.11.0, which is reachable from the router, a remote VPN notebook can't reach. We ran tracert on the notebook; it shows up to the router, but then it is all star star. For testing purposes we created a VLAN on the L3 switch with the same pool IP address, that is 10.1.12.5/24. As expected it was reachable from all locations, even those via the router, so packets are reaching the pool subnet, in our case 10.1.12.0/24.

Please guide !

Re: ASA Remote access VPN Problem

"We ran tracert on the notebook; it shows up to the router, but then it is all star star"

So routing is fine and the packet reaches the router, which means the VLAN config is all OK. This strengthens the possibility that there is no route for 10.1.12.0/24 set in the router that terminates the leased line (10.1.11.0 site).

Please apply the following:

On the router that tracert shows up to, type ping (just ping, no destination address). Type as source address an IP in 10.1.12.0/24 and as destination address an IP in the remote site (10.1.11.0). Are the pings successful?
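As an added example (not posted by anyone in this thread), the check and the fix that the replies above describe, written out as Cisco IOS/ASA CLI. It serves both Raj's "nat 0 access-list" check and the missing-return-route diagnosis. The pool 10.1.12.0/24 and the remote subnet 10.1.11.0/24 come from the thread; every other address, interface name and hostname is assumed, as is pre-8.3 ASA software for the nat 0 syntax. One caveat on the sourced ping: IOS only accepts a source address that belongs to one of the router's own interfaces, so "ping ... source 10.1.12.x" is rejected with "% Invalid source address" unless the router owns an address in that subnet; the routing-table lookup on the remote router is the check that works regardless.

```cisco
! Added example, not from the thread. Assumed addressing:
!   10.1.12.0/24     ASA remote-access VPN pool            (from the thread)
!   10.1.11.0/24     subnet behind the remote-site router  (from the thread)
!   10.1.4.1         ASA inside interface                  (assumed)
!   10.1.4.2         HQ router LAN interface               (assumed)
!   192.168.255.1/.2 serial link, HQ side / remote side    (assumed)
!   10.1.12.5        a connected VPN client                (from the thread)

! --- 1. ASA (pre-8.3 syntax): NAT exemption must cover the remote subnet too,
!        not only the VLANs on the L3 switch (Raj's "nat 0 access-list" check).
ASA# show running-config nat
ASA# show running-config access-list NONAT
ASA(config)# access-list NONAT extended permit ip 10.1.4.0 255.255.255.0 10.1.12.0 255.255.255.0
ASA(config)# access-list NONAT extended permit ip 10.1.5.0 255.255.255.0 10.1.12.0 255.255.255.0
ASA(config)# access-list NONAT extended permit ip 10.1.11.0 255.255.255.0 10.1.12.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT

! --- 2. HQ router: pool must point back at the ASA inside interface
!        (the poster says this is already in place; shown for completeness).
HQ-RTR(config)# ip route 10.1.12.0 255.255.255.0 10.1.4.1
HQ-RTR# show ip route 10.1.12.5
! expect: "Routing entry for 10.1.12.0/24 ... via 10.1.4.1"

! --- 3. Remote router: the diagnosis. The forward path works (tracert reached
!        HQ-RTR), so look at the return path from the 10.1.11.0 site.
REMOTE-RTR# show ip route 10.1.12.5
! "% Network not in table" == the remote router has no way to answer the client,
! so echo replies are dropped and tracert shows "* * *" after the HQ router.

! --- 4. Remote router: the fix. A static route for the pool toward HQ.
REMOTE-RTR(config)# ip route 10.1.12.0 255.255.255.0 192.168.255.1
! or, on a point-to-point serial link:
! REMOTE-RTR(config)# ip route 10.1.12.0 255.255.255.0 Serial0/0

! --- 5. Verify end to end with a client connected (10.1.12.5):
REMOTE-RTR# ping 10.1.12.5
! "!!!!!" means both directions now route (client firewall permitting).
! From the client:  tracert 10.1.11.1   (hops should now continue past HQ-RTR)
```

Keeping the static route for the pool on every router that sits between the ASA and a remote subnet is what matters; the pool subnet exists only on the ASA, so nothing advertises it unless you add it (or redistribute it) yourself.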
