Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Remote Access VPN issue

Hi friends,

There is a ASA 7.2 acting as a VPN gateway for a Remote Access VPN.

There are primarily three networks behind the ASA inside network that are accessed by Remote VPN clients. They are:

192.168.7.0

192.168.8.0

10.10.0.0

There is an access-list on which the ASA is doing No natting and Split tunneling for these three networks.

From the above three networks, 192.168.7.0 and 192.168.8.0 are local network resources. The other network viz. 10.10.0.0 is a remote network to the ASA and is accessible via a MPLS link to the remote network.

All the three networks are reachable from the ASA but for the remote clients, only the local networks behind the ASA are reachable viz. 192.168.7.0 and 192.168.8.0. The remote network on other end of MPLS 10.10.0.0 is not reachable for the remote VPN clients.

Is it possible for these remote VPN users to access 10.10.0.0 network (remote network to ASA)? Just wanted to know if it is technically possible and any directions/ pointers?

I am also enclosing a copy of the config for your kind reference.

Thanks a lot

Gautam

3 REPLIES
Green

Re: Remote Access VPN issue

Without even looking at your config, my guess is that you need a route on the remote network which points to the vpn client pool subnet. Probably...

ip route 192.168.20.0 255.255.255.0 192.168.8.1

Green

Re: Remote Access VPN issue

Ever figure it out?

Gold

Re: Remote Access VPN issue

I dont think I have a solution to your problem, but your inside acl is poorly configured..

access-list inside extended permit ip host 192.168.8.51 any log critical

access-list inside extended permit ip any any

access-list inside extended permit icmp any any

access-list inside extended permit tcp any any eq ftp

access-list inside extended permit tcp any any eq ftp-data

your permit ip any any statement negates anything after it (and really everything before it). You dont even need that ACL on the inside interface, unless you want to specifically deny any traffic, or specifically permit any traffic while denying others. your permit ip any any causes EVERYthing to be allowed through.

555
Views
0
Helpful
3
Replies
CreatePlease to create content