
New Member

Can't access other subnets once connected

I have a PIX 525 with ASA 8 and ASDM 6 behind a layer 2 (transparent mode) firewall.

I've configured Remote Access VPN on this thing and I can connect from home (with NAT-T disabled).

All the IP addresses are public IPs except the client from home, which goes through a NAT.

Once connected, I can't ping/reach any other subnet except the one that's assigned to cipsec0 interface.

I've tried adding an allow-all firewall rule on the PIX itself, disabling NAT, and many other settings, but I can't seem to make it go beyond the "inside" net of the PIX.

Any ideas?

Here is a simple diagram.

VPNclient@home(10.0.0.2)->NAT(verizon)->internet->layer2firewall->PIX-outside(129.2.10.2)->PIX-inside(129.2.20.2)

Now, the 129.2.20.0/24 network is not for VPN only; it's an existing subnet that has its own default gateway.

In fact, the PIX is not the default gateway in any subnet.

4 REPLIES
Green

Re: Can't access other subnets once connected

You need to enable nat-t.

crypto isakmp nat-traversal

New Member

Re: Can't access other subnets once connected

Well, in my ASDM 6 crypto map settings, "NAT-T Enabled" is checked.

BUT, in sh run, I don't see any command similar to "crypto isakmp nat-traversal".

What does that mean?

Green

Re: Can't access other subnets once connected

Then it is enabled. It would only display in the config if it were disabled: "no crypto isakmp nat-traversal".

It must be another issue, like NAT exemption maybe. Can you post the config?
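As an added illustration of the NAT exemption check suggested above (this is not configuration from the thread or from the original poster), assuming PIX/ASA 8.0 syntax, the 129.2.20.0/24 inside network from the diagram, a constructed VPN address pool of 192.168.100.0/24 and a constructed second internal subnet 129.2.30.0/24:

```cisco
! Added example, not from this thread. Assumes PIX/ASA 8.0 syntax.
! 129.2.20.0/24 is the inside network from the poster's diagram;
! 192.168.100.0/24 (VPN pool) and 129.2.30.0/24 (a second internal
! subnet) are constructed for illustration.

! Address pool handed to remote-access clients
ip local pool RA-POOL 192.168.100.1-192.168.100.254

! NAT exemption: traffic from internal networks to the VPN pool must
! bypass translation, otherwise replies never enter the tunnel.
! Every subnet the clients should reach must be listed here, not just
! the PIX inside subnet, or only the inside net will be reachable.
access-list NONAT extended permit ip 129.2.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 129.2.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Lets decrypted VPN traffic bypass the interface ACLs, so an
! "allow all" rule on the outside interface is not needed for it.
sysopt connection permit-vpn

! NAT-T is on by default in this release; it only shows in the
! running config when disabled, as "no crypto isakmp nat-traversal".
crypto isakmp nat-traversal 20

! Because the PIX is not the default gateway of any internal subnet,
! the internal routers also need a route for 192.168.100.0/24 that
! points at the PIX inside address 129.2.20.2, or return traffic
! from the other subnets will follow their default gateway instead.

! Checks after a client connects:
!   show crypto isakmp sa      - phase 1 up, NAT-T detected for the peer
!   show crypto ipsec sa       - encaps/decaps counters both increasing
!   show xlate                 - pool addresses should NOT appear translated
```

If the decaps counter rises while encaps stays at zero, the client's packets arrive but replies are not being routed or exempted back to the tunnel.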

New Member

Re: Can't access other subnets once connected

This solved the same problem I was having with a Cisco ASA 5540. Thanks for the very helpful post.

Keith
