
New Member

Problems with vpn client and asa

Hi all...

I have set up my asa accepting vpn clients in from outside... My clients get their addresses from a pool 192.168.22.0/24.

ip local pool VPN_CLIENT_POOL 192.168.22.1-192.168.22.255 mask 255.255.255.0

Then I have a net that is behind another router on the LAN side that I am trying to reach:

NorAlarm(config)# sh route

S 172.16.0.0 255.255.0.0 [1/0] via 10.0.2.10, inside

I am reaching that net from the asa :

NorAlarm(config)# ping 172.16.0.13

Sending 5, 100-byte ICMP Echos to 172.16.0.13, timeout is 2 seconds:

!!!!!

but from the vpn client I am not.. I do have a route back to the vpn client net from that inside router..

C:\Documents and Settings\jpe>ping 172.16.0.13

Pinger 172.16.0.13 med 32 byte data:

Forespørsel avbrutt.

Forespørsel avbrutt.

As you can see I am not getting there. I am not sure what I do wrong here. I got the route on the vpn client also :

172.16.0.0 255.255.255.0 192.168.22.2 192.168.22.2 1

I am reaching all the servers on the inside net from my vpn clients but not on that remote net on the inside of that net again..

net :

vpn client(192.168.22.0)---ASA---inside(10.0.2.0)---router--- 172.16.0.0

Anybody that can help me understand why I am not reaching that net..

nat (inside) 0 access-list NAT-0

nat (inside) 1 0.0.0.0 0.0.0.0

access-list NAT-0 extended permit ip 10.0.2.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list NAT-0 extended permit ip 172.16.0.0 255.255.0.0 192.168.22.0 255.255.255.0

access-list SPLIT_TUNNEL extended permit ip 10.0.2.0 255.255.255.0 any

access-list SPLIT_TUNNEL extended permit ip 172.16.0.0 255.255.0.0 any
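
An offline consistency check over the configuration lines quoted in the question above, added here as an example and not part of the original thread: it tests whether a client-to-server flow is covered by the NAT-0 exemption, the SPLIT_TUNNEL list and the route installed on the client. The function names are hypothetical, the client address 192.168.22.2 is taken from the client's route entry, and the code assumes the source field of both ACLs is the inside network.

```python
import ipaddress
import re

# Lines copied from the question (ASA config and the VPN client's route entry).
ASA_CONFIG = """\
ip local pool VPN_CLIENT_POOL 192.168.22.1-192.168.22.255 mask 255.255.255.0
access-list NAT-0 extended permit ip 10.0.2.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list NAT-0 extended permit ip 172.16.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 10.0.2.0 255.255.255.0 any
access-list SPLIT_TUNNEL extended permit ip 172.16.0.0 255.255.0.0 any
"""
CLIENT_ROUTE = ("172.16.0.0", "255.255.255.0")  # network, mask on the client
ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (any|\S+ \S+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'net mask' / 'any' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            name, saddr, smask, dst = m.groups()
            dst_net = ANY if dst == "any" else net(*dst.split())
            acls.setdefault(name, []).append((net(saddr, smask), dst_net))
    return acls

def covered(acl, src, dst):
    # Assumption: in both ACLs the source field is the inside network.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

def pool_edge_addresses(config):
    """Pool addresses that are the subnet's network or broadcast address."""
    first, last, mask = re.search(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)", config).groups()
    subnet = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(a) for a in (subnet.network_address, subnet.broadcast_address) if lo <= a <= hi]

def check_flow(client, server):
    acls = parse_acls(ASA_CONFIG)
    return {
        "nat_exempt": covered(acls["NAT-0"], server, client),
        "split_tunnel": covered(acls["SPLIT_TUNNEL"], server, client),
        "client_route": ipaddress.ip_address(server) in net(*CLIENT_ROUTE),
    }
```

For `check_flow("192.168.22.2", "172.16.0.13")` all three checks come back True, so the quoted ACLs and client route do cover the failing ping. A host such as 172.16.5.1 is inside the /16 used in the ACLs but outside the /24 route shown on the client, and `pool_edge_addresses(ASA_CONFIG)` reports that the pool range includes the /24 broadcast address 192.168.22.255.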

3 REPLIES
New Member

Re: Problems with vpn client and asa

Hi Jenseike,

Have you not answered your own question ?

"I do have a route back to the vpn client net from that inside router.. "

Is there a route to 192.168.22.x on the inside router ?

New Member

Re: Problems with vpn client and asa

yes, the route is there... routing is not the problem here...

New Member

Re: Problems with vpn client and asa

cool, ok, next I'd check to see if the ASA's tunnel is working properly.... i.e. set up a packet capture on the ASA's inside interface, something like

access-list sniffer permit ip any any

capture testcap access-list sniffer interface inside

show capture testcap
