Cisco Support Community

VPN access to not directly-connected networks

Hi,

I have a 5510 that is used for Client VPN access and there is something simple I just can't get to work.

The VPN part works fine with AAA done on an ACS.

But what doesn't work is access to networks that are not directly connected to the Inside interface.

i.e. VPN users can connect to the Inside interface network (say 192.168.0.0/24) but not to a 10.0.0.0/8 network that is reached through the 192.168.0.1 router.

I have all the static routes in the firewall, and all routing on the other networks points back to the firewall, but I get no further than the 192.168.0.1 router.

I use split-tunneling and forward all private networks over the VPN; the Internet is used through the clients' own local access.

Can someone help me out here ?

Thanks.

Fraser

PS: I have the same type of access on a 7206VXR and that is just sweet, everything that is needed can be accessed, but I would like to move this service over to the ASA.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VPN access to not directly-connected networks

Fraser

I don't understand ASDM parts like the ones you submitted. Some of the code would be great.

I would also recommend checking any ACL applied to the inside interface (if there is one) to make sure it permits the traffic, like:

access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 vpnsubnet vpnnetmask

If still no joy, attaching your sanitized config would be helpful for me to diagnose.

Regards

4 REPLIES

Re: VPN access to not directly-connected networks

Hi Fraser

I assume the NAT exemption statements for these specific networks are missing. The following is an example NAT exemption:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 vpnpool vpnsubnetmask

nat (inside) 0 access-list inside_nat0_outbound

Also double-check that a route back to the VPN IP pool exists in the 192.168.0.1 router, like the following:

ip route vpnpool vpnsubnetmask ASAinsideinterfaceIP

Regards
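A complete worked configuration, added here as an example and not taken from the thread or from either poster, that pulls together the three checks raised in this reply and in the accepted solution: the NAT exemption for the VPN pool, the return route on the inside router, and the ACL on the inside interface. Every address and name in it is an assumption: VPN pool 192.168.100.0/24, ASA inside interface 192.168.0.254, inside router 192.168.0.1, and the object names VPNPOOL, VPN_GP and SPLIT_TUNNEL. It uses pre-8.3 ASA syntax to match the `nat (inside) 0 access-list` form used in the reply.

```cisco
! Added example, not from the thread. Assumed values: VPN pool 192.168.100.0/24,
! ASA inside interface 192.168.0.254, inside router 192.168.0.1.
! Pre-8.3 ASA syntax, matching the "nat (inside) 0 access-list" form above.

! 1. Address pool handed out to VPN clients
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 2. NAT exemption: traffic between ANY private range and the pool must not be
!    translated. One line per private range; the 192.168.0.0/16 line also covers
!    the directly connected 192.168.0.0/24. A missing line here is the classic
!    cause of "connected LAN works, routed networks do not".
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 3. Split tunnel: only the private ranges go over the VPN, Internet stays local.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 4. Inside-interface ACL (only if one is applied). It filters connections that
!    enter the ASA on "inside", i.e. sessions started from the LAN side toward
!    the pool; replies to client-initiated sessions are matched by the
!    connection table and do not need a line here.
access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.0.0 255.240.0.0 192.168.100.0 255.255.255.0
access-group inside_access_in in interface inside

! 5. ASA routes to the networks that sit behind the inside router
route inside 10.0.0.0 255.0.0.0 192.168.0.1 1
route inside 172.16.0.0 255.240.0.0 192.168.0.1 1

! 6. On the 192.168.0.1 router (IOS), the return route for the pool must point
!    at the ASA inside address, and every other router on the path needs the
!    same route or a default toward it:
!   ip route 192.168.100.0 255.255.255.0 192.168.0.254

! 7. Verification from the ASA CLI (with a client connected as 192.168.100.10)
!   show route                              -> 10.0.0.0/8 via 192.168.0.1, inside
!   show running-config nat                 -> nat (inside) 0 access-list inside_nat0_outbound
!   show access-list inside_nat0_outbound   -> hitcnt increases on the pool lines
!   packet-tracer input inside tcp 10.1.1.10 22 192.168.100.10 1025
!       -> every phase ALLOW; the NAT phase must show the nat 0 exemption,
!          the ROUTE-LOOKUP phase must pick the VPN/outside path to the pool
!   packet-tracer input outside tcp 192.168.100.10 1025 10.1.1.10 22
!       -> the VPN phase must ALLOW (tunnel up) and the ROUTE-LOOKUP phase
!          must choose 192.168.0.1 on inside
! 8. On the inside router: ping 192.168.100.10 source 192.168.0.1
!    If this fails while the ASA traces pass, the return route is the problem.
```

Read the two `packet-tracer` outputs phase by phase rather than just the final verdict: a DROP in the NAT phase points at the exemption ACL, a DROP in the ACCESS-LIST phase at the inside ACL, and a wrong interface in ROUTE-LOOKUP at the static routes. A clean trace on the ASA combined with a failed ping from the router isolates the fault to the route back to the pool on the LAN side.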


Re: VPN access to not directly-connected networks

Hi Husycisco

I have 3 NAT exempts, 1 for each private subnet:

10.0.0.0/8

192.168.0.0/16

172.16.0.0/12

The routes back to the VPN network are in all other devices.

Anything else that I can check ?



Re: VPN access to not directly-connected networks

jo !

You were right here. I think I will stick to the CLI from now on; it is much easier to find out what I want to know than with ASDM.

Thanks !

Fraser
