
New Member

VPN Remote Access Issue

I can connect to the tunnel from a remote client using Cisco's VPN client and I get an address from the address pool. But I am not able to ping or connect to any of my machines within the same subnet.

I have attached the config for assistance.

2 REPLIES
Cisco Employee

Re: VPN Remote Access Issue

Your IP address pool is part of your internal DMZ subnet. When packets come into the ASA from the DMZ hosts destined to the VPN clients, the ASA is going to look in its routing table to see where it should send them. The ASA is going to believe that these addresses reside on the DMZ subnet because that's where they fit, and so is going to send the packets back out that interface, NOT out the external interface as you think it might.

Change your VPN pool to be addresses in the external subnet, or make them a completely different subnet (like 10.1.1.1-10.1.1.5), and then add a static route to the ASA pointing 10.1.1.x out the EXTERNAL int (and make sure your DMZ hosts route 10.1.1.x to the ASA via their default gateway setting).
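To make the routing decision in this answer concrete, here is an added illustration (not Cisco code and not the original poster's configuration) that models longest-prefix-match lookup on the ASA and on a DMZ host. The DMZ subnet 192.168.10.0/24, its gateway 192.168.10.1 and the client addresses are constructed values; the separate pool 10.1.1.1-10.1.1.5 is the one suggested above.

```python
"""Model of where return traffic to a VPN client ends up.

Constructed example: DMZ 192.168.10.0/24 with the ASA at 192.168.10.1,
default route out the outside interface, VPN pool either carved out of
the DMZ (broken) or moved to 10.1.1.0/29 with a static route (fixed).
"""
import ipaddress

DMZ_NET = ipaddress.ip_network("192.168.10.0/24")
DMZ_GATEWAY = "192.168.10.1"  # the ASA's DMZ address (constructed)


def lookup(routes, dst):
    """Longest-prefix match over (network, interface) pairs.

    The most specific matching route wins, so a connected /24 beats the
    default route for any address inside that /24.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def dmz_host_next_hop(dst, host_net=DMZ_NET, gateway=DMZ_GATEWAY):
    """A DMZ host's own decision: on-link destinations are ARPed for
    directly and never reach the ASA; anything else goes to the gateway."""
    return "on-link" if ipaddress.ip_address(dst) in host_net else gateway


# Original situation: pool addresses fall inside the DMZ's connected route.
BROKEN_ROUTES = [
    (DMZ_NET, "dmz"),                                # connected route
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),  # default route
]

# Suggested fix: separate pool plus a static route out the outside interface.
FIXED_ROUTES = BROKEN_ROUTES + [
    (ipaddress.ip_network("10.1.1.0/29"), "outside"),
]

if __name__ == "__main__":
    # Reply to a client that drew 192.168.10.200 from the old pool.
    print(dmz_host_next_hop("192.168.10.200"))      # on-link: host ARPs, ASA never sees it
    print(lookup(BROKEN_ROUTES, "192.168.10.200"))  # dmz: even at the ASA it goes back out the DMZ
    # Reply to a client that drew 10.1.1.3 from the new pool.
    print(dmz_host_next_hop("10.1.1.3"))            # 192.168.10.1: forwarded to the ASA
    print(lookup(FIXED_ROUTES, "10.1.1.3"))         # outside: forwarded toward the tunnel
```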

New Member

Re: VPN Remote Access Issue

Thanks.

I will go ahead and make the address pool change, then for those hosts within the address pool that need connectivity to resources on the DMZ interface, I will add a static and ACL. I will let you know how it turns out.
