Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

5510 vpn, i changed public ip address and now connection issues

i'm running a 5510 asa and the vpn has been working great for a while.   We recently change our network provider so i had to change the public ip, and dns on the firewall... now i can still connect via the vpn and browse accross my mpls to other sites, but cant really access anything on the native lan that the firewall resides on? 

9 REPLIES
New Member

Re: 5510 vpn, i changed public ip address and now connection iss



09:36:2610600110.0.0.83338910.0.40.1011266Inbound TCP connection denied from 10.0.0.83/3389 to 10.0.40.101/1266 flags PSH ACK  on interface asa5510

thats what i get when i try rdp to a system on the same lan as the firewall.

also the only thing i can ping on the lan is the firewall and the default gateway. everything else give me one ping then  dies.

5510 vpn, i changed public ip address and now connection issues

Hi Chris,

You mentioned that browsing across MPLS is fine, does that include RDP sessions as well? Just want to make sure.

Thx

MS

New Member

Re: 5510 vpn, i changed public ip address and now connection iss

yeah rdp and everything else works to the mpls site, just not to the local site the vpn is at.  seems very odd the vpn users can route to the other networks just not the network its ip is on.

the firewall/vpn can communcate with everything on our network.

5510 vpn, i changed public ip address and now connection issues

Very odd. As 'ping' is does as well, start with a simple test by enabling 'debug icmp trace' on inside interface and see if the 'reply' packets reaching ASA or not. Not sure but ASA may be dropping the pkts.Also check 'asp drop' counters as well (guess that gives some info).

Thx

MS

Re: 5510 vpn, i changed public ip address and now connection iss

Dear  Chris,

Lets follow this action plan to find your issue:

1- packet-tracer from the inside network to the VPN network.

2- packet-tracer from the outside (VPN network) to an internal machine, for this test you may need to allow the traffic on the outside access-group (the "sysopt connection permit-vpn" already takes care of this traffic, but for the purpose of the packet-tracer the access-group must allow it).

3- Packet-capture on the inside interface:

          capture capin interface inside match ip vpn_net netmask internal_net netmask

4- Logs at debbuging level.

The first two will let us know how the FW is treating this traffic the third one will isolate a possible routing issue.

Please keep me posted.

Thanks in advance.

New Member

5510 vpn, i changed public ip address and now connection issues

guess i'm not sure how to work the packet tracer. i do a trace from my firewall to the gateway and the internal implicit rule any to any ip deny, is blocking it. even though their is a any to any less secure networks ip permit above it.

and if i do a ping from the firewall to the gateway it works.

Re: 5510 vpn, i changed public ip address and now connection iss

Hi Chris,

Please provide:

LAN IP network

VPN pool network / remote network

LAN interface nameif

I will show you how to run the packet-tracer.

Thanks.

New Member

Re: 5510 vpn, i changed public ip address and now connection iss

well i might of gotten it fixed... i checked out the wiring and noticed someone hooked up a lan line into our pre firewall switch (very bad). so once i fixed that the local access started to work.... but remote sites didnt.  gave up over the weekend and tried it again today and everything is working now.  very strange.

Re: 5510 vpn, i changed public ip address and now connection iss

Dear Chris,

I am glad to hear such good news.

I hope you have a nice day.

Please rate any post you find helpful

703
Views
0
Helpful
9
Replies
CreatePlease to create content