New Member

Unable to access secondary subnet via VPN

I am having a problem with clients accessing a secondary subnet via VPN.

Clients on VPN are given an address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access the 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510, then traverses a Juniper firewall and an MPLS router to the secondary subnet. I'm not sure if it's a NAT issue or not. Any help would be helpful.

Below is the config of the ASA. Thank you in advance.

ASA Version 8.2(5)

!

hostname charlotte

domain-name tg.local

enable password v4DuEgO1ZTlkUiaA encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.254.0 Peak10 description Peak10

name 192.168.116.0 Charlotte_Phones description Charlotte_Phones

name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Clients

name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data

name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phones

name 192.168.5.0 Huntersville description Huntersville

name 192.168.16.1 SRX_Gateway description Juniper_SRX

name 192.168.108.0 Canton_Data description Canton_Data

name 192.168.8.0 Canton_Phones description Canton_Phones

name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data

name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones

name 192.168.16.4 TEST_IP description TEST_IP

name 192.168.16.2 CantonGW description Canton GW 192.168.16.2

name 192.168.5.1 HuntersvilleGW

name 10.176.0.0 RS_Cloud description 10.176.0.0/12

name 172.16.8.0 RS_172.16.8.0

name 172.16.48.0 RS_172.16.48.0

name 172.16.52.0 RS_172.16.52.0

name 10.208.0.0 RS_Cloud_New

name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers

name 10.178.0.6 RS_10.178.0.6

name 172.16.20.0 RS_172.16.20.0

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 70.63.165.219 255.255.255.248

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.16.202 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

banner login ASA Login - Unauthorized access is prohibited

banner login ASA Login - Unauthorized access is prohibited

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup Outside

dns domain-lookup Inside

dns domain-lookup management

dns server-group DefaultDNS

name-server 192.168.16.122

name-server 8.8.8.8

domain-name tg.local

dns server-group defaultdns

name-server 192.168.16.122

domain-name tg.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_2

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object Canton_Phones 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object Huntersville 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object Huntersville 255.255.255.0

object-group network DM_INLINE_NETWORK_10

network-object RS_Cloud 255.240.0.0

network-object 172.16.0.0 255.255.252.0

network-object RS_172.16.8.0 255.255.252.0

network-object RS_172.16.48.0 255.255.252.0

network-object RS_172.16.52.0 255.255.252.0

network-object RS_Cloud_New 255.240.0.0

network-object RS_10.178.0.0 255.255.0.0

network-object RS_172.16.20.0 255.255.252.0

network-object 172.16.0.0 255.255.0.0

network-object Canton_Phones 255.255.255.0

object-group network DM_INLINE_NETWORK_7

network-object RS_Cloud 255.240.0.0

network-object 172.16.0.0 255.255.252.0

network-object RS_172.16.8.0 255.255.252.0

network-object RS_172.16.48.0 255.255.240.0

network-object RS_172.16.52.0 255.255.252.0

network-object RS_Cloud_New 255.240.0.0

network-object RS_10.178.0.0 255.255.0.0

network-object RS_172.16.20.0 255.255.252.0

network-object 172.16.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_8

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object Charlotte_Wireless_Data 255.255.255.0

network-object Canton_Data 255.255.255.0

network-object Canton_Phones 255.255.255.0

object-group network DM_INLINE_NETWORK_9

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object Charlotte_Wireless_Data 255.255.255.0

network-object Canton_Data 255.255.255.0

network-object Canton_Phones 255.255.255.0

object-group network DM_INLINE_NETWORK_11

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object Charlotte_Wireless_Data 255.255.255.0

object-group network DM_INLINE_NETWORK_12

network-object RS_Cloud 255.240.0.0

network-object 172.16.0.0 255.255.252.0

network-object RS_172.16.8.0 255.255.252.0

network-object RS_172.16.20.0 255.255.252.0

network-object 172.16.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_13

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object Charlotte_Wireless_Data 255.255.255.0

network-object Canton_Phones 255.255.255.0

network-object Canton_Data 255.255.255.0

network-object Canton_Wireless_Data 255.255.255.0

object-group network DM_INLINE_NETWORK_14

network-object RS_Cloud 255.240.0.0

network-object RS_172.16.48.0 255.255.252.0

network-object RS_172.16.52.0 255.255.252.0

network-object RS_Cloud_New 255.240.0.0

network-object RS_10.178.0.0 255.255.0.0

network-object RS_172.16.20.0 255.255.252.0

network-object 172.16.0.0 255.255.0.0

network-object 172.16.0.0 255.255.252.0

object-group network DM_INLINE_NETWORK_5

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object Charlotte_Wireless_Data 255.255.255.0

network-object Canton_Phones 255.255.255.0

network-object Canton_Data 255.255.255.0

network-object Canton_Wireless_Data 255.255.255.0

object-group network DM_INLINE_NETWORK_6

network-object RS_Cloud 255.240.0.0

network-object RS_Cloud_New 255.240.0.0

network-object 172.16.0.0 255.255.252.0

network-object RS_172.16.8.0 255.255.252.0

network-object RS_172.16.20.0 255.255.252.0

network-object 172.16.0.0 255.255.0.0

network-object Canton_Phones 255.255.255.0

object-group network tgnc074.tg.local

object-group icmp-type DM_INLINE_ICMP_1

icmp-object echo

icmp-object echo-reply

icmp-object traceroute

icmp-object unreachable

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp eq https

object-group icmp-type DM_INLINE_ICMP_2

icmp-object echo

icmp-object echo-reply

icmp-object traceroute

icmp-object unreachable

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

object-group service DM_INLINE_SERVICE_3

service-object ip

service-object icmp echo

service-object icmp echo-reply

object-group network DM_INLINE_NETWORK_1

network-object Charlotte_SSL_VPN_Clients 255.255.255.0

object-group service DM_INLINE_SERVICE_4

service-object ip

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

object-group service DM_INLINE_SERVICE_5

service-object ip

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

object-group network DM_INLINE_NETWORK_15

network-object Canton_Data 255.255.255.0

network-object host CantonGW

object-group service DM_INLINE_SERVICE_6

service-object ip

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

object-group service DM_INLINE_SERVICE_7

service-object ip

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Charlotte_SSL_VPN_Clients 255.255.255.0 any

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Charlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway

access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

access-list Inside_access_in remark Permit all in Char_ORD_VPN

access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8

access-list Inside_access_in remark Permit all out Char_ORD_VPN

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10

access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any

access-list Inside_access_in remark Permit all in Char_ORD_VPN

access-list Inside_access_in remark Permit all out Char_ORD_VPN

access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable

access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0

access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0

access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.255.255.0

access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255.255.255.0

access-list Tunneled_Network_List standard permit Peak10 255.255.255.0

access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0

access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0

access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.255.0

access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255.255.0

access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0

access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0

access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0

access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0

access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0

access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0

access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255.255.255.0

access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0

access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_2

access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12

access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6

access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2

access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 host TEST_IP

access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123

access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0

access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124

access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0

access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52

access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255.0

access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1

access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6

access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2

access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103

access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10

access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252.0

access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0

access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26

access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0

access-list Limited__VPN_Acccess_List standard permit host CantonGW

access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway

access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1

access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0

access-list Limited__VPN_Acccess_List standard permit any

access-list Limited__VPN_Acccess_List remark TGTFS

access-list Limited__VPN_Acccess_List remark TGDEV

access-list Limited__VPN_Acccess_List remark TGTFS

access-list Limited__VPN_Acccess_List remark TGDEV

access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0

access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0

access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0

access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0

access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0

access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0

access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6

access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14

access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0

access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable

access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive

access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6

access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0

access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15

access-list splitacl standard permit 192.168.16.0 255.255.255.0

pager lines 24

logging enable

logging console emergencies

logging monitor informational

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0

ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Inside

no asdm history enable

arp timeout 14400

nat (Outside) 0 access-list Huntersville_nat_outbound

nat (Inside) 0 access-list Inside_nat0_outbound

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1

route Inside Canton_Phones 255.255.255.0 CantonGW 1

route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1

route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1

route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1

route Inside Canton_Data 255.255.255.0 CantonGW 1

route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1

route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1

route Inside 192.168.116.219 255.255.255.255 CantonGW 1

route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1

route Inside Peak10 255.255.255.0 SRX_Gateway 1

timeout xlate 3:00:00

timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

dynamic-access-policy-record TGAD_AccessPolicy

aaa-server TGAD protocol ldap

aaa-server TGAD (Inside) host 192.168.16.122

ldap-base-dn DC=tg,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local

server-type microsoft

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa local authentication attempts max-fail 10

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.16.0 255.255.255.0 Inside

http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map0 1 match address Outside_cryptomap

crypto map Outside_map0 1 set pfs

crypto map Outside_map0 1 set peer 74.218.175.168

crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map0 2 match address Outside_cryptomap_2

crypto map Outside_map0 2 set peer 192.237.229.119

crypto map Outside_map0 2 set transform-set ESP-3DES-MD5

crypto map Outside_map0 3 match address Outside_cryptomap_1

crypto map Outside_map0 3 set peer 174.143.192.65

crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map0 interface Outside

crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Inside_map interface Inside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=charlotte

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment self

subject-name CN=charlotte

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint1

certificate 48676150

  quit

crypto isakmp enable Outside

crypto isakmp enable Inside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 170

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 5

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Outside

ssh 172.221.228.164 255.255.255.255 Outside

ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside

ssh 192.168.16.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

management-access Inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint1 Outside

webvpn

enable Outside

enable Inside

anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"

svc enable

group-policy DfltGrpPolicy attributes

dns-server value 192.168.16.122 8.8.8.8

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Limited__VPN_Acccess_List

default-domain value tg.local

split-dns value tg.local

group-policy LimitedAccessGroupPolicy internal

group-policy LimitedAccessGroupPolicy attributes

wins-server none

dns-server value 192.168.16.122 8.8.8.8

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Limited__VPN_Acccess_List

default-domain value thinkgate.local

split-tunnel-all-dns disable

group-policy GroupPolicy2 internal

group-policy GroupPolicy2 attributes

vpn-tunnel-protocol IPSec

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

wins-server none

dns-server value 192.168.16.122 8.8.8.8

vpn-tunnel-protocol svc

default-domain value tg.local

group-policy Site-to-Site_Policy internal

group-policy Site-to-Site_Policy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

default-group-policy LimitedAccessGroupPolicy

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool SSL_VPN_Pool

tunnel-group LimitedAccessTunnelGroup type remote-access

tunnel-group LimitedAccessTunnelGroup general-attributes

address-pool SSL_VPN_Pool

default-group-policy LimitedAccessGroupPolicy

tunnel-group 208.104.76.178 type ipsec-l2l

tunnel-group 208.104.76.178 ipsec-attributes

pre-shared-key *****

tunnel-group 74.218.175.168 type ipsec-l2l

tunnel-group 74.218.175.168 ipsec-attributes

pre-shared-key *****

tunnel-group TGAD_ConnectionProfile type remote-access

tunnel-group TGAD_ConnectionProfile general-attributes

authentication-server-group TGAD

default-group-policy GroupPolicy1

tunnel-group 174.143.192.65 type ipsec-l2l

tunnel-group 174.143.192.65 general-attributes

default-group-policy GroupPolicy2

tunnel-group 174.143.192.65 ipsec-attributes

pre-shared-key *****

tunnel-group 192.237.229.119 type ipsec-l2l

tunnel-group 192.237.229.119 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:ef741b4905b43dc36d0f621e06508840

: end

charlotte#
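
A static lookup over the posted configuration for the failing flow, as an added example that is not part of the original thread: it resolves `name` aliases and `object-group network` members, then reports the static route and the `permit ip` ACL lines that cover a source/destination pair. The embedded lines are an excerpt copied from the config above; the function names and the two sample hosts (192.168.15.10, 192.168.8.10) are assumptions chosen for illustration, and the result is a reading aid for the config, not a diagnosis.

```python
import ipaddress

# Excerpt of the configuration posted above (wrapped lines rejoined, descriptions dropped).
CONFIG = """\
name 192.168.15.0 Charlotte_SSL_VPN_Clients
name 192.168.8.0 Canton_Phones
name 192.168.16.1 SRX_Gateway
name 192.168.16.2 CantonGW
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
"""

def parse(text):
    """Collect names, network object-groups, permit ACL entries and static routes."""
    cfg = {"names": {}, "groups": {}, "acls": {}, "routes": []}
    group = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue  # the posted config is double-spaced; blank lines do not end a group
        if t[0] == "network-object" and group is not None:
            group.append(t[1:])
            continue
        group = None  # any other command ends the current object-group
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "access-list" and t[2] in ("extended", "standard") and t[3] == "permit":
            cfg["acls"].setdefault(t[1], []).append((raw.strip(), t[4:]))
        elif t[0] == "route":
            cfg["routes"].append((t[1], t[2], t[3], t[4]))  # interface, network, mask, gateway
    return cfg

def addr(cfg, tok):
    """Replace a `name` alias with its address; pass literals through."""
    return cfg["names"].get(tok, tok)

def net(cfg, a, mask):
    return ipaddress.ip_network(f"{addr(cfg, a)}/{mask}", strict=False)

def take_spec(cfg, toks):
    """Consume one address spec; return (networks it covers, remaining tokens)."""
    if toks[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], toks[1:]
    if toks[0] == "host":
        return [net(cfg, toks[1], "255.255.255.255")], toks[2:]
    if toks[0] == "object-group":
        nets = []
        for member in cfg["groups"].get(toks[1], []):
            nets += take_spec(cfg, member)[0]
        return nets, toks[2:]
    return [net(cfg, toks[0], toks[1])], toks[2:]

def acl_hits(cfg, acl, src, dst):
    """Lines of an extended ACL ('permit ip' entries only) that cover src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for line, toks in cfg["acls"].get(acl, []):
        if toks[0] != "ip":
            continue  # service object-groups and other protocols are out of scope here
        srcs, rest = take_spec(cfg, toks[1:])
        dsts, _ = take_spec(cfg, rest)
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            hits.append(line)
    return hits

def std_permits(cfg, acl, dst):
    """True if a standard ACL (e.g. a split-tunnel list) permits the destination."""
    d = ipaddress.ip_address(dst)
    return any(d in n for _, toks in cfg["acls"].get(acl, []) for n in take_spec(cfg, toks)[0])

def best_route(cfg, ip):
    """Longest-prefix static route for ip as (interface, gateway), or None."""
    a = ipaddress.ip_address(ip)
    cands = [(net(cfg, n, m).prefixlen, ifc, addr(cfg, gw))
             for ifc, n, m, gw in cfg["routes"] if a in net(cfg, n, m)]
    return max(cands)[1:] if cands else None

if __name__ == "__main__":
    cfg = parse(CONFIG)
    client, target = "192.168.15.10", "192.168.8.10"  # sample hosts, assumed
    print("route to target:", best_route(cfg, target))
    print("route to client:", best_route(cfg, client))
    for name in ("Inside_nat0_outbound", "Huntersville_nat_outbound"):
        print(name, "client->target:", len(acl_hits(cfg, name, client, target)),
              "target->client:", len(acl_hits(cfg, name, target, client)))
    print("split-tunnel covers target:", std_permits(cfg, "Limited__VPN_Acccess_List", target))
```

To check the whole device rather than the excerpt, pass the full `show running-config` text to `parse()`; entries that use service object-groups are skipped by `acl_hits()`.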

3 REPLIES
Bronze

What does the packet-tracer say, what do the IPsec associations say (packets encrypted/decrypted)?

This might be faster than going through your hundreds of lines of config.

New Member

I was able to resolve this issue. I decided to route traffic through the ASA and this fixed the issue.

Thank you for your help.

New Member

Hi

Can you specify how you route it? I have the same problem but I don't think I have a routing issue or maybe I'm wrong. Thanks
