Cisco Support Community
SSL VPN problem

I've been working for a while with my ISA550W to give access to remote employees using SSL VPN.

LAN was configured on ip 10.10.0.234 netmask 255.255.255.0 and VPN on 192.168.200.x.

Remote clients were able to connect to my internal LAN across all of 10.10.0.x (255.255.255.0).

Now I've expanded my LAN and the current netmask is 255.255.0.0 (10.10.y.x).

I was supposing that changing the ISA550 address to 10.10.0.234 netmask 255.255.0.0 would be sufficient to let remote users access all of the internal LAN, but it does not work.

As soon as a client connects, the ISA gives a VPN address (i.e. 192.168.200.7) and enables access to 10.10.0.x IP addresses, but it is not possible to access the extra addresses I need (for example 10.10.5.6).

Could someone help? The only thing I've changed is the LAN netmask, so I suppose there is something else to change.

Thanks in advance,

  Max

Check your split-tunneling ACL if you have one.

http://www.cisco.com/c/en/us/td/docs/security/small_business_security/isa500/administration/guide/ISA500_AG_book.pdf

Page 64.

Hi Ji Won,

  Thanks for your reply.

  I've checked and I have no split-tunneling active.

Any other suggestions?

Thanks

  Max

Hello Max,

Since you have tunnel-all, on the PC from where you connect, it will always send it through a VA (Virtual Adapter) that the SSL client creates; that seems to be fine. The traffic for the new IP addresses should be getting to the VPN gateway (ISA550W appliance) and from there routed to the pertinent IP addresses. First off, make sure that the VPN traffic is reaching the destination; then there should be a route for the traffic coming back to the VPN IP addresses assigned, so if there is a router behind, add the route for it, and set up a firewall monitor so we can see the traffic traversing in both directions.

Please don't forget to rate and mark this post as correct. Keep me posted!

Regards,

David Castro,

Hi

Probably the PC has a route only to subnet 10.10.0.0/24; you can check it in the Windows command line with "route print".

You also have to change the tunnel properties: http://www.cisco.com/c/dam/en/us/td/docs/security/small_business_security/isa500/technical_reference/ssl_vpn/isa500_sslvpn_appnote.pdf , page 11.

Hi Pawel,

  Here below is the route print output:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.75 276
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.4 2
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.75 255.255.255.255 On-link 192.168.1.75 276
192.168.200.0 255.255.255.0 On-link 192.168.200.4 257
192.168.200.4 255.255.255.255 On-link 192.168.200.4 257
192.168.200.255 255.255.255.255 On-link 192.168.200.4 257
195.250.246.210 255.255.255.255 192.168.1.254 192.168.1.75 21
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.75 276
224.0.0.0 240.0.0.0 On-link 192.168.200.4 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.75 276
255.255.255.255 255.255.255.255 On-link 192.168.200.4 257
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.254 Default
0.0.0.0 0.0.0.0 192.168.200.1 1
===========================================================================

Moreover, if I do tracert 10.10.5.40 I get

Tracing route to 10.10.5.40 over a maximum of 30 hops
1 37 ms 37 ms 36 ms 192.168.200.1
2 * Request timed out.
3 *

That means the traffic is routed to the VPN...

 It's something that is driving me crazy...

Max
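As an added example (not code from the thread or from Cisco), the following script does the lookup that "route print" leaves to the reader: it parses the IPv4 table Max posted above, resolves a destination the way the Windows stack does (most specific prefix wins, lowest metric breaks ties), and confirms that 10.10.5.40 leaves through the tunnel next hop 192.168.200.1, exactly as the tracert shows. It then applies the same lookup to the return path David Castro asked about, using a constructed table for a LAN host at 10.10.5.40 whose default gateway 10.10.5.1 is an assumption: without a route for 192.168.200.0/24, the reply goes to that gateway rather than to the ISA at 10.10.0.234. The on-link check at the end shows why the old /24 interface mask could not cover 10.10.5.6.

```python
"""Longest-prefix-match lookup over Windows 'route print' output.

Added example, not from the forum thread. CLIENT_TABLE is the table Max
posted; LAN_HOST_TABLE and the gateway 10.10.5.1 are constructed for
illustration.
"""
from __future__ import annotations

import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str       # "On-link" or the next-hop address
    interface: str     # address of the interface the packet leaves on
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' rows of 'route print' (IPv4 only).

    Rows have exactly five fields: destination, mask, gateway, interface,
    metric. Headers, separators and the four-field 'Persistent Routes' rows
    are skipped because they fail the field count or the int() conversion.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], metric))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Route a packet to `dest` would take: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], dest: str) -> str:
    """Where the packet is handed off: the gateway, or the interface if on-link."""
    r = lookup(routes, dest)
    if r is None:
        return "unroutable"
    return r.interface if r.gateway == "On-link" else r.gateway


def on_link(if_ip: str, mask: str, host: str) -> bool:
    """Does an interface with this address/mask consider `host` directly attached?"""
    return ipaddress.IPv4Address(host) in ipaddress.IPv4Network((if_ip, mask), strict=False)


# The client table from the thread (posted 'route print' output).
CLIENT_TABLE = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.75 276
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.4 2
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.75 255.255.255.255 On-link 192.168.1.75 276
192.168.200.0 255.255.255.0 On-link 192.168.200.4 257
192.168.200.4 255.255.255.255 On-link 192.168.200.4 257
192.168.200.255 255.255.255.255 On-link 192.168.200.4 257
195.250.246.210 255.255.255.255 192.168.1.254 192.168.1.75 21
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.75 276
224.0.0.0 240.0.0.0 On-link 192.168.200.4 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.75 276
255.255.255.255 255.255.255.255 On-link 192.168.200.4 257
Persistent Routes:
0.0.0.0 0.0.0.0 192.168.1.254 Default
0.0.0.0 0.0.0.0 192.168.200.1 1
"""

# Constructed: a LAN host at 10.10.5.40 on the new /16, default gateway
# 10.10.5.1 (assumed), with no route back to the VPN pool.
LAN_HOST_TABLE = """
10.10.0.0 255.255.0.0 On-link 10.10.5.40 276
0.0.0.0 0.0.0.0 10.10.5.1 10.10.5.40 276
"""

# Constructed: the same host after adding a static route for the VPN pool
# pointing at the ISA's LAN address.
LAN_HOST_FIXED = LAN_HOST_TABLE + "192.168.200.0 255.255.255.0 10.10.0.234 10.10.5.40 11\n"

if __name__ == "__main__":
    client = parse_route_print(CLIENT_TABLE)
    for dest in ("10.10.0.5", "10.10.5.40"):
        print(f"client -> {dest}: next hop {next_hop(client, dest)}")
    for label, table in (("no return route", LAN_HOST_TABLE), ("with return route", LAN_HOST_FIXED)):
        print(f"LAN host ({label}) -> 192.168.200.7: next hop "
              f"{next_hop(parse_route_print(table), '192.168.200.7')}")
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(f"ISA LAN 10.10.0.234/{mask} sees 10.10.5.6 on-link: "
              f"{on_link('10.10.0.234', mask, '10.10.5.6')}")
```

Because the tunnel default route has metric 2 against 276 for the physical NIC, every non-local destination on the client wins the tunnel; the client table cannot be the cause. The remaining places to look are the ones the replies name: whether a packet for 10.10.5.x actually arrives on the LAN side of the ISA, whether the host or router that receives it can route 192.168.200.0/24 back to 10.10.0.234, and whether a firewall rule between the VPN zone and the LAN zone permits it.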

So you don't have split tunnel; all traffic is routed through the VPN tunnel.

Did you check the firewall rules from the VPN tunnel to the LAN?
