https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807823#M1022113 <HTML><HEAD></HEAD><BODY><P>Without even looking at your config, my guess is that you need a route on the remote network which points to the vpn client pool subnet. Probably...</P><P></P><P>ip route 192.168.20.0 255.255.255.0 192.168.8.1</P></BODY></HTML> Wed, 13 Jun 2007 17:34:56 GMT acomiskey 2007-06-13T17:34:56Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807822#M1022112 <P>Hi friends,</P><P></P><P>There is a ASA 7.2 acting as a VPN gateway for a Remote Access VPN. </P><P></P><P>There are primarily three networks behind the ASA inside network that are accessed by Remote VPN clients. They are:</P><P> </P><P>192.168.7.0</P><P>192.168.8.0</P><P>10.10.0.0</P><P></P><P>There is an access-list on which the ASA is doing No natting and Split tunneling for these three networks.</P><P></P><P>From the above three networks, 192.168.7.0 and 192.168.8.0 are local network resources. The other network viz. 10.10.0.0 is a remote network to the ASA and is accessible via a MPLS link to the remote network. </P><P></P><P>All the three networks are reachable from the ASA but for the remote clients, only the local networks behind the ASA are reachable viz. 192.168.7.0 and 192.168.8.0. The remote network on other end of MPLS 10.10.0.0 is not reachable for the remote VPN clients.</P><P></P><P>Is it possible for these remote VPN users to access 10.10.0.0 network (remote network to ASA)? Just wanted to know if it is technically possible and any directions/ pointers?</P><P></P><P>I am also enclosing a copy of the config for your kind reference.</P><P> </P><P>Thanks a lot</P><P>Gautam</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 10:30:04 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807822#M1022112 gautamzone 2019-03-11T10:30:04Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807823#M1022113 <HTML><HEAD></HEAD><BODY><P>Without even looking at your config, my guess is that you need a route on the remote network which points to the vpn client pool subnet. Probably...</P><P></P><P>ip route 192.168.20.0 255.255.255.0 192.168.8.1</P></BODY></HTML> Wed, 13 Jun 2007 17:34:56 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807823#M1022113 acomiskey 2007-06-13T17:34:56Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807824#M1022114 <HTML><HEAD></HEAD><BODY><P>Ever figure it out?</P></BODY></HTML> Thu, 14 Jun 2007 13:51:27 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807824#M1022114 acomiskey 2007-06-14T13:51:27Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807825#M1022115 <HTML><HEAD></HEAD><BODY><P>I dont think I have a solution to your problem, but your inside acl is poorly configured..</P><P></P><P>access-list inside extended permit ip host 192.168.8.51 any log critical</P><P>access-list inside extended permit ip any any</P><P>access-list inside extended permit icmp any any</P><P>access-list inside extended permit tcp any any eq ftp</P><P>access-list inside extended permit tcp any any eq ftp-data</P><P></P><P>your permit ip any any statement negates anything after it (and really everything before it). You dont even need that ACL on the inside interface, unless you want to specifically deny any traffic, or specifically permit any traffic while denying others. your permit ip any any causes EVERYthing to be allowed through.</P></BODY></HTML> Thu, 14 Jun 2007 13:56:51 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/807825#M1022115 srue 2007-06-14T13:56:51Z