2170 Views, 0 Helpful, 15 Replies

CISCO ASA 9.1 Remote Access VPN client is unable to ping/access other inside subnets/VLANs

drlbaluyut
Level 1

Hi guys

I've been having an issue with this for a week now.

My setup is an ASA connected to a Layer 3 switch with VLAN 158 (10.158.0.0 /16) and VLAN 193 (10.193.0.0 /16). VLAN 193 is for our servers.

The ASA inside interface is connected to VLAN 158 on the Layer 3 switch with an IP address of 10.158.2.6 255.255.0.0.

My VPN pool is 172.30.30.1 to 172.30.30.10 /16.

After connecting to the VPN with an IP assigned from the VPN pool, I was able to connect to the 10.158.0.0 network once I created a NO NAT rule between VLAN 158 and the VPN pool.

After creating the same no-NAT rule between the VPN pool and my server subnet in VLAN 193 (10.193.0.0 /16), I was unable to ping hosts on VLAN 193.

nat (inside,outside) source static ServerSubnet ServerSubnet destination static RA_VPN_TEST RA_VPN_TEST

I don't think there's a routing issue here because pings from the ASA inside interface to VLAN 193 are all successful using the gateway of VLAN 158.

Please see the running-config below.

Take note of the following first:

1. The management interface is disconnected from VLAN 193.

2. The majority of the twice NAT rules are inactive.

3. The majority of the network object NAT rules are also inactive.

ASA Version 9.1(1)
!
hostname SMMDZRA002
domain-name smmph.local
enable password 8T8R6XdsfHe6TaJO encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd iimrgUvTSQcRUuCl encrypted
names
ip local pool mypool 172.16.1.1-172.16.1.254
ip local pool mailpool 10.158.30.1-10.158.30.254
ip local pool 158POOL 172.30.30.1-172.30.30.10 mask 255.255.0.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.158.2.6 255.255.0.0
!
interface GigabitEthernet0/2
 shutdown
 nameif intf2
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.193.1.250 255.255.0.0
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.193.1.1
 name-server 10.193.1.6
 domain-name smmph.local
same-security-traffic permit inter-interface
object network OBJ-10.158.2.25
 host 10.158.2.25
object network OBJ-10.158.2.2
 host 10.158.2.2
object network OBJ-10.159.1.2
 host 10.159.1.2
object network obj-10.60.1.7
 host 10.60.1.7
object network obj-10.60.1.60
 host 10.60.1.60
object network obj-10.60.1.85
 host 10.60.1.85
object network obj-10.60.1.91
 host 10.60.1.91
object network obj-10.60.1.206
 host 10.60.1.206
object network obj-10.60.1.241
 host 10.60.1.241
object network obj-10.60.1.244
 host 10.60.1.244
object network obj-10.60.1.245
 host 10.60.1.245
object network obj-10.60.1.246
 host 10.60.1.246
object network obj-10.60.1.247
 host 10.60.1.247
object network obj-10.158.2.4
 host 10.158.2.4
object network obj-10.158.2.11
 host 10.158.2.11
object network obj-10.158.2.12
 host 10.158.2.12
object network obj-10.158.2.28
 host 10.158.2.28
object network obj-10.158.2.38
 host 10.158.2.38
object network obj-10.158.2.50
 host 10.158.2.50
object network obj-10.158.2.52
 host 10.158.2.52
object network obj-10.158.10.6
 host 10.158.10.6
object network obj-10.159.1.4
 host 10.159.1.4
object network obj-10.159.1.10
 host 10.159.1.10
object network obj-10.159.1.251
 host 10.159.1.251
object network obj-10.159.1.253
 host 10.159.1.253
object network obj-10.159.0.0_16
 subnet 10.159.0.0 255.255.0.0
object network obj-172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network obj-10.158.30.0_24
 subnet 10.158.30.0 255.255.255.0
object network obj-10.158.0.0_16
 subnet 10.158.0.0 255.255.0.0
object network obj-outside
 host 203.177.11.5
object network obj-10.20.1.0_24
 subnet 10.20.1.0 255.255.255.0
object network obj-10.30.1.0_24
 subnet 10.30.1.0 255.255.255.0
object network obj-10.40.1.0_24
 subnet 10.40.1.0 255.255.255.0
object network obj-10.50.1.0_24
 subnet 10.50.1.0 255.255.255.0
object network obj-10.60.1.0_24
 subnet 10.60.1.0 255.255.255.0
object network obj-10.70.1.0_24
 subnet 10.70.1.0 255.255.255.0
object network obj-10.80.1.0_24
 subnet 10.80.1.0 255.255.255.0
object network obj-10.90.1.0_24
 subnet 10.90.1.0 255.255.255.0
object network obj-10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network obj-10.30.0.0_16
 subnet 10.30.0.0 255.255.0.0
object network obj-10.40.0.0_16
 subnet 10.40.0.0 255.255.0.0
object network obj-10.50.0.0_16
 subnet 10.50.0.0 255.255.0.0
object network obj-10.60.0.0_16
 subnet 10.60.0.0 255.255.0.0
object network obj-10.70.0.0_16
 subnet 10.70.0.0 255.255.0.0
object network obj-10.80.0.0_16
 subnet 10.80.0.0 255.255.0.0
object network obj-10.90.0.0_16
 subnet 10.90.0.0 255.255.0.0
object network obj-144.36.217.201
 host 144.36.217.201
object network obj-58.137.205.2
 host 58.137.205.2
object network obj-10.161.2.250
 host 10.161.2.250
 description Manila Proxy IP
object network SMMPH-IT_IP
 range 10.161.2.96 10.161.2.102
 description SMMPH-IT_IP
object network NETWORK_OBJ_10.158.0.0_16
 subnet 10.158.0.0 255.255.0.0
object network NETWORK_OBJ_10.158.10.80_29
 subnet 10.158.10.80 255.255.255.248
object network inside158
 subnet 10.158.0.0 255.255.0.0
object network ServerSub2
 subnet 10.193.1.0 255.255.255.0
object network ServerSubnet
 subnet 10.193.0.0 255.255.0.0
object network IN158
 subnet 10.158.0.0 255.255.0.0
object network IN161
 subnet 10.161.0.0 255.255.0.0
object network IN193
 subnet 10.193.1.0 255.255.255.0
object network INSIDE158
 subnet 10.158.0.0 255.255.0.0
object network INSIDE161
 subnet 10.161.0.0 255.255.0.0
object network INSIDE193
 subnet 10.193.0.0 255.255.0.0
object network obj10.158.2.50
 host 10.158.2.50
object network 203.177.11.3
 host 203.177.11.3
object network obj10.158.2.25
 host 10.158.2.25
object network 203.177.11.3(S)
 host 203.177.11.3
object network obj-10.60.1.242
 host 10.60.1.242
object network obj-10.60.1.243
 host 10.60.1.243
object network RA_VPN_TEST
 subnet 172.30.0.0 255.255.0.0
access-list 101 extended permit ip 10.159.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list 101 extended permit ip 10.159.0.0 255.255.0.0 10.158.30.0 255.255.255.0
access-list 101 extended permit ip 10.158.0.0 255.255.0.0 10.158.30.0 255.255.255.0
access-list ftp.jgc.co.jp extended permit tcp host 10.158.10.130 host 150.5.65.99 eq ftp
access-list acl-outside extended deny tcp host 60.254.0.0 any eq www
access-list 102 extended permit ip 10.158.0.0 255.255.0.0 host 144.36.217.201
access-list 103 extended permit ip 10.159.0.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.20.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.30.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.40.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.50.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.60.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.70.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.80.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.90.1.0 255.255.255.0 host 144.36.217.201
access-list 104 extended permit ip 10.158.0.0 255.255.0.0 host 58.137.205.2
access-list 105 extended permit ip 10.159.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.20.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.30.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.40.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.50.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.60.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.70.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.80.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.90.0.0 255.255.255.0 host 58.137.205.2
access-list inside_access_in remark Cisco IronPort C170
access-list inside_access_in extended permit ip object OBJ-10.158.2.25 any inactive
access-list inside_access_in remark Manila Mail Server
access-list inside_access_in extended permit ip object OBJ-10.158.2.2 any inactive
access-list inside_access_in remark Manila Proxy
access-list inside_access_in remark Blue Coat 300
access-list inside_access_in extended permit ip object obj-10.161.2.250 any
access-list inside_access_in remark Manila Proxy
access-list inside_access_in extended permit ip object obj-10.158.2.50 any
access-list inside_access_in extended permit ip host 10.158.2.103 any
access-list SMMPH standard permit 10.193.0.0 255.255.0.0
no pager
logging enable
logging buffered debugging
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500
ip verify reverse-path interface outside
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static ServerSubnet ServerSubnet destination static RA_VPN_TEST RA_VPN_TEST
nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 inactive
nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24
nat (inside,outside) source static obj-10.158.0.0_16 obj-10.158.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24
nat (inside,outside) source dynamic obj-10.158.0.0_16 interface
nat (inside,outside) source dynamic obj-10.20.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.30.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.40.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.50.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.60.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.70.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.80.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.90.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.158.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.159.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.20.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.30.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.40.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.50.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.60.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.70.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.80.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.90.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source static NETWORK_OBJ_10.158.0.0_16 NETWORK_OBJ_10.158.0.0_16 destination static NETWORK_OBJ_10.158.10.80_29 NETWORK_OBJ_10.158.10.80_29 no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.158.10.80_29 NETWORK_OBJ_10.158.10.80_29 no-proxy-arp route-lookup inactive
!
object network OBJ-10.158.2.25
 nat (inside,outside) static 203.177.11.3 net-to-net
object network OBJ-10.158.2.2
 nat (inside,outside) static 203.177.11.4 net-to-net
object network OBJ-10.159.1.2
 nat (inside,outside) static 203.177.11.2 net-to-net
object network obj-10.60.1.7
 nat (inside,outside) dynamic interface
object network obj-10.60.1.60
 nat (inside,outside) dynamic interface
object network obj-10.60.1.85
 nat (inside,outside) dynamic interface
object network obj-10.60.1.91
 nat (inside,outside) dynamic interface
object network obj-10.60.1.206
 nat (inside,outside) dynamic interface
object network obj-10.60.1.241
 nat (inside,outside) dynamic interface
object network obj-10.60.1.244
 nat (inside,outside) dynamic interface
object network obj-10.60.1.245
 nat (inside,outside) dynamic interface
object network obj-10.60.1.246
 nat (inside,outside) dynamic interface
object network obj-10.60.1.247
 nat (inside,outside) dynamic interface
object network obj-10.158.2.4
 nat (inside,outside) dynamic interface
object network obj-10.158.2.11
 nat (inside,outside) dynamic interface
object network obj-10.158.2.12
 nat (inside,outside) dynamic interface
object network obj-10.158.2.28
 nat (inside,outside) dynamic interface
object network obj-10.158.2.38
 nat (inside,outside) dynamic interface
object network obj-10.158.2.50
 nat (inside,outside) dynamic interface
object network obj-10.158.2.52
 nat (inside,outside) dynamic interface
object network obj-10.158.10.6
 nat (inside,outside) dynamic interface
object network obj-10.159.1.4
 nat (inside,outside) dynamic interface
object network obj-10.159.1.10
 nat (inside,outside) dynamic interface
object network obj-10.159.1.251
 nat (inside,outside) dynamic interface
object network obj-10.159.1.253
 nat (inside,outside) dynamic interface
object network obj-10.60.1.242
 nat (inside,outside) dynamic interface
object network obj-10.60.1.243
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 122.52.52.41 1
route inside 10.0.0.0 255.0.0.0 10.158.1.1 1
route inside 10.159.0.0 255.255.0.0 10.158.2.100 1
route management 10.161.2.0 255.255.255.0 10.193.255.254 1
route inside 192.168.10.0 255.255.255.252 10.158.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record DAP-GP-VPNAC-TEST2
dynamic-access-policy-record DAP-GP-VPNAC-TEST
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG-GP-VPNAC-TEST protocol ldap
aaa-server SG-GP-VPNAC-TEST (inside) host 10.193.1.1
 ldap-base-dn dc=smmph, dc=local
 ldap-scope subtree
 ldap-naming-attribute SamAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator, cn=users, dc=smmph, dc=local
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.158.0.0 255.255.0.0 inside
http 10.159.1.16 255.255.255.255 inside
http 10.161.2.0 255.255.255.0 inside
http 10.161.2.99 255.255.255.255 management
http 10.161.2.101 255.255.255.255 management
http 10.161.2.102 255.255.255.255 management
http 10.161.2.98 255.255.255.255 management
http 10.161.2.96 255.255.255.255 management
http 10.161.2.97 255.255.255.255 management
http 10.193.1.0 255.255.255.0 inside
snmp-server host inside 10.158.254.254 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpoint SMMDZRA002_TrustPoint0
 enrollment self
 subject-name CN=SMMDZRA002
 keypair SMMDZRA002KP
 crl configure
crypto ca trustpool policy
crypto ca certificate chain SMMDZRA002_TrustPoint0
 certificate d9ac7656
  quit
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SMMDZRA002_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 10.158.0.0 255.255.0.0 inside
telnet 10.159.0.0 255.255.0.0 inside
telnet 10.60.1.0 255.255.255.0 inside
telnet 10.158.0.0 255.255.0.0 intf2
telnet 10.159.0.0 255.255.0.0 intf2
telnet 10.60.1.0 255.255.255.0 intf2
telnet timeout 5
ssh 10.161.2.98 255.255.255.255 inside
ssh 10.161.2.99 255.255.255.255 inside
ssh 10.161.2.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point SMMDZRA002_TrustPoint0 outside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles CP-GP-VPNAC-TEST_client_profile disk0:/CP-GP-VPNAC-TEST_client_profile.xml
 anyconnect profiles CP-VPNAC-TEST2_client_profile disk0:/CP-VPNAC-TEST2_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_CP-GP-VPNAC-TEST internal
group-policy GroupPolicy_CP-GP-VPNAC-TEST attributes
 wins-server none
 dns-server value 10.193.1.1 10.193.1.6
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value smmph.local
 webvpn
  anyconnect profiles value CP-GP-VPNAC-TEST_client_profile type user
group-policy GroupPolicy_CP-VPNAC-TEST2 internal
group-policy GroupPolicy_CP-VPNAC-TEST2 attributes
 wins-server none
 dns-server value 10.193.1.1 10.193.1.6
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value smmph.local
 webvpn
  anyconnect profiles value CP-VPNAC-TEST2_client_profile type user

tunnel-group CP-GP-VPNAC-TEST type remote-access
tunnel-group CP-GP-VPNAC-TEST general-attributes
 address-pool 158POOL
 authentication-server-group SG-GP-VPNAC-TEST
 default-group-policy GroupPolicy_CP-GP-VPNAC-TEST
tunnel-group CP-GP-VPNAC-TEST webvpn-attributes
 group-alias CP-GP-VPNAC-TEST enable
tunnel-group CP-VPNAC-TEST2 type remote-access
tunnel-group CP-VPNAC-TEST2 general-attributes
 address-pool 158POOL
 authentication-server-group SG-GP-VPNAC-TEST
 default-group-policy GroupPolicy_CP-VPNAC-TEST2
tunnel-group CP-VPNAC-TEST2 webvpn-attributes
 group-alias CP-VPNAC-TEST2 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect http
  inspect icmp
 class class-default
  set connection decrement-ttl
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 23
  subscribe-to-alert-group configuration periodic monthly 23
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:210096a352e0a30803fcf07d6f2a2aa1

Thank you in advance!

15 Replies

jagmeesi
Level 1

Pings being successful from the inside interface IP address doesn't mean it has the capability to reach the VPN pool.

  • Put up the following capture on the ASA inside interface:
capture capii interface inside match ip 172.30.30.0 255.255.255.0 10.193.0.0 255.255.0.0
  • Connect to the AnyConnect client.
  • Ping any IP address in the server range.
  • See if the packets are coming in the capture or not ("show capture capii").

If you can see the packets going from the ASA inside interface to the server range IP address and not coming back, then it's a routing issue.

If you don't see any packets in the capture, please put up the asp-drop capture to see if the ASA is dropping any packets:

capture asp type asp-drop all
capture asp buffer 3355442

Regards

Jagmeet

Hi Jagmeesi

Please see the output. Can you explain what this output means?

Additional info: my VPN client can also ping the Layer 3 switch VLAN 193 default gateways.

I am only pinging 10.193.1.21.

The 10.193.1.1 and 10.193.1.6 are the AD/DNS servers set on the ASA.

SMMDZRA002(config)# capture capii interface inside match ip 172.30.0.0 255.255$
SMMDZRA002(config)# show capture capii
43 packets captured
   1: 08:39:18.082866       172.30.30.2 > 10.193.1.21: icmp: echo request
   2: 08:39:20.808735       172.30.30.2.53254 > 10.193.1.1.53:  udp 40
   3: 08:39:20.808948       172.30.30.2.53254 > 10.193.1.6.53:  udp 40
   4: 08:39:23.082438       172.30.30.2 > 10.193.1.21: icmp: echo request
   5: 08:39:24.314207       172.30.30.2.64813 > 10.193.1.6.53:  udp 47
   6: 08:39:25.276001       172.30.30.2.64813 > 10.193.1.1.53:  udp 47
   7: 08:39:26.338986       172.30.30.2.64813 > 10.193.1.6.53:  udp 47
   8: 08:39:28.103723       172.30.30.2 > 10.193.1.21: icmp: echo request
   9: 08:39:28.324659       172.30.30.2.64813 > 10.193.1.1.53:  udp 47
  10: 08:39:28.324888       172.30.30.2.64813 > 10.193.1.6.53:  udp 47
  11: 08:39:32.329679       172.30.30.2.64813 > 10.193.1.1.53:  udp 47
  12: 08:39:32.329954       172.30.30.2.64813 > 10.193.1.6.53:  udp 47
  13: 08:39:33.129448       172.30.30.2 > 10.193.1.21: icmp: echo request
  14: 08:39:38.118447       172.30.30.2 > 10.193.1.21: icmp: echo request
  15: 08:39:39.846391       172.30.30.2.56498 > 10.193.1.6.53:  udp 40
  16: 08:39:40.875641       172.30.30.2.56498 > 10.193.1.1.53:  udp 40
  17: 08:39:41.816669       172.30.30.2.56498 > 10.193.1.6.53:  udp 40
  18: 08:39:43.095133       172.30.30.2 > 10.193.1.21: icmp: echo request
  19: 08:39:43.910231       172.30.30.2.56498 > 10.193.1.1.53:  udp 40
  20: 08:39:43.910475       172.30.30.2.56498 > 10.193.1.6.53:  udp 40
  21: 08:39:47.807621       172.30.30.2.56498 > 10.193.1.1.53:  udp 40
  22: 08:39:47.807850       172.30.30.2.56498 > 10.193.1.6.53:  udp 40
  23: 08:39:48.007491       172.30.30.2 > 10.193.1.21: icmp: echo request
  24: 08:39:53.131966       172.30.30.2 > 10.193.1.21: icmp: echo request
  25: 08:39:54.574646       172.30.30.2.63100 > 10.193.1.6.53:  udp 40
  26: 08:39:55.614760       172.30.30.2.63100 > 10.193.1.1.53:  udp 40
  27: 08:39:56.581436       172.30.30.2.63100 > 10.193.1.6.53:  udp 40
  28: 08:39:58.122460       172.30.30.2 > 10.193.1.21: icmp: echo request
  29: 08:39:58.604506       172.30.30.2.63100 > 10.193.1.1.53:  udp 40
  30: 08:39:58.605254       172.30.30.2.63100 > 10.193.1.6.53:  udp 40
  31: 08:40:02.586670       172.30.30.2.63100 > 10.193.1.1.53:  udp 40
  32: 08:40:02.586914       172.30.30.2.63100 > 10.193.1.6.53:  udp 40
  33: 08:40:03.061718       172.30.30.2 > 10.193.1.21: icmp: echo request
  34: 08:40:06.409707       172.30.30.2.54765 > 10.193.1.6.53:  udp 34
  35: 08:40:07.407449       172.30.30.2.54765 > 10.193.1.1.53:  udp 34
  36: 08:40:08.093775       172.30.30.2 > 10.193.1.21: icmp: echo request
  37: 08:40:08.440910       172.30.30.2.54765 > 10.193.1.6.53:  udp 34
  38: 08:40:10.427346       172.30.30.2 > 10.193.1.21: icmp: echo request
  39: 08:40:10.451667       172.30.30.2.54765 > 10.193.1.1.53:  udp 34
  40: 08:40:10.453605       172.30.30.2.54765 > 10.193.1.6.53:  udp 34
  41: 08:40:14.487020       172.30.30.2.54765 > 10.193.1.1.53:  udp 34
  42: 08:40:14.492665       172.30.30.2.54765 > 10.193.1.6.53:  udp 34
  43: 08:40:15.107919       172.30.30.2 > 10.193.1.21: icmp: echo request

If it's indeed a routing issue, I don't understand what I'm missing on routing for both the Layer 3 switch and the ASA.

The VLAN 158 subnet is 10.158.0.0 255.255.0.0.

The VLAN 193 subnet is 10.193.0.0 255.255.0.0.

My routing settings are the following:

ASA, directly connected to the Layer 3 switch VLAN 158: route inside 10.0.0.0 255.0.0.0 10.158.1.1 1

Layer 3 switch, directly connected to the ASA: route 0.0.0.0 0.0.0.0 10.158.2.6

My VLAN 193 servers can ping the ASA inside interface IP 10.158.2.6 as well as the VLAN 158 gateway IP 10.158.1.1 and all the hosts in VLAN 158.

Also, pings to VLAN 193 hosts are successful using the ping tool in ASDM with the inside interface as the source.

Thank you in advance
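The check the reply above describes (packets leaving the inside interface towards the server range with nothing coming back) can be read off mechanically from the `show capture` listing. The following is an added example, not code from the original post or from Cisco: it parses the capture text format shown above, groups packets into client-to-host flows, and flags the flows that are one-way. The sample is constructed: four lines copied from the posted capture plus two constructed lines that show what a two-way flow looks like; the pool and inside subnets are passed in as arguments.

```python
import ipaddress
import re
from collections import defaultdict

# One capture line per packet, in the format 'show capture <name>' prints:
#    1: 08:39:18.082866       172.30.30.2 > 10.193.1.21: icmp: echo request
#    2: 08:39:20.808735       172.30.30.2.53254 > 10.193.1.1.53:  udp 40
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<proto>[a-z]+)(?P<rest>.*)$"
)

# Constructed sample: lines 1-4 are copied from the capture posted in the
# thread; lines 9 and 10 are constructed to show what a two-way flow looks like.
SAMPLE_CAPTURE = """\
6 packets captured
   1: 08:39:18.082866       172.30.30.2 > 10.193.1.21: icmp: echo request
   2: 08:39:20.808735       172.30.30.2.53254 > 10.193.1.1.53:  udp 40
   3: 08:39:20.808948       172.30.30.2.53254 > 10.193.1.6.53:  udp 40
   4: 08:39:23.082438       172.30.30.2 > 10.193.1.21: icmp: echo request
   9: 08:39:30.000000       172.30.30.2 > 10.158.1.1: icmp: echo request
  10: 08:39:30.000512       10.158.1.1 > 172.30.30.2: icmp: echo reply
"""


def parse_capture(text):
    """Return one dict per packet line; non-packet lines (headers) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "num": int(d["num"]),
            "ts": d["ts"],
            "src": ipaddress.ip_address(d["src"]),
            "sport": int(d["sport"]) if d["sport"] else None,
            "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"]) if d["dport"] else None,
            "proto": d["proto"],
            "info": d["rest"].strip(": "),   # e.g. 'echo request' or '40'
        })
    return packets


def flow_directions(packets, pool, inside_nets):
    """Count packets per (client, inside host, proto) in each direction.

    'out'  = VPN client -> inside host (what the posted capture shows),
    'back' = inside host -> VPN client (replies; an ASA capture 'match'
             is bidirectional, so they would appear in the same capture).
    """
    pool = ipaddress.ip_network(pool)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    counts = defaultdict(lambda: {"out": 0, "back": 0})
    for p in packets:
        if p["src"] in pool and any(p["dst"] in n for n in inside):
            counts[(str(p["src"]), str(p["dst"]), p["proto"])]["out"] += 1
        elif p["dst"] in pool and any(p["src"] in n for n in inside):
            counts[(str(p["dst"]), str(p["src"]), p["proto"])]["back"] += 1
    return dict(counts)


def one_way_flows(packets, pool, inside_nets):
    """Flows whose packets left towards the inside host but got no reply."""
    return sorted(
        key for key, c in flow_directions(packets, pool, inside_nets).items()
        if c["out"] > 0 and c["back"] == 0
    )


def report(text=SAMPLE_CAPTURE, pool="172.30.0.0/16",
           inside_nets=("10.158.0.0/16", "10.193.0.0/16")):
    """Print a per-flow summary and return the list of one-way flows."""
    packets = parse_capture(text)
    flows = flow_directions(packets, pool, inside_nets)
    for (client, host, proto), c in sorted(flows.items()):
        state = "ONE-WAY (check return route)" if c["back"] == 0 else "two-way"
        print(f"{client} -> {host} {proto:4} out={c['out']} back={c['back']}  {state}")
    return one_way_flows(packets, pool, inside_nets)


if __name__ == "__main__":
    report()
```

Run against the full 43-line capture from the thread it reports every flow as one-way, which is the "going out and not coming back" case the reply describes.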

Additional info.

I have attached other detailed info that may help with troubleshooting.

This includes the following:

1. Network setup

2. Ping from ASDM

3. ASA access rules

4. ASA NAT rules

5. ASA static routes

6. ASA interfaces

7. ASA packet trace (I'm not sure how to use this one; kindly advise me.)

Additional info.

tracert from a VLAN 193 host with GW 10.193.255.254 to the VPN client:

C:\Users\Administrator>tracert -d 172.30.30.2
Tracing route to 172.30.30.2 over a maximum o
  1     1 ms     1 ms     1 ms  10.193.255.250
  2    <1 ms    <1 ms    <1 ms  10.160.1.3 ->juniper edge firewall
  3    <1 ms    <1 ms    <1 ms  222.127.3.241
Should the traceroute to the VPN client from VLAN 193 hosts be routed to the ASA inside interface or not?

Layer 3 switch routing table:
SMMNLCS001#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 10.158.2.6 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.158.2.6
      10.0.0.0/8 is variably subnetted, 34 subnets, 3 masks
S        10.20.1.0/24 [1/0] via 10.160.1.1
S        10.30.1.0/24 [1/0] via 10.160.1.1
S        10.40.1.0/24 [1/0] via 10.160.1.1
S        10.50.1.0/24 [1/0] via 10.160.1.1
S        10.60.1.0/24 [1/0] via 10.160.1.1
S        10.70.1.0/24 [1/0] via 10.160.1.1
S        10.80.1.0/24 [1/0] via 10.160.1.1
S        10.90.1.0/24 [1/0] via 10.160.1.1
C        10.158.0.0/16 is directly connected, Vlan158
L        10.158.254.250/32 is directly connected, Vlan158
L        10.158.255.250/32 is directly connected, Vlan158
S        10.159.0.0/16 [1/0] via 10.160.1.1
C        10.160.0.0/16 is directly connected, Vlan160
L        10.160.255.250/32 is directly connected, Vlan160
C        10.161.0.0/16 is directly connected, Vlan161
L        10.161.255.250/32 is directly connected, Vlan161
S        10.171.0.0/16 [1/0] via 10.160.1.5
S        10.172.0.0/16 [1/0] via 10.160.1.5
S        10.172.12.111/32 [1/0] via 10.160.1.1
S        10.173.0.0/16 [1/0] via 10.160.1.5
S        10.174.0.0/16 [1/0] via 10.160.1.5
S        10.175.0.0/16 [1/0] via 10.160.1.5
S        10.176.0.0/16 [1/0] via 10.160.1.5
S        10.177.0.0/16 [1/0] via 10.160.1.5
S        10.178.0.0/16 [1/0] via 10.160.1.1
S        10.179.0.0/16 [1/0] via 10.160.1.5
S        10.180.0.0/16 [1/0] via 10.160.1.5
C        10.190.0.0/16 is directly connected, Vlan190
L        10.190.255.250/32 is directly connected, Vlan190
C        10.193.0.0/16 is directly connected, Vlan193
L        10.193.255.250/32 is directly connected, Vlan193
C        10.203.0.0/16 is directly connected, Vlan203
L        10.203.255.250/32 is directly connected, Vlan203
S        10.210.0.0/16 [1/0] via 10.160.1.5
      116.0.0.0/29 is subnetted, 1 subnets
S        116.50.215.136 [1/0] via 10.160.1.3
      122.0.0.0/32 is subnetted, 1 subnets
S        122.216.84.178 [1/0] via 10.160.1.3
S     172.16.0.0/16 [1/0] via 10.160.1.3
S     172.21.0.0/16 [1/0] via 172.22.1.1
      172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.22.0.0/16 is directly connected, Vlan172
L        172.22.255.250/32 is directly connected, Vlan172
S     172.23.0.0/16 [1/0] via 172.22.1.1
S     192.168.1.0/24 [1/0] via 10.160.1.3
      192.168.10.0/30 is subnetted, 1 subnets
S        192.168.10.0 [1/0] via 10.160.1.1
SMMNLCS001#

Hi

Can you try to give a specific route for the VPN pool and see if it works after that or not? From the traceroute I am able to see that it is not sending the traffic to the ASA's interface 10.158.2.6; it's sending it over to 10.160.1.3.

ip route 172.30.30.0 255.255.255.0 10.158.2.6

Regards

Jagmeet

Hi

Still doesn't work unfortunately.

SMMNLCS001#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 10.158.2.6 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.158.2.6
      10.0.0.0/8 is variably subnetted, 34 subnets, 3 masks
S        10.20.1.0/24 [1/0] via 10.160.1.1
S        10.30.1.0/24 [1/0] via 10.160.1.1
S        10.40.1.0/24 [1/0] via 10.160.1.1
S        10.50.1.0/24 [1/0] via 10.160.1.1
S        10.60.1.0/24 [1/0] via 10.160.1.1
S        10.70.1.0/24 [1/0] via 10.160.1.1
S        10.80.1.0/24 [1/0] via 10.160.1.1
S        10.90.1.0/24 [1/0] via 10.160.1.1
C        10.158.0.0/16 is directly connected, Vlan158
L        10.158.254.250/32 is directly connected, Vlan158
L        10.158.255.250/32 is directly connected, Vlan158
S        10.159.0.0/16 [1/0] via 10.160.1.1
C        10.160.0.0/16 is directly connected, Vlan160
L        10.160.255.250/32 is directly connected, Vlan160
C        10.161.0.0/16 is directly connected, Vlan161
L        10.161.255.250/32 is directly connected, Vlan161
S        10.171.0.0/16 [1/0] via 10.160.1.5
S        10.172.0.0/16 [1/0] via 10.160.1.5
S        10.172.12.111/32 [1/0] via 10.160.1.1
S        10.173.0.0/16 [1/0] via 10.160.1.5
S        10.174.0.0/16 [1/0] via 10.160.1.5
S        10.175.0.0/16 [1/0] via 10.160.1.5
S        10.176.0.0/16 [1/0] via 10.160.1.5
S        10.177.0.0/16 [1/0] via 10.160.1.5
S        10.178.0.0/16 [1/0] via 10.160.1.1
S        10.179.0.0/16 [1/0] via 10.160.1.5
S        10.180.0.0/16 [1/0] via 10.160.1.5
C        10.190.0.0/16 is directly connected, Vlan190
L        10.190.255.250/32 is directly connected, Vlan190
C        10.193.0.0/16 is directly connected, Vlan193
L        10.193.255.250/32 is directly connected, Vlan193
C        10.203.0.0/16 is directly connected, Vlan203
L        10.203.255.250/32 is directly connected, Vlan203
S        10.210.0.0/16 [1/0] via 10.160.1.5
      116.0.0.0/29 is subnetted, 1 subnets
S        116.50.215.136 [1/0] via 10.160.1.3
      122.0.0.0/32 is subnetted, 1 subnets
S        122.216.84.178 [1/0] via 10.160.1.3
S     172.16.0.0/16 [1/0] via 10.160.1.3
S     172.21.0.0/16 [1/0] via 172.22.1.1
      172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.22.0.0/16 is directly connected, Vlan172
L        172.22.255.250/32 is directly connected, Vlan172
S     172.23.0.0/16 [1/0] via 172.22.1.1
S     172.30.0.0/16 [1/0] via 10.158.2.6
S     192.168.1.0/24 [1/0] via 10.160.1.3
      192.168.10.0/30 is subnetted, 1 subnets
S        192.168.10.0 [1/0] via 10.160.1.1

QUESTIONS:

1. Do route-maps have something to do with why my hosts on VLAN 193 are not going to 10.158.2.6?

2. The Cisco ASA inside interface is directly connected to VLAN 158 of the Layer 3 switch. The port on the Layer 3 switch where the ASA is connected is in access mode. Does it need to be a trunk port?

3. Why is the ping from the VPN client to the VLAN 193 SVI/gateway successful but not to the hosts?

Thank you

This is the running config of layer3 switch.

ip routing
!
!
!
no ip domain-lookup
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1701104512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1701104512
 revocation-check none
 rsakeypair TP-self-signed-1701104512
!
!
crypto pki certificate chain TP-self-signed-1701104512
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31373031 31303435 3132301E 170D3131 30333330 30313239
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37303131
  30343531 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008E7B B1C88A43 D346C6F0 B415D6D0 39FA6E43 97B62494 4EA501CC CF14AD6B
  16803A29 D10DAE4E C595786C B3BBB3A2 C6050A02 BDD413F9 0B7A3745 BD875088
  159A7CC9 FAEAE347 5F9BE4E5 932D23E8 08FF7C27 418CF04A E1847BDE 00652789
  793284D4 413473EF 1CCDA7DE 7027DA21 B9B02C58 37A8DB47 D2A0A1D7 A4BFD2D4
  DBDF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14B9262F E47A74C7 AE0CA0B1 52B85F8D 10E5F7CB 9B301D06
  03551D0E 04160414 B9262FE4 7A74C7AE 0CA0B152 B85F8D10 E5F7CB9B 300D0609
  2A864886 F70D0101 05050003 8181005A 1809B13E DA1E0034 5789218B 29387654
  D4AD144E 4CACA917 11C13BA6 EC9A69D0 71C84FF6 3AD92E2F D248C870 55B10986
  32CD8C4A AEB85750 1D9DEC03 6E8EAB29 F9403E9B 58840DD7 811159D5 97330B5C
  2A16A073 F6876A61 77241AFA 455A45BF 792637B6 A1DC8ADC 035A621B A51651CB
  50DC4FE5 2122AEF4 89C49FFB 97776F
        quit
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys
 path flash:archive-config
 write-memory
 time-period 1440
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 158 priority 0
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 158,160-161,172,190,193,203
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description *** Link to SMMKTHB001 Gi0/1, Gi0/2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/1
 description *** Link to SMMKTHB001 Gi0/1 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface GigabitEthernet0/2
 description *** Link to SMMKTHB001 Gi0/2 ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface GigabitEthernet0/3
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 160
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 161
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 161
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 161
 switchport mode access
!
interface GigabitEthernet0/12
 description ## connection to SMMNLWC251 WLC ##
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 193
 switchport mode trunk
!
interface GigabitEthernet0/13
 description <<<to SMMPH Server Farm L2SW>>
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/14
 description <<<to SMMPH Server Farm L2SW>>
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/15
 switchport access vlan 193
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 172
 switchport mode access
 ip access-group 172 in
!
interface GigabitEthernet0/17
 switchport access vlan 203
 switchport mode access
!
interface GigabitEthernet0/18
 description ## connection to 24th floor switch ##
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 158,161,193
 switchport mode trunk
!
interface GigabitEthernet0/19
 description ## connection to SMMNLHB002 25F switch ##
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 158,161,193
 switchport mode trunk
!
interface GigabitEthernet0/20
 description ## connection to SMMNLHB001 25F switch ##
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 158,161,193
 switchport mode trunk
!
interface GigabitEthernet0/21
 switchport access vlan 158
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 158
 switchport mode access
!
interface GigabitEthernet0/23
 switchport access vlan 158
 switchport mode access
!
interface GigabitEthernet0/24
 switchport access vlan 158
 switchport mode access
 speed 100
 duplex full
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan158
 description CBNC_VLAN
 ip address 10.158.254.250 255.255.0.0 secondary
 ip address 10.158.255.250 255.255.0.0
 standby 1 ip 10.158.1.1
 standby 1 ip 10.158.2.100 secondary
 standby 1 priority 105
 standby 1 preempt
 ip policy route-map CBNC_RMAP
!
interface Vlan160
 description RTR
 ip address 10.160.255.250 255.255.0.0
 standby 2 ip 10.160.255.254
 standby 2 preempt
!
interface Vlan161
 description THPAL_VLAN
 ip address 10.161.255.250 255.255.0.0
 standby 3 ip 10.161.1.1
 standby 3 preempt
 ip policy route-map THPAL_RMAP
!
interface Vlan172
 description <<DMZ-2 Segment>>
 ip address 172.22.255.250 255.255.0.0
 standby 4 ip 172.22.255.254
 standby 4 preempt
!
interface Vlan190
 ip address 10.190.255.250 255.255.0.0
 standby 5 ip 10.190.255.254
 standby 5 preempt
!
interface Vlan193
 ip address 10.193.255.250 255.255.0.0
 standby 6 ip 10.193.255.254
 standby 6 preempt
 ip policy route-map SMMPH_RMAP
!
interface Vlan203
 description <<<SMMPH Backup Server NW>>>
 ip address 10.203.255.250 255.255.0.0
 ip access-group 103 out
 standby 7 ip 10.203.255.254
 standby 7 preempt
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.158.2.6
ip route 10.20.1.0 255.255.255.0 10.160.1.1
ip route 10.30.1.0 255.255.255.0 10.160.1.1
ip route 10.40.1.0 255.255.255.0 10.160.1.1
ip route 10.50.1.0 255.255.255.0 10.160.1.1
ip route 10.60.1.0 255.255.255.0 10.160.1.1
ip route 10.70.1.0 255.255.255.0 10.160.1.1
ip route 10.80.1.0 255.255.255.0 10.160.1.1
ip route 10.90.1.0 255.255.255.0 10.160.1.1
ip route 10.159.0.0 255.255.0.0 10.160.1.1
ip route 10.171.0.0 255.255.0.0 10.160.1.5
ip route 10.172.0.0 255.255.0.0 10.160.1.5
ip route 10.172.12.111 255.255.255.255 10.160.1.1
ip route 10.173.0.0 255.255.0.0 10.160.1.5
ip route 10.174.0.0 255.255.0.0 10.160.1.5
ip route 10.175.0.0 255.255.0.0 10.160.1.5
ip route 10.176.0.0 255.255.0.0 10.160.1.5
ip route 10.177.0.0 255.255.0.0 10.160.1.5
ip route 10.178.0.0 255.255.0.0 10.160.1.1
ip route 10.179.0.0 255.255.0.0 10.160.1.5
ip route 10.180.0.0 255.255.0.0 10.160.1.5
ip route 10.210.0.0 255.255.0.0 10.160.1.5
ip route 116.50.215.136 255.255.255.248 10.160.1.3
ip route 122.216.84.178 255.255.255.255 10.160.1.3
ip route 172.16.0.0 255.255.0.0 10.160.1.3
ip route 172.21.0.0 255.255.0.0 172.22.1.1
ip route 172.23.0.0 255.255.0.0 172.22.1.1
ip route 192.168.1.0 255.255.255.0 10.160.1.3
ip route 192.168.10.0 255.255.255.252 10.160.1.1
!
ip access-list extended CBNC_ACL
 deny   ip 10.158.0.0 0.0.255.255 10.158.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.159.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.158.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 deny   ip 10.158.0.0 0.0.255.255 host 10.161.1.32
 deny   ip 10.158.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.158.3.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.62
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.30.1.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.158.10.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.62
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.40.1.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.62
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.1
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.6
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.61
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.60.1.0 0.0.0.255 host 10.193.1.62
 deny   ip host 10.158.2.50 host 10.193.1.65
 deny   ip 10.50.1.0 0.0.0.255 host 10.193.1.26
 deny   ip host 10.158.2.31 10.193.1.0 0.0.0.255
 deny   ip host 10.158.2.50 10.161.2.0 0.0.0.255
 deny   ip host 10.158.2.50 host 10.193.1.1
 deny   ip host 10.158.2.50 host 10.193.1.6
 deny   ip host 10.158.2.11 host 10.193.1.1
 deny   ip host 10.158.2.12 host 10.193.1.1
 deny   ip 10.159.1.0 0.0.0.255 10.193.1.0 0.0.0.255
 deny   ip 10.159.1.0 0.0.0.255 10.161.2.0 0.0.0.255
 deny   ip 10.159.1.0 0.0.0.255 172.21.0.0 0.0.255.255
 deny   ip 10.159.1.0 0.0.0.255 172.22.0.0 0.0.255.255
 deny   ip 10.159.1.0 0.0.0.255 172.23.0.0 0.0.255.255
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.40
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.103
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.21
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.26
 deny   ip 10.158.20.0 0.0.0.255 host 10.193.1.1
 deny   ip host 10.158.2.150 host 10.193.1.11
 deny   ip 10.50.0.0 0.0.255.255 10.161.3.0 0.0.0.1
 permit ip 10.20.1.0 0.0.0.255 any
 permit ip 10.30.1.0 0.0.0.255 any
 permit ip 10.40.1.0 0.0.0.255 any
 permit ip 10.50.1.0 0.0.0.255 any
 permit ip 10.60.1.0 0.0.0.255 any
 permit ip 10.70.1.0 0.0.0.255 any
 permit ip 10.80.1.0 0.0.0.255 any
 permit ip 10.90.1.0 0.0.0.255 any
 permit ip 10.158.0.0 0.0.255.255 any
 permit ip 10.159.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.3 any
ip access-list extended SMMPH_ACL
 deny   ip 10.193.0.0 0.0.255.255 10.160.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.21.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.23.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.158.0.0 0.0.255.255
 deny   ip host 10.193.1.1 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.1 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.11 host 10.158.3.2
 deny   ip host 10.193.1.11 host 10.158.3.3
 deny   ip host 10.193.1.62 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.40.1.0 0.0.0.255
 deny   ip 10.193.1.0 0.0.0.255 host 10.158.2.31
 deny   ip host 10.193.1.40 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.103 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.21 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.26 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.1 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.1 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.1 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.1 host 10.158.2.50
 deny   ip host 10.193.1.6 host 10.158.2.50
 deny   ip host 10.193.1.65 host 10.158.2.50
 deny   ip host 10.193.1.1 host 10.158.2.11
 deny   ip host 10.193.1.1 host 10.158.2.12
 deny   ip 10.193.1.0 0.0.0.255 10.159.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.158.3.0 0.0.0.255
 deny   ip host 10.193.1.11 host 10.158.2.150
 deny   ip 10.193.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.161.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.171.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.172.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.173.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.174.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.175.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.176.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.177.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.178.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.179.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.180.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 permit ip 10.193.0.0 0.0.255.255 any
ip access-list extended THPAL_ACL
 deny   ip 10.161.0.0 0.0.255.255 10.160.0.0 0.0.255.255
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.3.2
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.3.3
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.2.103
 deny   ip host 10.161.1.22 host 10.158.2.103
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.2.31
 deny   ip host 10.161.1.32 10.158.10.0 0.0.0.255
 deny   ip 10.161.2.0 0.0.0.255 host 10.158.2.50
 deny   ip 10.161.0.0 0.0.255.255 10.161.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.171.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.172.0.0 0.0.255.255
 deny   ip 10.50.0.0 0.0.255.255 10.161.3.0 0.0.0.1
 deny   ip 10.161.0.0 0.0.255.255 10.173.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.174.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.175.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.176.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.177.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.178.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.179.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.180.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.21.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 172.23.0.0 0.0.255.255
 deny   ip 10.161.0.0 0.0.255.255 192.168.1.0 0.0.0.255
 deny   ip host 10.161.2.101 10.158.2.0 0.0.0.255
 deny   ip 10.161.2.0 0.0.0.255 10.159.1.0 0.0.0.255
 deny   ip host 10.161.2.102 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.101 10.158.255.0 0.0.0.255
 deny   ip host 10.161.2.102 10.158.255.0 0.0.0.255
 deny   ip host 10.161.2.98 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.96 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.99 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.97 10.158.2.0 0.0.0.255
 deny   ip host 10.161.2.189 192.168.10.0 0.0.0.3
 deny   ip host 10.161.2.173 host 10.158.2.33
 deny   ip host 10.161.2.174 host 10.158.2.33
 deny   ip host 10.161.2.172 host 10.158.2.33
 permit ip 10.160.0.0 0.0.255.255 any
 permit ip 10.161.0.0 0.0.255.255 any
 permit ip 10.193.0.0 0.0.255.255 any
!
logging trap notifications
logging host 10.193.1.65
access-list 10 permit 10.158.2.12
access-list 10 permit 10.158.10.100
access-list 10 permit 10.158.10.101
access-list 10 permit 10.193.1.0 0.0.0.255 log
access-list 10 permit 10.161.2.0 0.0.0.255
access-list 10 permit 10.160.0.0 0.0.255.255
access-list 103 permit ip 10.203.0.0 0.0.255.255 10.160.0.0 0.0.255.255 log
access-list 103 permit ip 10.203.0.0 0.0.255.255 203.167.81.224 0.0.0.15
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.193.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.193.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.173.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.173.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.161.3.0 0.0.0.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.161.3.0 0.0.0.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.194.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.194.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.174.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.174.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.210.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.210.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.176.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.176.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.161.0.0 0.0.255.255
access-list 172 permit ip 172.21.0.0 0.0.255.255 10.159.0.0 0.0.255.255
access-list 172 permit ip 172.22.0.0 0.0.255.255 10.159.0.0 0.0.255.255
!
route-map THPAL_RMAP permit 10
 match ip address THPAL_ACL
 set ip next-hop 10.160.1.3
!
route-map SMMPH_RMAP permit 10
 match ip address SMMPH_ACL
 set ip next-hop 10.160.1.3
!
route-map CBNC_RMAP permit 10
 match ip address CBNC_ACL
 set ip next-hop 10.158.2.6
!
!

!
!
line con 0
 logging synchronous
 login local
line vty 0 4
 access-class 10 in
 logging synchronous
 login local
line vty 5 15
 access-class 10 in
 logging synchronous
 login local
!
!
monitor session 1 source vlan 160 - 161 , 172 , 190 , 193 , 203
monitor session 1 destination interface Gi0/7
end

I Just went through the config and was able to see a route-map applied to the vlan 193.

interface Vlan193
 ip address 10.193.255.250 255.255.0.0
 standby 6 ip 10.193.255.254
 standby 6 preempt
 ip policy route-map SMMPH_RMAP
!
route-map SMMPH_RMAP permit 10
 match ip address SMMPH_ACL
 set ip next-hop 10.160.1.3

And according to the access-list SMMPH_ACL, I was able to see that the traffic from 10.193.0.0/16 to 172.30.0.0/16 should be using the next hop as defined in the route-map, that is 10.160.1.3.

Please try to add the following statement to the access-list.

ip access-list extended SMMPH_ACL
 5 deny ip 10.193.0.0 0.0.255.255 172.30.0.0 0.0.255.255

Regards

Jagmeet

Hi

Even without the ACL added, the traceroute from 193 to the VPN client goes through 10.160.1.3. But 10.160.1.3 (Juniper FW) cannot ping the ASA inside interface or the hosts in VLAN 158, and vice versa. If that's the case, do I need to create a route from 10.160.1.3 to VLAN 158? I don't have the knowledge for Juniper devices, unfortunately.

Is it not possible to set the next hop for VLAN 193 to be 10.158.2.6 when trying to ping the VPN clients?

How can we do that if ever?

Thanks

The hosts in VLAN 158 are directly connected to the switch; that is the reason the ASA inside IP address is able to ping hosts on the 10.193.0.0/16 subnet.

They are not going through Juniper device.

But anything else that will use the next-hop for routing traffic from the 193 vlan interface should follow the policy based routing rule applied via route-map on that interface.

And according to the access-list defined on that route-map, I can clearly see that the traffic from 10.193.0.0 to 172.30.0.0 should go to 10.160.1.3.

ip access-list extended SMMPH_ACL
 deny   ip 10.193.0.0 0.0.255.255 10.160.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.21.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 172.23.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.158.0.0 0.0.255.255
 deny   ip host 10.193.1.1 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.30.1.0 0.0.0.255
 deny   ip host 10.193.1.1 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.11 host 10.158.3.2
 deny   ip host 10.193.1.11 host 10.158.3.3
 deny   ip host 10.193.1.62 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.40.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.40.1.0 0.0.0.255
 deny   ip 10.193.1.0 0.0.0.255 host 10.158.2.31
 deny   ip host 10.193.1.40 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.103 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.21 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.26 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.1 10.158.20.0 0.0.0.255
 deny   ip host 10.193.1.1 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.1 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.6 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.21 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.62 10.60.1.0 0.0.0.255
 deny   ip host 10.193.1.26 10.50.1.0 0.0.0.255
 deny   ip host 10.193.1.1 host 10.158.2.50
 deny   ip host 10.193.1.6 host 10.158.2.50
 deny   ip host 10.193.1.65 host 10.158.2.50
 deny   ip host 10.193.1.1 host 10.158.2.11
 deny   ip host 10.193.1.1 host 10.158.2.12
 deny   ip 10.193.1.0 0.0.0.255 10.159.1.0 0.0.0.255
 deny   ip host 10.193.1.61 10.158.3.0 0.0.0.255
 deny   ip host 10.193.1.11 host 10.158.2.150
 deny   ip 10.193.0.0 0.0.255.255 10.193.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.161.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.171.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.172.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.173.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.174.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.175.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.176.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.177.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.178.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.179.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.180.0.0 0.0.255.255
 deny   ip 10.193.0.0 0.0.255.255 10.210.0.0 0.0.255.255
 permit ip 10.193.0.0 0.0.255.255 any

According to above access-list configured the intended traffic will match permit ip 10.193.0.0 0.0.255.255 any statement and will use the next-hop 10.160.1.3.

So just make the change that I suggested to make it work; you needn't do anything on the Juniper device.

Regards

Jagmeet
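The two replies above both turn on the same IOS behaviour: `ip policy route-map` on the Vlan193 SVI is evaluated for every transit packet received on that interface, the first matching ACE of the match ACL decides, a permit installs the route-map's `set ip next-hop`, and a deny (or no match) falls through to the ordinary routing table. That is also why the SVI address itself answered pings while the hosts behind it did not: replies sourced by the switch are locally generated and are not subject to an interface policy route-map. The following Python is an added example, not code from the thread or from Cisco, that simulates this decision. The ACL and routing table are abbreviated from the switch configuration and `show ip route` posted above, the sequence numbering is simplified (unnumbered ACEs get 10, 20, 30, ...), and the `5 deny` line is Jagmeet's suggested entry with the wildcard mask spelled out.

```python
"""Simulate the PBR decision on an IOS SVI carrying 'ip policy route-map'.

Added example, not code from the thread. ACL and routes are abbreviated
from the posted switch config; sequence numbering is simplified.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class ACE:
    action: str            # "permit" or "deny"
    src: tuple[int, int]   # (address, wildcard mask); wildcard 1-bits are "don't care"
    dst: tuple[int, int]


def _spec(tokens: list[str]) -> tuple[int, int]:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def parse_acl(text: str) -> list[ACE]:
    """Parse 'ip access-list extended' entries, honouring explicit sequence numbers."""
    entries, auto_seq = [], 10
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].isdigit():            # '5 deny ip ...' sorts ahead of seq 10
            seq = int(tokens.pop(0))
        else:
            seq, auto_seq = auto_seq, auto_seq + 10
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        entries.append((seq, ACE(action, _spec(tokens), _spec(tokens))))
    entries.sort(key=lambda e: e[0])
    return [ace for _, ace in entries]


def wildcard_match(addr: int, spec: tuple[int, int]) -> bool:
    base, wild = spec
    return (addr | wild) == (base | wild)


def acl_lookup(aces: list[ACE], src: str, dst: str) -> Optional[ACE]:
    """First-match semantics; None models the implicit deny at the end of every ACL."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if wildcard_match(s, ace.src) and wildcard_match(d, ace.dst):
            return ace
    return None


def rib_lookup(routes, dst: str) -> str:
    """Longest-prefix match; a connected route forwards to the destination itself."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)
    return dst if best[1] == "connected" else best[1]


def pbr_next_hop(aces, routes, set_next_hop: str, src: str, dst: str) -> str:
    """Next hop for a transit packet entering an SVI with 'ip policy route-map'."""
    hit = acl_lookup(aces, src, dst)
    if hit is not None and hit.action == "permit":
        return set_next_hop          # policy routed to the Juniper
    return rib_lookup(routes, dst)   # deny or no match: normal routing table


# Abbreviated from SMMPH_ACL in the posted switch config.
SMMPH_ACL_ORIGINAL = """
deny   ip 10.193.0.0 0.0.255.255 10.160.0.0 0.0.255.255
deny   ip 10.193.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny   ip 10.193.0.0 0.0.255.255 10.158.0.0 0.0.255.255
deny   ip host 10.193.1.1 10.30.1.0 0.0.0.255
permit ip 10.193.0.0 0.0.255.255 any
"""
# Jagmeet's suggested entry, with the wildcard mask spelled out.
SMMPH_ACL_FIXED = SMMPH_ACL_ORIGINAL + "5 deny ip 10.193.0.0 0.0.255.255 172.30.0.0 0.0.255.255\n"

PBR_NEXT_HOP = "10.160.1.3"          # 'set ip next-hop' in route-map SMMPH_RMAP
_net = ipaddress.ip_network
ROUTES_BEFORE_STATIC = [             # abbreviated from the first 'show ip route'
    (_net("0.0.0.0/0"), "10.158.2.6"),
    (_net("10.30.1.0/24"), "10.160.1.1"),
    (_net("10.158.0.0/16"), "connected"),
    (_net("10.160.0.0/16"), "connected"),
    (_net("10.193.0.0/16"), "connected"),
    (_net("172.16.0.0/16"), "10.160.1.3"),
]
ROUTES_AFTER_STATIC = ROUTES_BEFORE_STATIC + [(_net("172.30.0.0/16"), "10.158.2.6")]

if __name__ == "__main__":
    for label, acl, routes in (("original ACL + static route", SMMPH_ACL_ORIGINAL, ROUTES_AFTER_STATIC),
                               ("seq 5 deny, no static route", SMMPH_ACL_FIXED, ROUTES_BEFORE_STATIC)):
        nh = pbr_next_hop(parse_acl(acl), routes, PBR_NEXT_HOP, "10.193.1.61", "172.30.30.5")
        print(f"{label}: 10.193.1.61 -> 172.30.30.5 via {nh}")
```

Running it shows why the static route alone changed nothing: with the original ACL the server-to-VPN-pool packet hits `permit ip 10.193.0.0 0.0.255.255 any` and is handed to 10.160.1.3 before the routing table is ever consulted. With the `seq 5` deny in place the packet falls through to the RIB, where either the new 172.30.0.0/16 static or the existing default route sends it to the ASA at 10.158.2.6.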

Hi Jagmeet.

Wow, I can now ping and access the hosts on VLAN 193. How did that happen? Sorry for my poor routing skills.

Pings are okay from the VPN client to VLAN 193, but the ping from VLAN 193 to the VPN client is not successful. What am I missing?

Thank you again in advance!

Hi

Can you please check if there is any software firewall applied on the client machine? Please try to switch it off and try to ping.

Regards

Jagmeet

Hi

The Windows firewall on the server is turned off, but the ping from the VLAN 193 server to the VPN client is unsuccessful.

Thanks in advance
