03-28-2008 06:04 AM - edited 03-09-2019 08:23 PM
I have a PIX 525 with ASA 8 and ASDM 6 behind a layer 2 (transparent mode) firewall.
I've configured remote access VPN on this thing and I can connect from home (with NAT-T disabled).
All the IP addresses are public IPs except the client from home, which goes through a NAT.
Once connected, I can't ping/reach any other subnet except the one that's assigned to the cipsec0 interface.
I've tried adding an allow-all firewall rule on the PIX itself, disabling NAT, and many other settings, but can't seem to make it go beyond the "inside" net of the PIX.
Any ideas?
Here is a simple diagram:
VPNclient@home(10.0.0.2)->NAT(verizon)->internet->layer2firewall->PIX-outside(129.2.10.2)->PIX-inside(129.2.20.2)
Now, the 129.2.20.0/24 network is not for VPN only; it's an existing subnet that has its own default gateway.
In fact, the PIX is not the default gateway in any subnet.
03-28-2008 07:05 AM
You need to enable NAT-T:
crypto isakmp nat-traversal
03-28-2008 08:31 AM
Well, in my ASDM 6 crypto map settings, "NAT-T Enabled" is checked.
But in sh run, I don't see any command similar to "crypto isakmp nat-traversal".
What does that mean?
03-28-2008 08:40 AM
Then it is enabled. It would only display in the config if it were disabled: "no crypto isakmp nat-traversal".
It must be another issue, like NAT exemption maybe; can you post the config?
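For reference, here is what the NAT exemption mentioned above looks like in ASA 8.0 syntax, as an added illustration rather than the poster's config: the inside subnet 129.2.20.0/24 and interface names are taken from the thread, while the VPN address pool 192.0.2.0/24 is a placeholder.

```cisco
! Constructed example, not the original poster's configuration.
! VPN pool is a placeholder; substitute the pool actually assigned to the clients.
ip local pool VPNPOOL 192.0.2.10-192.0.2.50 mask 255.255.255.0

! Before: a catch-all dynamic NAT on inside also translates traffic headed
! for the VPN pool, so replies to VPN clients are PAT'd and the session breaks.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! After: exempt inside-to-pool traffic from translation (NAT exemption).
! Any other internal subnet reached through the inside interface needs
! its own permit line here as well.
access-list NONAT extended permit ip 129.2.20.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! NAT-T is on by default and only appears in the running config when disabled;
! stating it explicitly with the keepalive interval does no harm.
crypto isakmp nat-traversal 20
```

Since the PIX is not the default gateway on 129.2.20.0/24 or the other subnets, the real gateways there also need a route for the pool pointing back at 129.2.20.2, or the return traffic never reaches the tunnel.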
03-28-2008 12:01 PM
This solved the same problem I was having with a Cisco ASA 5540. Thanks for the very helpful post.
Keith