VPN Remote Access Issue

pittchuck
Level 1

I can connect to the tunnel from a remote client using Cisco's VPN client and I get an address from the address pool. But I am not able to ping or connect to any of my machines within the same subnet.

I have attached the config for assistance.

2 Replies

gfullage
Cisco Employee

Your IP address pool is part of your internal DMZ subnet. When packets come into the ASA from the DMZ hosts destined to the VPN clients, the ASA is going to look in its routing table to see where it should send them. The ASA is going to believe that these addresses reside on the DMZ subnet because that's where they fit, and so is going to send the packets back out that interface, NOT out the external interface as you think it might.

Change your VPN pool to be addresses in the external subnet, or make them a completely different subnet (like 10.1.1.1-10.1.1.5), and then add a static route to the ASA pointing 10.1.1.x out the EXTERNAL int (and make sure your DMZ hosts route 10.1.1.x to the ASA via their default gateway setting).

Thanks.

I will go ahead and make the address pool change, then for those hosts within the address pool that need connectivity to resources on the DMZ interface, I will add a static and ACL. I will let you know how it turns out.
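The routing behaviour gfullage describes above comes down to longest-prefix match on the ASA plus the on-link test on the DMZ host. The following is an added example, not code or configuration from the thread or from Cisco, that models both decisions. All addressing is constructed for illustration: inside 192.168.1.0/24, DMZ 172.16.1.0/24, outside 203.0.113.0/24, a broken pool carved out of the DMZ subnet (172.16.1.200-205) and the fixed pool from the reply (10.1.1.1-5) with a static route for it via the outside interface. It also goes one step beyond the thread: a more-specific /32 host route would win the ASA lookup even with the overlapping pool, but the DMZ host would still treat the client address as on-link and ARP for it instead of sending to its gateway, which is why moving the pool to its own subnet is the cleaner fix.

```python
"""Why a VPN pool carved out of the DMZ subnet sends return traffic the wrong way.

Added example, not from the thread. All addresses are constructed:
inside 192.168.1.0/24, DMZ 172.16.1.0/24, outside 203.0.113.0/24.
"""
import ipaddress

# A routing table is a list of (prefix, egress interface). The ASA, like any
# router, picks the matching entry with the longest prefix, not the first one.
def lookup(routing_table, dst):
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

# The DMZ host's side of the same decision: a destination inside its own
# subnet is ARPed for directly; anything else goes to the default gateway.
def host_next_hop(host_cidr, dst, default_gw):
    host = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(dst) in host.network:
        return "direct"
    return default_gw

# Connected routes the ASA has regardless of the VPN pool (constructed).
BASE_ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("172.16.1.0/24", "dmz"),
    ("203.0.113.0/24", "outside"),
    ("0.0.0.0/0", "outside"),  # default route towards the ISP
]

# Scenario 1: pool 172.16.1.200-172.16.1.205 overlaps the DMZ subnet.
BROKEN_POOL_CLIENT = "172.16.1.200"

# Scenario 2: pool 10.1.1.1-10.1.1.5 plus a static route for it out "outside".
FIXED_ROUTES = BASE_ROUTES + [("10.1.1.0/24", "outside")]
FIXED_POOL_CLIENT = "10.1.1.3"

# Scenario 3 (beyond the thread): keep the overlapping pool but add a /32 host
# route for the connected client. Longest-prefix match makes it win on the ASA.
HOST_ROUTE_ROUTES = BASE_ROUTES + [("172.16.1.200/32", "outside")]

def return_path(routes, dmz_host_cidr, dmz_gateway, client):
    """Trace a DMZ host's reply to a VPN client: where the host sends it and
    which interface the ASA would forward it out of if it arrives there."""
    return {
        "host_next_hop": host_next_hop(dmz_host_cidr, client, dmz_gateway),
        "asa_egress": lookup(routes, client),
    }

if __name__ == "__main__":
    host, gw = "172.16.1.10/24", "172.16.1.1"  # constructed DMZ host and its gateway
    print("overlapping pool:", return_path(BASE_ROUTES, host, gw, BROKEN_POOL_CLIENT))
    print("separate pool   :", return_path(FIXED_ROUTES, host, gw, FIXED_POOL_CLIENT))
    print("/32 host route  :", return_path(HOST_ROUTE_ROUTES, host, gw, BROKEN_POOL_CLIENT))
```

With the overlapping pool, both the host and the ASA point the reply back at the DMZ segment, so it never leaves via the tunnel. With the separate pool, the host hands the packet to the ASA and the ASA's static route sends it out the outside interface, which is the pair of changes the reply asks for.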
