Please help in Routing

cal060307
Level 1

Hi All,

Here is my scenario:

     WAN1: 10.0.1.1/24 (default gateway: 10.0.1.2)

     LAN1: 192.168.1.1/24

     WAN2: 10.0.2.1/24 (Gateway: 10.0.2.2)

     LAN2: 192.168.2.1/24

     WAN3: 10.0.3.1/24 (Gateway: 10.0.3.2)

     LAN3: 192.168.3.1/24

     WAN_HO (Head office): Public IP address.

     LAN: 192.168.0.1/24

WAN1 and WAN2 are on our private network, so the routing table in the Cisco 2800 router at HO has records of them and we can connect to them.

WAN3 is not on our private network; somehow it is connected to HO via an IPsec site-to-site VPN, and of course it is not in the routing table.

For support purposes, I use a VPN client (IP range 192.168.50.0/24 given by the router) to connect to our network from home; then I can connect to WAN1 and WAN2 straight from my laptop at home, but NOT WAN3.

We can only connect/ping/RDP to WAN3 from HO, nowhere else.

Please help me in routing the WAN3 network such that I can connect from home using the VPN client. I have been thinking that we have a missing record for WAN3 in the routing table, or a permission/deny somewhere along the line. I have tried whatever I can think of and have been on this issue for a couple of days.

Any help/suggestion would be much appreciated.

Kind Regards

9 Replies

Manouchehr
Level 1

If your HO is running an IPsec VPN with WAN3, did you add the IP range that your VPN client uses (in this case 192.168.50.0/24) to the access-list used to pass interesting traffic between HO and WAN3? It will be more helpful if you can share your config...

Best Regards,

Manouchehr

Hi Manouchehr

Thanks for your response.

I wish I could post the config. It is a lengthy config.

I checked the config. There is an access-list that allows the VPN client to the WAN3 network, as below:

access-list 102 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255

Thanks

Are there any other ideas? Please.

Thanks
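Manouchehr's question above is whether the VPN-client range is covered by the crypto ACL that selects "interesting traffic" for the HO-to-WAN3 tunnel, and Cal's reply quotes one access-list 102 entry. The following is an added example (not code from the thread or from Cisco) that evaluates Cisco wildcard-mask entries the way the router does, and goes one step further than the thread: it also checks that the peer's crypto ACL mirrors the local one, since a site-to-site IPsec tunnel only carries a flow when both ends select it. The HO ACL text reuses the entry Cal posted plus a constructed LAN entry; the WAN3-side ACL is entirely hypothetical.

```python
"""Cisco wildcard-mask ACL evaluation and crypto-ACL mirror check.

Added example, not from the thread. The ACL text below is constructed: the
192.168.50.0/24 -> 10.0.0.0/8 entry copies the access-list 102 line from the
thread, everything else is made up for illustration. Only source and
destination addresses are matched; the protocol field is parsed but ignored.
"""
import ipaddress
import re
from dataclasses import dataclass

# One access-list entry (ACE) in the classic numbered form:
#   access-list <id> permit|deny <proto> <src> <src-wildcard> <dst> <dst-wildcard>
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<src_wc>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_wc>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must equal the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text: str) -> list[Ace]:
    """Parse every well-formed ACE in `text`, keeping order; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["action"], m["proto"], m["src"], m["src_wc"],
                            m["dst"], m["dst_wc"]))
    return aces


def acl_action(aces: list[Ace], src: str, dst: str) -> str:
    """First-match evaluation, with the implicit 'deny' at the end of every ACL."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def missing_mirror_entries(local: list[Ace], remote: list[Ace]) -> list[Ace]:
    """Local permit entries that the peer's crypto ACL does not mirror.

    Each peer's crypto ACL must be the mirror image of the other's (source and
    destination swapped). A permit present on one side only gets traffic
    encrypted outbound, but the peer never selects the replies for the tunnel,
    so the path looks routed and still fails. The comparison is exact on
    address/wildcard pairs; an entry covered by a broader peer entry is flagged
    too and needs a manual look.
    """
    mirrored = {(a.dst, a.dst_wc, a.src, a.src_wc) for a in remote if a.action == "permit"}
    return [a for a in local
            if a.action == "permit" and (a.src, a.src_wc, a.dst, a.dst_wc) not in mirrored]


# Constructed sample: HO side, the line from the thread plus a LAN entry.
HO_CRYPTO_ACL = """
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 102 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

# Constructed, hypothetical WAN3 side where nobody added the VPN-client range.
WAN3_CRYPTO_ACL = """
access-list 102 permit ip 10.0.3.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


def check_vpn_client_path() -> dict:
    """The two checks a reviewer would run with the thread's addresses."""
    ho = parse_acl(HO_CRYPTO_ACL)
    wan3 = parse_acl(WAN3_CRYPTO_ACL)
    return {
        "ho_permits_client_to_wan3": acl_action(ho, "192.168.50.162", "10.0.3.254"),
        "unmirrored_on_wan3": [f"{a.src} {a.src_wc} -> {a.dst} {a.dst_wc}"
                               for a in missing_mirror_entries(ho, wan3)],
    }


if __name__ == "__main__":
    for key, value in check_vpn_client_path().items():
        print(f"{key}: {value}")
```

With the sample data the HO entry does permit 192.168.50.162 to 10.0.3.254, which is what Cal observed in his config, while the mirror check reports the 192.168.50.0/24 entry as having no counterpart on the hypothetical WAN3 side; that is the kind of one-sided selector Manouchehr's question is probing for.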

If the HO is connected to WAN3 via VPN using the same device you are connected to, you will probably need to enable same-security interface connections on that device.

On an ASA, that would be same-security permit intra-interface

I think this is referred to as "hairpinning"

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114

I know that's for an old version of the ASA, but I don't think that command has changed much.

Thanks for your responses,

I have had a go; it did not work, and it stuffed up the interface for the other WANs that are working.

I believe there must be a way to get it communicating. I have tried whatever I can think of, plus this site.

Any other ideas, please? Thanks.

Regards

Cal

Hey Cal,

We need to troubleshoot step by step.

Please follow the steps below and post the results.

(You need not share the complete result, for confidentiality; just let us know where the packet gets dropped.)

1) Allow trace and ping on your firewall for the time being for the communication below.

     Rule: Source( VPN subnet 192.168.50.0/24) -> destination Wan3(lan and wan pools)

     Rule: Destination( VPN subnet 192.168.50.0/24) -> Source Wan3(lan and wan pools)

2) Open the VPN and issue a trace to the WAN3 subnets (both LAN and WAN).

     Now issue a reverse extended trace from WAN3 (LAN and WAN pools) to your VPN-connected PC.

Check where the packet is getting dropped.

Ameya

Hi Ameya,

Thanks for your reply. Sorry, it is a long and messy result.

Regards

Here is the result of tracert from my laptop using the VPN client to connect to our company (192.168.50.162):

Note: x.x.x.x is our public IP address.

C:\>tracert 10.0.3.254

Tracing route to 10.0.3.254 over a maximum of 30 hops

  1    14 ms    24 ms    13 ms  c-20466-1191-VAIES-300-238.cust.nxg.net [x.x.x.x]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10     *        *        *     Request timed out.
11     *        *        *     Request timed out.
12     *        *        *     Request timed out.
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *        *     Request timed out.
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.
21     *        *        *     Request timed out.
22     *        *        *     Request timed out.
23     *        *        *     Request timed out.
24     *        *        *     Request timed out.
25     *        *        *     Request timed out.
26     *        *        *     Request timed out.
27     *        *        *     Request timed out.
28     *        *        *     Request timed out.
29     *        *        *     Request timed out.
30     *        *        *     Request timed out.

Here is the one from the LAN (my PC at work) to a PC in WAN3, where 192.168.0.3 is our Cisco router interface:


C:\>tracert 10.0.3.254

Tracing route to 10.0.3.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.3

  2       *             *             *         Request timed out.
  2   212 ms   199 ms   201 ms  10.0.3.254

Here is the one from a PC in WAN3 (10.0.3.254) to my PC at work (192.168.0.116):


C:\>tracert 192.168.0.161

Tracing route to 192.168.0.161 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.0.3.252

2    *          *          *        Request timed out.
3 1562 ms 1100 ms 138 ms 192.168.0.116

Here is the one from WAN3 (10.0.3.254) to my laptop 192.168.50.162 (VPN client):

C:\>tracert 192.168.50.162

Tracing route to 192.168.50.162 over a maximum of 30 hops

  1  < 1 ms    < 1 ms    < 1 ms 10.0.3.252
  2    1 ms      1 ms      1 ms 10.0.0.138
  3  106 ms   137 ms   120 ms   10.4.49.195 
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10     *        *        *     Request timed out.
11     *        *        *     Request timed out.
12     *        *        *     Request timed out.
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *        *     Request timed out.
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.
21     *        *        *     Request timed out.
22     *        *        *     Request timed out.
23     *        *        *     Request timed out.
24     *        *        *     Request timed out.
25     *        *        *     Request timed out.
26     *        *        *     Request timed out.
27     *        *        *     Request timed out.
28     *        *        *     Request timed out.
29     *        *        *     Request timed out.
30     *        *        *     Request timed out.

Hi Cal,

I am assuming that as requested you have enabled tracert on all your intermediate firewalls.

Now please check the below.

Trace 1) Trace from VPN PC to WAN3

i.e. 192.168.50.162 -> 10.0.3.254

  1    14 ms    24 ms    13 ms  c-20466-1191-VAIES-300-238.cust.nxg.net [x.x.x.x]

2     *        *        *     Request timed out.

Step 1) x.x.x.x is your gateway IP for all traffic sourced from 192.168.50.162, and it is clear that you either don't have routing for the 10.0.3.0/24 subnet or there is some control mechanism in place.

If you have this "c-20466-1191-VAIES-300-238.cust.nxg.net" under your admin domain, check for the WAN3 subnet in its routing table.

Post the results.

Trace 2) Trace from WAN3 to VPN PC.

10.0.3.254 -> 192.168.50.162


Step 2)

  1  < 1 ms    < 1 ms    < 1 ms 10.0.3.252

  2    1 ms      1 ms      1 ms 10.0.0.138

  3  106 ms   137 ms   120 ms   10.4.49.195 

  4     *        *        *     Request timed out.

** Same case here: check routing for 192.168.50.0/24 on gateway 10.4.49.195.

Check if any traffic blocking mechanism is in place on this gateway.

Post results.

NOTE: I am assuming tracert is open end to end; please make sure!

Ameya
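Ameya's analysis of Cal's traces comes down to one reading rule: find the last hop that answered, and check routing and filtering for the far-side subnet on that device, because the packet is lost at or beyond it. The following is an added example (not from the thread) that applies that rule to Windows tracert output. The first two sample traces are shortened copies of the output Cal posted (x.x.x.x is his public-IP placeholder); the LAN-to-WAN3 trace is constructed so that the "destination reached" case is also exercised.

```python
"""Find the last responding hop in Windows tracert output.

Added example, not from the thread. Two of the traces below are shortened
copies of the thread's output; the LAN -> WAN3 trace is constructed. Names
such as analyze_tracert and verdict are this example's own.
"""
import re

TARGET_RE = re.compile(r"Tracing route to (?P<target>\S+)")
# One RTT column: "14 ms", "<1 ms", "< 1 ms" or "*" for no reply.
RTT = r"(?:<\s*)?\d+\s*ms|\*"
HOP_RE = re.compile(
    rf"^\s*(?P<hop>\d+)\s+(?P<r1>{RTT})\s+(?P<r2>{RTT})\s+(?P<r3>{RTT})\s+(?P<host>.+?)\s*$"
)
BRACKET_IP_RE = re.compile(r"\[(?P<ip>[^\]]+)\]")


def responder_address(host_field: str) -> str:
    """tracert prints 'name [addr]' when it resolved a name; keep only the address."""
    m = BRACKET_IP_RE.search(host_field)
    return m["ip"] if m else host_field


def analyze_tracert(text: str) -> dict:
    """Parse a tracert session and report the last hop that replied."""
    target = None
    last_hop = None
    last_responder = None
    reached = False
    for line in text.splitlines():
        t = TARGET_RE.search(line)
        if t:
            target = t["target"]
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        if all(m[k] == "*" for k in ("r1", "r2", "r3")):
            continue  # silent hop: the probe got no reply here at all
        last_hop = int(m["hop"])
        last_responder = responder_address(m["host"])
        if target is not None and last_responder == target:
            reached = True
    return {"target": target, "last_responding_hop": last_hop,
            "last_responder": last_responder, "reached": reached}


def verdict(result: dict) -> str:
    """Turn the parsed trace into the next troubleshooting step."""
    if result["reached"]:
        return f"destination {result['target']} reached at hop {result['last_responding_hop']}"
    if result["last_responding_hop"] is None:
        return "no hop replied; the first gateway is silent or is blocking the probes"
    # A device that only suppresses ICMP time-exceeded still forwards, so the
    # loss is at or beyond the last responder, which is why each silent hop
    # has to be opened up for the trace before the result means anything.
    return (f"replies stop after hop {result['last_responding_hop']} "
            f"({result['last_responder']}); check that it has a route for "
            f"{result['target']} and no filter, then repeat from the next hop")


# Shortened from the thread: VPN client -> WAN3.
TRACE_VPN_TO_WAN3 = r"""
C:\>tracert 10.0.3.254

Tracing route to 10.0.3.254 over a maximum of 30 hops

  1    14 ms    24 ms    13 ms  c-20466-1191-VAIES-300-238.cust.nxg.net [x.x.x.x]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""

# Shortened from the thread: WAN3 -> VPN client.
TRACE_WAN3_TO_VPN = r"""
C:\>tracert 192.168.50.162

Tracing route to 192.168.50.162 over a maximum of 30 hops

  1  < 1 ms    < 1 ms    < 1 ms 10.0.3.252
  2    1 ms      1 ms      1 ms 10.0.0.138
  3  106 ms   137 ms   120 ms   10.4.49.195
  4     *        *        *     Request timed out.
"""

# Constructed: a trace that does reach WAN3 through one silent hop.
TRACE_LAN_TO_WAN3 = r"""
Tracing route to 10.0.3.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.3
  2     *        *        *     Request timed out.
  3   212 ms   199 ms   201 ms  10.0.3.254
"""

if __name__ == "__main__":
    for name, trace in (("VPN->WAN3", TRACE_VPN_TO_WAN3),
                        ("WAN3->VPN", TRACE_WAN3_TO_VPN),
                        ("LAN->WAN3", TRACE_LAN_TO_WAN3)):
        print(name, "->", verdict(analyze_tracert(trace)))
```

On the thread's two failing traces this points at x.x.x.x (the HO edge) for the outbound direction and at 10.4.49.195 for the return direction, matching the two devices Ameya asks Cal to check; the constructed LAN trace shows that a silent middle hop is not by itself a failure when the destination still answers.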

Hi Ameya,

Thanks for your response. I have been reading a lot of info on static routing tables and trying to test on my network; it didn't help.

At WAN3 there is a D-Link router, and I was able to add a static route for my PC with x.x.x.x as the next hop on the D-Link router.

I have run out of ideas; please help me out.

Thanks in advance

Cal
