10-21-2011 12:27 AM - edited 03-04-2019 02:00 PM
Hi dears. I configured remote VPN at ASA 5510. I attached my network topology.
ip local pool VPNPOOL 192.168.200.1-192.168.200.100.
I can access servers with remote VPN which are located at the DMZ zone at the ASA (wrote nonat access-list), but I can not access the 192.168.193.0 subnet at the ASA.
I configured a proxy server. My proxy server's inside interface gets an IP address from my DMZ zone (172.16.10.254) and the outside is the IP address of the ASA outside interface (10.0.0.254).
The users (192.168.193.0/24) go to the internet through the proxy server.
ASA config:
interface Ethernet0/0
description connect to RTR1 inside
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
!
interface Ethernet0/1
description connect to CoreSW
nameif inside
security-level 100
ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
!
interface Ethernet0/2
description DMZ zone connect mail server
nameif DMZ
security-level 50
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
!
route inside 192.168.193.0 255.255.255.0 172.30.30.2 1
192.168.193.0 is the user VLAN and was created at the core switch. I want to access the 192.168.193.0 subnet when connected to remote VPN but I can not access it.
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
I wrote a nonat access list but it does not help me.
How can I solve this issue?
Please help me.
10-21-2011 06:35 AM
I notice this config line
route inside 192.168.193.0 255.255.255.0 172.30.30.2 1
Which means you have an L3 routing device in the mix. Does 172.30.30.2 know that 192.168.200.1/24 is via 172.30.30.1?
Also post your no-NAT config.
10-22-2011 02:30 AM
Hi
Yes, I have ip route 0.0.0.0 0.0.0.0 172.30.30.1 at the core SW.
I think this default route must help me to know the 192.168.200.0 subnet, but I can not access the 192.168.193.0 subnet with remote VPN.
The 192.168.200.0 VPN subnet is at the ASA and 192.168.193.0 is created at the core SW.
int vlan 393
ip address 192.168.193.1 255.255.255.0
The users' ports, which are in access VLAN 393, have default gateway 192.168.193.1.
Please help me.
10-25-2011 11:04 AM
OK, firstly, using a 0.0.0.0 to catch a 192.168.193.0 is like using a cannon to kill a fly... a little too much.
Remove the "ip route 0.0.0.0 0.0.0.0 172.30.30.2" and replace it with "ip route 192.168.193.0 255.255.255.0 172.30.30.2".
Then on 172.30.30.1 make sure there is a route like "ip route 192.168.200.0 255.255.255.0 172.30.30.1".
See if that helps.
10-25-2011 08:28 PM
Let me ask you a question here.
Is your remote VPN user able to access the other networks like the DMZ etc. on the ASA? What I am trying to ask is if your VPN remote user is able to access other networks without any issues and it's just this 192.168.193.0 that is not accessible.
Also, I don't see any ACL to permit traffic between 192.168.200.1-192.168.200.100 and 192.168.193.0/24 on your Ethernet0/1; you need to add an ACL to permit it. Although your inside network is trusted and the security level is 100, I believe the VPN users are not. In the ASA if you don't specifically mention the ACLs then the traffic will be dropped.
HTH
Regards,
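Added example, not any poster's configuration: the NAT exemption and return route that the replies above describe, written out in full for the addresses in the thread. It assumes pre-8.3 NAT syntax (consistent with the static (inside,DMZ) line in the question) and the ACL name NONAT; the host addresses in the packet-tracer check are constructed from the thread's ranges.

```cisco
! --- ASA (pre-8.3 NAT syntax, matching the static (inside,DMZ) line in the question) ---
! Exempt inside-subnet <-> VPN-pool traffic from NAT. Without this, replies from
! 192.168.193.0/24 are translated on the way back and never match the VPN session.
access-list NONAT extended permit ip 192.168.193.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Route for the user VLAN, already present in the question: the core switch is the next hop.
route inside 192.168.193.0 255.255.255.0 172.30.30.2 1
!
! Default on the ASA: decrypted VPN traffic bypasses interface ACLs. If it had been
! disabled, the outside interface ACL would also have to permit the pool explicitly.
sysopt connection permit-vpn
!
! --- Core switch (172.30.30.2): return path for the VPN pool ---
! The existing default route via 172.30.30.1 already covers this; a specific route
! makes the intent explicit and survives a later change of the default.
ip route 192.168.200.0 255.255.255.0 172.30.30.1
!
! --- Verification on the ASA (host addresses constructed from the thread's ranges) ---
! show nat                                  -> NONAT hit count should rise during a VPN test
! show route | include 192.168.193          -> confirms the inside route toward the core switch
! packet-tracer input outside icmp 192.168.200.5 8 0 192.168.193.10
```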