05-23-2013 11:37 AM - edited 03-04-2019 07:59 PM
All-
I have been asked to take a look at correcting a configuration that I am unfamiliar with. Previously, when VPN'd in, they were able to reach sites at other locations in other subnets via the WAN. Currently, they have to remote into a PC in the data center's subnet and then access a site on the WAN that way. I am not sure if the problem is in the ASA or with the routing at either the data center or the remote site. Would anyone be kind enough to give me a sample ASA config that will pass that VPN traffic, or can you direct me to a resource that I can use for comparison?
Thank you,
Dave
05-27-2013 03:26 PM
*Assuming we are talking about remote-access VPNs
Start at the top. In the ASA's configuration, there will be an access list referred to in the VPN's group-policy attributes. Verify that the access list contains the correct subnet information.
Example:
access-list VPN_ACL standard permit 1.1.1.0 255.255.255.0
access-list VPN_ACL standard permit 2.2.2.0 255.255.255.0
(where 1.1.1.1 is your datacenter and 2.2.2.2 is the remote network)
Once that is verified, connect to the VPN via a remote workstation and look at the local machine's routing table (Start > Run > netstat -r)
Are the remote site's subnets in the workstation's routing table when VPN'd?
If so, perform a traceroute from the VPN'd workstation to an IP address on one of the remote sites to see where the failure is.
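Below is a sample remote-access (split-tunnel) configuration that ties the pieces from the answer above together; it is an added example written for this page, not configuration posted by the answerer or taken from the original thread. The VPN_ACL name and the 1.1.1.0/24 (data center) and 2.2.2.0/24 (remote site) subnets are the ones used in the answer; the pool 192.168.100.0/24, the names RA_POLICY, RA_GROUP, VPN_POOL and the object names are assumptions, and the NAT lines use the ASA 8.3+ syntax and assume the WAN sites are reached through the inside interface.

```cisco
! Split-tunnel ACL: the networks the client will route through the tunnel.
! Both the data center and the WAN-attached remote site must be listed, or
! the client never sends packets for the remote site into the tunnel.
access-list VPN_ACL standard permit 1.1.1.0 255.255.255.0
access-list VPN_ACL standard permit 2.2.2.0 255.255.255.0

! Address pool handed to remote-access clients (assumed range).
ip local pool VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Group policy: tunnel only the networks listed in VPN_ACL (assumed name).
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL

! Tunnel group that hands out the pool and applies the policy (assumed name).
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! NAT exemption (8.3+ "twice NAT" form): traffic between the internal
! networks and the VPN pool must not be translated in either direction.
! A missing exemption for 2.2.2.0/24 is a common reason the data center
! works but the WAN sites do not.
object network DC_NET
 subnet 1.1.1.0 255.255.255.0
object network REMOTE_NET
 subnet 2.2.2.0 255.255.255.0
object network VPN_POOL_NET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static DC_NET DC_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE_NET REMOTE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
```

Two checks on the ASA itself complement the client-side routing table and traceroute steps: `show run group-policy RA_POLICY` confirms the policy really points at VPN_ACL, and `packet-tracer input outside icmp 192.168.100.10 8 0 2.2.2.10` (a pool address as source, a remote-site host as destination) shows whether the ASA would drop the packet at an ACL or NAT phase before it ever reaches the WAN. Two caveats outside the ASA: the data-center router and the remote site's router both need a route for the pool (192.168.100.0/24) pointing back toward the ASA's inside interface, otherwise replies are black-holed even though the outbound path works; and if the WAN is reached through a different ASA interface than the one named here, the interface pair in the `nat` lines changes to match. If VPN traffic must enter and leave on the same interface (for example, the WAN sites are themselves reached through the outside interface), `same-security-traffic permit intra-interface` is additionally required.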
05-28-2013 01:29 PM
Hmm, I see. The access-list extended permit line was incorrectly entered. Thanks!