Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
885
Views
0
Helpful
2
Replies

ASA routing issue

Colin Higgins
Level 2
Level 2

‎02-15-2011 07:20 AM - edited ‎03-06-2019 03:33 PM

I has an ASA 5510 with a DMZ and remote access VPN confguration

The ASA is set up with EIGRP to advertise the following networks:

172.16.100.0 /24 the DMZ

172.16.101.0 /24 the VPN pool

0.0.0.0

The internal network is 10.6.1.0 /24 and a static route is configured on the core switch that points to the VPN pool (172.16.101.0) through the ASA.

A static route is also configured on the ASA that points to 10.0.0.0 /8 through the core switch.

I have noticed several things:

1. The EIGRP routes are advertised from the ASA, but the VPN pool (172.16.101.0) is NOT being advertised.

2.Even though I have allowed the 10.0.0.0 /8 network to access the VPN pool (all protocols), I am getting an access list block when I try to ping from the VPN pool to subnets outside the directly connected (10.6.1.0) network.

Because I can't do a packet trace from the VPN pool (no interface to select), I am having a tough time troubleshooting this. I'm also not sure why the 172.16.101.0 /24 (VPN pool) is not being advertised by the ASA.

Any advice would be appreciated.

Labels:
0 Helpful
2 Replies 2

dalamdiz
Level 1
Level 1

‎02-15-2011 08:06 AM

Do you have the rules setup on VPN to allow the remote network access to ALL internal networks? Can you upload the config, minus the passwords? Also, try adding 172.16.101.0/24 to the EIGRP table on the core. Even though you have a static route, all other devices need to know that traffic for that network has to come through the core that has the network in its EIGRP table.

0 Helpful

Colin Higgins
Level 2
Level 2
In response to dalamdiz

‎02-15-2011 12:46 PM

I have a rule setup that allows the internal networks to access the vpn pool, and I also set up a NAT exemptio

n.

I can connect to the the vpn and ping devices on the same subnet as the internal interface, and I can use one-way communication with devices on remote networks (telnet, etc.)

I enablee reverse-route injection in hopes of advertising the VPN pool via EIGRP, but it didn't work.

The strange this is, even though I have rules set up for the internal networks to be able to ping the VPN pool (172.16.101.0/24) and the DMZ (172.16.100.0/24), and the DMZ interface, if I do a packet trace from ASDM, it immediately fails before even doing a lookup. It just presents question marks for the interface, etc. (other traces from inside and outside work fine).

Not sure what the issue is here

0 Helpful
Customers Also Viewed These Support Documents