05-28-2013 12:06 AM - edited 03-07-2019 01:35 PM
Hi,
I have multiple offices in my location. All my external users connect to my site using the Cisco client-to-site VPN and access my 2 sites. All users are able to access my 2nd office's servers, which are in the 10.10.0.x pool. I have a different VLAN in that same location with the 10.10.35.x series, and users are not able to access the servers in this pool. Can anyone help me with this, as I am not very familiar with routing? I am using an ASA 5520 firewall.
Please help me with this.
Hari
05-28-2013 01:08 AM
Hello Hari,
Can you post the configuration of your ASA? How is the ASA connected to your LAN? Is there a switch or router behind the ASA?
Maybe a simple picture of your network would also be helpful.
Thanks.
Regards,
Jan
05-28-2013 01:56 AM
Yes, I have an L3 switch, a Cisco 3750, over the ASA, and the default was 10.10.1.36, which the 1.x network was going through. For VPN users we have assigned 10.10.25.x, and if anyone connects, a 25.x IP is assigned to the user.
05-28-2013 02:05 AM
Hi Hari,
Can you please post the output of:
ASA# sh route
ASA# sh interface ip brief
3750# sh ip route
3750# sh ip interface brief
Thanks.
Best regards,
Jan
05-28-2013 02:20 AM
ASA # sh route
Gateway of last resort is 125.62.194.59 to network 0.0.0.0
S 10.10.0.0 255.255.255.0 [1/0] via 10.10.1.199, inside
C 10.10.1.0 255.255.255.0 is directly connected, inside
S 10.10.2.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.3.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.4.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.5.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.6.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.7.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.8.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.9.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S 10.10.25.9 255.255.255.255 [1/0] via 125.62.194.59, outside
S 10.10.25.11 255.255.255.255 [1/0] via 125.62.194.59, outside
S 10.10.25.10 255.255.255.255 [1/0] via 125.62.194.59, outside
S 10.10.25.13 255.255.255.255 [1/0] via 125.62.194.59, outside
S 10.10.25.12 255.255.255.255 [1/0] via 125.62.194.59, outside
S 10.10.25.5 255.255.255.255 [1/0] via 125.62.194.59, outside
S 125.62.194.49 255.255.255.255 [1/0] via 125.62.194.59, outside
C 125.62.194.48 255.255.255.240 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 125.62.194.59, outside
---------------------------------------------------------------------------------------------------------
ASA-PHOENIX# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 125.62.xxx.xx YES CONFIG up up
GigabitEthernet0/1 10.10.1.35 YES CONFIG up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.254.1 YES CONFIG down down
---------------------------------------------------------------------------------------------------------------------------------
Cisco 3750:
sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.10.1.43 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
S 172.16.20.0 [1/0] via 10.10.1.35
S 192.168.99.0/24 [1/0] via 10.10.1.35
10.0.0.0/24 is subnetted, 16 subnets
S 10.10.0.0 [1/0] via 10.10.1.199
C 10.10.1.0 is directly connected, Vlan1
C 10.10.2.0 is directly connected, Vlan102
C 10.10.3.0 is directly connected, Vlan103
C 10.10.4.0 is directly connected, Vlan104
C 10.10.5.0 is directly connected, Vlan105
C 10.10.6.0 is directly connected, Vlan106
C 10.10.7.0 is directly connected, Vlan107
C 10.10.8.0 is directly connected, Vlan108
C 10.10.9.0 is directly connected, Vlan109
S 10.10.25.0 [1/0] via 10.10.1.35
S 10.10.26.0 [1/0] via 10.10.1.35
S 10.10.32.0 [1/0] via 10.10.1.199
S 10.10.33.0 [1/0] via 10.10.1.199
S 10.10.34.0 [1/0] via 10.10.1.199
S 10.10.35.0 [1/0] via 10.10.1.199
S 192.168.6.0/24 [1/0] via 10.10.1.35
S 192.168.1.0/24 [1/0] via 10.10.1.35
S* 0.0.0.0/0 [1/0] via 10.10.1.43
------------------------------------------------------------------------------------------
Cisco 3750#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.10.1.36 YES NVRAM up up
Vlan101 unassigned YES NVRAM up up
Vlan102 10.10.2.36 YES NVRAM up up
Vlan103 10.10.3.36 YES NVRAM up up
Vlan104 10.10.4.36 YES NVRAM up up
Vlan105 10.10.5.36 YES NVRAM up up
Vlan106 10.10.6.36 YES NVRAM up up
Vlan107 10.10.7.36 YES NVRAM up up
Vlan108 10.10.8.36 YES NVRAM up up
Vlan109 10.10.9.36 YES NVRAM up up
Vlan175 unassigned YES NVRAM up up
FastEthernet0 unassigned YES NVRAM down down
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
GigabitEthernet1/0/3 unassigned YES unset up up
GigabitEthernet1/0/4 unassigned YES unset up up
GigabitEthernet1/0/5 unassigned YES unset up up
GigabitEthernet1/0/6 unassigned YES unset up up
GigabitEthernet1/0/7 unassigned YES unset up up
GigabitEthernet1/0/8 unassigned YES unset up up
GigabitEthernet1/0/9 unassigned YES unset up up
GigabitEthernet1/0/10 unassigned YES unset up up
GigabitEthernet1/0/11 unassigned YES unset up up
GigabitEthernet1/0/12 unassigned YES unset up up
GigabitEthernet1/0/13 unassigned YES unset up up
GigabitEthernet1/0/14 unassigned YES unset up up
GigabitEthernet1/0/15 unassigned YES unset down down
GigabitEthernet1/0/16 unassigned YES unset down down
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset up up
GigabitEthernet1/0/19 unassigned YES unset up up
GigabitEthernet1/0/20 unassigned YES unset up up
GigabitEthernet1/0/21 unassigned YES unset up up
GigabitEthernet1/0/22 unassigned YES unset up up
GigabitEthernet1/0/23 unassigned YES unset up up
GigabitEthernet1/0/24 unassigned YES unset up up
GigabitEthernet1/1/1 unassigned YES unset down down
GigabitEthernet1/1/2 unassigned YES unset down down
GigabitEthernet1/1/3 unassigned YES unset down down
GigabitEthernet1/1/4 unassigned YES unset down down
Te1/1/1 unassigned YES unset down down
Te1/1/2 unassigned YES unset down down
Thanks
Hari
05-28-2013 02:40 AM
Hi Hari,
It seems that you are missing a route to the 10.10.35.0 network on the ASA.
Please add this route to the ASA:
ASA(config)# route inside 10.10.35.0 255.255.255.0 10.10.1.199
Regards,
Jan
05-28-2013 02:51 AM
Hi Jan,
I have added that route on my ASA, but no luck. When I connect using the VPN client, I am able to access the 10.10.0.1 network in that remote site, but not 10.10.35.1 or any 35.x hosts. Please advise.
Hari
05-28-2013 03:05 AM
Do I need to add 25.x also, because after connecting to the VPN I am getting a 25.x IP?
Hari
05-28-2013 05:50 AM
I noticed that there is another route on the ASA which has next hop 10.10.1.199. I didn't notice this IP in the interface list on the switch. So is it another device between the ASA and the switch?
All other inside routes are routed via 10.10.10.36, which is the IP of the switch, and this switch routes it to the correct VLAN. But networks 10.10.0.x and now 10.10.35.x are routed via 10.10.1.199.
What is this IP?
Regards,
Jan
05-29-2013 11:48 PM
10.10.1.199 is our router, which is QoS-enabled for our internal telecom, as we have an open PBX and we are using IP phones. We have used this router to divert the VoIP traffic.
Thanks
Hari
05-30-2013 09:38 PM
Jan, I am waiting for your inputs. Please help me.
Hari
05-31-2013 08:53 AM
Hi Hari,
So check if your router has a route to the 10.10.35.x network.
If you issue the show ip route command on your router, you will see whether this network is there.
I am a little bit confused by your topology. Is it like this?
ASA ----router----switch------LAN 10.10.x.x
Regards,
Jan