
Unable to Reach Vlan System while connecting from Cisco VPN

Hari Kumar Raja
Level 1

Hi ,

I have multiple offices in my location. All my external users connect to my site using the Cisco client-to-site VPN and access my 2 sites. All users are able to access my 2nd office's servers, which are in the 10.10.0.x pool. I have a different VLAN in that same location with the 10.10.35.x series, and users are not able to access the servers in this pool. Can anyone help me with this, as I am not very familiar with routing? I am using an ASA 5520 firewall.

Please help me with this.

Hari



Jan Rolny
Level 3

Hello Hari,

Can you post the configuration of your ASA? How is the ASA connected to your LAN? Is there a switch or router behind the ASA?

Maybe a simple picture of your network would also be helpful.

Thanks.

Regards,

Jan

Yes, I have an L3 switch, a Cisco 3750, over the ASA, and the default was 10.10.1.36, which the 1.x network was going through. For VPN users we have assigned 10.10.25.x, and when anyone connects, a 25.x IP is assigned to the user.

Hi Hari,

Can you please post the output of:

ASA# sh route

ASA# sh interface ip brief

3750# sh ip route

3750# sh ip interface brief

Thanks.

Best regards,

Jan

ASA # sh route

Gateway of last resort is 125.62.194.59 to network 0.0.0.0

S    10.10.0.0 255.255.255.0 [1/0] via 10.10.1.199, inside

C    10.10.1.0 255.255.255.0 is directly connected, inside

S    10.10.2.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.3.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.4.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.5.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.6.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.7.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.8.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.9.0 255.255.255.0 [1/0] via 10.10.1.36, inside

S    10.10.25.9 255.255.255.255 [1/0] via 125.62.194.59, outside

S    10.10.25.11 255.255.255.255 [1/0] via 125.62.194.59, outside

S    10.10.25.10 255.255.255.255 [1/0] via 125.62.194.59, outside

S    10.10.25.13 255.255.255.255 [1/0] via 125.62.194.59, outside

S    10.10.25.12 255.255.255.255 [1/0] via 125.62.194.59, outside

S    10.10.25.5 255.255.255.255 [1/0] via 125.62.194.59, outside

S    125.62.194.49 255.255.255.255 [1/0] via 125.62.194.59, outside

C    125.62.194.48 255.255.255.240 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [1/0] via 125.62.194.59, outside

---------------------------------------------------------------------------------------------------------

ASA-PHOENIX# sh interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol

GigabitEthernet0/0         125.62.xxx.xx   YES CONFIG up                    up

GigabitEthernet0/1         10.10.1.35      YES CONFIG up                    up

GigabitEthernet0/2         unassigned      YES unset  administratively down down

GigabitEthernet0/3         unassigned      YES unset  administratively down down

Internal-Control0/0        127.0.1.1       YES unset  up                    up

Internal-Data0/0           unassigned      YES unset  up                    up

Management0/0              192.168.254.1   YES CONFIG down                  down

---------------------------------------------------------------------------------------------------------------------------------

Cisco 3750:

sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.1.43 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets

S       172.16.20.0 [1/0] via 10.10.1.35

S    192.168.99.0/24 [1/0] via 10.10.1.35

     10.0.0.0/24 is subnetted, 16 subnets

S       10.10.0.0 [1/0] via 10.10.1.199

C       10.10.1.0 is directly connected, Vlan1

C       10.10.2.0 is directly connected, Vlan102

C       10.10.3.0 is directly connected, Vlan103

C       10.10.4.0 is directly connected, Vlan104

C       10.10.5.0 is directly connected, Vlan105

C       10.10.6.0 is directly connected, Vlan106

C       10.10.7.0 is directly connected, Vlan107

C       10.10.8.0 is directly connected, Vlan108

C       10.10.9.0 is directly connected, Vlan109

S       10.10.25.0 [1/0] via 10.10.1.35

S       10.10.26.0 [1/0] via 10.10.1.35

S       10.10.32.0 [1/0] via 10.10.1.199

S       10.10.33.0 [1/0] via 10.10.1.199

S       10.10.34.0 [1/0] via 10.10.1.199

S       10.10.35.0 [1/0] via 10.10.1.199

S    192.168.6.0/24 [1/0] via 10.10.1.35

S    192.168.1.0/24 [1/0] via 10.10.1.35

S*   0.0.0.0/0 [1/0] via 10.10.1.43

------------------------------------------------------------------------------------------

Cisco 3750#sh ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  10.10.1.36      YES NVRAM  up                    up

Vlan101                unassigned      YES NVRAM  up                    up

Vlan102                10.10.2.36      YES NVRAM  up                    up

Vlan103                10.10.3.36      YES NVRAM  up                    up

Vlan104                10.10.4.36      YES NVRAM  up                    up

Vlan105                10.10.5.36      YES NVRAM  up                    up

Vlan106                10.10.6.36      YES NVRAM  up                    up

Vlan107                10.10.7.36      YES NVRAM  up                    up

Vlan108                10.10.8.36      YES NVRAM  up                    up

Vlan109                10.10.9.36      YES NVRAM  up                    up

Vlan175                unassigned      YES NVRAM  up                    up

FastEthernet0          unassigned      YES NVRAM  down                  down

GigabitEthernet1/0/1   unassigned      YES unset  up                    up

GigabitEthernet1/0/2   unassigned      YES unset  up                    up

GigabitEthernet1/0/3   unassigned      YES unset  up                    up

GigabitEthernet1/0/4   unassigned      YES unset  up                    up

GigabitEthernet1/0/5   unassigned      YES unset  up                    up

GigabitEthernet1/0/6   unassigned      YES unset  up                    up

GigabitEthernet1/0/7   unassigned      YES unset  up                    up

GigabitEthernet1/0/8   unassigned      YES unset  up                    up

GigabitEthernet1/0/9   unassigned      YES unset  up                    up

GigabitEthernet1/0/10  unassigned      YES unset  up                    up

GigabitEthernet1/0/11  unassigned      YES unset  up                    up

GigabitEthernet1/0/12  unassigned      YES unset  up                    up

GigabitEthernet1/0/13  unassigned      YES unset  up                    up

GigabitEthernet1/0/14  unassigned      YES unset  up                    up

GigabitEthernet1/0/15  unassigned      YES unset  down                  down

GigabitEthernet1/0/16  unassigned      YES unset  down                  down

GigabitEthernet1/0/17  unassigned      YES unset  down                  down

GigabitEthernet1/0/18  unassigned      YES unset  up                    up

GigabitEthernet1/0/19  unassigned      YES unset  up                    up

GigabitEthernet1/0/20  unassigned      YES unset  up                    up

GigabitEthernet1/0/21  unassigned      YES unset  up                    up

GigabitEthernet1/0/22  unassigned      YES unset  up                    up

GigabitEthernet1/0/23  unassigned      YES unset  up                    up

GigabitEthernet1/0/24  unassigned      YES unset  up                    up

GigabitEthernet1/1/1   unassigned      YES unset  down                  down

GigabitEthernet1/1/2   unassigned      YES unset  down                  down

GigabitEthernet1/1/3   unassigned      YES unset  down                  down

GigabitEthernet1/1/4   unassigned      YES unset  down                  down

Te1/1/1                unassigned      YES unset  down                  down

Te1/1/2                unassigned      YES unset  down                  down

Thanks

Hari

Hi Hari,

It seems that you are missing a route to the 10.10.35.0 network on the ASA.

Please add this route to the ASA:

ASA(config)# route inside 10.10.35.0 255.255.255.0 10.10.1.199

Regards,

Jan
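An added example, not part of the original posts: a longest-prefix lookup over a subset of the ASA routes posted above, showing that 10.10.35.x matches only the default route and is sent out the outside interface, while 10.10.0.x has an inside route. The function names are illustrative, and the static route appended at the end is the one suggested in the reply above.

```python
import ipaddress
import re

# Lines copied from the ASA "sh route" output in this thread (a subset;
# the per-client 10.10.25.x host routes and 10.10.3-8.0 are left out).
ASA_ROUTES = """\
S    10.10.0.0 255.255.255.0 [1/0] via 10.10.1.199, inside
C    10.10.1.0 255.255.255.0 is directly connected, inside
S    10.10.2.0 255.255.255.0 [1/0] via 10.10.1.36, inside
S    10.10.9.0 255.255.255.0 [1/0] via 10.10.1.36, inside
C    125.62.194.48 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 125.62.194.59, outside
"""

LINE = re.compile(
    r"^\S+\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\] via (?P<hop>[\d.]+)|is directly connected), (?P<ifc>\S+)$"
)

def parse_routes(text):
    """Return a list of (network, next_hop_or_None, interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
            routes.append((net, m["hop"], m["ifc"]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def leaves_via(routes, dest):
    """Name of the interface the packet would be sent out of, or None."""
    hit = lookup(routes, dest)
    return hit[2] if hit else None

if __name__ == "__main__":
    table = parse_routes(ASA_ROUTES)
    for dest in ("10.10.0.1", "10.10.35.1"):
        print(dest, "->", lookup(table, dest))
    # Effect of the static route suggested in the reply above:
    table.append((ipaddress.ip_network("10.10.35.0/24"), "10.10.1.199", "inside"))
    print("10.10.35.1 ->", lookup(table, "10.10.35.1"))
```

The same lookup run against the 3750's table checks the return path toward the 10.10.25.x VPN pool; the routing table of 10.10.1.199 is not shown in the thread, so that hop cannot be checked this way.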

Hi Jan,

I have added that route on my ASA but no luck. When I connect using the VPN client I am able to access the 10.10.0.1 network at that remote site but not 10.10.35.1 or any 35.x hosts. Please advise.

Hari

Do I need to add 25.x also? Because after connecting to the VPN I am getting a 25.x IP.

Hari

I noticed that there is another route on the ASA which has next hop 10.10.1.199. I didn't notice this IP in the interface list on the switch. So is it another device between the ASA and the switch?

All other inside routes are routed via 10.10.10.36, which is the IP of the switch, and this switch routes them to the correct VLAN. But networks 10.10.0.x and now 10.10.35.x are routed via 10.10.1.199.

What is this IP?

Regards,

Jan

10.10.1.199 is our router, which was QoS-enabled for our internal telecom, as we have an open PBX and we are using IP phones. We have used this router to divert the VoIP traffic.

Thanks

Hari

Jan, I am waiting for your input. Please help me.

Hari

Hi Hari,

So check if your router has a route to the 10.10.35.x network.

If you issue the show ip route command on your router, you will see whether this network is there.

I am a little bit confused by your topology. Is it like this?

ASA ----router----switch------LAN 10.10.x.x

      

Regards,

Jan