Established VPN connection to ASA Can't see all subnets

whitemike
Level 1

I am new to the ASA and am having an issue with our remote users. When people access the VPN they can't see a couple of subnets on the network. I have looked at the ASA and it can see and communicate with the subnets, but when you VPN in they can't be reached. All these logins are admin logins with admin privileges. Does anyone know why the ASA can see the subnets but the admin VPN users cannot?


13 Replies

Anu M Chacko
Cisco Employee

Hi Mike,

Could you paste your config here? Please specify the subnets that cannot be reached. Make sure the nonat access-list and split tunnelling, if configured, allow traffic to these subnets.

Let me know.

Regards,

Anu

Anu,

I was going to paste the full command line config but that was way too long, so I went with the cfg file. The subnet that I cannot reach is 192.168.61.0/24. If you cannot read the cfg file I will post the whole thing next.

Thank you

Mike

Hi Mike,

Could you try:

access-list private_nat0_outbound line 1 extended permit ip 192.168.61.0 255.255.255.0 any

Let me know.

Regards,

Anu

Anu,

I added the access list and retested and I still cannot reach it when I'm using the VPN. I have attached an updated config; I relocated the putty.exe and was able to copy it to a text file. It is one of the weirdest problems: the subnet is accessible from within the network but not when remote users use their VPN client from outside, but they can remote to a machine on our 192.168.32.0 subnet and then remote to the 192.168.61.0/24 subnet.

Hi Mike,

I see that there is no static route for traffic going to 192.168.61.0 network. Could you put that in and test?

Let me know.

Regards,

Anu

P.S. Please mark this post as answered if it has been resolved. Do rate helpful posts.

Anu,

I tried adding the route but it gives an error saying "cannot add route connected route exists". I have attached a list of the static routes.

What groups are having the issue and what networks can't they access? Also, you may have to go through and change your pre-shared keys for all your tunnel groups, because the configuration you posted showed them in clear text.

I might be confused on what is meant by groups, but when I log in to the VPN my client has a pcf file that specifies which connection profile I use once I have successfully logged in, and that pool is assigned a range of addresses to use; mine in this case is the TKG_NetAdmin. The addresses for the profile pool are 172.10.11.0/24 and I am having trouble reaching the 192.168.61.0/24 network. Another thing that I have noticed is that the person who set this up assigned quite a few 172.10.x.x DHCP pools in this ASA. My understanding is that those are publicly routable addresses, not the 172.16.0.0 - 172.31.0.0 range reserved for private networks, and I'm not sure if that is causing an issue, because when I log in and try to access anything on 192.168.32.64/27 it works just fine. I went and took down the configs that I posted because of what you said, and that is a good point, but when I looked at it again all the pre-shared keys were *** characters.

The group I was speaking of is the one you used for the connection profile. I have not checked your configuration in depth but it looks like it. Is it that you are only able to access 192.168.61.0/24?

To me it seems like it may be a routing issue, based on your routing output and your split tunnel ACL for the TKG_NetAdmin group. The networks you have access to according to the split tunnel are not in the routing table; for example, the split tunnel allows you access to 192.168.51.0/24, however there is no route in the routing table, which means this traffic will be sent out the Internet. You should also ensure that the 51 network can route back to the VPN pool. Look into that and let us know.

I do not have access to the 192.168.61.0/24 network when I VPN to the ASA. I have attached a text file with all the ACLs, static routes and the show route output in the ASA. The 192.168.61.0/24 network has a route, is included in the ACL and shows as a connected network. I see what you are saying about the 192.168.51.0/24 subnet being in the ACL but having no route; I think that is part of an old config that didn't get erased when they made changes a while back.

You have to compare your split tunnel ACL and your routing table, but only for those networks that are relevant to you, that you need access to, and that are not a part of the old config. You should also ensure that these networks can route traffic back to the VPN pool.
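As an added illustration of the comparison recommended above (this is not code from the thread or from Cisco), a small Python script that parses a split-tunnel ACL and ASA "show route" output and reports, for each network pushed to the VPN client, which ASA interface it is reached through, or None when only the default route matches and the traffic would leave towards the Internet. The ACL name, the dmz interface and the route lines are constructed sample input modelled on this thread.

```python
import ipaddress
import re

# Constructed sample split-tunnel ACL; the ACL name is hypothetical.
SPLIT_TUNNEL_ACL = """
access-list TKG_NetAdmin_splitTunnelAcl standard permit 192.168.32.64 255.255.255.224
access-list TKG_NetAdmin_splitTunnelAcl standard permit 192.168.61.0 255.255.255.0
access-list TKG_NetAdmin_splitTunnelAcl standard permit 192.168.51.0 255.255.255.0
"""

# Constructed "show route" output in ASA style (interface names are assumed).
SHOW_ROUTE = """
C    192.168.32.64 255.255.255.224 is directly connected, inside
C    192.168.61.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s.*?(\S+)$")


def parse_split_tunnel(text):
    """Return the networks a standard split-tunnel ACL pushes to the client."""
    nets = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return nets


def parse_routes(text):
    """Return (network, egress interface) pairs from 'show route' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            routes.append((net, m.group(3).rstrip(",")))
    return routes


def check_split_tunnel(acl_text, route_text):
    """Map each split-tunnel network to the interface of its longest-prefix
    route, ignoring the default route; None means only the default matched."""
    routes = parse_routes(route_text)
    result = {}
    for net in parse_split_tunnel(acl_text):
        best = None  # (route network, interface) of the most specific match
        for r, iface in routes:
            if r.prefixlen > 0 and net.subnet_of(r) and (best is None or r.prefixlen > best[0].prefixlen):
                best = (r, iface)
        result[str(net)] = best[1] if best else None
    return result


if __name__ == "__main__":
    for net, iface in check_split_tunnel(SPLIT_TUNNEL_ACL, SHOW_ROUTE).items():
        print(net, "->", iface or "DEFAULT ROUTE ONLY (sent out the Internet)")
```

The interface reported for each reachable network is also the one the far-end router or switch must use as its return path for the VPN pool; a return route aimed at a different firewall interface fails in the same way as a missing route.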

KWillacey,

The advice for routing traffic BACK to the VPN pool was the answer. There were routes in the switch on the 192.168.61.0/24 subnet that were pointing the VPN subnet to an interface on the firewall that had an ACL blocking that kind of traffic. I pointed the return traffic at the correct firewall interface and then created an ACL to allow the traffic I need on that interface, and everything works now. I was totally overlooking routes for the return traffic.

Thank You

Great, glad I could help
