
Still having problems with VPN access

rwhanna96
Level 1

Hello!

I am having problems with my VPN clients getting access to the networks over an MPLS infrastructure. I can reach these resources from my Core network (172.17.1.0/24) and my Wifi (172.17.100.0/24) but not from my VPN network (172.17.200.0/24). From the VPN I can reach the Wifi network (which is behind a router), and the rule that allows that also allows access to the other networks, but for some reason it is not working.

When I ping inside the core network from the VPN I can connect and get responses. When I ping the Wifi network, I get responses and can connect to resources there. A tracert to the Wifi network shows it hitting the core switch (a 3750 stack) at 172.17.1.1, then the Wifi router (172.17.1.3) and then the host. A tracert to a resource on the MPLS network from the VPN shows a single entry (the destination host) and then 29 timeouts, but it will not ping that resource or connect.

I've posted all the info I can think of below. Any help appreciated.

*** Here is a tracert from a core network machine to the resource we need on the MPLS:

C:\Windows\system32>tracert 10.2.0.125

Tracing route to **************** [10.2.0.125]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  172.17.1.1
  2     1 ms    <1 ms    <1 ms  172.17.1.10
  3     5 ms     5 ms     5 ms  192.168.0.13
  4    31 ms    30 ms    31 ms  192.168.0.5
  5    29 ms    30 ms    29 ms  192.168.0.6
  6    29 ms    29 ms    29 ms  192.168.20.4
  7    29 ms    29 ms    29 ms  RV-TPA-CRMPROD [10.2.0.125]

Trace complete.

172.17.1.10 is the mpls router.

**** Here is the routing table (sh ip route) from the 3750 @ 172.17.1.1

Gateway of last resort is 172.17.1.2 to network 0.0.0.0

S    192.168.30.0/24 [1/0] via 172.17.1.10
     172.17.0.0/24 is subnetted, 3 subnets
S       172.17.200.0 [1/0] via 172.17.1.2
C       172.17.1.0 is directly connected, Vlan20
S       172.17.100.0 [1/0] via 172.17.1.3
     172.18.0.0/24 is subnetted, 1 subnets
S       172.18.1.0 [1/0] via 172.17.1.10
S    192.168.11.0/24 [1/0] via 172.17.1.10
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
S       10.2.0.0/24 [1/0] via 172.17.1.10
S       10.10.10.0/24 [1/0] via 172.17.1.10
S       10.20.0.0/24 [1/0] via 172.17.1.10
S       10.3.0.128/25 [1/0] via 172.17.1.10
S    192.168.1.0/24 [1/0] via 172.17.1.10
S*   0.0.0.0/0 [1/0] via 172.17.1.2

*** Here is the firewall config (5510):

ASA Version 8.4(1)
!
hostname RVGW
domain-name ************
enable password b5aqRk/6.KRmypWW encrypted
passwd 1ems91jznlfZHhfU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 10
 ip address 5.29.79.10 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 172.17.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.19.1.1 255.255.255.0
 management-only
!
banner login RedV GW
ftp mode passive
dns server-group DefaultDNS
 domain-name RedVector.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WiFi
 subnet 172.17.100.0 255.255.255.0
 description WiFi
object network inside-net
 subnet 172.17.1.0 255.255.255.0
object network NOSPAM
 host 172.17.1.60
object network BH2
 host 172.17.1.60
object network EX2
 host 172.17.1.61
 description Internal Exchange / Outbound SMTP
object network Mail2
 host 5.29.79.11
 description Ext EX2
object network NETWORK_OBJ_172.17.1.240_28
 subnet 172.17.1.240 255.255.255.240
object network NETWORK_OBJ_172.17.200.0_24
 subnet 172.17.200.0 255.255.255.0
object network VPN-CLIENT
 subnet 172.17.200.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object BH2
 network-object object NOSPAM
object-group network VPN-CLIENT-PAT-SOURCE
 description VPN-CLIENT-PAT-SOURCE
 network-object object VPN-CLIENT
object-group network LAN-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.18.1.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
object-group network VPN-POOL
 network-object 172.17.200.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list Outside_access_in extended permit tcp any object BH2 object-group DM_INLINE_TCP_1
access-list global_mpc extended permit ip any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 172.17.1.52 9996
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 172.17.1.240-172.17.1.250 mask 255.255.255.0
ip local pool VPN2 172.17.200.100-172.17.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static EX2 Mail2
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.200.0_24 NETWORK_OBJ_172.17.200.0_24
nat (Inside,Outside) source static inside-net inside-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (Inside,Outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
!
object network inside-net
 nat (Inside,Outside) dynamic interface
object network NOSPAM
 nat (Inside,Outside) static 5.29.79.12
!
nat (Outside,Outside) after-auto source dynamic VPN-CLIENT-PAT-SOURCE interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 5.29.79.9 1
route Inside 10.2.0.0 255.255.255.0 172.17.1.1 1
route Inside 10.3.0.0 255.255.255.128 172.17.1.1 1
route Inside 10.10.10.0 255.255.255.0 172.17.1.1 1
route Inside 172.17.100.0 255.255.255.0 172.17.1.3 1
route Inside 172.18.1.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.1.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.11.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.30.0 255.255.255.0 172.17.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RedVec protocol ldap
aaa-server RedVec (Inside) host 172.17.1.41
 ldap-base-dn DC=adrs1,DC=net
 ldap-group-base-dn DC=adrs,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Hanna\, Roger,OU=Humans,OU=WPLAdministrator,DC=adrs1,DC=net
 server-type microsoft
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 Inside
http 24.32.208.223 255.255.255.255 Outside
snmp-server host Inside 172.17.1.52 community *****
snmp-server location Server Room 3010
snmp-server contact Roger Hanna
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.17.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 172.17.1.100-172.17.1.200 Inside
dhcpd dns 172.17.1.41 172.17.1.42 interface Inside
dhcpd lease 100000 interface Inside
dhcpd domain adrs1.net interface Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy RedV internal
group-policy RedV attributes
 wins-server value 172.17.1.41
 dns-server value 172.17.1.41 172.17.1.42
 vpn-tunnel-protocol ikev1
 default-domain value ADRS1.NET
group-policy RedV_1 internal
group-policy RedV_1 attributes
 wins-server value 172.17.1.41
 dns-server value 172.17.1.41 172.17.1.42
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 default-domain value adrs1.net
username rparker password FnbvAdOZxk4r40E5 encrypted privilege 15
username rparker attributes
 vpn-group-policy RedV
username mhale password 2reWKpsLC5em3o1P encrypted privilege 0
username mhale attributes
 vpn-group-policy RedV
username dcoletto password g53yRiEqpcYkSyYS encrypted privilege 0
username dcoletto attributes
 vpn-group-policy RedV
username rhanna password Pd3E3vqnGmV84Ds2 encrypted privilege 15
username rhanna attributes
 vpn-group-policy RedV
tunnel-group RedV type remote-access
tunnel-group RedV general-attributes
 address-pool VPN2
 authentication-server-group RedVec
 default-group-policy RedV
tunnel-group RedV ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class global-class
  flow-export event-type all destination 172.17.1.52
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:202ad58ba009fb24cbd119ed6d7237a9

2 Replies

mvsheik123
Level 7

Hi Roger,

I bet you already checked it, but does the MPLS end router have a route to the VPN client subnet 172.17.200.x (or a default) pointing to the core router?

Also, if the MPLS link has any /30 subnet assigned, you may need to include that as well in the object-group LAN-NETWORKS.

Thx

MS

I have asked that the route be added and have been told it is.

Do I need to add each network to LAN-NETWORKS that is between me and the resource?

Thx for responding!
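The question the thread ends on (which networks a VPN-client flow is actually covered for on this ASA) can be answered from the posted config itself. The following is an added example, not code from the original post or from Cisco: it parses the `route`, `object`, `object-group` and manual `nat` lines of the RVGW config and reports, for a source in pool VPN2 and any destination, the longest-prefix route the firewall will use and the first manual NAT rule that matches. It assumes ASA 8.3+ twice-NAT semantics (rules evaluated top-down, first match wins, every rule bidirectional), models only the identity rules posted (object NAT and the EX2/Mail2 static are left out), and the config excerpt and hop list are constructed from lines quoted in the thread.

```python
"""Added example (not from the original post or Cisco): which static route and
which manual NAT rule the posted RVGW config applies to a VPN-client flow.
Assumes ASA 8.3+ twice-NAT semantics (ordered, first match, bidirectional)."""
import ipaddress
import re

# Constructed excerpt of the posted config: only the lines this check needs.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif Inside
 ip address 172.17.1.2 255.255.255.0
object network NETWORK_OBJ_172.17.200.0_24
 subnet 172.17.200.0 255.255.255.0
object-group network LAN-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.18.1.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
object-group network VPN-POOL
 network-object 172.17.200.0 255.255.255.0
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.200.0_24 NETWORK_OBJ_172.17.200.0_24
nat (Inside,Outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
route Outside 0.0.0.0 0.0.0.0 5.29.79.9 1
route Inside 10.2.0.0 255.255.255.0 172.17.1.1 1
route Inside 10.3.0.0 255.255.255.128 172.17.1.1 1
route Inside 10.10.10.0 255.255.255.0 172.17.1.1 1
route Inside 172.17.100.0 255.255.255.0 172.17.1.3 1
"""
NET = r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"   # "address mask" pair
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def parse_config(cfg):
    """objects: name -> [networks]; routes: (net, iface, next_hop, distance);
    nats: (real_if, mapped_if, src_real, src_mapped, dst_real, dst_mapped)."""
    objects, routes, nats, cur, ifname = {}, [], [], None, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"object(?:-group)? network (\S+)$", line):
            cur = m[1]
            objects[cur] = []
        elif m := re.match(r"nameif (\S+)$", line):
            ifname = m[1]
        elif m := re.match(rf"ip address {NET}$", line):       # connected route
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), ifname, "connected", 0))
        elif m := re.match(rf"(?:subnet|network-object) {NET}$", line):
            objects[cur].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(rf"route (\S+) {NET} (\S+) (\d+)$", line):
            routes.append((ipaddress.ip_network(f"{m[2]}/{m[3]}"), m[1], m[4], int(m[5])))
        elif m := re.match(r"nat \(([^,]+),([^)]+)\) source static (\S+) (\S+)"
                           r"(?: destination static (\S+) (\S+))?$", line):
            nats.append(m.groups())
    return objects, routes, nats

def lookup_route(routes, dst):
    """Longest prefix wins; lower administrative distance breaks ties."""
    return max((r for r in routes if dst in r[0]),
               key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def first_nat_match(objects, nats, src, dst, ingress):
    """Manual NAT is evaluated top-down, first match wins, and each rule is
    bidirectional: a packet entering on the mapped interface is compared with
    the rule's mapped operands, source and destination swapped."""
    def hit(name, addr):  # 'any' or an omitted destination means all of IPv4
        return any(addr in n for n in (ANY if name in (None, "any") else objects[name]))
    for rule in nats:
        real_if, mapped_if, s_real, s_map, d_real, d_map = rule
        if (ingress == real_if and hit(s_real, src) and hit(d_real, dst)) or \
           (ingress == mapped_if and hit(d_map, src) and hit(s_map, dst)):
            return rule
    return None

def check_flow(cfg, src, dst, ingress="Outside"):
    """Route and first-matching manual NAT rule for src -> dst arriving on
    `ingress`; decrypted VPN-client traffic enters on the crypto map's interface."""
    objects, routes, nats = parse_config(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    r = lookup_route(routes, dst)
    rule = first_nat_match(objects, nats, src, dst, ingress)
    return {
        "route": r and f"{r[0]} {'connected' if r[2] == 'connected' else 'via ' + r[2]} on {r[1]}",
        "specific_route": bool(r) and r[0].prefixlen > 0,
        "nat_rule": rule and " ".join(x for x in rule[2:] if x),
        "identity_nat": bool(rule) and rule[2] == rule[3] and rule[4] == rule[5],
    }

if __name__ == "__main__":
    # Hops from the posted core-side tracert, looked up as if a client from pool
    # VPN2 (172.17.200.100-200) were the source.
    for hop in ["172.17.1.1", "172.17.1.10", "192.168.0.13", "192.168.20.4", "10.2.0.125"]:
        print(hop, check_flow(ASA_CONFIG, "172.17.200.100", hop))
```

Run as a script it walks the hops of the core-side tracert with 172.17.200.100 as the source. 10.2.0.125 gets the 10.2.0.0/24 route via 172.17.1.1 on Inside, and the manual NAT rule that matches is the earlier `source static any any destination static NETWORK_OBJ_172.17.200.0_24 ...` line, not the LAN-NETWORKS/VPN-POOL line: because that `any` rule sits above it and is bidirectional, it catches every packet from 172.17.200.0/24 entering Outside (and every Inside packet towards the pool), so the LAN-NETWORKS rule is shadowed and adding transit /30s to it would not change which rule matches on this ASA. Both rules are identity, so the result is the same either way. The 192.168.0.x and 192.168.20.x hops match only the default route towards 5.29.79.9, as does anything in 10.3.0.128/25 or 10.20.0.0/24 (both present on the 3750, while the ASA's route is 10.3.0.0/25). What the check cannot see is the return route for 172.17.200.0/24 on the MPLS side, which is the point raised in the reply above.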