1551 Views, 0 Helpful, 19 Replies
Can't access other subnets using Cisco VPN client

Dear all,

We have servers protected by an ASA firewall.

The server IP range is 2.2.1.0/22; we use Cisco VPN (split tunneling) and the Cisco VPN client to manage the servers.

When we connect the VPN we can only access the 2.2.1.0/24 range; the other ranges are not accessible.

The route details in the Cisco VPN client show 2.2.1.0/22, but we can't access the other subnets (2.2.2.0 and 2.2.3.0).

Please help

Regards

vikas kumar


Is it possible for you to share the ASA config?



Dear Nitin,

Thanks for the mail.

I have sent you the config by private message.

Regards

Vikas


Do the servers on those two subnets know routes back to the address range assigned to your VPN clients?


Dear Andrew,

Yes, all servers are on the /22 subnet.

If we can access one subnet, the others should be accessible too.

regards

vikas kumar


Dear Andrew,

I have checked; the servers on the two subnets can reach the IP assigned to the VPN client machine.

It looks like a firewall rule is blocking.

Please assist.

regards

vikas kumar


Maybe I'd be able to assist if I saw the config of your ASA )))


Dear Andrew,

I have sent you the config.

Please let me know if you need anything else.

Regards

vikas


Hi Vikas,

First of all, I need to know whether your network environment 2.2.1.0/22 sits behind an L3 device before the ASA inside interface. If yes, you need to have the following static route:

Example:

route INSIDE 2.2.1.0 255.255.252.0 1.1.1.1
! 1.1.1.1 = the L3 device interface

After that, you need to take a look at your NAT 0:

===> No NAT <===

access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0
! 192.168.1.0/24 is an example VPN address pool

!

nat (INSIDE) 0 access-list VPN_NONAT

Good luck

Fabio Jorge Amorim


Dear Fabio,

Thanks for the reply.

Please find the setup diagram attached at the top of this discussion.

I have checked the configuration:

===> No NAT <===

access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0
! 192.168.1.0/24 is an example VPN address pool

!

nat (INSIDE) 0 access-list VPN_NONAT

=================

I am a bit confused about routing.

Please assist.

regards

vikas kumar


Check the client subnet mask with

ipconfig /all

(it's NOT /32)

Then fix the mask in the ASA ip pool config line


Have you checked my tip?


Hi Peter,

I am getting a /22 subnet on the VPN client.

regards


Please copy the pool line from the config here:

sh run | i pool


Hi Peter,

Please find the output:

Result of the command: "show run | in pool"

ip local pool new-vpn-pool 2.2.2.8-2.2.2.16 mask 255.255.252.0

  address-pool new-vpn-pool

regards
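The two technical threads above, Fabio's static-route plus NAT 0 checklist and Peter's question about the pool line, both come down to whether the VPN pool, its mask, the NAT exemption and the inside routing agree with each other. The script below is an added example, not code from this thread or from Cisco: it parses the handful of `show run` line shapes quoted in the thread (`ip local pool`, `access-list ... extended permit ip`, `nat (ifc) 0 access-list`, `route`, `address-pool`) and reports the usual reasons a client can reach one inside subnet but not the others. The two sample configs are constructed; the pool line, the 2.2.1.0/22 range and the next hop 1.1.1.1 are the thread's own values, the 192.168.1.0/24 pool is Fabio's example, and the `behind_l3` flag (assumed, not an ASA setting) only turns the static-route check on when the inside subnets sit behind another L3 hop.

```python
"""Audit a Cisco ASA remote-access VPN pool against the inside subnets the
clients must reach.  Added example: not code from the thread or from Cisco.
It only understands the line shapes quoted in the thread; sample configs are
constructed around the thread's own addresses.
"""
import ipaddress
import re
from dataclasses import dataclass, field

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) (\S+)$")
ADDR_POOL_RE = re.compile(r"^address-pool (\S+)$")

# Constructed: the thread's pool line, Fabio's example nat 0 ACL and static route.
BROKEN_CONFIG = """
route INSIDE 2.2.1.0 255.255.252.0 1.1.1.1
access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0
nat (INSIDE) 0 access-list VPN_NONAT
ip local pool new-vpn-pool 2.2.2.8-2.2.2.16 mask 255.255.252.0
  address-pool new-vpn-pool
"""

# Constructed: a dedicated pool outside every inside subnet, exempted from NAT.
FIXED_CONFIG = """
route INSIDE 2.2.0.0 255.255.252.0 1.1.1.1
access-list VPN_NONAT extended permit ip 2.2.0.0 255.255.252.0 192.168.1.0 255.255.255.0
nat (INSIDE) 0 access-list VPN_NONAT
ip local pool new-vpn-pool 192.168.1.10-192.168.1.100 mask 255.255.255.0
  address-pool new-vpn-pool
"""


@dataclass
class AsaVpnConfig:
    pools: dict = field(default_factory=dict)          # name -> (first, last, mask)
    acls: dict = field(default_factory=dict)           # name -> [(src_net, dst_net)]
    nat0_acls: list = field(default_factory=list)      # ACL names used by nat (ifc) 0
    routes: list = field(default_factory=list)         # [(network, next_hop)]
    address_pools: list = field(default_factory=list)  # pools bound to a group/tunnel


def to_net(addr, mask):
    """strict=False tolerates host bits, so 2.2.1.0/22 parses as 2.2.0.0/22."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    cfg = AsaVpnConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            cfg.pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last), mask)
        elif m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg.acls.setdefault(name, []).append((to_net(sa, sm), to_net(da, dm)))
        elif m := NAT0_RE.match(line):
            cfg.nat0_acls.append(m.group(1))
        elif m := ROUTE_RE.match(line):
            addr, mask, gw = m.groups()
            cfg.routes.append((to_net(addr, mask), ipaddress.ip_address(gw)))
        elif m := ADDR_POOL_RE.match(line):
            cfg.address_pools.append(m.group(1))
    return cfg


def audit(config_text, inside_subnets, behind_l3=True):
    """Return human-readable findings; an empty list means the pool looks sane."""
    cfg = parse_asa(config_text)
    findings, inside = [], []
    for s in inside_subnets:
        n = ipaddress.ip_network(s, strict=False)
        if str(n) != s:
            findings.append(f"{s} has host bits set; the real network is {n}")
        inside.append(n)
    exempt = [pair for acl in cfg.nat0_acls for pair in cfg.acls.get(acl, [])]
    for name in cfg.address_pools:
        first, last, mask = cfg.pools[name]
        addrs = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        onlink = to_net(first, mask)  # what the client's VPN adapter treats as on-link
        for n in inside:
            # A pool carved out of a subnet that also lives behind the ASA: hosts on
            # that subnet ARP for the client address instead of routing it to the ASA.
            if any(a in n for a in addrs):
                findings.append(f"pool {name} ({first}-{last}) overlaps inside subnet {n}")
            # A mask wider than the pool makes the client treat inside subnets as on-link.
            elif onlink.overlaps(n):
                findings.append(f"pool mask {mask} puts inside subnet {n} on-link for clients")
            # Every pool address must be NAT-exempt as destination from each inside subnet.
            if not any(n.subnet_of(src) and all(a in dst for a in addrs) for src, dst in exempt):
                findings.append(f"nat 0 ACL does not exempt {n} -> pool {name}")
    if behind_l3:  # subnets behind another L3 hop need a static route on the ASA
        for n in inside:
            if not any(n.subnet_of(r) for r, _ in cfg.routes):
                findings.append(f"no static route on the ASA towards {n}")
    return findings


if __name__ == "__main__":
    for label, text, subnets in (("broken", BROKEN_CONFIG, ["2.2.1.0/22"]),
                                 ("fixed", FIXED_CONFIG, ["2.2.0.0/22"])):
        print(label, audit(text, subnets) or "OK")
```

Run against the thread's pool line the audit reports three things: 2.2.1.0/22 is not a valid network address (the covered block is 2.2.0.0/22), the pool 2.2.2.8-2.2.2.16 is carved out of that same block, and the example NAT 0 ACL exempts 192.168.1.0/24 rather than the pool actually handed out. Moving the pool to a range that exists nowhere behind the ASA and pointing the NAT exemption at it clears all three; whether a /22 or /24 mask is then handed to the client matters far less once the pool no longer overlaps the servers.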