12-21-2012 05:14 AM
Dear all,
We have servers protected by an ASA firewall.
The server IP range is 2.2.1.0/22; we use Cisco VPN (split tunneling) and the Cisco VPN client to manage the servers.
When we connect to the VPN we can only access the 2.2.1.0/24 range; the other ranges are not accessible.
The route details in the Cisco VPN client show 2.2.1.0/22, but we can't access the other subnets (2.2.2.0 and 2.2.3.0).
Please help.
Regards
vikas kumar
12-21-2012 08:23 AM
Is it possible for you to share the ASA config?
12-25-2012 03:55 AM
Dear Nitin,
Thanks for the mail.
I have sent you the config in a private message.
Regards
Vikas
12-25-2012 10:01 AM
Do the servers on those two subnets know routes back to the address range assigned to your VPN clients?
12-25-2012 11:07 AM
Dear Andrew,
Yes, all servers are on the /22 subnet.
If we can access one subnet, the others should be accessible too.
Regards
vikas kumar
12-29-2012 02:44 AM
Dear Andrew,
I have checked; the servers on the two subnets can reach the IP assigned to the VPN client machine.
It looks like a firewall rule is blocking.
Please assist.
Regards
vikas kumar
12-29-2012 03:13 AM
Maybe I'd be able to assist if I saw the config of your ASA )))
12-29-2012 05:13 AM
Dear Andrew,
I have sent you the config.
Please let me know if you need anything else.
Regards
vikas
12-29-2012 10:25 AM
Hi Vikas,
First of all, I need to know if your network environment 2.2.1.0/22 is behind an L3 device before the ASA inside interface. If yes, you need to have the following static route:
Example:
route INSIDE 2.2.1.0 255.255.252.0 "1.1.1.1" (1.1.1.1 = L3 device interface)
After that, you need to take a look at your NAT0:
===> No NAT <===
access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0 (192.168.1.0/24 is an example VPN address pool)
!
nat (INSIDE) 0 access-list VPN_NONAT
Good luck
Fabio Jorge Amorim
12-31-2012 01:59 AM
Dear Fabio,
Thanks for the reply.
Please find the setup diagram attached at the top of this discussion.
I have checked the configuration:
===> No NAT <===
access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0 (192.168.1.0/24 is an example VPN address pool)
!
nat (INSIDE) 0 access-list VPN_NONAT
=================
I am a bit confused about the routing.
Please assist.
Regards
vikas kumar
12-31-2012 12:19 PM
Check the client subnet mask with:
ipconfig /all
(it's NOT /32)
Then fix the mask in the ASA ip pool config line.
01-05-2013 01:31 PM
Have you checked my tip?
01-08-2013 02:35 AM
Hi Peter,
I am getting a /22 subnet on the VPN client.
Regards
01-10-2013 09:22 AM
Please copy here the pool line from the config:
sh run | i pool
01-13-2013 05:25 AM
Hi Peter,
Please find the output:
Result of the command: "show run | in pool"
ip local pool new-vpn-pool 2.2.2.8-2.2.2.16 mask 255.255.252.0
address-pool new-vpn-pool
Regards
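An added configuration check, not from this thread or from Cisco, that parses `ip local pool`, `access-list ... permit ip` and `nat (...) 0 access-list` lines in the shape quoted above and flags two things worth looking at: a pool whose addresses fall inside the protected server range (the quoted pool 2.2.2.8-2.2.2.16 sits inside 2.2.1.0/22, i.e. 2.2.0.0/22), and a NAT-exemption ACL that does not pair the server range with the pool. The sample config is constructed from the lines in this thread; the 192.168.1.0/24 network in the ACL is Fabio's placeholder pool, so it does not match the real pool.

```python
import ipaddress
import re

# Constructed sample in the shape of the lines quoted in this thread (not a real config).
SAMPLE_CONFIG = """\
ip local pool new-vpn-pool 2.2.2.8-2.2.2.16 mask 255.255.252.0
access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0
nat (INSIDE) 0 access-list VPN_NONAT
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def net(addr, mask):
    # strict=False: the ASA accepts a host part in the address, so 2.2.1.0/22 is really 2.2.0.0/22
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Pull the address pool, the ACL entries and the NAT-exemption ACL names out of a config excerpt."""
    pool, acls, nat0 = None, {}, set()
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            pool = (name, ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := ACL_RE.match(line):
            name, snet, smask, dnet, dmask = m.groups()
            acls.setdefault(name, []).append((net(snet, smask), net(dnet, dmask)))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(2))
    return pool, acls, nat0

def check_vpn_pool(config, protected):
    """Return findings for the VPN pool relative to the protected server range, e.g. '2.2.1.0/22'."""
    protected_net = net(*protected.split("/"))
    pool, acls, nat0 = parse(config)
    if pool is None:
        return ["no 'ip local pool' line found"]
    name, first, last = pool
    findings = []
    # Pool addresses inside the server range overlap the very subnets the client needs to reach.
    if first in protected_net or last in protected_net:
        findings.append(f"pool {name} {first}-{last} overlaps protected range {protected_net}")
    # The nat 0 ACL must pair the server range (source) with every pool address (destination).
    covered = any(protected_net.subnet_of(src) and first in dst and last in dst
                  for acl in nat0 for src, dst in acls.get(acl, []))
    if not covered:
        findings.append(f"no nat 0 ACL exempts {protected_net} -> {first}-{last} from NAT")
    return findings
```

Run `check_vpn_pool(SAMPLE_CONFIG, "2.2.1.0/22")` to see both findings; moving the pool to 192.168.1.10-192.168.1.20 clears them.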