Can't access other subnets using Cisco VPN client

vikas kumar
Level 1

Dear all,

We have servers protected by an ASA firewall.

The server IP range is 2.2.1.0/22. We use Cisco VPN (split tunneling) and the Cisco VPN client to manage the servers.

When we connect to the VPN we can only access the 2.2.1.0/24 range; the other ranges are not accessible.

The route details in the Cisco VPN client show 2.2.1.0/22, but we can't access the other subnets (2.2.2.0 and 2.2.3.0).

Please help

Regards

vikas kumar

19 Replies

nine_2012
Level 1

Is it possible for you to share the ASA config?


Dear Nitin,

Thanks for the mail.

I have sent you the config in a private message.

Regards

Vikas

Do the servers on those two subnets have routes back to the address range assigned to your VPN clients?

Dear Andrew,

Yes, all servers are on the /22 subnet.

If we can access one subnet, the others should be accessible too.

regards

vikas kumar

Dear Andrew,

I have checked; the servers on the two subnets can reach the IP assigned to the VPN client machine.

It looks like a firewall rule is blocking.

Please assist.

regards

vikas kumar

Maybe I'd be able to assist if I saw the config of your ASA )))

Dear Andrew,

I have sent you the config.

Please let me know if you need anything else.

Regards

vikas

Hi Vikas,

First of all, I need to know whether your network 2.2.1.0/22 is behind an L3 device before the ASA inside interface. If yes, you need the following static route:

Example:

route INSIDE 2.2.1.0 255.255.252.0 1.1.1.1
! 1.1.1.1 = the L3 device's interface facing the ASA

After that, you need to take a look at your NAT 0 (identity NAT):

===> No NAT <===

! 192.168.1.0/24 is an example VPN address pool
access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0

!

nat (INSIDE) 0 access-list VPN_NONAT

Good luck

Fabio Jorge Amorim

Dear Fabio,

Thanks for the reply.

Please find the setup diagram attached at the top of this discussion.

I have checked the configuration:

===> No NAT <===

! 192.168.1.0/24 is an example VPN address pool
access-list VPN_NONAT extended permit ip 2.2.1.0 255.255.252.0 192.168.1.0 255.255.255.0

!

nat (INSIDE) 0 access-list VPN_NONAT

=================

I am a bit confused about the routing.

Please assist.

regards

vikas kumar

Check the client subnet mask with

ipconfig /all

(it's NOT /32).

Then fix the mask in the ASA ip local pool config line.

Have you checked my tip?

Hi Peter,

I am getting a /22 subnet on the VPN client.

regards

Please copy the pool line from the config here:

sh run | i pool

Hi Peter,

Please find the output:

Result of the command: "show run | in pool"

ip local pool new-vpn-pool 2.2.2.8-2.2.2.16 mask 255.255.252.0

  address-pool new-vpn-pool

regards
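The pool line above is the one Peter's tip points at: the VPN pool (2.2.2.8 to 2.2.2.16) is carved out of the protected server range and is handed to the client with a 255.255.252.0 (/22) mask. The following is an added example, not part of the thread and not Cisco tooling; it uses only Python's standard ipaddress module to work out, from the addresses posted in the thread, which destinations the client's IP stack treats as directly connected (on-link) rather than routed, under the current /22 mask versus the /32 mask Peter suggests, and whether a server in the same /22 sees the client's pool address as a LAN neighbour. The target hosts, the server at 2.2.2.20/22 and the alternative 192.168.1.x pool (the example pool from Fabio's post) are constructed for illustration. Note that the /22 containing 2.2.1.0 is 2.2.0.0/22, which the module normalises for you.

```python
"""Subnet arithmetic for the VPN pool posted in this thread.

Added example, not from the original thread or from Cisco. Uses only the
standard-library ipaddress module; the addresses are the ones in the posted
config plus a few constructed target hosts.
"""
import ipaddress

# From the thread: protected range as written by the poster ("2.2.1.0/22").
# strict=False lets ipaddress normalise it to the real network, 2.2.0.0/22.
PROTECTED = ipaddress.ip_network("2.2.1.0/22", strict=False)

# From "ip local pool new-vpn-pool 2.2.2.8-2.2.2.16 mask 255.255.252.0".
POOL_FIRST, POOL_LAST = "2.2.2.8", "2.2.2.16"
MASK_CURRENT = "255.255.252.0"    # /22, what the client is getting now
MASK_FIXED = "255.255.255.255"    # /32, Peter's suggestion

# Constructed target hosts: one per /24 inside the /22 and one outside it.
TARGETS = ["2.2.1.10", "2.2.2.20", "2.2.3.5", "2.2.4.1"]


def pool_addresses(first: str, last: str) -> list:
    """Expand an ASA pool 'first-last' range into individual addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def pool_overlaps_protected(first: str, last: str,
                            protected=PROTECTED) -> bool:
    """True if any pool address also lies inside the protected server range."""
    return any(addr in protected for addr in pool_addresses(first, last))


def onlink_prefix(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Prefix a host derives as 'directly connected' from its IP and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def classify_from_client(client_ip: str, mask: str, targets=TARGETS) -> dict:
    """How the VPN client's IP stack will treat each target.

    on-link : covered by the adapter's own prefix, so the stack resolves the
              neighbour itself instead of using the split-tunnel route.
    tunnel  : inside the protected range but not on-link, so the ASA's
              split-tunnel route carries it.
    outside : not in the protected range at all (goes out the local LAN).
    """
    onlink = onlink_prefix(client_ip, mask)
    out = {}
    for t in targets:
        ip = ipaddress.ip_address(t)
        if ip in onlink and ip != ipaddress.ip_address(client_ip):
            out[t] = "on-link"
        elif ip in PROTECTED:
            out[t] = "tunnel"
        else:
            out[t] = "outside"
    return out


def classify_from_server(server_ip: str, server_mask: str,
                         client_ip: str) -> str:
    """Whether a server in the /22 sees the client's pool address as a LAN
    neighbour ('on-link') or sends its reply to the gateway ('routed')."""
    onlink = onlink_prefix(server_ip, server_mask)
    return "on-link" if ipaddress.ip_address(client_ip) in onlink else "routed"


if __name__ == "__main__":
    print("protected network:", PROTECTED)
    print("pool overlaps protected range:",
          pool_overlaps_protected(POOL_FIRST, POOL_LAST))
    for mask in (MASK_CURRENT, MASK_FIXED):
        print(f"client {POOL_FIRST}/{mask}:",
              classify_from_client(POOL_FIRST, mask))
    # Assumed server 2.2.2.20/22 replying to the client (constructed).
    print("server 2.2.2.20/22 -> client 2.2.2.8:",
          classify_from_server("2.2.2.20", MASK_CURRENT, POOL_FIRST))
    print("server 2.2.2.20/22 -> client 192.168.1.5:",
          classify_from_server("2.2.2.20", MASK_CURRENT, "192.168.1.5"))
```

Run it directly to print both views. With the /22 mask every 2.2.1.x, 2.2.2.x and 2.2.3.x host is on-link from the client's point of view, and a server at 2.2.2.20/22 likewise sees 2.2.2.8 as a LAN neighbour, so neither side's routing table sends that traffic to the ASA; with the /32 mask every protected destination has to follow the split-tunnel route. Whether the Cisco virtual adapter proxies those neighbour lookups is something to confirm on the client, which is what Peter's ipconfig /all check is for. The overlap check also shows that a pool outside the protected range (the 192.168.1.x example from Fabio's post) avoids the question entirely, at the cost of needing the NAT-exemption ACL and the return route on the servers that the earlier replies asked about.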
