Cisco VPN Client + ASA + remote access + problem with routes

Hello.

I'm facing this issue in which a PC connected to an ASA using Cisco VPN client can't reach most of the LAN behind the FW.

Attached, the network's diagram.

Any PC successfully connects, but it can reach only the printers. They can't reach any other device from the LAN, and vice versa.

The only way I could make it work was adding a route into one computer's routing table so that it reaches the LAN segment through the FW's LAN interface (although it already had that IP address as its default gateway, which apparently was "not working").

I set a capture on the FW, and without that route no packet reaches the ASA (access list on the LAN interface grants traffic)

I would appreciate any help you could provide.

Thanks in advance.

Regards.

johnd2310
Level 8

Your diagram is not clear. Is the printer on the same network as the PCs? What do you get when you do a route print on the VPN client in both instances?

Thanks

John

**Please rate posts you find helpful**

Hello John:

When connecting the VPN client, the PC gets an IP address belonging to the same IP address pool (.90.98), so the answer is "yes". And what worries me is that I have two printers in the same LAN. The graphic shows only one of them. Both printers answer ping and are reachable, letting the PC user open their web interfaces. But I can't reach the rest of the subnet.

What the graphic also doesn't show is that there is a router, connected to an MPLS cloud. But there is no route in the router that makes the packet go through the MPLS link.

I thought that, given that the PC connected with the VPN client gets an IP from the same VLAN, nothing else would be necessary.

A temporary solution was adding to that router (which, by the way, is not the default gateway for any device in that LAN) routes pointing to the ASA, so that devices in the LAN can reach the external PC (which wasn't necessary with the printers - they worked before adding those routes).

 

Have you resolved the issue?

What I finally did was change the IP address pool for VPN remote clients. Something with that caused problems. A new dedicated subnet worked.

Thank you very much, and sorry for not answering before.
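
The fix reported in this thread was moving the remote-access pool off the LAN's subnet. As an added example (not posted by anyone in the thread), the script below scans ASA configuration text for `ip local pool` ranges that fall inside a subnet configured on an interface; the sample configuration, its addresses and the pool names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config; addresses and names are illustrative, not from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.20.90.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
ip local pool VPN_OLD 10.20.90.90-10.20.90.110 mask 255.255.255.0
ip local pool VPN_NEW 10.20.99.10-10.20.99.50 mask 255.255.255.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
NAMEIF = re.compile(r"^\s+nameif (\S+)")
IF_ADDR = re.compile(rf"^\s+ip address {IPV4} {IPV4}")
POOL = re.compile(rf"^ip local pool (\S+) {IPV4}(?:-{IPV4})?")


def parse(config):
    """Return ({interface name: network}, {pool name: (first, last)})."""
    subnets, pools, name = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split()[1]  # hardware id, used until a nameif line is seen
        elif (m := NAMEIF.match(line)):
            name = m.group(1)
        elif (m := IF_ADDR.match(line)) and name:
            subnets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif (m := POOL.match(line)):
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3) or m.group(2))  # single-address pool
            pools[m.group(1)] = (first, last)
    return subnets, pools


def overlapping_pools(config):
    """List (pool, interface, subnet) where the pool range intersects the subnet."""
    subnets, pools = parse(config)
    return [(pool, name, str(net))
            for pool, (first, last) in pools.items()
            for name, net in subnets.items()
            if first <= net[-1] and last >= net[0]]


if __name__ == "__main__":
    for pool, name, net in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps interface {name} subnet {net}")
```
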