04-24-2010 02:22 PM
Original configuration:
Remote site VPN (192.168.1.0/24) could terminate tunnel on ASA outside interface - and was then allowed to access network 172.31.1.0/24 across DMZ (DMZ port was reallocated to another Internet connection). Internal network (*see attachment) 10.0.0.0/12 could also connect to 172.31/24 via this route.
Moved 172.31/24 into the network (on 10.0.0.0/24 network). Now 10.0/12 can access 172.31/24 - but remote VPN (192.168.1.0/24) cannot.
Changes made on ASA for this move:
Changed static route from pointing to DMZ for 172.31/24 network.
Added NAT exempt for 172.31/24 to remote VPN network.
From 192.168.1.0/24 - I can ping any host on the 172.16.0.0/16 and 10.0.0.0/12 network - but not 172.31/24
Can ping 172.31/24 from "allowed" host (this is a vendor connection) from 172.16.0.0/16 and from any host on 10.0.0.0/12
Cannot ping 172.31/24 from the ASA.
Can't seem to get my hands around this or know of any tool on the ASA to use to diagnose. Any ideas?
04-24-2010 09:32 PM
Can you share the ASA configuration?
Or at least share the following:
sh run interface
sh run route
sh run nat
sh run static
And any ACL that the above NAT statement refers to.
Also, please double check that 10.1.7.60 and the other router closer to the 172.31.1.0/24 subnet have a route back towards 192.168.1.0/24, which should be going back towards the ASA firewall.
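As an added illustration of the pieces the reply above asks for (this is not configuration posted by either participant), here is what the relevant ASA lines and the internal return route look like in pre-8.3 ASA syntax, which matches the "nat exempt" and "sh run static" wording in the thread. The ASA inside address 10.0.0.1 and the ACL name `nonat` are placeholders; the next hop 10.1.7.60 is the one named in the reply:

```cisco
! Added illustration, not the thread's own config. Pre-8.3 ASA NAT syntax.
! Assumed placeholders: ASA inside address 10.0.0.1, ACL name "nonat".

! 1. Static route for the moved subnet must now point at the inside next hop,
!    not at the DMZ interface.
route inside 172.31.1.0 255.255.255.0 10.1.7.60 1

! 2. NAT exemption between the moved subnet and the remote VPN subnet.
!    The ACL is matched on the inside-to-outside direction, so the moved
!    subnet is the source and the remote VPN subnet is the destination.
access-list nonat extended permit ip 172.31.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.240.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. The crypto map (interesting traffic) ACL for the remote site tunnel, on
!    both ends, must still include 172.31.1.0/24 <-> 192.168.1.0/24, or the
!    packets are routed in clear and never enter the tunnel.

! 4. On the internal router in front of 172.31.1.0/24 (IOS syntax), the
!    return path for the remote VPN subnet must lead back to the ASA:
!      ip route 192.168.1.0 255.255.255.0 10.0.0.1

! Diagnostic: packet-tracer walks a simulated packet through the ASA's
! route lookup, NAT and ACL phases and reports the phase that drops it.
! Run it in both directions; a drop in the ROUTE-LOOKUP or NAT phase on
! the return direction points at the static route or the exemption ACL.
packet-tracer input outside icmp 192.168.1.10 8 0 172.31.1.10 detailed
packet-tracer input inside icmp 172.31.1.10 8 0 192.168.1.10 detailed
```

The symptom in the question (hosts on 10.0.0.0/12 reach 172.31/24 but the VPN subnet does not, and the ASA itself cannot ping it) is consistent with either the exemption ACL or the return route being missing; `show route` and `show xlate` alongside the packet-tracer output usually settle which.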