04-08-2011 06:34 AM
Cisco ASA 5510 with static routes. I created a new internal vlan and added the correct route to the ASA. Internally the vlan is fully accessible but when I connect to the VPN I cannot communicate with systems on it.
The dynamic access policy and associated ACL are fine. A system associated with this policy but not on the new vlan is accessible thru this policy.
What am I missing?
04-08-2011 08:24 AM
Hi,
Please let us know what kind of tunnel are you talking about:
1. lan to lan tunnel
2. site to site tunnel
you need to ensure that the new vlan is a part of interesting traffic and is nat exempted.
Adding the new vlan to interesting traffic will ensure that the tunnel is triggered for the new vlan.
Making the new vlan a part of nat exemption ensures that the traffic is passed over the tunnel and not NATted and routed to the internet and hence lost.
Also you can check if the encaps and decaps for the tunnel are increasing or not when you try passing the traffic from the new vlan. You can check that from the "sh cry ips sa peer" output.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered, if you feel your query is resolved. Do rate helpful posts.
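The two fixes and the checks described above, written out as an added ASA configuration example. This is not from the thread or from Cisco; the addresses, the object and ACL names, and the ASA 8.2 (pre-8.3) NAT syntax are all assumptions chosen to match the 2011 date of the question.

```cisco
! Assumed topology (constructed for this example, not from the thread):
!   existing inside network   10.1.0.0/16
!   new inside VLAN           10.20.0.0/24   (static route already in place)
!   remote-access VPN pool    192.168.100.0/24
!   LAN-to-LAN peer's LAN     172.16.0.0/24, peer address 203.0.113.10
! Syntax is ASA 8.2 (pre-8.3 NAT); on 8.3+ the nat 0 form is replaced by
! twice NAT with "nat (inside,outside) source static ... destination static ...".

! 1. NAT exemption: the new VLAN must be in the nat 0 ACL for every VPN
!    destination. Without the new entries, return traffic from 10.20.0.0/24
!    is translated and routed out the outside interface instead of into the tunnel.
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 2a. Remote-access VPN (the case a dynamic access policy implies): with
!     split tunneling, the new VLAN must be in the split-tunnel list or the
!     client never sends the traffic into the tunnel at all.
access-list split_tunnel_acl standard permit 10.1.0.0 255.255.0.0
access-list split_tunnel_acl standard permit 10.20.0.0 255.255.255.0
group-policy RA_GroupPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl

! 2b. LAN-to-LAN tunnel: the new VLAN must be in the crypto ACL
!     ("interesting traffic"), mirrored on the peer's side.
access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.20.0.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10

! 3. Verification. Simulate a packet from the new VLAN to a VPN client and
!    read the NAT and VPN phases of the output: if the NAT phase shows the
!    source being translated, the exemption ACL does not match this flow.
packet-tracer input inside tcp 10.20.0.10 1025 192.168.100.5 445
! While traffic is flowing, #pkts encaps and #pkts decaps should both rise;
! encaps rising with decaps flat points at the far side (or the return route).
show crypto ipsec sa peer 203.0.113.10
```

If the group policy uses `split-tunnel-policy tunnelall` the split-tunnel list is irrelevant and only the NAT exemption (and, for clients, the DAP/ACL already in place) decides whether the new VLAN is reachable, so check `show run nat` and `packet-tracer` first in that case.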
04-08-2011 06:49 AM
Hi,
I think it would be an issue with nat exemption, since the subnet of the new vlan, should be exempted when trying to communicate over the VPN.
If you post the config of the ASA, I think it would be easier to locate what exactly is missing.
-Shrikant
04-08-2011 07:11 AM
And what if we do not NAT thru the ASA? I cannot post the config at this time.
04-08-2011 11:29 AM
Figured it out, thanks for the help.