01-09-2012 07:54 PM
Hi all,
I had tried to replace an ASA and configured remote access vpn using cisco VPN client.
The remote access users are not able to access the inside network but have no problems accessing the network across a site to site VPN.
One thing to note is that the remote access VPN users are assigned an ip address of 10.X.3.1-10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0 .
Remote access users will have no problems accessing the inside network if the vpn client pool is changed to 192.168.1.1 to 192.168.1.100.
Errors from ASA
6 Jan 07 2012 16:25:08 302013 10.X.3.1 27724 10.X.1.66 3389 Built inbound TCP connection 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) to inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)
6 Jan 07 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP (no connection) from 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on interface dmz
I understand that overlapping ip range between remote access vpn network and inside interface network will cause routing issues but why is the syn-ack appearing in the DMZ interface? The DMZ interface is on ip address 172.16.Y.1 255.255.255.0.
I do plan to reduce the inside interface to 10.X.0.0 255.255.254.0 if it is indeed a routing issue due to the overlapping IP address, but would like to understand why the syn-ack is coming from the dmz interface and whether the diagnosis of the problem is correct. I did check with the customer and was informed that the existing design works on another ASA with no such problems.
01-09-2012 08:53 PM
I agree with whatever you said and tried, but this does not work.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap
Solution you already know
Solution
Always make sure that the IP addresses in the pool to be assigned to the VPN clients, the internal network of the head-end device and the VPN Client internal network are in different networks. You can assign the same major network with different subnets, but sometimes routing issues occur.
Thanks
Ajay
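A pre-deployment check for the pool/subnet overlap this answer describes, as an added example that is not part of the thread or of any Cisco tool. The octets 99 and 50 are constructed stand-ins for the thread's redacted X and Y; it flags which ASA interface subnets (or site-to-site remote networks) collide with a proposed client pool.

```python
import ipaddress


def pool_to_networks(first, last):
    """Return the minimal set of CIDR blocks covering an inclusive pool range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlapping_networks(pool_first, pool_last, networks):
    """Return the names of configured networks that overlap the client pool.

    networks: mapping name -> (ip, dotted_mask), written the way the ASA
    'ip address' / 'network-object' lines state them.
    """
    pool_blocks = pool_to_networks(pool_first, pool_last)
    hits = []
    for name, (ip, mask) in networks.items():
        subnet = ipaddress.ip_interface(f"{ip}/{mask}").network
        if any(block.overlaps(subnet) for block in pool_blocks):
            hits.append(name)
    return hits


# Constructed sample mirroring the thread: inside is a /16 that swallows
# the 10.X.3.x client pool; dmz is a separate /24.
ASA_NETWORKS = {
    "inside": ("10.99.1.2", "255.255.0.0"),
    "dmz": ("172.16.50.1", "255.255.255.0"),
}

# Same topology after the fix the poster proposes: inside shrunk to a /23.
ASA_NETWORKS_FIXED = {
    "inside": ("10.99.1.2", "255.255.254.0"),
    "dmz": ("172.16.50.1", "255.255.255.0"),
}

if __name__ == "__main__":
    for label, nets in (("current", ASA_NETWORKS), ("fixed", ASA_NETWORKS_FIXED)):
        clash = overlapping_networks("10.99.3.1", "10.99.3.200", nets)
        print(f"{label}: pool 10.99.3.1-10.99.3.200 overlaps {clash or 'nothing'}")
    print("alt pool:", overlapping_networks("192.168.1.1", "192.168.1.100", ASA_NETWORKS))
```

Run it against each candidate pool before pushing the ip local pool; an empty result for every interface and every L2L remote network is the condition the answer above asks for.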
01-09-2012 08:59 PM
Hi Ajay,
Thanks for the reply
I am accessing the servers in the internal network by IP Address. I am still curious why the syn-ack is appearing on the dmz interface.
01-09-2012 09:05 PM
Run a packet tracer and see what results are coming.
01-31-2012 12:12 AM
Another question.
To allow a remote access VPN user to access the network across a L2L VPN, besides doing a "same-security-traffic permit intra-interface" and nat exemption (e.g. nat (outside,outside) source static vpn_nat vpn_nat destination static vpn_nat vpn_nat), do we need to add on the crypto maps for the L2L VPN (e.g. include the crypto maps which use the Remote Access IP pool as the source IP)?
I have decided to use another non-overlapping IP range for the remote access VPN user.
Thanks.
01-31-2012 12:26 AM
Those commands are required for hairpinning traffic that comes in on the outside interface and returns back over outside for the L2L.
See if this helps to clarify - https://supportforums.cisco.com/docs/DOC-22428
Thanks
Ajay
01-31-2012 12:33 AM
Hi Ajay,
Thanks again
Regards,
Victor
01-31-2012 12:40 AM
YW Victor - let me know if you have any more questions here.