Remote access VPN client gets connected fails on hosts in LAN

asirajahmed
Level 1

Hi,

The VPN client gets connected fine. I have inter-VLAN routing happening on the switch in the LAN, so all the LAN hosts have their gateway IP on the switch, and I have the default route on the switch pointing to the ASA inside interface. After the Remote Access VPN is connected I can reach the switch; however, I cannot ping/connect to other hosts in the LAN. If I make the gateway point to the ASA, then that host is accessible. Any suggestions? I really want the gateway to be the switch, as I have other networks reachable through the switch (Intranet routing).

4 Replies

malshbou
Level 1

Hi Siraj,

Please provide:

route print (from an internal PC)

show ip route (from the switch)

show route (from the ASA)

Traceroute from an internal PC to a VPN client IP.

and let us know the VPN pool subnet and the internal subnet.

Regards,
Mashal Shboul

Hi Mashal,

Thanks for your time,

VPN Pool(Client) 192.168.100.0/24

Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)

=============
On the Switch
=============

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.5 to network 0.0.0.0

     172.32.0.0/24 is subnetted, 1 subnets
C       172.32.0.0 is directly connected, Vlan101
C    192.168.200.0/24 is directly connected, Vlan2000
C    192.9.200.0/24 is directly connected, Vlan4000
S    192.168.250.0/24 [1/0] via 192.9.200.125
S    192.168.1.0/24 [1/0] via 192.9.200.125
C    192.168.2.0/24 is directly connected, Vlan1000
S    192.168.252.0/24 [1/0] via 192.9.200.125
S*   0.0.0.0/0 [1/0] via 192.168.2.5

===============
On ASA
===============

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.32.0.2 to network 0.0.0.0

C    172.32.0.0 255.255.255.0 is directly connected, outside
C    192.9.200.0 255.255.255.0 is directly connected, inside
C    192.168.168.0 255.255.255.0 is directly connected, failover
C    192.168.2.0 255.255.255.0 is directly connected, MGMT
S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside

-----------------------------------------------------------------------------------------------------------------------

We don't need route print on the PC for now, as I can explain what is happening. I can get complete access to 192.168.2.0/24 (VLAN 1000), but for 192.9.200.0/24 (VLAN 4000) above on the switch I can only ping IPs on the switch pair and cannot make any TCP connections, which is explained by the default route on the switch pointing out VLAN 1000. Now my issue is: how do I get access to VLAN 4000? As you can see, these two are on different interfaces/zones on the ASA. Please note that with the default gateway pointing to the ASA I have access to both VLANs; it is only when I move the gateway to point to the switch that I lose TCP connections to one VLAN, depending on which VLAN the default route on the switch is pointing out.

So we are left with how to do this on the switch with a default route.

Hi Siraj,

It looks like the problem you described in the reply is different from the VPN problem.

For the problem of not being able to successfully exchange TCP while ICMP is working, this is most likely because of asymmetric routing between the two vlans, where the vlans have different gateways (one is ASA and the other is switch). The ASA will not allow this TCP connection unless TCP-state-bypass is enabled.

You should fix the routing so that both VLANs have the same gateway (either switch or the ASA), and of course if the ASA is used as a gateway, you need to have the necessary access-rules to allow the traffic between them.

Regards,
Mashal Shboul
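An added example (not from the thread or from Cisco) that models Mashal's explanation using the two route tables Siraj posted: it traces which ASA interface the VPN client's SYN leaves on and which interface the host's SYN-ACK comes back on, then applies the stateful rule that a TCP flow must stay on one interface pair unless TCP state bypass is enabled. The VLAN 4000 host address is constructed, and it assumes 192.168.2.5 (the switch's default next hop) is the ASA's MGMT address.

```python
import ipaddress

# Routes transcribed from the thread: (prefix, egress interface, next hop or None if connected).
ASA_ROUTES = [
    ("172.32.0.0/24", "outside", None),
    ("192.9.200.0/24", "inside", None),
    ("192.168.2.0/24", "MGMT", None),
    ("192.168.100.2/32", "outside", "172.32.0.2"),
    ("0.0.0.0/0", "outside", "172.32.0.2"),
]
SWITCH_ROUTES = [
    ("192.9.200.0/24", "Vlan4000", None),
    ("192.168.2.0/24", "Vlan1000", None),
    ("0.0.0.0/0", "Vlan1000", "192.168.2.5"),
]
VPN_CLIENT = "192.168.100.2"          # from the ASA route table
VLAN4000_HOST = "192.9.200.10"        # constructed host address, not from the thread


def lookup(routes, dst):
    """Longest-prefix match; returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return (best[1], best[2]) if best else (None, None)


def asa_path(host, gateway_on_switch):
    """Return (ASA interface the SYN leaves on, ASA interface the SYN-ACK re-enters on)."""
    forward_iface, _ = lookup(ASA_ROUTES, host)
    if not gateway_on_switch:
        return forward_iface, forward_iface          # host replies straight to the ASA
    # Host's gateway is the switch: the reply follows the switch's route to the VPN client.
    _, switch_next_hop = lookup(SWITCH_ROUTES, VPN_CLIENT)
    # Assumption: 192.168.2.5 is the ASA's MGMT address, so the reply arrives on the
    # ASA interface whose connected subnet contains that next hop.
    return_iface, _ = lookup(ASA_ROUTES, switch_next_hop)
    return forward_iface, return_iface


def tcp_permitted(host, gateway_on_switch, tcp_state_bypass=False):
    """Stateful check: the ASA built the connection on the forward interface pair and
    drops the SYN-ACK if it shows up on another interface, unless TCP state bypass is on."""
    out_if, in_if = asa_path(host, gateway_on_switch)
    return tcp_state_bypass or out_if == in_if
```

Running `asa_path(VLAN4000_HOST, True)` gives `("inside", "MGMT")`, the asymmetric case, while a VLAN 1000 host returns on MGMT both ways, which matches the symptom of one VLAN working and the other failing.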

Hi Mashal,

1) Initially both the VLAN 1000 and VLAN 4000 gateways were pointing to the ASA (I had access to both VLANs).

2) We wanted some inter-VLAN routing, HSRP, etc., so we moved the gateways for both VLANs to the switch/router.

My issue is that from the VPN client I need access to both VLANs after the move, which is not happening. If on the switch I use the default route pointing out the VLAN 1000 interface, I get access to the entire VLAN 1000 but not to 4000, and vice versa.