Paolo,

Paolo Piutz · ‎07-13-2016

Hi,

I have a question:

VPN clients are able to reach net A

Net B,C,D are correctly routed to A, to go outside.

I would like VPN users can reach also Net B,C,D: is it possible?

Thank you.

Paolo.

mdussana · ‎07-13-2016

Hi Paolo,

B,C and D know how to reach A, but do they know how to reach your remote users pool? Please confirm you are sending that traffic back to the ASA and you have the proper NATing (NAT Exemptions Probably).

Paolo Piutz · ‎07-14-2016

Hi,

I cannot manage B,C,D: they are customer network, I cannot verify the device (layer 3 switch)

Can you suggest mandatory configuration on the asa?

Thank you.

mdussana · ‎07-14-2016

Paolo,

Let imagine your remote subnet is X, it knows how to reach A because it is directly connected, it should know how to reach B,C and D because there most be a route on the ASA pointing to them, BUT if the core-switch has a default gateway different than the ASA, whenever B,C or D want to send traffic to X, the core-switch will use it's default route (if does not have a more specific route) to answer.

Now, if the core-switch is actually sending the traffic back to the ASA, the ASA should have the proper NAT Exemption statements. If you prefer share your configuration with me (you can hide ip addresses).

Paolo Piutz · ‎07-15-2016

Hi mdussana,

Monday 18 I send you the configuration, thank you.

Paolo.

Dina Odeh · ‎07-15-2016

Hi Paolo,

Yeah you can do that. Add networks B,C and D to be accessible from VPN users using the split-tunnel. Add the Nat for them also.

The best way to help you isolate if you have an issue in your ASA or after that, is to build captures on ASA internal interface where we have the B, C and D networks connected like this:

Cap capin interface <int_name> match ip <VPN_ network> <subnet_mask> <B_network> <subnet_mask>

You can send a traffic for netwrok B and if you can see the traffic leaving ASA and nothing back this you need to check routing between ASA and network B

route for VPN Client