Beginner

Routing issue

Good day,

VPN client issue here. User authenticates against the firewall (gets an IP from a pool) and can access everything fine and dandy on the directly connected LAN. He goes to access a LAN in another building but can't.

The LAN in the other building is connected by a 100 Mb LAN extension, so it has a router on the other side.

The router on that side has a route back to the IP pool that is used for the remote users. The weird thing is that from the router in the network he cannot reach, I can ping the IP he has been assigned from the pool.

When I look at the live logs via ASDM and filter for his IP, I cannot see any traffic coming in from him to the network he is trying to reach.

When he does a traceroute to the directly connected network it gets there in one hop; however, when he does a traceroute to the network that isn't working, it tries to go out over various gateways on the Internet.

I should point out I'm relatively new to PIX, but the fact that from the network the user can't access I can successfully ping the remote user, but not vice versa, suggests that routing is OK??

Please help!

11 Replies

Rising star

Re: Routing issue

Check the split-tunneling access-list.

Is the LAN in the other building included in the ACL?

Beginner

Re: Routing issue

Thanks for the reply.

How can I check the split-tunneling ACL?

Normal users on both networks have no problems connecting to each other; it's just the remote client VPN users.

Beginner

Re: Routing issue

Hello,

Try putting a route on your PIX firewall for the network that is not directly connected, pointing at the router.

For example:

The PIX-connected LAN is 10.0.0.0/24 and the router network is 10.0.1.0/24. The router has a connected interface into 10.0.0.0/24 and sends out of Eth1, for example, and connected to Eth1 is the 10.0.0.0/24, hence it works. The client pool is 192.168.1.0/24. You also have a route on the router for 192.168.1.0/24 to go out of Eth1. You need a route on the PIX for anything in 10.0.1.0/24 to go to the Eth1 IP address on the router.

If this does not make sense, let me know.

Cheers

Steven

Beginner

Re: Routing issue

Hi Steven,

Thanks for the reply.

I have a route on the PIX already; the weird thing is I can ping the remote VPN client's pool IP address from the LAN that is not directly connected. Could it be something to do with IPsec rules?

Rising star

Re: Routing issue

Rising star

Re: Routing issue

Beginner

Re: Routing issue

Thanks for the reply.

I have that option configured; however, I don't see a rule on the inside interface which would basically say

allow 192.168.10.0 to get to 10.50.20.0, IP permit

Although I can ping the VPN client from the 10.50.20.0 network, it doesn't make sense to me that if I were to add this rule all would be well.

What do you think?

VIP Mentor

Re: Routing issue

It sounds like your split tunnel is in need of some help.

If you posted your config it would help but I can probably guess what you have/need.

CLI only:

Look for a section in your group-policy that specifies the split-tunnel-policy and split-tunnel-network-list value.

Set your policy to tunnelspecified and your network-list value to the ACL that defines the split-tunnel traffic.

Your split-tunnel ACL should look something like this:

access-list 101 standard permit 192.168.1.0 255.255.255.0

access-list 101 standard permit 172.16.1.0 255.255.255.0

Where 192.168.1.0/24 is your local LAN that you can access now, and 172.16.1.0/24 is the LAN in the other building.

Beginner

Re: Routing issue

I think you might have it there, my friend.

Here is the config from the CLI. There is no access-list entry for the 10.50.20.0/24 network, which the remote VPN client cannot get to.

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 100

access-list 100 extended permit ip 160.100.50.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list 100 extended permit ip 160.100.0.0 255.255.0.0 192.168.10.0 255.255.255.0

So tomorrow I will add

access-list 100 extended permit ip 10.50.20.0 255.255.255.0 192.168.10.0 255.255.255.0

which should do the trick, yeah?

VIP Mentor

Re: Routing issue (Accepted Solution)

It should. Only I would switch those ACEs to standard instead of extended.

access-list 101 standard permit 10.50.20.0 255.255.255.0

Beginner

Re: Routing issue

You're a star, that did the job. Just had to add a no-NAT rule as well.

Thanks a mill.
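The complete fix the thread converges on (the split-tunnel list with both LANs, the route to the second building, and the no-NAT rule the last post mentions) written out as one configuration example. This is added here and is not the original poster's config or Cisco documentation. The addresses are the ones in the thread: 192.168.10.0/24 is the VPN pool, 160.100.50.0/24 the directly connected LAN, 10.50.20.0/24 the LAN behind the router in the other building. The router address 172.31.0.2, the group-policy name RA_POLICY and the ACL names SPLIT_TUNNEL and NONAT are assumptions. The syntax is the pre-8.3 PIX/ASA 7.x form (nat 0 access-list) that matches the commands quoted in the thread:

```cisco
! Split-tunnel list: the destinations the VPN client sends into the tunnel.
! A standard ACL names destination networks only. Both LANs must be listed;
! a network that is missing is routed by the client via its own default
! gateway, which is why the traceroute wandered off over Internet gateways.
access-list SPLIT_TUNNEL standard permit 160.100.50.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.50.20.0 255.255.255.0

! NAT exemption (the "no nat rule" from the last post). Traffic between
! the inside LANs and the VPN pool must not be translated, or the return
! path breaks even when the split-tunnel list is correct.
access-list NONAT extended permit ip 160.100.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 10.50.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Route to the LAN in the other building via the router on the LAN extension.
! 172.31.0.2 is an assumed address; the thread does not give the router's IP.
! The router needs the matching route back to 192.168.10.0/24 (the OP has it).
route inside 10.50.20.0 255.255.255.0 172.31.0.2 1

! Attach the list to the group policy the remote-access tunnel group uses.
! tunnelspecified: only the listed networks go through the tunnel.
! tunnelall would be the stricter choice when the client does not need
! local Internet access while connected.
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verification after the client reconnects: both LANs should appear in the
! client's secured routes, and the hit counts on both ACLs should increase.
show run group-policy RA_POLICY
show access-list SPLIT_TUNNEL
show access-list NONAT
```

Two points worth checking against the thread's own config. First, the existing ACL 100 has both a 160.100.50.0/24 and a 160.100.0.0/16 entry; the /16 already covers the /24, so whatever list is kept should contain only the prefixes actually intended, because every prefix in the split-tunnel list is reachable from whatever the client host can reach on its local network while connected. Second, the poster's question about an inside-interface rule: on PIX/ASA 7.x the default sysopt connection permit-vpn lets decrypted VPN traffic bypass the interface ACLs, so the missing piece was the split-tunnel entry and the NAT exemption, not an interface ACE. The client's secured routes and a packet-tracer from the inside interface towards a pool address are the quickest way to confirm both halves after the change.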