Routing to inside network problem with split tunnel on ASA5510

Hello Everyone,

My customer has an ASA5510 that I have configured as a remote VPN endpoint for remote laptop users who connect via an IPsec tunnel using the Cisco VPN client software. The remote VPN is configured as a split tunnel VPN. Once the user connects they have full use of the inside network that is directly connected to the ASA. They can also access the Internet via the split tunnel while connected to the VPN. However, there is another inside network that is sitting behind the first inside network on an ASA5505 that they cannot reach, even though there is a route to it on the 5510. When they try to reach this second inside network the 5510 does NOT send them to the inside network; instead it sends them to the Internet via the split tunnel.

Here is a diagram:

VPN Client -----> 12.68.156.43 outside [ASA5510] inside 172.16.160.0 -------> 172.16.160.200 outside [ASA5505] inside 192.168.100.0
           ------> Split tunnel --------> Internet

Everything works as expected with the exception of not being able to reach the 192.168.100.0 network.

The static route statement I am using on the 5510 is:

route inside 192.168.100.0 255.255.255.0 172.16.160.200 1

The split tunnel acl is:

access-list split_tunnel_list standard permit 172.16.160.0 255.255.224.0
access-list split_tunnel_list standard permit 192.168.100.0 255.255.255.0

The policy is:

group-policy vpn_group internal
group-policy vpn_group attributes
 dns-server value 172.16.160.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 split-dns value xxxxxx.local

I can ping the 192.168.100.x network from the console of the ASA5510 but not from a pc that is connected via the VPN.

Can someone please let me know what I'm missing?

Thanks in advance!

Mitchell Smith
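An added example, not part of the original post, that checks a split-tunnel ACL the way the VPN client will use it. With `split-tunnel-policy tunnelspecified` the ASA pushes the networks from the standard ACL to the client, and only destinations inside one of those networks enter the IPsec tunnel; everything else takes the default route to the Internet, which is the symptom described above. The script parses the ACL lines, rejects any entry whose mask is not a valid subnet mask (the ASA CLI will not accept such a line either, so the network is never pushed to the client), and reports where sample destinations would be sent. The ACL text is a constructed copy of the one above with a deliberately malformed mask on the second line, and the destination addresses are assumptions.

```python
"""Check a split-tunnel ACL from the VPN client's point of view."""
import ipaddress

# Constructed sample: the poster's ACL with an intentionally invalid mask
# on the second line, so the checker has something to report.
SPLIT_ACL = """
access-list split_tunnel_list standard permit 172.16.160.0 255.255.224.0
access-list split_tunnel_list standard permit 192.168.100.0 25.255.255.0
"""


def parse_split_acl(text):
    """Return (networks, errors) from 'access-list NAME standard permit NET MASK' lines."""
    networks, errors = [], []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2:4] != ["standard", "permit"]:
            errors.append(f"unrecognised line: {line}")
            continue
        net, mask = parts[4], parts[5]
        try:
            # strict=True rejects a network with host bits set; ipaddress also
            # rejects a non-contiguous or out-of-range mask such as 25.255.255.0.
            networks.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=True))
        except ValueError as exc:
            errors.append(f"rejected: {line} ({exc})")
    return networks, errors


def client_path(dest, networks):
    """Where the client sends a packet for dest: 'tunnel' or 'internet'."""
    addr = ipaddress.IPv4Address(dest)
    return "tunnel" if any(addr in net for net in networks) else "internet"


def audit(text, destinations):
    """Parse the ACL and classify each destination; errors are returned alongside."""
    networks, errors = parse_split_acl(text)
    return {"errors": errors,
            "paths": {dest: client_path(dest, networks) for dest in destinations}}


if __name__ == "__main__":
    # Assumed sample destinations: a host on each inside network and a public address.
    for label, acl in (("as written", SPLIT_ACL),
                       ("mask corrected", SPLIT_ACL.replace("25.255.255.0", "255.255.255.0"))):
        result = audit(acl, ["172.16.160.10", "192.168.100.5", "8.8.8.8"])
        print(f"--- {label} ---")
        for err in result["errors"]:
            print("  ", err)
        for dest, path in result["paths"].items():
            print(f"   {dest:16} -> {path}")
```

On a connected client the same answer can be read directly from the VPN client's route details or the host routing table: if 192.168.100.0/24 is not listed as a secured network, the client never had it, whatever the ASA's own routing table says.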


Jouni Forss
VIP Alumni

Hi,

Might need to see both ASAs' configurations to determine the cause, but here are some ideas:

  • Missing NAT0 configuration on ASA5510 for the network behind ASA5505
  • If ASA5505 has another default gateway out of the network it might be missing route towards the VPN Pool that needs to be routed to the ASA5510
  • Missing NAT0 / NAT configurations on the ASA5505 unit for the VPN Pool network
  • Missing ACL configurations on the ASA5505 unit for the VPN Pool network

Without seeing any configurations, I don't really know what the problem is, especially when there are 2 firewalls between the client and the destination server/host.

- Jouni
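An added example, not part of the reply, that walks the four items above against the relevant config lines of both ASAs. For a VPN-pool host reaching 192.168.100.x through the ASA5510 and then the ASA5505, the checks are: a route on each box (towards the destination on the 5510, back towards the pool on the 5505), a NAT-exemption entry on each box covering the destination/pool pair (pre-8.3 `nat (inside) 0 access-list` syntax, which is what "NAT0" refers to; exemption is bidirectional, so one line written inside-to-pool covers both directions), and an inbound ACL on the 5505's outside interface permitting pool-to-destination. The config snippets are constructed samples containing only the lines the checks read; the pool 10.10.10.0/24, the ASA5510 inside address 172.16.160.1 and the ACL names are assumptions, while the static route on the 5510 is the one from the question. The "sample" configs deliberately omit the two NAT-exemption pieces so the report shows what a missing item looks like.

```python
"""Run the reply's checklist over the config lines of two ASAs (pre-8.3 syntax)."""
import ipaddress
import re

NET, ADDR = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed sample configs (assumed pool 10.10.10.0/24, assumed 5510 inside 172.16.160.1).
ASA5510 = """
route inside 192.168.100.0 255.255.255.0 172.16.160.200 1
access-list inside_nat0_outbound extended permit ip 172.16.160.0 255.255.224.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
ASA5505 = """
route outside 0.0.0.0 0.0.0.0 172.16.160.1 1
access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-group outside_access_in in interface outside
"""
# The same configs with the NAT-exemption lines for the 192.168.100.0/24 <-> pool pair added.
ASA5510_FIXED = ASA5510.replace(
    "nat (inside) 0",
    "access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0\n"
    "nat (inside) 0")
ASA5505_FIXED = ASA5505 + """
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def next_hop(cfg, dest):
    """Longest-prefix match over 'route IFACE NET MASK NEXTHOP METRIC' lines -> (iface, nexthop) or None."""
    addr, best = ADDR(dest), None
    for iface, net, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        network = NET(f"{net}/{mask}", strict=False)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, ADDR(nh))
    return best[1:] if best else None


def acl_permits(cfg, name, src, dst):
    """True if an 'access-list NAME extended permit ip SRC SMASK DST DMASK' line covers src -> dst."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    s, d = ADDR(src), ADDR(dst)
    return any(s in NET(f"{sn}/{sm}", strict=False) and d in NET(f"{dn}/{dm}", strict=False)
               for sn, sm, dn, dm in re.findall(pat, cfg, re.M))


def nat_exempt(cfg, iface, local, remote):
    """NAT exemption ('nat (IFACE) 0 access-list NAME') is bidirectional; the ACL is written local -> remote."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", cfg, re.M)
    return m is not None and acl_permits(cfg, m.group(1), local, remote)


def inbound_permits(cfg, iface, src, dst):
    """True if the ACL applied inbound on iface permits src -> dst."""
    m = re.search(rf"^access-group (\S+) in interface {iface}$", cfg, re.M)
    return m is not None and acl_permits(cfg, m.group(1), src, dst)


def checklist(c5510, c5505, client, dest, asa5510_inside, asa5505_outside):
    """Map each checklist item to True/False for the flow client -> dest."""
    return {
        "5510 route to dest via 5505": next_hop(c5510, dest) == ("inside", ADDR(asa5505_outside)),
        "5510 nat0 dest<->pool": nat_exempt(c5510, "inside", dest, client),
        "5505 route to pool via 5510": next_hop(c5505, client) == ("outside", ADDR(asa5510_inside)),
        "5505 nat0 dest<->pool": nat_exempt(c5505, "inside", dest, client),
        "5505 outside ACL permits pool->dest": inbound_permits(c5505, "outside", client, dest),
    }


if __name__ == "__main__":
    for label, a, b in (("sample", ASA5510, ASA5505), ("fixed", ASA5510_FIXED, ASA5505_FIXED)):
        report = checklist(a, b, "10.10.10.7", "192.168.100.5", "172.16.160.1", "172.16.160.200")
        for item, ok in report.items():
            print(f"[{label}] {'OK     ' if ok else 'MISSING'} {item}")
```

On ASA 8.3 and later the exemption is expressed as a twice-NAT identity rule (`nat (inside,outside) source static LOCAL LOCAL destination static POOL POOL`) rather than `nat (inside) 0`, so the `nat_exempt` parser would need a second pattern; the checks themselves are the same. The script only reads the lines it knows about, so a "MISSING" result is a prompt to look at that item, not proof that the feature is absent.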