01-27-2016 03:22 PM
I did set up remote access VPN on several other Cisco ASA 5505s in the past. It was working fine. But now I am trying to set up a remote access VPN on a new Cisco ASA 5505, and am experiencing a very weird problem. The problem is:
For the VPN address pool, I have to use 192.168.1.x. When I use 192.168.1.x as the address pool, the VPN remote access works fine and can access remote internal network computers (192.168.2.x). But when I use any other address pool (I tried 192.168.3.x, 192.168.5.x, 192.168.15.x), I can still make the VPN connection, but cannot access any remote internal network computers.
I attached the running config files. "works" is when I use 192.168.1.x vpn address pool, "noworking" is when I use 192.168.3.x vpn address pool. They are almost identical except for address pool.
It's so weird. I spent lots of time, still could not find out why.
Please help. Thanks.
01-28-2016 11:24 AM
01-28-2016 11:30 AM
Many thanks for your reply, Hieu. I don't have internal subnets like 192.168.3.x, 192.168.5.x, 192.168.15.x. This is a testing network, I tried to make it simple.
01-28-2016 11:50 AM
I see your internal networks are on .1x and 2x subnets.
Try adding "route inside 192.168.0.0 255.255.0.0 Gateway" to see if that works. If that does not work, pls. post your router and switch configs.
01-28-2016 01:50 PM
Thank you Hieu. The 1x network I put in the configuration was to allow 1x network management access, that's for future use. Currently in my test network there is no 1x subnet. I have only two computers and this ASA.
The good news is I just dug out the root cause of the problem -- the McAfee installed on the internal computer blocked the traffic somehow. Still don't know why the 1x VPN address pool worked but any other address pool didn't work; there are no relevant settings. At least now we know it's not an ASA VPN configuration problem.
02-14-2016 12:26 AM
Hi,
Do you have an access-list configured to allow 192.168.3.x to reach the internal IP [ 192.168.2.x ]?
Kind regards,
02-14-2016 12:30 AM
Hi,
Also, I see the pool used for the tunnel group when you are using 192.168.3.x, which is pool3, is not the same.
If this is the right name for the tunnel group, then it should have an address pool of pool3, not pool1,
right?
    tunnel-group emvpn2 general-attributes
     address-pool AddressPool1
     default-group-policy emvpn2