Very weird issue when VPN remote access internal network

Joe Z
Level 1

I did set up remote access VPN on several other Cisco ASA 5505s in the past. It was working fine. But now I am trying to set up a remote access VPN on a new Cisco ASA 5505, and I am experiencing a very weird problem. The problem is:

For the VPN address pool, I have to use 192.168.1.x. When I use 192.168.1.x as the address pool, the VPN remote access works fine and can access the remote internal network computers (192.168.2.x). But when I use any other address pool (I tried 192.168.3.x, 192.168.5.x and 192.168.15.x), I can still make the VPN connection, but cannot access any remote internal network computers.

I attached the running config files. "works" is when I use the 192.168.1.x VPN address pool, "noworking" is when I use the 192.168.3.x VPN address pool. They are almost identical except for the address pool.

It's so weird. I spent lots of time, still could not find out why.

Please help. Thanks.


Hieu Cao
Level 4
Do you have internal subnets 192.168.3.x, 192.168.5.x, 192.168.15.x? If you do, your VPN IP ranges are in conflict with the internal networks. Try reducing the range and ensure that you have proper routing in place for those subnets.

Many thanks for your reply, Hieu. I don't have internal subnets like 192.168.3.x, 192.168.5.x, 192.168.15.x. This is a testing network; I tried to make it simple.

I see your internal networks are on the .1x and .2x subnets.

Try adding "route inside 192.168.0.0 255.255.0.0 Gateway" to see if that works. If that does not work, please post your router and switch configs.

Thank you, Hieu. The 1x network I put in the configuration was to allow 1x network management access; that's for future use. Currently in my test network there is no 1x subnet. I have only two computers and this ASA.

The good news is I just dug out the root cause of the problem -- the McAfee installed on the internal computer blocked the traffic somehow. I still don't know why the 1x VPN address pool worked but any other address pool didn't work; there are no relevant settings. At least now we know it's not an ASA VPN configuration problem.

Samer R. Saleem
Level 4

Hi,

Do you have an access-list configured to allow 192.168.3.x to reach the internal IPs (192.168.2.x)?

Kind regards,

Samer R. Saleem
Level 4

Hi,

Also, I see the pool used for the tunnel group when you are using 192.168.3.x, which is pool3, is not the same.

If this is the right name for the tunnel group, then it should have an address pool of pool3, not pool1.

Right?

tunnel-group emvpn2 general-attributes
 address-pool AddressPool1
 default-group-policy emvpn2