VPN can't access remote subnets

aalbrecht27
Level 1

I'm trying to set up a VPN connection from a Cradlepoint 4G wireless hotspot device to our headquarters ASA5510. The VPN is up, and seems configured correctly, but I'm only able to ping devices on the same subnet that the ASA's inside interface is on: 192.168.0.x/24.

The ASA's inside interface IP is 192.168.0.2, the remote VPN is using the 192.168.90.x subnet.  The subnets I can't access from the remote VPN connection are 192.168.20.x, 192.168.101.x, 192.168.102.x, which are subnets created on the 4506, but even the DMZ on the ASA can't be reached by 192.168.90.x even though that should be considered inside resources and have access to the DMZ, correct?

I've attached a diagram to give a brief overview of the network and also attached the configs.  I'd also like to be able to access the server in the DMZ from this VPN connection as well.  

I'm not sure if this is a VPN config problem or some routing issue on the ASA5510.  

2 Replies

aalbrecht27
Level 1

I'm not sure if this is the problem, but it seems weird to me.  I was trying to add a static route for the 192.168.90.0 subnet on the ASA, but when I try to add the config I get the error message below:

ASA(config)# route inside 192.168.90.0 255.255.255.0 192.168.0.1 1
ERROR: Cannot add route entry, conflict with existing routes


Here are the statically configured routes on the ASA:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.0.1 1
route inside 192.168.20.0 255.255.255.0 192.168.0.1 1
route inside 192.168.30.0 255.255.255.0 192.168.0.1 1
route inside 192.168.40.0 255.255.255.0 192.168.0.1 1
route inside 192.168.60.0 255.255.255.0 192.168.0.1 1
route inside 192.168.61.0 255.255.255.0 192.168.0.1 1
route inside 192.168.101.0 255.255.255.0 192.168.0.1 1
route inside 192.168.102.0 255.255.255.0 192.168.0.1 1
route inside 192.168.103.0 255.255.255.0 192.168.0.1 1
route inside 192.168.104.0 255.255.255.0 192.168.0.1 1
route inside 192.168.105.0 255.255.255.0 192.168.0.1 1
route inside 192.168.160.0 255.255.255.0 192.168.0.1 1
route inside 192.168.161.0 255.255.255.0 192.168.0.1 1
route inside 192.168.162.0 255.255.255.0 192.168.0.1 1
route inside 192.168.165.0 255.255.255.0 192.168.0.1 1
route inside 192.168.250.0 255.255.255.0 192.168.0.1 1


So the configs don't show any static routes for 192.168.90.0, but the 'show route' output says otherwise:
ASA# sh route
...
S    192.168.90.0 255.255.255.0 [1/0] via x.x.x.x, outside


This route is pointing the 192.168.90.0 subnet to our outside interface, but shouldn't this be pointing to the inside network?  Why is this static route not showing up in the configuration, and how can I change it?



I know I posted this a while back, but I'm still not able to access subnets other than what the firewall is on.  Anyone have an idea what could be causing this?  
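
The comparison described in the thread (configured `route` statements versus the `S` lines of `show route`) can be scripted. The following is an added example, not part of the original posts: the sample text is constructed from the output quoted above, 203.0.113.1 stands in for the masked x.x.x.x next hop, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread; 203.0.113.1 is a
# placeholder for the masked outside next hop (x.x.x.x).
RUNNING_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.20.0 255.255.255.0 192.168.0.1 1
route inside 192.168.101.0 255.255.255.0 192.168.0.1 1
"""
SHOW_ROUTE = """\
S    192.168.20.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    192.168.90.0 255.255.255.0 [1/0] via 203.0.113.1, outside
S    192.168.101.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

CFG_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)
TBL_RE = re.compile(r"^S\*?\s+(\S+) (\S+) \[\d+/\d+\] via (\S+), (\S+)", re.M)

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def configured_routes(config):
    """network -> (interface, next hop) from 'route' statements."""
    return {_net(n, m): (ifc, gw) for ifc, n, m, gw in CFG_RE.findall(config)}

def installed_statics(table):
    """network -> (interface, next hop) from the 'S' lines of 'show route'."""
    return {_net(n, m): (ifc, gw) for n, m, gw, ifc in TBL_RE.findall(table)}

def unconfigured_statics(config, table):
    """Static routes in the table that no 'route' statement accounts for."""
    cfg = configured_routes(config)
    return {str(n): hop for n, hop in installed_statics(table).items()
            if n not in cfg}

def conflicting_route(table, ifc, addr, mask):
    """Installed route for the same prefix on a different interface, or None."""
    hop = installed_statics(table).get(_net(addr, mask))
    return hop if hop and hop[0] != ifc else None

if __name__ == "__main__":
    print(unconfigured_statics(RUNNING_CONFIG, SHOW_ROUTE))
    print(conflicting_route(SHOW_ROUTE, "inside", "192.168.90.0", "255.255.255.0"))
```
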
