03-15-2006 07:38 PM - edited 02-21-2020 02:19 PM
Hi All,
I am using PIX 7.0 and VPN client 4.8.
When I connect with the VPN client I can see the subnet behind the PIX (10.61.1.0).
However, there is a router on this subnet that connects to two other sites (10.61.2.0 and 10.72.2.0).
I can ping from the PIX command line to these subnets.
When I connect using the VPN client I can only see the subnet behind the PIX and not the other two subnets.
I have a route command 10.0.0.0 255.0.0.0 10.61.1.250 (router IP address) on the PIX, but this does not seem to help.
The response from a ping is "request timed out" for either of the other subnets.
Any suggestions on what route I need to add, or is there an ACL that needs to be added?
Current routes and ACLs are:
0.0.0.0 0.0.0.0 <ISP router address>
10.0.0.0 255.0.0.0 10.61.1.250
access-list Outside_access_in extended permit icmp any any
access-list inside_nat0 extended permit ip 10.61.1.0 255.255.255.0 10.61.1.224 255.255.255.240
nat (inside) 0 access-list inside_nat0
nat (inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
All responses appreciated.
03-16-2006 02:12 AM
Hi,
You need to check the following:
1) Crypto ACL on the PIX. The ACL should include 10.61.2.0 and 10.72.2.0.
2) On the router, there should be routes to reach back to the VPN client. Whatever pool is assigned to VPN clients, the router should be able to reach them.
3) In your NAT0 ACL also, mention those 2 subnets.
I hope after checking the above, this issue will be resolved.
Regards,
Aashish C
03-16-2006 04:49 PM
Thanks for the tips Aashish,
Still not working. I thought that to make it easier to troubleshoot I would only work on one other subnet.
I have configured the VPN pool to use IPs from the 10.61.1.0 subnet so as to eliminate any routing problems from the router.
Current routes and ACLs are:
0.0.0.0 0.0.0.0 <ISP router address>
10.0.0.0 255.0.0.0 10.61.1.250
access-list Outside_access_in extended permit icmp any any
access-list inside_nat0 extended permit ip 10.61.1.0 255.255.255.0 10.61.1.224 255.255.255.240
access-list inside_nat0 extended permit ip any 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0
nat (inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.61.1.224 255.255.255.240
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.0.0.0 255.0.0.0
Am I still missing something?
Regards
Ty
03-17-2006 08:32 AM
Firstly, and most importantly, the VPN client pool should not overlap with the ASA inside subnet or any connected subnet.
internet <--> asa <--> (10.61.1.250) router <--> 10.61.2.0 and 10.72.2.0
access-list inside_nat0 extended permit ip 10.61.1.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.61.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.72.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip 10.61.1.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip 10.61.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip 10.72.2.0 255.255.255.0
Further, a static route needs to be configured on the 10.61.1.250 router:
ip route <
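Added example, not from the thread: a small Python check of the two points in the answer above, that the VPN pool must not overlap any connected subnet, and that each internal subnet needs a matching nat0 and crypto ACL entry on the PIX plus a return route on the 10.61.1.250 router. The pool 10.61.100.0/24 and the PIX inside address 10.61.1.1 are assumptions; the ACL destination, absent from the quoted lines, is assumed to be the pool.

```python
import ipaddress

# Subnets from the thread: the PIX inside subnet and the two sites behind the router.
INSIDE_SUBNETS = ["10.61.1.0/24", "10.61.2.0/24", "10.72.2.0/24"]
PIX_INSIDE_IP = "10.61.1.1"   # assumption: PIX inside interface, next hop for the router
ROUTER_IP = "10.61.1.250"     # inside router from the thread


def pool_overlaps(pool, subnets):
    """Return the connected subnets the VPN pool overlaps (must be empty)."""
    p = ipaddress.ip_network(pool, strict=False)
    return [s for s in subnets if p.overlaps(ipaddress.ip_network(s))]


def pix_acl_lines(pool, subnets):
    """One nat0 and one crypto ACL entry per internal subnet, destination = pool."""
    p = ipaddress.ip_network(pool, strict=False)
    lines = []
    for name in ("inside_nat0", "Outside_cryptomap_dyn_20"):
        for s in subnets:
            n = ipaddress.ip_network(s)
            lines.append(f"access-list {name} extended permit ip "
                         f"{n.network_address} {n.netmask} {p.network_address} {p.netmask}")
    return lines


def router_static_route(pool, next_hop):
    """Return path on the inside router: VPN pool -> PIX inside interface."""
    p = ipaddress.ip_network(pool, strict=False)
    return f"ip route {p.network_address} {p.netmask} {next_hop}"


def plan(pool, subnets=INSIDE_SUBNETS, pix_inside=PIX_INSIDE_IP):
    """Reject an overlapping pool, else return the PIX ACLs and the router route."""
    bad = pool_overlaps(pool, subnets)
    if bad:
        raise ValueError(f"VPN pool {pool} overlaps connected subnet(s) {bad}; choose a disjoint pool")
    return pix_acl_lines(pool, subnets) + [router_static_route(pool, pix_inside)]


if __name__ == "__main__":
    # The original pool 10.61.1.224/28 sits inside 10.61.1.0/24, so it is rejected.
    print(pool_overlaps("10.61.1.224/28", INSIDE_SUBNETS))
    for line in plan("10.61.100.0/24"):
        print(line)
```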
03-20-2006 06:35 PM
Hi Jacko,
Thanks for the help, everything is working fine.
Regards
ty
04-11-2006 01:17 AM
If the VPN client initiates a session to 10.61.2.0, the PIX can create an xlate for this, so a static route to the VPN client pool on the 10.61.1.250 router is not necessary, is it true?
05-04-2006 07:16 AM
You need that static route on the router. The xlate created by the PIX is only for the PIX checking the return packets and bypassing the inside ACL. The router still needs that static route to send packets back to the PIX.