04-28-2010 07:50 AM
Hi,
Can someone advise me on this;
We are having issues with external suppliers accessing servers using the Cisco IPSec client (ver 5). The clients can VPN into the ASA and they receive an IP address from the address pool. When the supplier tries to RDP to the servers at the site they receive an error that they cannot connect.
The IP address range on the inside network is 10.0.0.0/8 and frequently the suppliers are using this for some part of their network as well. We suspect a routing issue but we have been unable to find a way to force the traffic (typically to a server somewhere on the 10.20.0.0 subnet) down the VPN tunnel.
When they dial in from another network (i.e. home broadband) they can RDP into the servers without any issue.
So we are assuming that the client's office address range is what is causing the problem.
We have tried SSL and AnyConnect with more success but it is not reliable.
Thanks
04-28-2010 08:03 AM
Hi,
The internal network behind the ASA is 10.0.0.0/8
The VPN clients presenting problems are the ones that reside somewhere on a segment of the 10.0.0.0/8 as well?
The VPN pool belongs to the 10.0.0.0/8?
You say you have seen the problem only when clients attempt to connect from a segment belonging to the 10.0.0.0/8 and accessing a particular server?
Sometimes you can NAT your VPN traffic to avoid overlapping issues.
Federico.
04-28-2010 08:39 AM
Hi Federico,
I am not sure exactly what the clients address is, but the user did say they were on a Segment 10 address.
The VPN pool that has been allocated is 10.20.28.X
Only clients that are accessing from a Segment 10 address experience this problem. I have tried from an ADSL connection using the user's credentials and I have no problem accessing the servers via RDP. The server is also behind a 10.0.0.0/8.
Can you give me an example of NATing VPN traffic for users who are coming from a Segment 10 address?
Thanks
04-28-2010 08:49 AM
Let's say that you have a problem accessing an internal server 10.9.9.9
You can create a NAT rule for that server:
static (inside,outside) x.x.x.x 10.9.9.9 netmask 255.255.255.255
The above rule will statically translate the internal server 10.9.9.9 to x.x.x.x
To make this work, 10.9.9.9 should be excluded from the NAT0 statement for the entire 10.0.0.0/8, since the NAT0 ACL takes precedence over static NAT.
Federico.
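Federico's suggestion, spelled out as a worked ASA configuration in the pre-8.3 syntax his static line uses. This is an added example, not configuration from the original post: the interface names inside/outside, the ACL and group-policy names, the mapped address 192.168.200.9 (chosen because it lies outside 10.0.0.0/8) and the example server 10.9.9.9 are assumptions; the VPN pool 10.20.28.0/24 is the one given earlier in the thread.

```cisco
! Added example, not from the original post. Assumed names: inside/outside,
! NONAT, SPLIT-TUNNEL, VPN-SUPPLIERS; assumed mapped address 192.168.200.9.
!
! 1. NAT exemption for VPN-client traffic to the internal 10.0.0.0/8.
!    The deny entry comes first and pulls the problem server out of the
!    exemption so the static below can apply to it (NAT exemption, unlike
!    policy NAT, accepts deny entries).
access-list NONAT extended deny   ip host 10.9.9.9 10.20.28.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.20.28.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Present the server to VPN clients at an address outside 10.0.0.0/8.
!    A client sitting on an overlapping 10.x office LAN RDPs to
!    192.168.200.9; the ASA untranslates it to 10.9.9.9 on the way in.
static (inside,outside) 192.168.200.9 10.9.9.9 netmask 255.255.255.255
!
! 3. Make sure the mapped address is routed into the tunnel. With split
!    tunnelling the list must carry the mapped address, not only 10.0.0.0/8,
!    or the client will send 192.168.200.9 out its local default route.
access-list SPLIT-TUNNEL standard permit host 192.168.200.9
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy VPN-SUPPLIERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! 4. Check the translation from a VPN client's point of view: the trace
!    should show an UN-NAT phase mapping 192.168.200.9 back to 10.9.9.9
!    and end with the packet allowed.
packet-tracer input outside tcp 10.20.28.10 1025 192.168.200.9 3389
```

Two caveats a practitioner will hit: the deny entry must precede the permit in the exemption ACL, because the first matching entry wins; and the pool 10.20.28.0/24 itself sits inside 10.0.0.0/8, so a supplier whose office LAN happens to use that range still has a client-side routing conflict that no ASA-side NAT can fix. In that case the pool needs to move outside 10.0.0.0/8 as well.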