01-30-2014 05:29 AM
I have a Cisco ASA 5505 set up to be a VPN gateway. I can dial into the VPN using the AnyConnect client. The remote user is assigned an IP address according to my specifications. However, the remote user cannot access ANY network resources such as networked drives or the fax server. I have done all I can to set the right NAT and ACL settings, but to no avail. I am posting my config. If anyone can spot the issue, it would be appreciated!
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name cisco
enable password xxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names
name 68.191.xxx.xxx outside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.201.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address outside 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.201.1
domain-name cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj-192.168.201.0
access-list NAT-EXEMPT extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list NAT-EXEMPT extended permit ip any 192.168.202.0 255.255.255.0
access-list NAT-EXEMPT extended permit ip 192.168.202.0 255.255.255.0 any
access-list NAT-EXEMPT extended permit icmp any any
access-list any extended permit ip any any
access-list any extended permit object-group TCPUDP any any
access-list any extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
access-list inside_nat0_outbound_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.201.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
route inside 0.0.0.0 255.255.255.255 outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair xxx
proxy-ldc-issuer
crl configure
xxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.201.1
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value cisco
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask enable
group-policy KunduVPN internal
group-policy KunduVPN attributes
wins-server none
dns-server value 192.168.201.1
vpn-tunnel-protocol svc webvpn
default-domain value cisco
username xxxx
username xxxxx
vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool VPNIP
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group KunduVPN type remote-access
tunnel-group KunduVPN general-attributes
address-pool (inside) VPNIP
address-pool KunduVPN
authentication-server-group (inside) LOCAL
default-group-policy KunduVPN
tunnel-group KunduVPN webvpn-attributes
group-alias KunduVPN enable
group-url https://68.191.xxx.xxx/KunduVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
: end
no asdm history enable
01-30-2014 05:37 AM
Hi,
Some observations from the configuration.
The "route" commands don't really make sense
route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
route inside 0.0.0.0 255.255.255.255 outside 1
The default route points to your LAN and the other "route" seems useless also
You should have
route outside 0.0.0.0 0.0.0.0
You also seem to have a NAT0 configuration that is supposed to prevent the ASA doing NAT for any traffic which seems strange
I would suggest
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
no nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 0 access-list INSIDE-NAT0
Though I am kinda wondering how this ASA can operate at all for any host since the default route and NAT0 are configured this way.
Can you check the above things.
Hope this helps
- Jouni
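The observations in the reply above (a default route on the "inside" interface, a route for 0.0.0.0 with mask 255.255.255.255, and a NAT0 ACL that permits ip any any) can be checked mechanically. This is an added example, not part of the original thread; the finding names and the placeholder next hop 203.0.113.1 are assumptions.

```python
import ipaddress
import re

# Constructed input: routing, NAT0 and pool lines copied from the first config.
ORIGINAL = """\
access-list inside_nat0_outbound_1 extended permit ip any any
ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1 outside
route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
route inside 0.0.0.0 255.255.255.255 outside 1
"""

# Constructed input: the same lines after the suggested changes.
# 203.0.113.1 is a placeholder next hop, not a value from the thread.
SUGGESTED = """\
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A' or 'NET MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)

def parse(config):
    """Collect active 'permit ip' ACL entries, NAT0 bindings, routes, pools."""
    acls, nat0, routes, pools = {}, [], [], []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 2 and t[0] == "access-list":
            if t[2] == "extended":          # keyword is optional on input
                del t[2]
            if t[2:4] == ["permit", "ip"] and t[-1] != "inactive":
                rest = t[4:]
                acls.setdefault(t[1], []).append((take_addr(rest), take_addr(rest)))
        elif m := re.match(r"nat \((\w+)\) 0 access-list (\S+)", line.strip()):
            nat0.append(m.group(2))
        elif t[:1] == ["route"]:
            routes.append((t[1], t[2], t[3]))   # interface, network, mask
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools.append((t[3], ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return acls, nat0, routes, pools

def audit(config):
    """Return a list of findings matching the observations in the reply."""
    acls, nat0, routes, pools = parse(config)
    findings = []
    for ifc, dest, mask in routes:
        if dest == "0.0.0.0" and mask == "0.0.0.0" and ifc != "outside":
            findings.append(f"default-route-on-{ifc}")
        if dest == "0.0.0.0" and mask == "255.255.255.255":
            findings.append("host-route-to-0.0.0.0")
    for name in nat0:
        if any(src == ANY and dst == ANY for src, dst in acls.get(name, [])):
            findings.append(f"nat0-exempts-everything:{name}")
    for pool, first, last in pools:
        # The pool should be the destination of a specific NAT0 entry.
        covered = any(dst != ANY and first in dst and last in dst
                      for name in nat0 for _, dst in acls.get(name, []))
        if not covered:
            findings.append(f"pool-without-specific-nat0:{pool}")
    return findings
```

`audit(ORIGINAL)` reports all four findings and `audit(SUGGESTED)` reports none.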
01-30-2014 05:40 AM
A lot of the garbage in that config is from hours of trying to just "make things work". I'm modifying my config in the way you suggested. Some of it may be due to the fact that I've had to use my "inside" interface for the tunnel by forwarding port 443 on the router it is connected to. I know that it's not a very good setup, but because this network was poorly managed over the years, it seems like any changes I make have a ripple effect that brings the whole office to its knees. I'm trying your fixes now, and I'll let you know.
01-30-2014 05:54 AM
Ok. I removed the two offending routes and added the one you suggested. I also changed the ACL. I'll post a new config. Still no connection. When I try to ping 192.168.201.60 from 192.168.202.2 it just fails.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name cisco
enable password xxx encrypted
passwd xxx encrypted
names
name 68.191.xxx.xxx outside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.201.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address outside 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.201.1
domain-name cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj-192.168.201.0
access-list NAT-EXEMPT extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0 inactive
access-list NAT-EXEMPT extended permit ip any 192.168.202.0 255.255.255.0 inactive
access-list NAT-EXEMPT extended permit ip 192.168.202.0 255.255.255.0 any inactive
access-list NAT-EXEMPT extended permit icmp any any inactive
access-list any extended permit ip any any inactive
access-list any extended permit object-group TCPUDP any any inactive
access-list any extended permit icmp any any inactive
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit object-group TCPUDP any any inactive
access-list inside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit object-group TCPUDP any any inactive
access-list outside_access_in extended permit icmp any any inactive
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0 inactive
access-list inside_nat0_outbound extended permit icmp any any inactive
access-list inside_nat0_outbound_1 extended permit ip any any inactive
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNIP 192.168.201.201-192.168.201.250 mask 255.255.255.0
ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list INSIDE-NAT0
nat (inside) 1 192.168.201.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.191.229.121 1
route outside 0.0.0.0 255.255.255.255 68.191.229.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
quit
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.201.1
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value cisco
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask enable
group-policy KunduVPN internal
group-policy KunduVPN attributes
wins-server none
dns-server value 192.168.201.1
vpn-tunnel-protocol svc webvpn
default-domain value cisco
username test password P4ttSyrm33SV8TYp encrypted
username RomaT password Bj5wAxjI5c95ZBqu encrypted privilege 0
username RomaT attributes
vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool VPNIP
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group KunduVPN type remote-access
tunnel-group KunduVPN general-attributes
address-pool (inside) VPNIP
address-pool KunduVPN
authentication-server-group (inside) LOCAL
default-group-policy KunduVPN
tunnel-group KunduVPN webvpn-attributes
group-alias KunduVPN enable
group-url https://68.191.229.122/KunduVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8f3ab6d716ea47e853c8cd55ba5be3e4
: end
no asdm history enable
01-30-2014 06:06 AM
Ok,
Some things to try/check
You could add the command
management-access inside
This would enable connections through the VPN to the "inside" interface IP address directly. You could for example try to send ICMP to the interface IP address of 192.168.201.200 directly and see if that works. If it works this would confirm that the VPN is at least forwarding the traffic to the ASA.
You could naturally also configure traffic capture for the ICMP traffic and confirm that the ASA sees ICMP Echo from the VPN Client leaving through the "inside" interface and if it sees anything coming back.
access-list VPN-CAP permit icmp 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list VPN-CAP permit icmp 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
capture VPN-CAP type raw-data access-list VPN-CAP interface inside buffer 1000000 circular-buffer
You could then connect with the VPN Client and try ICMP and then issue the command
show capture
This should tell us if any traffic is captured. If you see traffic captured then you can issue the following command
show capture VPN-CAP
This should tell us what the ASA has actually captured and would show us if the internal host replies to the ICMP
You could also send the capture to a host and open it with Wireshark for example
copy /pcap capture:VPN-CAP tftp://x.x.x.x/VPN-CAP.pcap
Though if you can't access any LAN host then I guess you might be able to maybe even send it to your VPN Client
You can remove the capture and its data with the command (this won't remove the ACL)
no capture VPN-CAP
- Jouni
01-30-2014 06:23 AM
I just noticed I am now also getting error messages, which is new. They are as follows.
3 Jan 30 2014 09:10:06 710003 71.87.x.x 49672 192.168.201.200 80 TCP access denied by ACL from 71.87.X.x/49672 to inside:192.168.201.200/80
and
6 Jan 30 2014 09:11:20 110003 192.168.201.200 443 71.87.x.x 49675 Routing failed to locate next hop for TCP from inside:192.168.201.200/443 to inside:71.87.x.x/49675
The 71.87.x.x IP is the remote user's IP address.
Also, since making your initial changes, I can now no longer get to the AnyConnect login screen.
01-30-2014 06:30 AM
Hi,
Is there actually anything connected to your "outside" interface then? If these connections are coming from behind the "inside" interface then this is truly a strange setup.
You can confirm if anything is connected behind the "outside" interface with the command
show arp
It should show ARP of the devices directly connected to the ASA or through some other L2 device.
If your users' gateway out of the LAN network truly is located behind the "inside" interface then you probably need to add the old default route back to the configuration instead of the one pointing to the "outside".
The NAT0 configuration should still apply.
- Jouni
01-30-2014 06:33 AM
Also,
Is the ASA gateway for your LAN users or some other device?
Just wondering if the original NAT0 configuration is actually required if all your traffic just takes a turn at the ASA before heading to some other gateway device out of the network.
- Jouni
01-30-2014 07:00 AM
This is how the network was set up when I got to it. There is a broadband modem/gateway connected to a Charter cable connection. This gateway seems to be functioning as a bridge which hands all traffic over to a common wireless router. The router has a connection to a 16 port switch that all the office PCs are connected to. Some PCs have static IPs, some are DHCP. There is also an application file server and a fax server on the 16 port switch. Because they have so many ports forwarded to random machines, and static IPs that make no sense organizationally. When I attempted to connect the ASA directly to the broadband modem/gateway... I could not get any traffic from the outside world into the ASA. Moving it behind the router seemed to fix that. However, the router was still blocking SSL traffic. So I forwarded port 443 on the router to the inside interface and turned VPN access on on the inside interface. This finally gave me outside VPN access, but I still couldn't get access to networked drives through the VPN.
01-30-2014 07:14 AM
Hi,
What is the gateway IP address of the LAN hosts/servers?
If it's not the ASA "inside" interface IP address then I would presume that the problem with the VPN is simply routing.
If for example your LAN hosts/servers use the Wireless router as their gateway of the LAN then the following would happen to your VPN Clients connections.
So if the above presumption would be correct then you would at least need a route configuration on the Wireless Router that tells that device to forward traffic towards network 192.168.202.0/24 towards the gateway IP address of 192.168.201.200 (which is the ASA)
Let me know if the setup is as described above.
- Jouni
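The return path described in the reply above, worked through as an added example that is not part of the original thread: it follows a LAN host's reply to a VPN client hop by hop using longest-prefix match. It assumes the LAN hosts use the wireless router as their default gateway; the node names and the three routing-table variants are illustrative.

```python
import ipaddress

# 192.168.202.2 is an address from the KunduVPN pool in the posted config.
VPN_CLIENT = "192.168.202.2"

def next_hop(table, dst):
    """Longest-prefix match over (prefix, hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def reply_path(tables, dst, start="host", max_hops=8):
    """Follow a packet from `start` until it reaches a node without a table
    ('lan', 'wan', 'tunnel'), is dropped, or exceeds max_hops (loop guard)."""
    path = [start]
    while path[-1] in tables and len(path) <= max_hops:
        hop = next_hop(tables[path[-1]], dst)
        path.append(hop if hop else "drop")
    return path

def build(router_extra=(), router_default="wan"):
    """Routing tables for the three devices (assumed topology)."""
    return {
        # LAN host/server: default gateway is the wireless router (assumption).
        "host": [("192.168.201.0/24", "lan"), ("0.0.0.0/0", "router")],
        # Wireless router: knows only its own subnet plus a default route.
        "router": [("192.168.201.0/24", "lan"),
                   ("0.0.0.0/0", router_default), *router_extra],
        # ASA inside interface 192.168.201.200: VPN pool is behind the tunnel.
        "asa": [("192.168.201.0/24", "lan"), ("192.168.202.0/24", "tunnel")],
    }

# 1. As found: the router has no route for the VPN pool.
AS_FOUND = build()
# 2. Suggested fix: static route on the router, 192.168.202.0/24 via the ASA.
STATIC_ROUTE = build(router_extra=[("192.168.202.0/24", "asa")])
# 3. Restructured network: the ASA is the router's upstream.
ASA_UPSTREAM = build(router_default="asa")

def reaches_client(tables):
    """True when the host's reply ends up in the VPN tunnel."""
    return reply_path(tables, VPN_CLIENT)[-1] == "tunnel"
```

In the as-found tables the reply leaves via the router's WAN side and never returns to the ASA, which matches the symptom that the client connects and gets an address but cannot reach any LAN resource.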
01-30-2014 07:17 AM
The office has started their business day so I cannot access the networks again until later today when the doctors have gone home. I will get all the info I can when they pack up for the day.
01-30-2014 03:01 PM
I'm pretty sure you've hit the nail on the head. Routing has got to be the issue. Later tonight I'm going to try to put the ASA between the gateway and the router and reconfigure. I didn't want to do something that high up on the network infrastructure, but the router cannot route traffic to any subnet besides its own so this is my only choice. If I hit problems I'll probably post another reply on here. Thank you so much for your help so far JouniForss!
02-02-2014 06:52 PM
You were absolutely right. I had to bite the bullet and restructure the network. Once I put it together in a logical, organized manner, I had no issues. Thank you Jouni!