johngo1
New Member
Posts:
6
Joined:
Thu Dec 29, 2011 1:17 pm

Help - VPN Can't access subnets behind 2nd router

Sun Mar 11, 2012 8:51 pm

Hi guys,

Looking for a little help after a day of frustration. I am really new to this and studying so I know that I am doing something dumb. Anyway, I purchased an ASA 5505 and placed it between my Cable Modem and Cisco 3745 router. The outside interface on the ASA is dhcp, the inside interface is 192.168.100.1. The outside interface of the 3745 is 192.168.100.2 and the inside is 192.168.1.1. The VPN pool is 192.168.200.10 - 192.168.200.10.

Thanks in advance!

Here are the problems...

1. When I establish a VPN session to the ASA, I can ping and access any resources directly connected to the ASA's interfaces and on the ASA's internal 192.168.100.0 network. However, I cannot access any resources behind the 3745. I cannot even ping 192.168.1.1. Even directly connected hosts on the ASA cannot access hosts in the 192.168.1.x subnet. There appears to be no traffic between 192.168.100.0 and 192.168.1.0.

2. Although I believe that I set up split-tunnel, I cannot U-Turn back to the internet once connected to the VPN.



Here is my network topology as well as my ASA config and Router config.....


ASA ......

ASA Version 8.2(5)
!
hostname poog-fw1
domain-name poog
enable password ********** encrypted
************ encrypted
names
name 192.168.100.2 RouterWAN
name 192.168.100.0 Internal
name 192.168.200.0 VPN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 167.206.245.129
name-server 167.206.245.130
domain-name poog
same-security-traffic permit intra-interface
object-group network VPN
object-group network RouterWAN
object-group network RouterWAN-01
object-group network RouterWAN-02
object-group network RouterWAN-03
object-group network RouterWAN-04
object-group network RouterWAN-05
object-group network obj_any
object-group network obj_any-01
object-group network obj-0.0.0.0
object-group network iphone
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp VPN 255.255.255.0 any
access-list outside_access_in remark Telnet to Router
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in remark IP Cameras
access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in remark FTP to NAS
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark VNC to WX Server
access-list outside_access_in extended permit tcp any interface outside eq 5900
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Telnet to Router
access-list outside_access_in remark IP Cameras
access-list outside_access_in remark FTP to NAS
access-list outside_access_in remark VNC to WX Server
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0
access-list split-tunnel standard permit Internal 255.255.255.0
access-list split-tunnel standard permit host 192.168.1.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255
static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255
static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255
static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router rip
network Internal
default-information originate
version 2
no auto-summary
!
route inside 192.168.1.0 255.255.255.0 RouterWAN 1
route inside VPN 255.255.255.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Internal 255.255.255.0 inside
http VPN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet Internal 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address RouterWAN-RouterWAN inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 167.206.245.129
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value split-tunnel
group-policy Clientless internal
group-policy Clientless attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value VPN_Book_Marks
group-policy AnyConnect internal
group-policy AnyConnect attributes
banner value Welcome To My Network
dns-server value 167.206.245.129
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value poog
webvpn
url-list value VPN_Book_Marks
svc keep-installer installed
svc ask none default svc
username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0
username ogonzalez attributes
vpn-group-policy Clientless
username jgonzalez password ymcpO334smdskkpl encrypted privilege 0
username jgonzalez attributes
vpn-group-policy AnyConnect
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPOOL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
group-url https://69.121.142.156/RAVPN enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPNPOOL
default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
group-url https://69.121.142.156/AnyConnect enable
tunnel-group Clientless type remote-access
tunnel-group Clientless general-attributes
default-group-policy Clientless
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7d91e2ad8d7a86c40860fa8a1b117271
: end


Router.....


Current configuration : 1922 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname poog_rtr1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
no logging monitor
enable secret 5 *************.
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool DHCP1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 167.206.245.129 167.206.245.130
!
!
!
!
!
!
!
!
!
!
!
!
username ***** privilege 15 password 0 *****
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
network 192.168.1.0
network 192.168.100.0
network 192.168.200.0
no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.13 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 192.168.1.12 1022 interface FastEthernet0/1 1022
ip nat inside source static tcp 192.168.1.11 1021 interface FastEthernet0/1 1021
ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.1.1 23 interface FastEthernet0/1 23
ip http server
ip http authentication local
ip classless
ip route 192.168.200.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit any
no cdp run
!
!
!
!
!
!
!
dial-peer cor custom
!
!
!
gateway
!
banner motd ^C
***** UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED! *****^C
!
line con 0
line aux 0
line vty 0 4
login local
!
end

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Help - VPN Can't access subnets behind 2nd router

Sun Mar 11, 2012 9:21 pm

Few things I see:

1. You're still NAT'ing everything behind your 3745 to its "wan" ip address, is this intended? Since your ASA is now your gateway to the internet, I'd suggest removing the NAT config on it, it doesn't really do anything worthwhile.

2. In relation to number 1, add the network behind the 3745 to your nat 0 access-list.

3. Assuming that you're using the "RAVPN" tunnel-group for your VPN and therefore using the "DfltGrpPolicy" group-policy, you need to add "split-tunnel-policy tunnelspecified" in addition to the access-list to enable split-tunneling; default behavior is to tunnel everything.

4. If you want to hairpin on your outside interface for internet access (in case you decide NOT to use split-tunneling), add a nat statement on your outside that matches your VPN subnet and link it to the outside's global nat id, i.e. nat (outside) 101 192.168.200.0 255.255.255.0
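The two configuration prerequisites in points 2 and 3 (every split-tunnelled subnet must also be NAT-exempt towards the VPN pool, and the group-policy must carry `split-tunnel-policy tunnelspecified`) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it is a heuristic parser for the specific ASA 8.2 line forms used in this thread (`name`, standard and extended `access-list`, `ip local pool`, `nat (inside) 0`, and a `group-policy ... attributes` block), and the config excerpt it runs on is constructed from the original poster's config, first as posted and then with the two fixes applied. The check that a `host` entry ending in `.0` probably should have been a subnet is my own addition; it flags the `permit host 192.168.1.0` line in the original split-tunnel ACL.

```python
"""Check an ASA 8.2-style config for the split-tunnel prerequisites: each
split-tunnel subnet NAT-exempt towards the VPN pool, and the group-policy
set to 'tunnelspecified'. Added example; parser covers only the line forms
seen in this thread, and the configs below are constructed excerpts."""
import ipaddress
import re

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
# An address term is either 'host A.B.C.D' or 'A.B.C.D MASK'; 'name' aliases allowed.
ADDR = r"(?:host (\S+)|(\S+) (\S+))"
STD_RE = re.compile(rf"^access-list (\S+) standard permit {ADDR}$")
EXT_RE = re.compile(rf"^access-list (\S+) extended permit ip {ADDR} {ADDR}$")

# Constructed excerpt of the original poster's config, as first posted.
ORIGINAL_CONFIG = """
name 192.168.100.2 RouterWAN
name 192.168.100.0 Internal
name 192.168.200.0 VPN
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0
access-list split-tunnel standard permit Internal 255.255.255.0
access-list split-tunnel standard permit host 192.168.1.0
ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy DfltGrpPolicy attributes
 dns-server value 167.206.245.129
 split-tunnel-network-list value split-tunnel
"""

# The same excerpt after applying points 2 and 3 (constructed).
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "permit host 192.168.1.0", "permit 192.168.1.0 255.255.255.0"
).replace(
    "nat (inside) 0 access-list inside_nat0_outbound",
    "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0\n"
    "nat (inside) 0 access-list inside_nat0_outbound",
).replace(
    " split-tunnel-network-list value split-tunnel",
    " split-tunnel-policy tunnelspecified\n split-tunnel-network-list value split-tunnel",
)


def lines(cfg):
    return [l.strip() for l in cfg.splitlines() if l.strip()]


def to_net(names, host, addr, mask):
    """Resolve a 'host X' or 'X MASK' pair (name aliases allowed) to an ip_network."""
    if host is not None:
        return ipaddress.ip_network(f"{names.get(host, host)}/32")
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{names.get(mask, mask)}", strict=False)


def parse_names(cfg):
    return {m.group(2): m.group(1) for m in map(NAME_RE.match, lines(cfg)) if m}


def pool_network(cfg):
    """Network containing the address pool, from its first address and mask."""
    for m in map(POOL_RE.match, lines(cfg)):
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def split_tunnel_nets(cfg, acl_id, names):
    return [to_net(names, *m.groups()[1:]) for m in map(STD_RE.match, lines(cfg))
            if m and m.group(1) == acl_id]


def nat0_pairs(cfg, names):
    """(source, destination) networks exempted by the inside nat 0 ACL."""
    acl_id = next((m.group(1) for m in map(NAT0_RE.match, lines(cfg)) if m), None)
    pairs = []
    for m in map(EXT_RE.match, lines(cfg)):
        if m and m.group(1) == acl_id:
            g = m.groups()
            pairs.append((to_net(names, *g[1:4]), to_net(names, *g[4:7])))
    return pairs


def group_policy_attrs(cfg, policy):
    """Lines of one 'group-policy X attributes' block (indentation may be lost in pastes)."""
    attrs, inside = [], False
    for l in lines(cfg):
        if l == f"group-policy {policy} attributes":
            inside = True
        elif inside and l.startswith(("group-policy ", "username ", "tunnel-group ")):
            break
        elif inside:
            attrs.append(l)
    return attrs


def check_split_tunnel(cfg, policy):
    """Return a list of findings; an empty list means both prerequisites hold."""
    names, pool, attrs, findings = parse_names(cfg), pool_network(cfg), group_policy_attrs(cfg, policy), []
    if "split-tunnel-policy tunnelspecified" not in attrs:
        findings.append(f"{policy}: no 'split-tunnel-policy tunnelspecified' (default tunnels everything)")
    acl_id = next((a.split()[-1] for a in attrs if a.startswith("split-tunnel-network-list value ")), None)
    if acl_id is None or pool is None:
        findings.append(f"{policy}: missing split-tunnel-network-list or address pool")
        return findings
    exempt = nat0_pairs(cfg, names)
    for net in split_tunnel_nets(cfg, acl_id, names):
        if net.prefixlen == 32 and net.network_address.packed[-1] == 0:   # heuristic: 'host x.y.z.0'
            findings.append(f"{acl_id}: 'host {net.network_address}' is a single address, not the subnet")
        if not any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt):
            findings.append(f"{net} is split-tunnelled but not NAT-exempt towards {pool}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_split_tunnel(cfg, "DfltGrpPolicy") or ["ok"])
```

Run against the original excerpt it reports three findings (the missing `tunnelspecified`, the `host 192.168.1.0` entry, and 192.168.1.0 not being NAT-exempt); against the fixed excerpt it reports none. Because the ASA applies `nat-control`, a split-tunnelled subnet that is not in the nat 0 ACL is translated to the outside interface address on the way to the VPN client, which is exactly the kind of asymmetric flow the ASA then refuses.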

johngo1
New Member
Posts:
6
Joined:
Thu Dec 29, 2011 1:17 pm

Re: Help - VPN Can't access subnets behind 2nd router

Sun Mar 11, 2012 10:21 pm

1. You're still NAT'ing everything behind your 3745 to its "wan" ip address, is this intended? Since your ASA is now your gateway to the internet, I'd suggest removing the NAT config on it, it doesn't really do anything worthwhile.

>>> The hosts on 192.168.1.0 still point to the 3745 for their internet gateway since the 3745 is the dhcp server. Should I do this differently?


2. In relation to number 1, add the network behind the 3745 to your nat 0 access-list.

>>> I did this but still can't access 192.168.1.0


4. If you want to hairpin on your outside interface for internet access (in case you decide NOT to use split-tunneling), add a nat statement on your outside that matches your VPN subnet and link it to the outside's global nat id, i.e. nat (outside) 101 192.168.200.0 255.255.255.0

>>> This did the trick to hair pin. Thanks.

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Help - VPN Can't access subnets behind 2nd router

Mon Mar 12, 2012 8:11 am

The ASA is most likely dropping the traffic when you try to reach 192.168.1.0/24 from the VPN, because the flow doesn't make sense.

It starts out as src:192.168.200.x to dst:192.168.1.x. When the host responds, it gets NAT'ed to the 3745 fa0/1's address which makes the flow src:192.168.100.2 to dst:192.168.200.x.

In other words, you open a connection to one IP and get a response back from a different IP. I would remove the NAT config completely from the 3745. If you want to access some services from the internet, change your static NATs so that they point to the 192.168.1.0/24 hosts.
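The flow described above is a textbook asymmetric-NAT drop, and it can be modelled in a few lines. The script below is an added example, not code from the thread: it implements a toy stateful firewall that builds a connection entry from the first packet and accepts a reply only if it is the exact reverse of that entry (the behaviour the ASA shows here), plus a toy router that, when its overload NAT is on, rewrites the LAN host's reply to its WAN address 192.168.100.2. Addresses are the thread's; the ports and the translated port number are constructed.

```python
"""Toy model of the asymmetric NAT problem: the ASA opens a connection
192.168.200.x -> 192.168.1.x, but the 3745's 'ip nat inside source ...
overload' rewrites the host's reply to 192.168.100.2, so the reply no
longer matches the connection and is dropped. Added example; ports are
constructed values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal ASA-like connection table keyed on the 4-tuple of the first packet."""

    def __init__(self):
        self.conns = set()
        self.log = []

    def open_conn(self, p):
        self.conns.add((p.src, p.sport, p.dst, p.dport))
        self.log.append(f"Built conn {p.src}:{p.sport} -> {p.dst}:{p.dport}")

    def accept_reply(self, p):
        """A reply is accepted only if its reverse 4-tuple is an existing connection."""
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.conns:
            self.log.append(f"Reply {p.src}:{p.sport} -> {p.dst}:{p.dport} matches conn")
            return True
        # The real ASA records this class of drop as a 'no connection' deny in syslog,
        # which is what to look for when enabling logging as suggested later in the thread.
        self.log.append(f"Deny (no connection) {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return False


class PatRouter:
    """The 3745 with or without its overload NAT from LAN to the WAN interface."""

    def __init__(self, wan_ip, nat_enabled):
        self.wan_ip = wan_ip
        self.nat_enabled = nat_enabled
        self.next_port = 1024          # constructed: first translated source port

    def lan_to_wan(self, p):
        """Packets leaving the LAN towards the WAN: PAT to the WAN address if NAT is on."""
        if not self.nat_enabled:
            return p
        translated = replace(p, src=self.wan_ip, sport=self.next_port)
        self.next_port += 1
        return translated


def simulate(nat_enabled):
    """Return (reply accepted?, source address the ASA saw on the reply, firewall log)."""
    asa = StatefulFirewall()
    rtr = PatRouter(wan_ip="192.168.100.2", nat_enabled=nat_enabled)
    request = Packet("192.168.200.10", 51234, "192.168.1.234", 80)   # VPN client -> LAN host
    asa.open_conn(request)                                            # ASA forwards it inside
    host_reply = Packet("192.168.1.234", 80, "192.168.200.10", 51234)  # host answers
    seen_by_asa = rtr.lan_to_wan(host_reply)                          # crosses the 3745
    return asa.accept_reply(seen_by_asa), seen_by_asa.src, asa.log


if __name__ == "__main__":
    for nat in (True, False):
        ok, reply_src, log = simulate(nat)
        print(f"3745 NAT {'on' if nat else 'off'}: reply from {reply_src} -> "
              f"{'accepted' if ok else 'dropped'}")
        for entry in log:
            print("  " + entry)
```

With the router's NAT on, the reply arrives at the ASA from 192.168.100.2 and is dropped for lack of a matching connection; with it off, the reply comes from 192.168.1.234 and matches. The same mismatch also explains why ICMP echo replies never make it back to the VPN client, since the ASA tracks those the same way.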

johngo1
New Member
Posts:
6
Joined:
Thu Dec 29, 2011 1:17 pm

Re: Help - VPN Can't access subnets behind 2nd router

Mon Mar 12, 2012 3:45 pm

I removed all NAT configs from the router and still no go. Really Really frustrated!!!! Thanks for your help though.

Let me know if you come up with anything else.

Odd thing....

From 192.168.1.234 I CAN ping 192.168.100.10
From 192.168.100.10 I CANNOT ping 192.168.1.234


Here is the current router config without the NAT...



Current configuration : 1350 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname poog_rtr1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
no logging monitor
enable secret 5 $1$nyJu$pFYfarqMCR.qvPgpLK/cD.
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool DHCP1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 167.206.245.129 167.206.245.130
!
!
!
!
!
!
!
!
!
!
!
!
username ***** privilege 15 password 0 *****
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
network 192.168.1.0
network 192.168.100.0
no auto-summary
!
ip http server
ip http authentication local
ip classless
ip route 192.168.200.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit any
!
!
!
!
!
!
!
dial-peer cor custom
!
!
!
gateway
!
banner motd ^C
***** UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED! *****^C
!
line con 0
line aux 0
line vty 0 4
login local
!
end



Here is the current ASA config....

ASA Version 8.2(5)
!
hostname poog-fw1
domain-name poog
enable password ***** encrypted
passwd ****** encrypted
names
name 192.168.100.2 RouterWAN
name 192.168.100.0 Internal
name 192.168.200.0 VPN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 167.206.245.129
name-server 167.206.245.130
domain-name poog
same-security-traffic permit intra-interface
object-group network VPN
object-group network RouterWAN
object-group network RouterWAN-01
object-group network RouterWAN-02
object-group network RouterWAN-03
object-group network RouterWAN-04
object-group network RouterWAN-05
object-group network obj_any
object-group network obj_any-01
object-group network obj-0.0.0.0
object-group network iphone
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp VPN 255.255.255.0 any
access-list outside_access_in remark Telnet to Router
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in remark IP Cameras
access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in remark FTP to NAS
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark VNC to WX Server
access-list outside_access_in extended permit tcp any interface outside eq 5900
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Telnet to Router
access-list outside_access_in remark IP Cameras
access-list outside_access_in remark FTP to NAS
access-list outside_access_in remark VNC to WX Server
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0
access-list split-tunnel standard permit Internal 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (outside) 101 VPN 255.255.255.0
static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255
static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255
static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255
static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router rip
network Internal
default-information originate
version 2
no auto-summary
!
route inside 192.168.1.0 255.255.255.0 RouterWAN 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Internal 255.255.255.0 inside
http VPN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet Internal 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address RouterWAN-RouterWAN inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 167.206.245.129
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value split-tunnel
group-policy AnyConnect internal
group-policy AnyConnect attributes
banner value You are about to connect via VPN to this network. Unauthorized Access is prohibited and tracked.
dns-server value 167.206.245.129
vpn-tunnel-protocol svc webvpn
default-domain value poog
webvpn
url-list value VPN_Book_Marks
svc keep-installer installed
svc ask none default svc
username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0
username jgonzalez password ymcpO334smdskkpl encrypted privilege 0
username jgonzalez attributes
vpn-group-policy AnyConnect
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPNPOOL
default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
group-url https://69.121.142.156/AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e3461977aaca2a70f1af0f7200653080

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Help - VPN Can't access subnets behind 2nd router

Mon Mar 12, 2012 4:57 pm

Remove the "ip nat inside" and "ip nat outside" from your interfaces on the 3745.

johngo1
New Member
Posts:
6
Joined:
Thu Dec 29, 2011 1:17 pm

Re: Help - VPN Can't access subnets behind 2nd router

Mon Mar 12, 2012 5:56 pm

I removed the nat statements and VPN can now access all of the inside resources. The only thing that does not work is traffic from hosts on 192.168.100.0 to hosts on 192.168.1.0. The other way around I can ping which is odd.

I do not plan on having hosts on the 192.168.100.0 subnets so I am not worried, just curious.

Any ideas?

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Help - VPN Can't access subnets behind 2nd router

Mon Mar 12, 2012 7:29 pm

What gateway did you put for your 192.168.100.0/24 host? If you set it as the ASA's inside IP address, you might get some wonky behavior since you're going to the inside interface and being routed out from the inside interface, which ASAs don't allow by default.

You'd have to turn on logging and try again to see what the ASA complains about and fix it accordingly.
