I work with a Cisco ASA 5510.

I have enabled remote VPN connections with RADIUS authentication to two different internal networks:

  • 10.1.0.0/16
  • 10.10.0.0/16

from the mobile VPN pool 192.168.111.0/24.

The setup works perfectly on 10.1.0.0/16 and fails completely on 10.10.0.0/16 (over the VPN), even though I set up both in exactly the same way.

I enabled debug icmp trace:

  • When I ping from VPN 192.168.111.1 to 10.1.2.2, I see the ping and the reply going through the gateway.
  • When I ping 10.10.2.2 from 192.168.111.1, the ping doesn't even show up in the trace. It is lost before the gateway, but the route on the remote client exists and is correctly configured by the Cisco VPN software.

It drives me crazy. Any guidance appreciated.

My configuration can be read from:

  • here (I've only hidden the public IP and password in it.)

Comments:

  • Do you have NAT exempt rules to avoid NAT'ing the traffic? – pauska Oct 03 '13 at 14:59
  • Yes, we have NAT exempt rules for both ... please check the configuration file for more details: https://gist.github.com/CitizenInsane/63f4b1c1a20a83b56a79 – CitizenInsane Oct 03 '13 at 15:03

1 Answer

We have found the solution (and the reason it was not working) from someone who had exactly the same kind of issue:

Right now, I can connect, the authentication works, the split tunneling works, but I can't access the inside LAN. I see the packets go in but they can't get out. I've been looking around for a while and I can't figure out how to permit the packets back onto the tunnel.

Reported solution is:

no ip local pool Local_IPs 192.168.1.200-192.168.1.220 mask 255.255.255.0 
no access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0 

ip local pool Local_IPs 192.168.2.1-192.168.2.15 mask 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240 

nat (inside) 0 access-list inside_nat0_outbound 

Extracted from:

http://www.networking-forum.com/viewtopic.php?p=41812
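The reported fix corrects two things at once: the VPN pool (192.168.1.200-220) sat inside the LAN's own 192.168.1.0/24, and the nat 0 exemption was then rewritten as "inside LAN to pool". The script below is an added example (not the poster's configuration or anything from the linked thread) that reads the three statement forms shown in the answer, "ip local pool", "access-list ... extended permit ip", and "nat (inside) 0 access-list", from an ASA 8.2-style config and reports both mistakes: a pool that overlaps an inside network, and an inside network with no NAT exemption toward the pool. The three config snippets are constructed: the first two are the before/after from the answer, the third borrows the question's addressing (10.1.0.0/16, 10.10.0.0/16, pool 192.168.111.0/24) to show what a missing exemption for the second LAN looks like; it is illustrative only and not a claim about what was actually in the poster's gist.

```python
"""Check an ASA 8.2-style config for two remote-access VPN mistakes:
a VPN address pool overlapping an inside network, and a nat 0 ACL that
does not exempt inside-network -> pool traffic from NAT.
Added example; the configs below are constructed and the parser only
understands the statement forms shown in the answer."""

import ipaddress


def _take_addr(tokens, i):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (pools, acls, nat0) from the relevant lines of the config.

    pools: name -> (first address, last address, covering network)
    acls:  name -> list of (src network, dst network) for 'permit ip' entries
    nat0:  interface name -> ACL name used by 'nat (if) 0 access-list'
    """
    pools, acls, nat0 = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            # t[6] is the mask; the pool's covering network is first/mask
            net = ipaddress.ip_network(f"{first}/{t[6]}", strict=False)
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last), net)
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _take_addr(t, 5)
            dst, _ = _take_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
    return pools, acls, nat0


def check(text, inside_nets, inside_if="inside"):
    """Return a list of findings; an empty list means both checks pass."""
    pools, acls, nat0 = parse_config(text)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    # 1. The pool must not overlap any inside network.
    for name, (first, last, pool_net) in pools.items():
        for lan in inside:
            if first in lan or last in lan or lan.subnet_of(pool_net):
                findings.append(f"pool {name} {first}-{last} overlaps inside network {lan}")
    # 2. Every inside network -> pool flow must be exempted from NAT.
    #    For 'nat (inside) 0 access-list', the ACE source is the inside-side
    #    address and the destination is the VPN-side address.
    acl_name = nat0.get(inside_if)
    if acl_name is None:
        findings.append(f"no 'nat ({inside_if}) 0 access-list' statement")
        return findings
    aces = acls.get(acl_name, [])
    for name, (_, _, pool_net) in pools.items():
        for lan in inside:
            if not any(lan.subnet_of(src) and pool_net.subnet_of(dst) for src, dst in aces):
                findings.append(
                    f"ACL {acl_name} does not exempt {lan} -> pool {name} ({pool_net}) from NAT")
    return findings


# Constructed configs. BROKEN_CFG / FIXED_CFG mirror the before/after in the answer.
BROKEN_CFG = """
ip local pool Local_IPs 192.168.1.200-192.168.1.220 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

FIXED_CFG = """
ip local pool Local_IPs 192.168.2.1-192.168.2.15 mask 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
"""

# Hypothetical two-LAN config using the question's addressing, with the
# exemption written for only one of the two inside networks.
TWO_LAN_CFG = """
ip local pool VPN_POOL 192.168.111.1-192.168.111.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.111.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

if __name__ == "__main__":
    for label, cfg, lans in (("broken", BROKEN_CFG, ["192.168.1.0/24"]),
                             ("fixed", FIXED_CFG, ["192.168.1.0/24"]),
                             ("two-LAN", TWO_LAN_CFG, ["10.1.0.0/16", "10.10.0.0/16"])):
        print(f"{label}: {check(cfg, lans) or 'OK'}")
```

On the broken config the script reports only the overlap: the old "permit ip any 192.168.1.0 255.255.255.0" entry does technically exempt the traffic, so the unreachable LAN there was the addressing clash, not a missing exemption. In the two-LAN case, it is the second inside network that goes unexempted, which is the kind of asymmetry to look for when one LAN works over the tunnel and the other does not.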