Cisco ASA 5505 – VPN not able to access certain network

Tags: cisco, cisco-asa, firewall, vpn

First of all, I have fairly basic knowledge of Cisco ASAs, but I'm attempting to look into something that is bugging me.

I am working through the ASDM as opposed to the CLI.

We have a Cisco ASA5505 router that has the 192.168.1.x network connected on Ethernet Port 0. We also have a set of switches which are linked to the ASA through Ethernet Port 3 on 192.168.71.x.

The connectivity between the 2 is functioning without a hitch. My issue is currently with users that VPN in. When users VPN in they obtain a 192.168.73.x address given by the ASA. They are able to access anything on the 192.168.1.x through Ethernet 0 but unable to access anything on the 192.168.71.x network through Ethernet 3.

So, in a brief summary, no issues talking to either network when inside of the ASA but when connecting to the ASA through VPN only access to 192.168.1.x network on Ethernet 0.

Any pointers or information on where I should be looking for answers would be much appreciated, and if you need any more information to help, then by all means I can try and explain as best I can!

UPDATE:

Visit www.fresh.co.uk/CiscoConfiguration/Cisco.txt for Configuration of Cisco ASA.

Also, I have an issue on here which could well be part of the problem. Under VPN > Connection Gateway, there is an entry in there for the 71.x network (the network that needs access) which is pointing to the incorrect gateway. I attempted to change this to the correct gateway (71.253), but got the errors "Cannot remove connected route" and "Cannot add route, connected route exists".

Best Answer

I had to make a similar change recently, where I needed to add two additional subnets, though I used the CLI rather than ASDM. With version 9.1, I created some new objects for the subnets and then it was just a matter of adding the additional subnets to the split-tunnel ACL (if used) as well as adding additional NAT rules.

For example:

! Objects for the remote-access pool and for each subnet VPN users must reach
object network {REMOTE_VPN_USER_SUBNET}
 subnet 10.0.1.0 255.255.255.0
object network {EXISTING_VPN_ACCESSIBLE_SUBNET_1}
 subnet 10.0.2.0 255.255.255.0
object network {NEW_VPN_ACCESSIBLE_SUBNET_2}
 subnet 10.0.3.0 255.255.255.0
object network {NEW_VPN_ACCESSIBLE_SUBNET_3}
 subnet 10.0.4.0 255.255.255.0

! Split-tunnel ACL: one entry per internal subnet that should be routed through the tunnel
access-list {YOUR_SPLIT-TUNNEL_LIST} standard permit 10.0.2.0 255.255.255.0
access-list {YOUR_SPLIT-TUNNEL_LIST} standard permit 10.0.3.0 255.255.255.0
access-list {YOUR_SPLIT-TUNNEL_LIST} standard permit 10.0.4.0 255.255.255.0
! The list is attached inside the group policy used by the VPN connection profile
group-policy {YOUR_GROUP_POLICY} attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value {YOUR_SPLIT-TUNNEL_LIST}

! Identity (twice) NAT so traffic between each internal subnet and the VPN pool is not translated
nat (RELEVANT_INTERFACE_OR_VLAN_NAME,outside) source static {EXISTING_VPN_ACCESSIBLE_SUBNET_1} {EXISTING_VPN_ACCESSIBLE_SUBNET_1} destination static {REMOTE_VPN_USER_SUBNET} {REMOTE_VPN_USER_SUBNET} no-proxy-arp route-lookup
nat (RELEVANT_INTERFACE_OR_VLAN_NAME,outside) source static {NEW_VPN_ACCESSIBLE_SUBNET_2} {NEW_VPN_ACCESSIBLE_SUBNET_2} destination static {REMOTE_VPN_USER_SUBNET} {REMOTE_VPN_USER_SUBNET} no-proxy-arp route-lookup
nat (RELEVANT_INTERFACE_OR_VLAN_NAME,outside) source static {NEW_VPN_ACCESSIBLE_SUBNET_3} {NEW_VPN_ACCESSIBLE_SUBNET_3} destination static {REMOTE_VPN_USER_SUBNET} {REMOTE_VPN_USER_SUBNET} no-proxy-arp route-lookup
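As an added example (not code from the question or the answer), the checker below applies the answer's recipe to the question's networks: it parses an ASA-style config fragment and reports, for each subnet VPN users should reach, whether it is missing from the split-tunnel ACL or has no identity NAT rule toward the VPN pool. The config text, the object names and the ACL name are constructed; only the 192.168.1.x, 192.168.71.x and 192.168.73.x networks come from the question.

```python
import ipaddress
import re

# Constructed ASA-style config (not from the page): the question's networks with
# made-up object/ACL names; 192.168.71.0/24 has no split-tunnel or NAT entry.
SAMPLE_CONFIG = """
object network VPN_POOL
 subnet 192.168.73.0 255.255.255.0
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network SWITCH_LAN
 subnet 192.168.71.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
"""

def parse_objects(cfg):
    """Map each 'object network' name to its subnet."""
    objs, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object network (\S+)", line)
        sub = re.match(r"\s+subnet (\S+) (\S+)", line)
        if head:
            current = head.group(1)
        elif sub and current:
            objs[current] = ipaddress.ip_network(f"{sub.group(1)}/{sub.group(2)}")
    return objs

def split_tunnel_nets(cfg, acl):
    """Subnets permitted by the standard ACL used as the split-tunnel list."""
    pat = re.compile(rf"access-list {re.escape(acl)} standard permit (\S+) (\S+)")
    return {ipaddress.ip_network(f"{a}/{m}") for a, m in pat.findall(cfg)}

def nat_exempt_nets(cfg, objs, pool):
    """Subnets with an identity (twice) NAT rule toward the VPN pool object."""
    pat = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2")
    return {objs[src] for src, dst in pat.findall(cfg) if dst == pool and src in objs}

def missing_for_vpn(cfg, acl, pool, reachable):
    """Return {subnet: [problems]} for each subnet VPN users should reach."""
    objs = parse_objects(cfg)
    split, exempt = split_tunnel_nets(cfg, acl), nat_exempt_nets(cfg, objs, pool)
    report = {}
    for net in map(ipaddress.ip_network, reachable):
        problems = [msg for bad, msg in ((net not in split, "not in split-tunnel ACL"),
                                         (net not in exempt, "no NAT exemption to VPN pool")) if bad]
        if problems:
            report[str(net)] = problems
    return report
```

Running `missing_for_vpn(SAMPLE_CONFIG, "SPLIT_TUNNEL", "VPN_POOL", ["192.168.1.0/24", "192.168.71.0/24"])` flags only 192.168.71.0/24, which mirrors the symptom in the question: the Ethernet 3 network is reachable from inside but neither advertised to VPN clients nor exempted from NAT.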