Cisco VPN :: 3745 - Can't Access Internal Subnets Behind 2nd Router

Mar 10, 2012

I am really new to this and studying so I know that I am doing something dumb. Anyway, I purchased an ASA 5505 and placed it between my Cable Modem and Cisco 3745 router. The outside interface on the ASA is dhcp, the inside interface is 192.168.100.1. The outside interface of the 3745 is 192.168.100.2 and the inside is 192.168.1.1. The VPN pool is 192.168.200.10 - 192.168.200.10.
 
Here are the problems...
 
1. When I establish a VPN session to the ASA, I can ping and access any resources directly connected to the ASA's interfaces and on the ASA's internal 192.168.100.0 network. However, I cannot access any resources behind the 3745. I cannot even ping 192.168.1.1.
 
2. Although I believe that I set up split-tunnel, I cannot U-Turn back to the internet once connected to the VPN.


Cisco Firewall :: ASA 5520 - Allowing Guest Wireless Network Access To Internal Subnets

Jan 23, 2012

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
 
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seamlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.


Cisco Firewall :: Routing To Internal Subnets From ASA 5510

May 17, 2012

Having trouble with a couple items. First of all, should I be able to ping the inside interface of the ASA from all internal subnets assuming all of these subnets/vlans are directly connected to the same L3 switch? I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet. I have setup static routing on the ASA [route inside 10.10.96.0 255.255.248.0 10.30.1.1 1] and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5]. The inside interface is on the 10.30.1.x/24 subnet. My host is on the 10.10.96.x/21 subnet. From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212. I can however ping 10.30.1.1 from 10.10.96.212.
 
This leads to my next issue, which is trying to setup the ASA to work concurrently with our current firewall.  I'm doing this in order to transition to the ASA.  I'd much prefer to cutover inbound NAT a little at a time vs. doing it all at once.  Our current firewall is setup at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2).  So my question is, if I setup an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing **** since the default route points back to our other firewall? 


Cisco :: VPN Can't Access Subnets Behind 2nd Router

Mar 11, 2012

I purchased an ASA 5505 and placed it between my Cable Modem and Cisco 3745 router. The outside interface on the ASA is dhcp, the inside interface is 192.168.100.1. The outside interface of the 3745 is 192.168.100.2 and the inside is 192.168.1.1. The VPN pool is 192.168.200.10 - 192.168.200.10.

1. When I establish a VPN session to the ASA, I can ping and access any resources directly connected to the ASA's interfaces and on the ASA's internal 192.168.100.0 network. However, I cannot access any resources behind the 3745. I cannot even ping 192.168.1.1. Even directly connected hosts on the ASA cannot access Hosts in the 192.168.1.x subnet. There appears to be no traffic between 192.168.100.0 and 192.168.1.0.

2. Although I believe that I set up split-tunnel, I cannot U-Turn back to the internet once connected to the VPN.

Here is my network topology as well as my ASA config and Router config.....

ASA ......
ASA Version 8.2(5)
!
hostname poog-fw1
domain-name poog

[code]....


Cisco Wireless :: 877 As Access Point And DSL Router To Subnets

Sep 3, 2012

I have been using an 877 to provide DSL access and wireless access point from two separate wired subnets. The idea is that traffic from one subnet will be routed to the DSL connection. The other subnet provides a bridged connection to wireless clients. Both subnets being isolated from each other. In the former case the router acts as DHCP server, whilst in the latter case a separate DHCP server is used. Despite all apparently working, recent introduction of a wireless client did not work and seemed to be acquiring a DHCP lease from the router rather than the external DHCP server. It seems that broadcast traffic from the router DHCP server was traversing to the wrong interfaces, despite (I hope) only the wireless and the second wired subnet being in the bridge group.
 
The salient parts of my config are enclosed below. I have anonymized the public addresses using q1.q2.q3 therein.

!
dot11 ssid MYSSID
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address q1.q2.q3.15 q1.q2.q3.254
ip dhcp excluded-address q1.q2.q3.1 q1.q2.q3.8
!
ip dhcp pool sdm-pool1
   import all
   network q1.q2.q3.0 255.255.255.0
   domain-name
[Code]....


Cisco WAN :: 3745 Virtual-Access Interface For VPDN

Feb 11, 2012

We have a 3745 LNS router; currently there are only a few users connected. When a user dials in, the request is authenticated and one virtual-access interface is formed on the LNS router. Now, if the user disconnects the VPN and connects to the VPN again, is the user connected to the same virtual-access interface that was assigned before disconnecting, or is a different virtual-access interface created?


Cisco Firewall :: 8023 / External Access To Internal Router Via ASA

Dec 31, 2012

I am aware that we can allow external admins to telnet over a custom port to the internal router. I was even allowed to connect to a remote router via the remote firewall. The way I was accessing the router is by telnet to the remote ASA address on port 8023. I am not sure how exactly we can configure this on an ASA.


Linksys Wireless Router :: WRT54GS Can't Access Any Internal Server?

Sep 13, 2012

I had a Linksys WRT54GS and this wireless is connected to a switch in an internal environment, but I want to connect guest users without them seeing my internal network, and they can't access any internal server... How can I configure this?


Cisco WAN :: What Is Best Router To Be Replaced 3745 EOL

Jan 15, 2012

There are no special requirements, just need new hardware with some reserve availability. As for now it's 3745 EOL and I assume to use 3945.


Cisco Firewall :: ASA 8.4 / NAT Some Subnets To One IP And Other Subnets To Another IP?

Aug 15, 2012

I need to NAT some subnets to one IP and other subnets to another IP. The range command won't work because some of the subnets are out of order. For example, subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 nat'd to 1.1.1.1. Subnet 192.168.26.0-192.168.27.0 nat'd to 1.1.1.2.


Cisco WAN :: 3745 / Migrating Configuration To New Router With Different IOS?

Sep 28, 2011

One of my clients has an older 3745 running IOS 12.3 and we are looking at replacing it with a new 3945 that runs IOS 15.0. This router is also configured with CME. Is it possible to migrate the current 12.3 config to load on the new 15.0 IOS? This will be my first encounter with 15.0 so I don't know what I am up against at this time. I am just hoping I don't have to retype all the ephone config, dial-peers, etc


Cisco WAN :: 2600 Router / IBM 3745 Modem - SNA To Ethernet Via 56k

Jun 5, 2011

Trying to establish a connection on an IBM 3745 controller via two IBM 5822 modems to a Cisco 2600 router using SDLC encapsulation secondary bridging data from the serial port to the E/Net port to run the 3270 client ???


Cisco WAN :: Have ADSL Router (887) At Site Which Has GRE Tunnel To 3745

Sep 14, 2011

Have an ADSL router (887) at a site which has a GRE tunnel to a 3745. The GRE tunnel is setup with default ip mtu of 1476. If I ping from the 3745 to the ADSL router (or in the reverse direction) with a packet size of 1500 bytes this works fine. However if I ping from a router (R1) that is directly connected to 3745 to the ADSL router with a pkt size of 1500 bytes then the first ping succeeds while the subsequent pings fail. Pkt sizes less than or equal to 1476 work okay. Pinging between R1 and the 3745 with a packet size of 1500 bytes works fine. If I set the tunnel ip mtu size to 1500 bytes then it works. This is obviously something to do with fragmentation, but I don't understand why it doesn't work with the default mtu set to 1476.


Cisco WAN :: 3745 - L2TPv3 And Routed Interface On Same Router

Oct 30, 2010

I have a subnet (vlan 104) working great across a WAN.  At site 1, Router A (3745) has the L2TPv3 tunnel configured while Router B (7204) has a routed interface on vlan 104.
 
The only thing router A is doing is the tunnel, so I'd like put the tunnel on Router B and eliminate Router A.
 
The trouble is, when I move the configs to Router B, the tunnel comes up, but the far side does not receive traffic over the tunnel.
 
Router B shows sending and receiving packets (per the 'sh l2tun session all' command). The far end router shows sending packets but receiving 0.
 
Is it a problem to have both the vlan 104's L2TPv3 xconnect interface and the vlan 104's routed interface on the SAME router?


Cisco Routers :: RV110W Unable To Access Other Subnets When Using PPTP VPN

Jan 1, 2013

I've encountered a problem when using PPTP VPN to access my network. I can connect in and able to ping the hosts connected to the RV110W. [code] On the local network, I am able to ping the hosts in 192.168.250.x from 192.168.251.x and vice versa. Static routes are configured to ensure that all networks are reachable. The problem comes when I tried to VPN (PPTP) in from a remote location using the Windows XP's built in default VPN dialer. When connected, I can ping all the hosts on 192.168.254.xxx segments, but when I tried to ping the hosts in 192.168.250.xxx and 192.168.251.xxx segments, I get a request timeout.
 
The routing table on the RV110W shows the gateway for 192.168.254.240 (the VPN IP address) as 0.0.0.0 and interface is WAN. What am I missing and how should I configure the RV110W so that I can access the other subnets through VPN?


Cisco WAN :: 3745 Router Available To Work With DS3 Circuit On Remote Site

Jun 6, 2011

I need to make sure I have a router available to work with DS3 circuit on remote site. A remote field technician tells me there is a 3745 router with "HSSI" and external Adtran CSU/DSU available. Is that an indication this can work with DS-3 circuit? Which specific Adtran CSU/DSU do I need in order to make it work with DS3?


Cisco WAN :: Routing Loop Due To High Utilization Of Router 3745

Dec 31, 2012

I've come across a very odd topology to deal with where everything is connected to everything, without proper utilization of VLANs.
 
- I've an L3 SW and a 3745 RTR at core
- Both are carrying same subnet to an L2 distribution switch that connects server farm within the same subnet (i.e. 1.1.3.x subnet)
- The L2 switch works as a passive switch, hence another network say, 1.1.2.x has been plugged into it as well.
- This L2 switch extends to other switches without configuration of any VLANs or STP and distributes 1.1.3.x network.
 
Periodically and unexpectedly, the router starts hanging and utilization goes beyond 80%, and there's nothing at all that is observed in "sh proc cpu" to be eating router resources. It's quite difficult to observe the pattern, as it's random.


Cisco Routers :: 3750 / RV042 And Multiple LAN Subnets Access To Internet

Nov 27, 2011

We have RV 042 deployed for internet access/firewall purposes. Due to growing number for Wireless devices and also to separate WLAN traffic from wired devices, we have created a separate VLAN/IP Subnet for the wifi devices. We are having trouble accessing the internet from the WiFi VLAN/IP Subnet. Cisco 3750 is layer 2 and layer 3 device. We have VLAN 1 (10.10.10.0/255.255.255.0), all wired devices and RV 042 are part of VLAN 1. Connectivity to internet from VLAN 1 is good. VLAN 2 (192.168.1.0 / 255.255.255.0) was created for wifi devices, 3750 does the inter-vlan routing, I have enabled the multiple subnet feature on the RV 042 and added 192.168.1.2 / 24 to the subnet list, we still have issues accessing internet from vlan 2 devices.
 
As a workaround, I shutdown vlan 2 and added 192.168.1.0/24 as secondary address to the VLAN 1 interface on 3750 and I was able to access internet from 192.168.1.0/24 network with wifi devices also on vlan 1, we want wifi devices to be on separate vlan / ip subnet. Looking at the documentation for RV series routers, it talks about supporting multiple subnets access to internet by enabling multiple subnet feature but it doesn't seem to work. Are there restrictions on having multiple vlans?


Linksys Wired Router :: Static Route To Access TMG Internal Network Through RV042 Pptp Server?

Mar 20, 2012

Currently I am having a scenario where I have setup RV042 and which is connected to Microsoft Forefront 2010. PPTP works fine only on rv042 subnet but I am not able to access the "internal" network of TMG. RV042 (172.16.1.1) ---> TMG [external] (172.16.1.2) ---> TMG [internal] (192.168.1.1). Is there any way through static route to access the TMG internal network through RV042 pptp server?


Cisco VPN :: ASA 5505 / Remote Access VPN - Unable To Access Internal Network

May 7, 2012

I have created remote access vpn in my ASA 5505. The tunnel is established but I am not able to access the internal network.


Cisco WAN :: Port Adapter Is Disabled Deactivated On NM4A/S In 3745 Router

May 18, 2012

I am having a problem getting serial interfaces to show up with a NM4A/S card in a 3745 router. It worked at first but now the serial interfaces don't show up in running-config but show diag shows the card is present but says "Port adapter is disabled deactivated". I have tried the card in 3 different slots and of course turned off power when moving card around (left power cord in for grounding). Again, it was once working (serial interfaces were showing up in running-config) so if I damaged the slot somehow, however I was very careful when seating card. Have been searching the learning network and google for days now to no avail. Have tried to find something similar to the card type command thinking the port adapter needs to be activated but have not found any documentation about that. Hope card isn't bad all of a sudden but really don't think it is since it worked before and it seems to be recognized just not showing serial interfaces in running-config/sh ip int b (on ios/cli). Really think it's something along the lines of activating card, but not sure.


Cisco Switching/Routing :: 3745 Router Failed To Exchange The Reference Signal

Mar 17, 2013

I am almost new to the networking field, hence I might be lacking some basic knowledge. I would like to know the impact if the ground of any router gets disconnected. Will the router stop working? We have two peripheral routers in my organization; both are connected to the MPLS cloud through the MUX. One router (3745) has a ground connection, whereas the other (3845) doesn't. Recently the 3745 router started generating CRC errors on the WAN interface. Once we removed the patch cord connecting to the MUX for a loop test and reconnected it later, the interface did not come back up again. Finally someone advised me to check the ground connection. I found it was loose. Once I fixed it properly and rebooted the router, the interface came up. The person told me that some Cisco routers send the reference signal through the ground to the MUX connected to them, and that if the MUX and router fail to exchange the reference signal the router will not work. Is this true?


Cisco :: Cannot Access Internal To Dmz With Public Ip

Jan 4, 2013

I cannot access Internal network to DMZ with public ip but i can access public servers in DMZ with External network.


Cisco VPN :: AnyConnect 3.0 With ASA5510 No Internal Access?

May 9, 2012

We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,


Cisco VPN :: Can't Access Internal Network From VPN Using PIX 506E

Oct 28, 2012

I seem to be having an issue with my PIX configuration. I can ping the VPN client from the internal network, but cannot access any resources from the vpn client. [code]


Cisco VPN :: ASA5510 SSL Access To Internal Network?

May 18, 2011

We have ASA5510s and I've configured an SSL VPN using AnyConnect. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20.0/24. After successful login, using LDAP, the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?


Cisco VPN :: 5585 Allow Internal IP To Access DMZ Host

Sep 4, 2012

Currently, we allow /24 into our DMZ as follow: [code] Now, if we need to extended the /24 to a bigger scope ( range of 15 class C networks ) : can I just re-used the static route or should I use a ACL to allow traffic? This is on a ASA5585


Cisco WAN :: 2821 / When Web Server NAT 'd Access From Internal LAN

Mar 26, 2012

For a config on a 2821 router with IOS 15.1? I've setup an internal web server and am able to access it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0). When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.
 
What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?
  
Related Config Lines to Allow Access to Web Server
NAT
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
 ACL
ip access-list extended WAN
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www

[code]....


D-Link DIR-825 :: Restrict Access To Specified Internal IP's?

Aug 30, 2011

Have a new DIR-825 setup at home for coverage to another part of the house. I want to completely restrict clients using this WAP from accessing a couple internal IP's (that I use for work-related things). Restriction meaning filesharing, ping, RDP, etc - everything. Can this be done on the router side?


2 Subnets + Both Legs Of Router On Same L3 Switch?

Sep 6, 2011

This might be ridiculously bad for security but I'll ask anyway. Is it ok to have two routers on the same subnet? One router/firewall will do NAT for hosts that don't need a real IP/or care to manage their own firewall and the outward facing router.


Cisco VPN :: ASA 5510 / How To Provide Only RDP Access To A VPN Users To Internal PC

Sep 27, 2011

We have an ASA 5510 firewall and I have created a remote VPN user who connects to the internal network via VPN AnyConnect. After connecting, I want him to only access his internal PC via RDP and not access other internal websites or shared folders without connecting to the RDP. However, now he can access the internal website without connecting to RDP?


Cisco VPN :: Remote VPN With ASA 5520 - Can't Access Internal Network

Mar 14, 2011

I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IPs are even pinging). Meanwhile, I could ping and rdp to this laptop (which is connected by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.


Cisco WAN :: 5510 To Add A Static Nat To Allow Access To Internal Webserver

Mar 20, 2011

ASA 5510. I'm trying to add a static NAT to allow access to an internal webserver on my DMZ. I've added the config, however I'm still unable to get to it from the outside. I'm able to ping and browse the server from the LAN and I'm also able to ping the external interface from the outside, but just unable to browse. I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside"
