how to authorise the subnet mask

Posted on 2008-11-10
Medium Priority
Last Modified: 2012-05-05
Hi guys,

I have an ASA in the head office and an ASA 5505 in the shop as well. What is happening is that when I VPN to the head office through the Cisco client, I can't access the server in the shop directly; I have to go through another server in the head office and then connect to the server in the shop.

How can I fix it or authorise the IP range so that I can directly access the server in the shop through RDP?
When I connect to the VPN I get an IP address like

How can I fix it? Please help with the command.
Question by:ammartahir1978

Expert Comment

ID: 22927451
It sounds like you have the following setup to get to the shop server:

vpn client ---------- Head Office ASA ----------- Shop ASA --------- server

Is this correct?

If so, then you will need to make sure that the Shop ASA is allowing 172.16.x.x addresses inbound to that server.  It would help if you posted both firewall configs and then I can give you exact commands to put in.

Author Comment

ID: 22928774
That's correct, batry.

Yes, this is what is happening right now, but I want to access the shop server directly. Can I create a VPN connection for the shop ASA and access it, or can you tell me the command? I don't feel comfortable posting the ASA settings here.

Can you help besides that?

Accepted Solution

batry_boy earned 2000 total points
ID: 22946434
Yes, you can...you will need to allow all (meaning from any source IP on the Internet) UDP 500 and UDP 4500 port traffic inbound through the head office ASA to the shop ASA, and then configure the shop ASA to accept remote access VPN connections such as you have already done on the head office ASA.  Then you should be able to get to the server behind the shop ASA once you have a VPN connection to the shop ASA.

Here are the commands to allow this traffic through the head office ASA:

access-list outside_access_in permit udp any host x.x.x.x eq isakmp
access-list outside_access_in permit udp any host x.x.x.x eq 4500
access-group outside_access_in in interface outside

where x.x.x.x = IP address of outside interface on the shop ASA
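As an added example (not part of the thread or of any Cisco tooling), a small Python check that reads an ASA config excerpt and confirms the outside ACL permits IKE (UDP 500/isakmp) and NAT-T (UDP 4500) to the shop ASA's address, that the ACL is actually bound inbound on the outside interface, and that no catch-all "permit ip any any" undoes the narrow rules. The config text and the address 203.0.113.10 (standing in for x.x.x.x) are constructed for the example.

```python
import re

# Constructed ASA config excerpt; 203.0.113.10 is a placeholder for the
# shop ASA's outside interface. The catch-all line is included on purpose
# so the audit has something to flag.
SAMPLE_CONFIG = """
access-list outside_access_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_access_in permit udp any host 203.0.113.10 eq 4500
access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside
"""

# access-list <name> permit|deny <proto> <src> <dst> [eq <port>]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
# access-group <name> in interface <iface>
BIND_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)\s*$")

PORT_NAMES = {"isakmp": "500"}   # ASA accepts the port by name or number
REQUIRED = {"500", "4500"}       # IKE and NAT-T, the two ports the answer opens


def audit_vpn_passthrough(config, shop_ip, iface="outside"):
    """Return which required UDP ports are missing for shop_ip in the ACL
    bound inbound on iface, plus any catch-all entries found."""
    permits = {}      # ACL name -> set of required ports permitted to shop_ip
    too_broad = []    # permit ip any any lines, which make the narrow ACEs moot
    bound = None      # ACL name applied inbound on iface, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            if m["action"] != "permit":
                continue
            port = PORT_NAMES.get(m["port"], m["port"])
            if m["proto"] == "udp" and m["dst"] == f"host {shop_ip}" and port in REQUIRED:
                permits.setdefault(m["name"], set()).add(port)
            elif m["proto"] == "ip" and m["src"] == "any" and m["dst"] == "any":
                too_broad.append(line)
            continue
        b = BIND_RE.match(line)
        if b and b["iface"] == iface:
            bound = b["name"]
    opened = permits.get(bound, set())
    return {"acl_bound": bound, "missing": sorted(REQUIRED - opened), "too_broad": too_broad}
```

Run it against the real config after pasting in the two permit lines and the access-group; an empty "missing" list with an empty "too_broad" list is the state the accepted answer describes.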

Author Comment

ID: 22948007
Thank you Batry,

How can I allow all the traffic?
Can you please give commands for both?

For the head office and for the shop side as well. Thank you.


Expert Comment

ID: 22974298
The easiest way to fix this is to drop in:

sysopt connection permit-vpn (this will allow ACL and NAT bypass for IPsec/VPN traffic)

let me know how it goes.

Expert Comment

ID: 22974302
That will be for both the head office and shop ASAs.

Author Comment

ID: 23033737
Hi Guys,

I have a VPN connection from the shop ASA to the head office ASA all the time; it's only when I am trying to access the shop server that it doesn't connect.

The reason is that when I connect my VPN from home I get
the following IP: where my head office IP is

All I need is that when users connect their VPN client they should be able to access the server in the shop without connecting to a server in the head office first and then connecting to the server in Notting Hill.

Ammar Tahir


Author Comment

ID: 23033981
Here is the screenshot of the route

Author Comment

ID: 23042996
What is the command for allowing an access-list for 172.16.55.X inbound on the shop ASA?
