  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1308

Cisco VPN and multiple subnets

I have a network that has two subnets, 192.168.1.0 and 192.168.2.0. I have a Cisco ASA 5510 firewall in place on my network. The ASA is on the 192.168.1.0 network. I can access the 192.168.2.0 network when I am on the 192.168.1.0 network, but my VPN clients can only access the 192.168.1.0 network. I have created access-lists and changed my tunnelspecified list to try to fix this, but my VPN clients still cannot ping the 192.168.2.0 network. What do I need to do to get my VPN clients to access the 192.168.2.0 network? Here is a copy of my ASA config:
ASA Version 8.0(4)
!
hostname CAB-ASA
domain-name cab.local
enable password KWs0rgrxU3SGJ30. encrypted
passwd KWs0rgrxU3SGJ30. encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 
 management-only
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone FNT -2
dns server-group DefaultDNS
 domain-name cab.local
access-list CAB_TO_DAKCS_ACL extended permit ip host 10.10.8.1 host 207.109.153.98
access-list nat extended permit ip host 192.168.1.1 host 207.109.153.98
access-list nat extended permit ip host 192.168.1.1 66.133.100.72 255.255.255.248
access-list nat extended permit ip host 192.168.1.1 10.10.98.0 255.255.255.248
access-list nat extended permit ip 66.133.100.72 255.255.255.248 host 192.168.1.1
access-list nat extended permit ip 10.10.98.0 255.255.255.248 host 192.168.1.1
access-list nat extended permit ip 192.168.1.0 255.255.255.0 10.10.98.0 255.255.255.248
access-list nat extended permit ip 10.10.98.0 255.255.255.248 10.10.8.0 255.255.255.0
access-list nat extended permit ip 10.10.98.0 255.255.255.248 192.168.1.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL1 extended permit ip host 10.10.8.1 66.133.100.72 255.255.255.248
access-list CAB_TO_DAKCS_ACL1 extended permit ip host 10.10.8.1 10.10.98.0 255.255.255.248
access-list CAB_TO_DAKCS_ACL1 extended permit ip 10.10.98.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL1 extended permit ip 10.10.98.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list inet_nat extended permit ip 192.168.1.0 255.255.255.0 any
access-list inet_nat extended permit ip 192.168.2.0 255.255.255.0 any
access-list inet_nat extended permit ip 192.168.22.0 255.255.255.0 any
access-list inet_nat extended permit ip any 192.168.22.0 255.255.255.192
access-list inet_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inet_nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CAB_new_tunnel extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.16 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.12 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.8 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.4 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.11
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.10
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.8
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.3
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.2
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.1
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.4.1
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.3
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.15.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 172.21.4.5
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.20
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.30
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.9.100
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list nonat extended permit ip any 192.168.22.192 255.255.255.224
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 10.15.0.0 255.255.0.0
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 host 172.21.4.5
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 172.21.4.0 255.255.255.0
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.3
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.4.1
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.1
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.2
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.3
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.10
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.11
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.4 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.8 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.12 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.16 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.30
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.20
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.9.100
access-list CHS_NAT_ACL extended permit ip host 192.168.169.64 10.0.0.0 255.0.0.0
access-list CHS_VPN extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list CAB_TO_DAKCS_ACL2 extended permit ip 192.168.1.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL2 extended permit ip 10.10.98.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL2 extended permit ip 10.10.98.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list policy-nat extended permit ip host 192.168.1.1 66.133.100.72 255.255.255.248
access-list policy-nat extended permit ip host 192.168.1.1 10.10.98.0 255.255.255.248
access-list vpnnat extended permit ip 192.168.1.0 255.255.255.0 host 10.10.12.10
access-list oconee extended permit ip 192.168.8.0 255.255.255.0 host 10.10.12.10
access-list oconee extended permit ip 192.168.8.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list InternetVPN standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging list VPN level informational
logging buffered debugging
logging asdm informational
logging from-address 
logging recipient-address  level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool-pptp 192.168.22.200-192.168.22.220
ip local pool SSLCABPool 192.168.22.221-192.168.22.241
ip local pool PhoneVPN 192.168.2.245-192.168.2.254
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 3 interface
global (outside) 2 192.168.169.64
nat (inside) 0 access-list nonat
nat (inside) 2 access-list CHS_VPN
nat (inside) 3 access-list inet_nat
nat (inside) 3 0.0.0.0 0.0.0.0
static (inside,outside) 10.10.8.1  access-list policy-nat
static (inside,outside) 192.168.8.0  access-list vpnnat
access-group acl_out in interface outside
route outside 
route inside 192.168.2.1 255.255.255.255 192.168.1.244 1
route inside 192.168.2.2 255.255.255.255 192.168.1.244 1
route inside 192.168.2.3 255.255.255.255 192.168.1.244 1
route inside 192.168.2.4 255.255.255.255 192.168.1.244 1
route inside 192.168.2.5 255.255.255.255 192.168.1.244 1
route inside 192.168.169.64 255.255.255.255 192.168.1.244 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa local authentication attempts max-fail 16
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set CAB_TO_DAKCS_SET esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 7 match address NCH_remote
crypto map CAB_TO_DAKCS_MAP 7 set peer 208.60.110.247
crypto map CAB_TO_DAKCS_MAP 7 set transform-set ESP-3DES-MD5
crypto map CAB_TO_DAKCS_MAP 7 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 7 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 10 match address Roper
crypto map CAB_TO_DAKCS_MAP 10 set peer 208.60.95.35
crypto map CAB_TO_DAKCS_MAP 10 set transform-set ESP-3DES-MD5
crypto map CAB_TO_DAKCS_MAP 10 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 10 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 20 match address CAB_TO_DAKCS_ACL
crypto map CAB_TO_DAKCS_MAP 20 set peer 207.109.153.102
crypto map CAB_TO_DAKCS_MAP 20 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 20 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 20 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 25 match address CAB_TO_DAKCS_ACL1
crypto map CAB_TO_DAKCS_MAP 25 set peer 66.133.100.71
crypto map CAB_TO_DAKCS_MAP 25 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 25 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 25 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 30 match address CAB_new_tunnel
crypto map CAB_TO_DAKCS_MAP 30 set peer 63.243.49.34
crypto map CAB_TO_DAKCS_MAP 30 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 30 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 30 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 40 match address CHS_NAT_ACL
crypto map CAB_TO_DAKCS_MAP 40 set peer 208.61.250.87
crypto map CAB_TO_DAKCS_MAP 40 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 40 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 40 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 45 match address oconee
crypto map CAB_TO_DAKCS_MAP 45 set peer 208.68.223.3
crypto map CAB_TO_DAKCS_MAP 45 set transform-set ESP-3DES-MD5
crypto map CAB_TO_DAKCS_MAP 45 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 45 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CAB_TO_DAKCS_MAP interface outside
crypto ca trustpoint CABVPN
 enrollment terminal
 fqdn ASA.CAB.local
 subject-name CN=ASA.CAB.local,OU=CAB,O=CAB,C=US,St=SC,L=Charleston
 keypair CAB
 crl configure
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.cab.local
 subject-name cn=sslvpn.cab.local
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate 31
    308201ec 30820155 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    3c311930 17060355 04031310 73736c76 706e2e63 61622e6c 6f63616c 311f301d
    06092a86 4886f70d 01090216 1073736c 76706e2e 6361622e 6c6f6361 6c301e17
    0d303831 30323831 30333632 335a170d 31383130 32363130 33363233 5a303c31
    19301706 03550403 13107373 6c76706e 2e636162 2e6c6f63 616c311f 301d0609
    2a864886 f70d0109 02161073 736c7670 6e2e6361 622e6c6f 63616c30 819f300d
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 a96f73ce 97e149d7
    8dce256e 17078c59 a9dc8b01 6de3f9b4 76b8e669 e3522d73 618b3252 2f1ee721
    cd981f97 c10204e6 ab7be447 87f9c252 a3fb8643 5b48901b a49f2f9d d2eccb68
    b2ef5bcd 7828a075 ddd2bcdb eba349c3 025f81bb 4b9e607e 1bc725d0 4028ab9f
    2d1b80f4 b2f331f4 8d4e5fe6 2c28dd83 8c25e0b7 27fe73b1 02030100 01300d06
    092a8648 86f70d01 01040500 03818100 389029bd 4a0e984f 59feac07 c01dd10f
    f80b2faa d3b6c42d bc36f218 d2607ab6 993e6e38 1ae99f88 761e91fe a9d94d2c
    7eb8a0d6 b78237f3 9bbd76d7 a7eb6285 8dfff14a 20e21b7b 05537b7a 0476d7f2
    d5415627 4e28387e eb60e898 50d09b20 a6eb3646 7a8f6ffe 14a5c2b3 7eb5308c
    fa983c9a ce24cb77 8aecc301 5740a3b6
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.210 config_backup
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy CABVPNusers internal
group-policy CABVPNusers attributes
 vpn-idle-timeout 60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value InternetVPN
 default-domain value cab.local
group-policy CABPhoneVPNpolicy internal
group-policy CABPhoneVPNpolicy attributes
 dhcp-network-scope 192.168.2.0
 split-tunnel-policy tunnelspecified
 default-domain value cab.local
group-policy DAKCSVPN internal
group-policy DAKCSVPN attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value InternetVPN
 default-domain value cab.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value InternetVPN
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
group-policy KMKAdmin internal
group-policy KMKAdmin attributes
 vpn-idle-timeout 15
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value InternetVPN
 default-domain value cab.local
group-policy vpnpool-pptp internal
group-policy vpnpool-pptp attributes
 dns-server value 192.168.1.10
 vpn-idle-timeout 60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value InternetVPN
 default-domain value cab.local
username SSLUSER password XAo6YcFsquXy9Zv6 encrypted
username CABCAB password nKVTkqeFQ/8xH1kb encrypted
username DAKCSuser password dHtpeFCEpUjJ2Paw encrypted
username KMKAdmin password vmhL1.s/9CNT85XW encrypted
tunnel-group CABVPNusers type remote-access
tunnel-group CABVPNusers general-attributes
 address-pool vpnpool-pptp
 default-group-policy vpnpool-pptp
tunnel-group CABVPNusers ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group  type ipsec-l2l
tunnel-group  ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group KMKAdmin type remote-access
tunnel-group KMKAdmin general-attributes
 address-pool vpnpool-pptp
 default-group-policy vpnpool-pptp
tunnel-group KMKAdmin ipsec-attributes
 pre-shared-key *
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy vpnpool-pptp
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool SSLCABPool
 default-group-policy GroupPolicy1
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
tunnel-group DAKCSVPN type remote-access
tunnel-group DAKCSVPN general-attributes
 address-pool vpnpool-pptp
 default-group-policy vpnpool-pptp
tunnel-group DAKCSVPN ipsec-attributes
 pre-shared-key *
tunnel-group CABPhoneVPN type remote-access
tunnel-group CABPhoneVPN general-attributes
 address-pool PhoneVPN
 default-group-policy CABPhoneVPNpolicy
tunnel-group CABPhoneVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 
prompt hostname context

Asked by: Bosaloski
1 Solution
 
tom_philly commented:
You're only routing for 5 addresses on 192.168.2.x from the ASA:
route inside 192.168.2.1 255.255.255.255 192.168.1.244 1
route inside 192.168.2.2 255.255.255.255 192.168.1.244 1
route inside 192.168.2.3 255.255.255.255 192.168.1.244 1
route inside 192.168.2.4 255.255.255.255 192.168.1.244 1
route inside 192.168.2.5 255.255.255.255 192.168.1.244 1
I would assume that you are trying to reach one of these boxes?

You have address space from the 192.168.2.x on BOTH sides of the ASA...
This could be causing a routing problem. What happens when you traceroute from a VPN client to a 192.168.2.x address?

What is connecting both the 192.168.1.x and the 192.168.128.2x?
Layer3 Switch? Router?
Does that device know about the VPN client Address Pools?
Is the default gateway of this box the ASA?

If you have a /24 configured for that network 192.168.2.0 255.255.255.0 then you need to change the PhoneVPN pool that is configured on the ASA as the address spaces will conflict.

More information would greatly assist.

Tom


Bosaloski (Author) commented:
The 192.168.2.x network is for the IP phones. 192.168.2.1 is an Extreme Networks switch and the gateway, 192.168.2.2 is the voicemail server, 192.168.2.3 is the file server and DHCP server, and 192.168.2.5 is the Call server. My client wants to be able to take an IP phone home and use Cisco VPN to connect the phone back to the office network. I figure that the Cisco VPN client needs to ping the 192.168.2.x network in order to communicate with the above IP addresses that I listed. Thanks for your help.
tom_philly commented:
The phone SHOULD not NEED to be on the 192.168.2.x network. It only needs to be able to connect to whichever VoIP server you are using. If the Extreme switch is referencing a mask of 255.255.255.0 for the 192.168.2.x network then you cannot have clients obtaining that address space from the VPN concentrator. This would cause a conflict in your IP scheme. My suggestion would be to try issuing a different address space (say 192.168.3.x or 172.16.1.x), something that you are not using elsewhere in your network, to the IP phones via the VPN. THEN you need to confirm where the VoIP "server" is located (this could be a CallManager or Asterisk or a number of other options, OR you could be using hosted VoIP so it would only need internet access from the phone). Once you know that, confirm that there is routing (even if it's just the default routes) between the networks. Confirm that this new address space knows how to reach the 192.168.2.x (or wherever your VoIP server is).

Give this a try then let me know how it goes for you.

Good luck and hope it helped.

Tom
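Editor's added example (not code from this thread, from Cisco, or from either poster): a small lint script that reads the lines of the posted config that matter for the two problems raised above and reports them. It checks (1) whether 192.168.2.0/24 is named in the split-tunnel list each remote-access tunnel-group's policy applies (in the posted config `InternetVPN` only lists 192.168.1.0/24, so a `tunnelspecified` client never sends 192.168.2.x traffic into the tunnel, whatever the ASA's routes and ACLs say), (2) which address pools overlap a LAN subnet (the `PhoneVPN` pool 192.168.2.245-254 sits inside the /24 the Extreme switch owns, the conflict tom_philly describes), and (3) which inside routes fall within the target subnet (only the five /32s). The excerpt is constructed from the posted config; the 255.255.255.0 mask on 192.168.2.0 is taken from the question, and the parser handles only the handful of ASA 8.0 statement forms it needs. It does not check NAT exemption: note that the `nonat` list exempts 192.168.1.0/24 and `any` to 192.168.22.192/27 only, so a reply from 192.168.2.x to a client in the upper part of `SSLCABPool` (192.168.22.224-241) would instead match `nat (inside) 3 access-list inet_nat` and be translated, which is worth fixing at the same time.

```python
"""Lint an ASA 8.0-style config excerpt for the remote-access VPN problems
discussed in the thread: a split-tunnel list missing a subnet, an address
pool overlapping a LAN subnet, and routes that cover only part of it."""
import ipaddress
import re

# Constructed excerpt: the lines from the posted config that the checks use.
CONFIG = """\
access-list InternetVPN standard permit 192.168.1.0 255.255.255.0
ip local pool vpnpool-pptp 192.168.22.200-192.168.22.220
ip local pool SSLCABPool 192.168.22.221-192.168.22.241
ip local pool PhoneVPN 192.168.2.245-192.168.2.254
route inside 192.168.2.1 255.255.255.255 192.168.1.244 1
route inside 192.168.2.3 255.255.255.255 192.168.1.244 1
group-policy CABPhoneVPNpolicy attributes
 split-tunnel-policy tunnelspecified
group-policy vpnpool-pptp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value InternetVPN
tunnel-group CABVPNusers general-attributes
 address-pool vpnpool-pptp
 default-group-policy vpnpool-pptp
tunnel-group CABPhoneVPN general-attributes
 address-pool PhoneVPN
 default-group-policy CABPhoneVPNpolicy
"""


def net(addr, mask):
    """ASA 'address mask' notation -> ip_network (dotted masks are accepted)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Collect standard ACLs, local pools, inside routes, group-policy and
    tunnel-group attributes. Indented lines belong to the last block header."""
    cfg = {"acl": {}, "pools": {}, "policies": {}, "groups": {}, "routes": []}
    block = None  # (kind, name) of the block whose indented lines follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):
            if block is None:
                continue
            kind, name = block
            f = line.split()
            if kind == "policy" and f[0] == "split-tunnel-policy":
                cfg["policies"][name]["policy"] = f[1]
            elif kind == "policy" and f[0] == "split-tunnel-network-list":
                cfg["policies"][name]["list"] = f[2]  # 'value <ACL name>'
            elif kind == "group" and f[0] in ("address-pool", "default-group-policy"):
                cfg["groups"][name][f[0]] = f[1]
            continue
        block = None
        if m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["acl"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"route inside (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((net(m[1], m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            cfg["policies"][m[1]] = {"policy": None, "list": None}
            block = ("policy", m[1])
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            cfg["groups"][m[1]] = {}
            block = ("group", m[1])
    return cfg


def split_tunnel_covers(cfg, group, target):
    """(policy name, is target inside a network of that policy's split list).
    Under 'tunnelspecified' the client only tunnels the listed networks; any
    other policy value is treated here as tunnel-all."""
    target = ipaddress.ip_network(target)
    policy_name = cfg["groups"][group]["default-group-policy"]
    pol = cfg["policies"][policy_name]
    if pol["policy"] != "tunnelspecified":
        return policy_name, True
    nets = cfg["acl"].get(pol["list"], [])
    return policy_name, any(target.subnet_of(n) for n in nets)


def pool_conflicts(cfg, lan_subnets):
    """pool name -> LAN subnets containing either end of the pool's range.
    LAN hosts treat such an address as local (ARP) instead of routing it."""
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    out = {}
    for name, (lo, hi) in cfg["pools"].items():
        hits = [str(s) for s in lans if lo in s or hi in s]
        if hits:
            out[name] = hits
    return out


def routes_within(cfg, target):
    """Inside routes whose destination lies inside target (the /32s here)."""
    target = ipaddress.ip_network(target)
    return [str(r) for r, _ in cfg["routes"] if r.subnet_of(target)]


if __name__ == "__main__":
    cfg = parse(CONFIG)
    for g in cfg["groups"]:
        pol, ok = split_tunnel_covers(cfg, g, "192.168.2.0/24")
        print(f"{g}: policy {pol}, 192.168.2.0/24 {'is' if ok else 'is NOT'} in split-tunnel list")
    print("pool/LAN conflicts:", pool_conflicts(cfg, ["192.168.1.0/24", "192.168.2.0/24"]))
    print("inside routes within 192.168.2.0/24:", routes_within(cfg, "192.168.2.0/24"))
```

Run it against the full posted config (it ignores statements it does not recognise) to see the same three findings; after adding 192.168.2.0/24 to `InternetVPN` and moving `PhoneVPN` to an unused prefix, as the answer suggests, the first two checks come back clean, and the `routes_within` output is a reminder that the ASA still only knows how to reach five hosts on that subnet unless a route for the whole /24 via 192.168.1.244 is added.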