Solved

RAS VPN, users cannot access resources

Posted on 2009-04-27
26
Medium Priority
762 Views
Last Modified: 2012-06-27
Three subnets
172.16.1.0/24
172.16.10.0/24
172.16.101.0/24

remote vpn users:
172.16.201.0    255.255.255.0

Issue: remote VPN users can authenticate into the VPN, but they cannot access any resources. I thought I did the crypto isakmp nat-traversal command and sysopt connection command, but still nothing.

Thanks in advance
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set aes128
 
crypto map mymap 20 ipsec-isakmp dynamic dynmap
 
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
 
 
access-list outside-to-inside extended permit icmp any any
access-list outside-to-inside extended permit tcp any host 75.150.145.226 eq smtp
access-list citrus-acl extended permit ip object-group sl-ipsec-net object-group Citrus
access-list Easton-acl extended permit ip object-group sl-ipsec-net object-group Easton
access-list deny-ospf-out standard permit 172.16.0.0 255.255.0.0
access-list deny-ospf-out standard permit 10.80.8.0 255.255.255.0
access-list deny-ospf-out standard permit 192.168.100.0 255.255.255.0
access-list permit-ospf-out standard permit any
access-list private-inbound extended deny ip any 10.10.10.0 255.255.255.0
access-list private-inbound extended permit ip 172.16.0.0 255.255.0.0 any
access-list honeybrook-acl extended permit ip object-group sl-ipsec-net object-group Honeybrook
access-list oceanview-acl extended permit ip object-group sl-ipsec-net object-group Oceanview
access-list georgetown-acl extended permit ip object-group sl-ipsec-net object-group georgetown-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group georgetown-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group tcp-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group wh-ipsec-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group smyrna
access-list nonat extended permit ip object-group sl-ipsec-net object-group Allentown
access-list nonat extended permit ip object-group sl-ipsec-net object-group Chincoteague
access-list nonat extended permit ip object-group sl-ipsec-net object-group Citrus
access-list nonat extended permit ip object-group sl-ipsec-net object-group Easton
access-list nonat extended permit ip object-group sl-ipsec-net object-group Honeybrook
access-list nonat extended permit ip object-group sl-ipsec-net object-group Oceanview
access-list nonat extended permit ip object-group wh-ipsec-net object-group tcp-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group Bravepoint
access-list nonat extended permit ip object-group sl-ipsec-net object-group RAS
access-list bellhaven-acl extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list wh_to_tcp-acl extended permit ip object-group wh-ipsec-net object-group tcp-net
access-list bravepoint-acl extended permit ip object-group corporate_to_bravepoint object-group Bravepoint
access-list tcp-acl extended permit ip object-group sl-ipsec-net object-group tcp-net
access-list wh-acl extended permit ip object-group sl-ipsec-net object-group wh-ipsec-net
access-list ryan-acl extended permit ip object-group sl-ipsec-net object-group smyrna
access-list allentown-acl extended permit ip object-group sl-ipsec-net object-group Allentown
access-list Chincoteague-acl extended permit ip object-group sl-ipsec-net object-group Chincoteague
access-list split_tunnel_list standard permit 172.16.1.0 255.255.255.0
access-list split_tunnel_list standard permit 172.16.10.0 255.255.255.0
access-list split_tunnel_list standard permit 172.16.0.0 255.255.0.0

Question by:dissolved
26 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24245033
Can you post the full config?
0
 

Author Comment

by:dissolved
ID: 24245271


ASA Version 8.0(3)
!
hostname ColoASA
domain-name cpk.chpk.com
enable password odfQnoVkJM3R6uNm encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.101.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.140.145.225 255.255.255.240
!
interface Vlan3
 shutdown
 nameif dmz
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd /jDqcmU1oIx7745D encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name cpk.chpk.com
object-group network georgetown-net
 network-object 172.16.36.0 255.255.255.0
object-group network sl-ipsec-net
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
object-group network Bell-Haven-net
 network-object 172.16.65.0 255.255.255.0
object-group network tcp-net
 network-object 172.16.54.0 255.255.255.0
object-group network wh-ipsec-net
 network-object 172.16.50.0 255.255.255.0
object-group network smyrna
 network-object 192.168.3.0 255.255.255.0
object-group network Allentown
 network-object 172.16.71.0 255.255.255.0
object-group network Chincoteague
 network-object 172.16.60.0 255.255.255.0
object-group network Citrus
 network-object 172.16.57.0 255.255.255.0
object-group network Easton
 network-object 172.16.25.0 255.255.255.0
object-group network Honeybrook
 network-object 172.16.70.0 255.255.255.0
object-group network Oceanview
 network-object 172.16.37.0 255.255.255.0
object-group network RAS
 network-object 172.16.201.0 255.255.255.0
object-group network Bravepoint
 network-object 10.80.8.0 255.255.255.0
 network-object 10.80.8.0 255.255.254.0
 network-object 10.80.9.0 255.255.255.0
object-group network corporate_to_bravepoint
 network-object 172.16.0.0 255.255.0.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
access-list outside-to-inside extended permit icmp any any
access-list outside-to-inside extended permit tcp any host 75.150.145.226 eq smtp
access-list citrus-acl extended permit ip object-group sl-ipsec-net object-group Citrus
access-list Easton-acl extended permit ip object-group sl-ipsec-net object-group Easton
access-list deny-ospf-out standard permit 172.16.0.0 255.255.0.0
access-list deny-ospf-out standard permit 10.80.8.0 255.255.255.0
access-list deny-ospf-out standard permit 192.168.100.0 255.255.255.0
access-list permit-ospf-out standard permit any
access-list private-inbound extended deny ip any 10.10.10.0 255.255.255.0
access-list private-inbound extended permit ip 172.16.0.0 255.255.0.0 any
access-list honeybrook-acl extended permit ip object-group sl-ipsec-net object-group Honeybrook
access-list oceanview-acl extended permit ip object-group sl-ipsec-net object-group Oceanview
access-list georgetown-acl extended permit ip object-group sl-ipsec-net object-group georgetown-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group georgetown-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group tcp-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group wh-ipsec-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group smyrna
access-list nonat extended permit ip object-group sl-ipsec-net object-group Allentown
access-list nonat extended permit ip object-group sl-ipsec-net object-group Chincoteague
access-list nonat extended permit ip object-group sl-ipsec-net object-group Citrus
access-list nonat extended permit ip object-group sl-ipsec-net object-group Easton
access-list nonat extended permit ip object-group sl-ipsec-net object-group Honeybrook
access-list nonat extended permit ip object-group sl-ipsec-net object-group Oceanview
access-list nonat extended permit ip object-group wh-ipsec-net object-group tcp-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group Bravepoint
access-list nonat extended permit ip object-group sl-ipsec-net object-group RAS
access-list bellhaven-acl extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list wh_to_tcp-acl extended permit ip object-group wh-ipsec-net object-group tcp-net
access-list bravepoint-acl extended permit ip object-group corporate_to_bravepoint object-group Bravepoint
access-list tcp-acl extended permit ip object-group sl-ipsec-net object-group tcp-net
access-list wh-acl extended permit ip object-group sl-ipsec-net object-group wh-ipsec-net
access-list ryan-acl extended permit ip object-group sl-ipsec-net object-group smyrna
access-list allentown-acl extended permit ip object-group sl-ipsec-net object-group Allentown
access-list Chincoteague-acl extended permit ip object-group sl-ipsec-net object-group Chincoteague
access-list split_tunnel_list standard permit 172.16.1.0 255.255.255.0
access-list split_tunnel_list standard permit 172.16.10.0 255.255.255.0
access-list split_tunnel_list standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging buffer-size 16384
logging asdm-buffer-size 512
logging buffered informational
logging trap emergencies
logging history informational
logging asdm emergencies
logging from-address ColoASA@chpk.com
logging host inside 172.16.1.20
logging flash-bufferwrap
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Subnet 172.16.201.10-172.16.201.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 172.16.1.20 inside
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,dmz) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (dmz,outside) 75.150.145.228 10.10.11.12 netmask 255.255.255.255
static (dmz,outside) 75.150.145.227 10.10.11.11 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (outside,dmz) 172.16.53.0 172.16.53.0 netmask 255.255.255.0
static (dmz,outside) 75.150.145.230 10.10.11.14 netmask 255.255.255.255
static (dmz,outside) 75.150.145.229 10.10.11.10 netmask 255.255.255.255
static (inside,outside) 75.150.145.226 172.16.101.49 netmask 255.255.255.255
access-group private-inbound in interface inside
access-group outside-to-inside in interface outside
 
route-map ospf-out deny 10
 match ip address deny-ospf-out
!
route-map ospf-out permit 20
 match ip address permit-ospf-out
 set metric 100
 set metric-type type-1
!
!
router ospf 1
 router-id 172.16.101.254
 network 172.16.101.0 255.255.255.0 area 2
 log-adj-changes
 redistribute static subnets route-map ospf-out
 default-information originate
!
route outside 0.0.0.0 0.0.0.0 75.150.145.238 1
route outside 10.80.8.0 255.255.255.0 75.150.145.238 1
route outside 172.16.25.0 255.255.255.0 75.150.145.238 1
route outside 172.16.35.0 255.255.255.0 75.150.145.238 1
route outside 172.16.36.0 255.255.255.0 75.150.145.238 1
route outside 172.16.37.0 255.255.255.0 75.150.145.238 1
route outside 172.16.53.0 255.255.255.0 75.150.145.238 1
route outside 172.16.54.0 255.255.255.0 75.150.145.238 1
route outside 172.16.57.0 255.255.255.0 75.150.145.238 1
route outside 172.16.60.0 255.255.255.0 75.150.145.238 1
route outside 172.16.65.0 255.255.255.0 75.150.145.238 1
route outside 172.16.70.0 255.255.255.0 75.150.145.238 1
route outside 172.16.71.0 255.255.255.0 75.150.145.238 1
route outside 172.16.201.0 255.255.255.0 75.150.145.238 1
route outside 192.168.3.0 255.255.255.0 75.150.145.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC_Radius protocol radius
aaa-server DC_Radius host 172.16.101.23
 timeout 5
 key silverlake
aaa authentication ssh console LOCAL
http server enable
snmp-server host inside 172.16.1.20 community n@tg@s version 2c
snmp-server location Colo
snmp-server contact Helpdesk@chpk.com
snmp-server community n@tg@s
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set aes128
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 10
ssh 172.16.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
management-access inside
dhcpd dns 68.87.64.146 68.87.75.194
dhcpd auto_config outside
dhcpd update dns both
!
 
threat-detection basic-threat
threat-detection statistics access-list
group-policy chesapeake internal
group-policy chesapeake attributes
 wins-server value 172.16.101.23
 dns-server value 172.16.101.23
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 default-domain value cpk.chpk.com
 
tunnel-group chesapeake type remote-access
tunnel-group chesapeake general-attributes
 address-pool VPN_Subnet
 authentication-server-group (outside) DC_Radius
 default-group-policy chesapeake
tunnel-group chesapeake ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:aa70af446bd54ac3dd29b11cf1379f98
: end


0
 

Author Comment

by:dissolved
ID: 24246181
I was told by cisco that I needed to put a static route like this:

route outside 172.16.201.0 255.255.255.0   172.16.101.254

where 172.16.201.0 is the ras vpn users and 172.16.101.254 is the inside int of the asa

Is that correct?
0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24247066
No, I'm not sure why they would tell you that.  You want the route to the outside or have it use the default route.

I don't see anything wrong with your config.

The VPN client connects successfully but you can't access anything on the network?  On the VPN client tab, are the inbound/outbound statistics incrementing?  What are you trying to access from the VPN client?  Can you ping the DNS server? 172.16.101.23...

This ASA is the only default path to the Internet, right?  Your OSPF filter is not allowing the 172.16.201.0/24 subnet to be redistributed but as long as there is only a default route via this ASA, it doesn't matter.
0
 

Author Comment

by:dissolved
ID: 24251341
The ASA is set to route all unknown traffic towards the internet, yes.  When I view the client side statistics, the bytes received are very low compared to the bytes sent.

I am unable to ping the dns server from the RAS client
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24251398
Is 172.16.101.254 the DNS servers default gateway?

Can you post a "show cry ipsec sa" when the client is connected.
0
 

Author Comment

by:dissolved
ID: 24251465
ColoASA# sh cry ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 71.200.37.168

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 170, #pkts decrypt: 170, #pkts verify: 170
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.150.145.225, remote crypto endpt.: 71.200.37.168

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 7324102C

    inbound esp sas:
      spi: 0x8B2DD24E (2335035982)
         transform: esp-aes esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (4274949/24129)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x7324102C (1931743276)
         transform: esp-aes esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (4274999/24127)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 71.200.37.168

      #pkts encaps: 8720, #pkts encrypt: 8720, #pkts digest: 8720
      #pkts decaps: 9538, #pkts decrypt: 9538, #pkts verify: 9538
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8720, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.150.145.225, remote crypto endpt.: 71.200.37.168

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: A4A664BD

    inbound esp sas:
      spi: 0xD41609D2 (3558214098)
         transform: esp-aes esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (4271719/24113)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA4A664BD (2762368189)
         transform: esp-aes esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (4274329/24113)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.201.10/255.255.255.255/0/0)
      current_peer: 75.145.11.189, username: rsebastian
      dynamic allocated peer ip: 172.16.201.10

      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 567, #pkts decrypt: 567, #pkts verify: 567
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.150.145.225/4500, remote crypto endpt.: 75.145.11.189/1070
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: A3C15047

    inbound esp sas:
      spi: 0xCA27670F (3391579919)
         transform: esp-aes esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 20480, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 27977
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA3C15047 (2747355207)
         transform: esp-aes esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 20480, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 27977
         IV size: 16 bytes
         replay detection support: Y

0
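The counters in that output are the clue JFrederick29 was asking about earlier: on the remote-access SA the ASA has decapsulated 567 packets from the client but encapsulated only 6 back, while the two L2L SAs are roughly balanced. That pattern means the tunnel itself is fine and the replies are simply not coming back to the ASA. As an added example (not part of this thread and not Cisco tooling), here is a small Python parser that pulls the per-SA counters out of a "show crypto ipsec sa" dump and flags SAs that only carry traffic one way. The sample text is constructed from the shape of the output above; the ratio and minimum-packet thresholds are assumptions you would tune for your own environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, condensed from the shape of "show crypto ipsec sa" on an
# ASA 8.0: two L2L SAs plus one remote-access (RA) SA.
SAMPLE_SHOW_CRY_IPSEC_SA = """\
interface: outside
    Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 71.200.37.168

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 170, #pkts decrypt: 170, #pkts verify: 170

    Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 71.200.37.168

      #pkts encaps: 8720, #pkts encrypt: 8720, #pkts digest: 8720
      #pkts decaps: 9538, #pkts decrypt: 9538, #pkts verify: 9538

    Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.201.10/255.255.255.255/0/0)
      current_peer: 75.145.11.189, username: rsebastian
      dynamic allocated peer ip: 172.16.201.10

      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 567, #pkts decrypt: 567, #pkts verify: 567
"""


@dataclass
class SaCounters:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int  # packets the ASA encrypted and sent into the tunnel
    decaps: int  # packets the ASA received from the tunnel and decrypted


# Captures the value inside the second pair of parentheses of an ident line.
_IDENT = re.compile(r":\s*\(([^)]*)\)\s*$")


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split 'show crypto ipsec sa' output into one record per SA pair."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"encaps": 0, "decaps": 0}
            records.append(cur)
        elif cur is None:
            continue  # header lines before the first SA
        elif line.startswith("local ident"):
            cur["local"] = _IDENT.search(line).group(1)
        elif line.startswith("remote ident"):
            cur["remote"] = _IDENT.search(line).group(1)
        elif line.startswith("current_peer:"):
            cur["peer"] = re.match(r"current_peer:\s*([^,\s]+)", line).group(1)
        elif line.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"#pkts encaps:\s*(\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"#pkts decaps:\s*(\d+)", line).group(1))
    return [SaCounters(r["local"], r["remote"], r["peer"], r["encaps"], r["decaps"])
            for r in records]


def one_way_sas(sas: List[SaCounters], ratio: int = 20, min_decaps: int = 100):
    """Heuristic (an assumption, not a Cisco rule): an SA that has decapsulated
    many packets but encapsulated almost none is receiving traffic that the
    inside network is not answering through the tunnel, which points at a
    missing return route rather than a broken tunnel."""
    return [sa for sa in sas
            if sa.decaps >= min_decaps and sa.decaps >= ratio * max(sa.encaps, 1)]


if __name__ == "__main__":
    for sa in one_way_sas(parse_ipsec_sa(SAMPLE_SHOW_CRY_IPSEC_SA)):
        print(f"one-way SA: {sa.remote_ident} via {sa.peer}: "
              f"decaps={sa.decaps} encaps={sa.encaps}")
```

Run against the sample, only the 172.16.201.10 remote-access SA is flagged; the 172.16.1.0/24 L2L SA is lopsided too (10 vs 170) but below the thresholds, which is the kind of judgement call the thresholds exist for.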
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24251494
Was that from your ASA or from the headend?  I would expect to see a 172.16.201.x IP?
0
 

Author Comment

by:dissolved
ID: 24251768
that was from the headend, which is an ASA.

The remote client was dialed in and had a 172.16.201.10 address
0
 

Author Comment

by:dissolved
ID: 24251821
I am showing that the user is connected:


1   IKE Peer: 71.200.37.168
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 75.145.11.189
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE


Crypto map tag: dynmap, seq num: 30, local addr: 75.150.145.225

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.201.10/255.255.255.255/0/0)
      current_peer: 75.145.11.189, username: *****
      dynamic allocated peer ip: 172.16.201.10
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24251826
Okay, did you remove the split tunneling?

Can you ping the inside of the ASA? 172.16.101.254
0
 

Author Comment

by:dissolved
ID: 24262572
Yes, I can ping the inside of the ASA. The split tunneling should still be there. I can surf the web while VPN'd in.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24262683
Hmm, well the tunnel is working fine.  What is the default gateway of the DNS server?  Is it 172.16.101.254? or something else?
0
 

Author Comment

by:dissolved
ID: 24263825
That I am not sure. I'd have to ask the SysAdmin
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24263892
Double check that since it appears your VPN config is okay but it might be a return routing issue.
0
 

Author Comment

by:dissolved
ID: 24263997
The gateway of the DC/DNS server is 172.16.101.1, which is an L3 core switch.
PS: Can you look at this: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24366832.html
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24264025
Does that L3 switch have a default route via 172.16.101.254? or something else?  You can add a route to 172.16.201.0/24 on the L3 switch via 172.16.101.254 if not.
0
 

Author Comment

by:dissolved
ID: 24264271
Here's the sh ip route of the 3750. Should I add a route to get to the VPN users 172.16.201.0/24?



COLO_3750#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is 172.16.101.254 to network 0.0.0.0
 
     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.1.0 is directly connected, FastEthernet1/0/45
     172.16.0.0/16 is variably subnetted, 27 subnets, 3 masks
O E1    172.16.232.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.200.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.60.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.58.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.53.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.54.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.36.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.37.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.32.0/24 [110/2] via 172.17.1.31, 1d07h, FastEthernet1/0/45
O IA    172.16.33.0/24 [110/2] via 172.17.1.33, 1d07h, FastEthernet1/0/45
O IA    172.16.34.0/24 [110/2] via 172.17.1.33, 1d07h, FastEthernet1/0/45
O E1    172.16.35.0/24 [110/22] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.31.0/24 [110/2] via 172.17.1.31, 1d07h, FastEthernet1/0/45
O E1    172.16.25.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.10.0/24 [110/2] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.11.0/24 [110/2] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.0.0/16 [110/22] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.1.0/24 [110/2] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.2.0/24 [110/2] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O IA    172.16.3.0/24 [110/2] via 172.17.1.1, 1d07h, FastEthernet1/0/45
C       172.16.100.0/30 is directly connected, FastEthernet1/0/48
C       172.16.101.0/24 is directly connected, Vlan101
C       172.16.102.0/24 is directly connected, Vlan102
C       172.16.103.0/24 is directly connected, Vlan103
O E1    172.16.70.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.71.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    172.16.65.0/24 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
     10.0.0.0/24 is subnetted, 2 subnets
O E1    10.80.8.0 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
O E1    10.80.9.0 [110/102] via 172.17.1.1, 1d07h, FastEthernet1/0/45
S    192.168.3.0/24 [1/0] via 172.16.101.254
S*   0.0.0.0/0 [1/0] via 172.16.101.254
COLO_3750#


0
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24264721
Yeah, you need to add a route as you have a 172.16.0.0/16 pointed somewhere else.  Add this:

ip route 172.16.201.0 255.255.255.0 172.16.101.254
0
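Why the 3750 needs that route is plain from its table: there is no 172.16.201.0/24 entry, so a reply to a VPN client falls to the most specific prefix that does contain it, which is the OSPF E1 172.16.0.0/16 via 172.17.1.1, not the default via the ASA. The packets leave towards the other site and never reach the ASA, which is exactly the one-way counters seen earlier. As an added illustration (not from this thread), here is a longest-prefix-match lookup in Python over a constructed subset of the COLO_3750 table, before and after the static route JFrederick29 suggested. The table rows, the pool prefix and the ASA inside address are taken from the thread; the function names are my own.

```python
import ipaddress

# Constructed subset of the COLO_3750 "show ip route" table from the thread:
# (source, prefix, next hop). Directly connected routes have no next hop.
CORE_ROUTES_BEFORE = [
    ("C",    "172.16.101.0/24", None),
    ("O IA", "172.16.1.0/24",   "172.17.1.1"),
    ("O IA", "172.16.10.0/24",  "172.17.1.1"),
    ("O E1", "172.16.0.0/16",   "172.17.1.1"),
    ("S*",   "0.0.0.0/0",       "172.16.101.254"),
]

ASA_INSIDE = "172.16.101.254"   # inside interface of ColoASA
VPN_POOL = "172.16.201.0/24"    # ip local pool VPN_Subnet


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins,
    regardless of the order the rows appear in."""
    addr = ipaddress.ip_address(dst)
    best = None
    for source, prefix, next_hop_ip in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (source, net, next_hop_ip)
    return best


def next_hop(table, dst):
    """Next hop the core would use for dst, or None if nothing matches."""
    hit = lookup(table, dst)
    return hit[2] if hit else None


def with_static(table, prefix, next_hop_ip):
    """Return a copy of the table with 'ip route <prefix> <next hop>' added."""
    return table + [("S", prefix, next_hop_ip)]


def return_path_via_asa(table, vpn_client_ip, asa_inside=ASA_INSIDE):
    """True if a reply to the VPN client would leave the core towards the ASA,
    which is the only device that can put it back into the IPsec tunnel."""
    return next_hop(table, vpn_client_ip) == asa_inside


if __name__ == "__main__":
    client = "172.16.201.10"
    src, net, nh = lookup(CORE_ROUTES_BEFORE, client)
    print(f"before: {client} -> {src} {net} via {nh}")
    fixed = with_static(CORE_ROUTES_BEFORE, VPN_POOL, ASA_INSIDE)
    src, net, nh = lookup(fixed, client)
    print(f"after:  {client} -> {src} {net} via {nh}")
```

The same check generalises to any VPN pool: if `return_path_via_asa` is false for a pool address on every L3 hop between the server and the ASA, the tunnel will come up and the client will still see nothing.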
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24266212
Actually, instead of the static route on the core, add this to the ASA to advertise into OSPF.

conf t
access-list deny-ospf-out line 1 standard deny 172.16.201.0 255.255.255.0
0
 

Author Comment

by:dissolved
ID: 24266382
OK, I added the route. I will test it out tomorrow. Just for learning purposes, what does that ACL do?  If we are using a deny ACL, how is it advertising into OSPF?
Thanks man
0
 

Author Comment

by:dissolved
ID: 24266385
btw: Why wouldn't the static route in the core have worked?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24266434
The static route would work but only as long as everything funneled back to the core 3750.  If it does, you can use the static route on the core but if not, go the OSPF route.  The deny access-list entry is a "don't match" rule for the "deny" route-map policy.  The route should then match the "permit any" rule and redistribute.
0
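The part that trips people up is that a "deny" ACE in an ACL referenced by a route-map "match ip address" does not deny the route; it says "this ACL does not match this route", so the route falls through to the next route-map sequence. As an added example (not from the thread and not Cisco code), here is a Python model of that evaluation: it parses the ASA standard access-list lines from the config, including the "line 1" insert JFrederick29 posted, and runs 172.16.201.0/24 through the ospf-out route-map before and after. The ACL and route-map contents are the thread's; the parser and evaluation functions are my own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    prefix: ipaddress.IPv4Network  # ASA standard ACLs take a netmask, not a wildcard


@dataclass
class Seq:
    action: str   # route-map sequence action: "permit" or "deny"
    acl: str      # ACL name referenced by "match ip address"
    sets: Dict[str, str] = field(default_factory=dict)


def parse_standard_acls(cli_lines: List[str]) -> Dict[str, List[Ace]]:
    """Parse 'access-list NAME [line N] standard permit|deny NET MASK|any'."""
    acls: Dict[str, List[Ace]] = {}
    for line in cli_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or "standard" not in t:
            continue
        name = t[1]
        insert_at = int(t[3]) - 1 if t[2] == "line" else None
        i = t.index("standard")
        action = t[i + 1]
        if t[i + 2] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{t[i + 2]}/{t[i + 3]}")
        entries = acls.setdefault(name, [])
        ace = Ace(action, net)
        if insert_at is None:
            entries.append(ace)
        else:
            entries.insert(insert_at, ace)
    return acls


def acl_matches_route(acl: List[Ace], route: ipaddress.IPv4Network) -> bool:
    """'match ip address' semantics: the first ACE covering the route's network
    address decides; permit = match, deny = no match; no ACE hit = no match."""
    for ace in acl:
        if route.network_address in ace.prefix:
            return ace.action == "permit"
    return False


def evaluate_route_map(route_map: List[Seq], acls: Dict[str, List[Ace]],
                       route: ipaddress.IPv4Network) -> Tuple[bool, Dict[str, str]]:
    """First sequence whose match clause matches decides. Returns
    (redistributed?, set clauses applied). No sequence matching = dropped."""
    for seq in route_map:
        if acl_matches_route(acls[seq.acl], route):
            return (seq.action == "permit", dict(seq.sets))
    return (False, {})


# route-map ospf-out from the thread: deny 10 / permit 20.
OSPF_OUT = [
    Seq("deny", "deny-ospf-out"),
    Seq("permit", "permit-ospf-out", {"metric": "100", "metric-type": "type-1"}),
]

ACL_LINES_BEFORE = [
    "access-list deny-ospf-out standard permit 172.16.0.0 255.255.0.0",
    "access-list deny-ospf-out standard permit 10.80.8.0 255.255.255.0",
    "access-list deny-ospf-out standard permit 192.168.100.0 255.255.255.0",
    "access-list permit-ospf-out standard permit any",
]
# The single line JFrederick29 suggested adding on the ASA.
ACL_LINES_AFTER = ACL_LINES_BEFORE + [
    "access-list deny-ospf-out line 1 standard deny 172.16.201.0 255.255.255.0",
]


def redistributed(cli_lines: List[str], prefix: str) -> Tuple[bool, Dict[str, str]]:
    """Would the static route for prefix be redistributed into OSPF?"""
    return evaluate_route_map(OSPF_OUT, parse_standard_acls(cli_lines),
                              ipaddress.ip_network(prefix))


if __name__ == "__main__":
    for label, lines in (("before", ACL_LINES_BEFORE), ("after", ACL_LINES_AFTER)):
        print(label, "172.16.201.0/24 ->", redistributed(lines, "172.16.201.0/24"))
```

Before the change, 172.16.201.0/24 hits "permit 172.16.0.0 255.255.0.0", so sequence 10 (deny) matches and the route is filtered. After the "line 1 ... deny" entry, the ACL returns "no match" for that prefix, sequence 10 is skipped, and sequence 20 permits it with metric 100 type-1. The other 172.16.x.0/24 statics are still filtered, which is what you want.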
 

Author Comment

by:dissolved
ID: 24269352
I tried the static route first and it didn't work. I took it out and added the OSPF command; it didn't work either.
0
 

Author Comment

by:dissolved
ID: 24269373
I take that back, the static route worked. But I can't ping the 172.16.1.0 network. Should I add a static route in the 172.16.1.1 core switch telling it to
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24269514
Yes, the 172.16.1.0 router will need a route to 172.16.201.0/24 via the 3750 (172.17.1.x).
0
