Solved

Cisco routing problem

Posted on 2009-05-12
352 Views
Last Modified: 2012-05-06
I am having a routing problem. In brief I have an internal network on the 10.0.0.0/24 range. On this network is a Cisco ASA5055 on IP address 10.0.0.9 and a Cisco 877 on IP address 10.0.0.254. The ASA allows dial-up SSL VPN connections and gives out IP addresses in the range 10.5.254.1-254. The Cisco 877 has an IPSEC VPN link to a 3G router and the 3G router uses addresses in the range 10.5.0.1-254. All the usual NAT stuff has been done to ensure that addresses are not translated. SSL VPN clients can ping devices on the 10.0.0.x network and vice versa. The clients on the 10.5.0.x can also ping devices on the 10.0.0.x network and vice versa.

The problem comes with allowing a client on a dial-up SSL VPN (10.5.254.x) to ping a device on the 10.5.0.x network. To ensure that this works I have:

1. Added a static route command on the ASA to send packets destined for the 10.5.0.x network to 10.0.0.254
2. Added a static route command on the 877 to send packets destined for the 10.5.254.x network to 10.0.0.9
3. Since the ASA is using split tunneling to only send packets destined for the 10.0.0.x network across the VPN, I have added the 10.5.0.x to the list of protected networks and pinging 10.5.0.x addresses from the 10.5.254.x network shows traffic going across the VPN
4. The ASA showed entries in the logs telling me to create a NAT rule as follows:
access-list outside_nat0_outbound extended permit ip 10.5.254.0 255.255.255.0 10.5.0.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
I guess this was to ensure that incoming 10.5.254.x addresses destined for 10.5.0.x were not touched by NAT
5. On the 877, I added extra entries wherever there was an access list specifying the 10.0.0.x network and the 10.5.0.x network as follows:

crypto dynamic-map mydynmap 1
 set transform-set my_GPRS_set
 match address 101
ip nat inside source route-map SDM_RMAP1 interface Dialer0 overload
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 101 permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 110 deny   ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 10.5.254.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP1 permit 1
 match ip address 110

Basically I am unable to ping 10.5.0.x hosts from hosts on the 10.5.254.x network (via the 10.0.0.x network) and have failed to work out where the problem lies. I tried to add the equivalent of the nat outside command on the 877 in case the incoming packets from the 10.5.0.x network were being translated. It is not at all clear what processes a packet coming in through a VPN on the 877 goes through.

Any help would be appreciated...
Question by:MSutherland25
3 Comments
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24370615
Can you run a traceroute on one of the 10.0 and 10.5 systems to see where is the last point that they reach?
LVL 30

Accepted Solution

by: Kerem ERSOY earned 500 total points
ID: 24370652
I'm suspecting that the problem might be with the Split Tunneling software. The tunneling software on each client must be sending 10.0.0.0/24 traffic and 10.5.0/254 traffic to the router. But is there some rule for them to send the 10.5.254.0/24 traffic to the router and vice versa for the ASA?
I think that they are sending these packages to the default gateway instead of the VPN tunnel.
Let me check on my VPN server. I remember that in the past I'd needed to add some extra routing but am not sure whether it was on the router or the VPN side.

Author Closing Comment

by:MSutherland25
ID: 31580801
You put me on the right track. I had forgotten to add the 10.5.254.x network to those that should be tunnelled on the 3G router (connected via an IPSEC Site-2-Site VPN to the Cisco 877)
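As an added example (not code from the question, the answers, or any vendor), here is a small Python model of the topology described in the thread: the SSL VPN client with its split-tunnel list, the ASA with its static route, the 877 with access-list 101 on the dynamic crypto map, and the 3G router at the far end of the site-to-site IPsec tunnel. The device names, the simplification that a packet is routed toward the default route and the crypto map intercepts it if a crypto ACL entry matches, and the rule that an IPsec flow only crosses the tunnel when both ends' crypto ACLs permit it (mirrored proxy identities) are this example's assumptions; NAT exemption is treated as correct, as the question states. Running the ping round trip with and without the 10.5.254.0/24 entry on the 3G router reproduces the failure and the fix from the closing comment, and the mirror check is the first thing worth verifying on any site-to-site tunnel when a newly added subnet will not pass.

```python
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


def ip(addr):
    return ipaddress.ip_address(addr)


def build_topology(add_3g_entry):
    """Constructed model of the thread's topology (device names are assumed).

    routes:     (destination, next hop); "internet" is the default route, and a
                crypto map may intercept the packet before it leaves the site.
    crypto_acl: (src, dst) pairs the device protects with IPsec.
    """
    r3g_acl = [(net("10.5.0.0/24"), net("10.0.0.0/24"))]
    if add_3g_entry:  # the entry the author had forgotten on the 3G router
        r3g_acl.append((net("10.5.0.0/24"), net("10.5.254.0/24")))
    return {
        # SSL VPN client: the split-tunnel list is what it sends to the ASA
        "sslclient": {"connected": [net("10.5.254.0/24")],
                      "routes": [(net("10.0.0.0/24"), "asa"),
                                 (net("10.5.0.0/24"), "asa"),
                                 (net("0.0.0.0/0"), "internet")]},
        "asa": {"connected": [net("10.0.0.0/24")],
                "routes": [(net("10.5.254.0/24"), "sslclient"),
                           (net("10.5.0.0/24"), "r877"),   # static route, step 1
                           (net("0.0.0.0/0"), "internet")]},
        "r877": {"connected": [net("10.0.0.0/24")],
                 "routes": [(net("10.5.254.0/24"), "asa"),  # static route, step 2
                            (net("0.0.0.0/0"), "internet")],
                 "ipsec_peer": "r3g",
                 "crypto_acl": [(net("10.0.0.0/24"), net("10.5.0.0/24")),    # access-list 101
                                (net("10.5.254.0/24"), net("10.5.0.0/24"))]},
        "r3g": {"connected": [net("10.5.0.0/24")],
                "routes": [(net("0.0.0.0/0"), "internet")],
                "ipsec_peer": "r877",
                "crypto_acl": r3g_acl},
    }


def acl_permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)


def forward(topology, device_name, src, dst):
    """Return the next device name, "delivered", or a "drop:<reason>" string."""
    dev = topology[device_name]
    if any(dst in n for n in dev["connected"]):
        return "delivered"
    best = max((r for r in dev["routes"] if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)  # longest prefix match
    if best is None:
        return "drop:no-route"
    nxt = best[1]
    if nxt != "internet":
        return nxt
    peer = dev.get("ipsec_peer")
    if peer and acl_permits(dev["crypto_acl"], src, dst):
        # An SA needs matching proxy identities, so the peer's ACL must permit
        # the mirrored flow; otherwise negotiation fails and the packet dies.
        if acl_permits(topology[peer]["crypto_acl"], dst, src):
            return peer
        return f"drop:{peer}-crypto-acl-mismatch"
    return "drop:private-to-internet"  # RFC 1918 source leaks out unencrypted and is lost


def trace(topology, start, src, dst, max_hops=8):
    path, current = [start], start
    for _ in range(max_hops):
        result = forward(topology, current, src, dst)
        if result == "delivered" or result.startswith("drop:"):
            return path, result
        path.append(result)
        current = result
    return path, "drop:loop"


def ping_round_trip(add_3g_entry):
    """Echo request from an SSL VPN client to a 3G-site host, and the reply."""
    topo = build_topology(add_3g_entry)
    client, host = ip("10.5.254.5"), ip("10.5.0.10")  # constructed sample hosts
    return {"request": trace(topo, "sslclient", client, host),
            "reply": trace(topo, "r3g", host, client)}


def unmirrored_crypto_entries(topology):
    """List (device, src, dst) crypto ACL entries whose mirror is missing on the peer."""
    missing = []
    for name, dev in topology.items():
        peer = dev.get("ipsec_peer")
        if not peer:
            continue
        for src, dst in dev["crypto_acl"]:
            if (dst, src) not in topology[peer]["crypto_acl"]:
                missing.append((name, str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for fixed in (False, True):
        print("3G entry added:", fixed, ping_round_trip(fixed))
        print("  unmirrored:", unmirrored_crypto_entries(build_topology(fixed)))
```

Without the extra entry the request reaches the 877 and dies there (no SA can be built for 10.5.254.0/24 to 10.5.0.0/24), and the reply never even leaves the 3G router, which matches the symptom of a one-sided crypto ACL; adding the mirrored entry makes both directions deliver and empties the mismatch list.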
