Cisco routing problem

Posted on 2009-05-12
Last Modified: 2012-05-06
I am having a routing problem. In brief, I have an internal network on the range. On this network is a Cisco ASA5055 on IP address and a Cisco 877 on IP address. The ASA allows dial-up SSL VPN connections and gives out IP addresses in the range. The Cisco 877 has an IPSEC VPN link to a 3G router and the 3G router uses addresses in the range. All the usual NAT stuff has been done to ensure that addresses are not translated. SSL VPN clients can ping devices on the 10.0.0.x network and vice versa. The clients on the 10.5.0.x can also ping devices on the 10.0.0.x network and vice versa.

The problem comes with allowing a client on a dial-up SSL VPN (10.5.254.x) to ping a device on the 10.5.0.x network. To ensure that this works I have:

1. Added a static route command on the ASA to send packets destined for the 10.5.0.x network to
2. Added a static route command on the 877 to send packets destined for the 10.5.254.x network to
3. Since the ASA is using split tunneling to only send packets destined for the 10.0.0.x network across the VPN, I have added the 10.5.0.x to the list of protected networks and pinging 10.5.0.x addresses from the 10.5.254.x network shows traffic going across the VPN
4. The ASA showed entries in the logs telling me to create a NAT rule as follows:
access-list outside_nat0_outbound extended permit ip
nat (outside) 0 access-list outside_nat0_outbound
I guess this was to ensure that incoming 10.5.254.x addresses destined for 10.5.0.x were not touched by NAT
5. On the 877, I added extra entries wherever there was an access list specifying the 10.0.0.x network and the 10.5.0.x network as follows:

crypto dynamic-map mydynmap 1
 set transform-set my_GPRS_set
 match address 101
ip nat inside source route-map SDM_RMAP1 interface Dialer0 overload
access-list 101 permit ip
access-list 101 permit ip
access-list 110 deny   ip
access-list 110 deny   ip
access-list 110 permit ip any
access-list 110 permit ip any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP1 permit 1
 match ip address 110

Basically, I am unable to ping 10.5.0.x hosts from hosts on the 10.5.254.x network (via the 10.0.0.x network) and have failed to work out where the problem lies. I tried to add the equivalent of the nat outside command on the 877 in case the incoming packets from the 10.5.0.x network were being translated. It is not at all clear what processes a packet coming in through a VPN on the 877 goes through.

Any help would be appreciated...
Question by:MSutherland25

Expert Comment

by:Kerem ERSOY
ID: 24370615
Can you run a traceroute on one of the 10.0 and 10.5 systems to see where the last point that they reach is?

Accepted Solution

Kerem ERSOY earned 500 total points
ID: 24370652
I'm suspecting that the problem might be with the split tunneling software. The tunneling software on each client must be sending traffic and 10.5.0/254 traffic to the router. But is there some rule for them to send the traffic to the router and vice versa for the ASA?
I think that they are sending these packages to the default gateway instead of the VPN tunnel.
Let me check on my VPN server. I remember that in the past I needed to add some extra routing, but I'm not sure whether it was on the router or on the VPN side.

Author Closing Comment

ID: 31580801
You put me on the right track. I had forgotten to add the 10.5.254.x network to those that should be tunnelled on the 3G router (connected via an IPSEC Site-2-Site VPN to the Cisco 877).
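Worked example, added here and not part of the original thread or of any Cisco software: a small Python model of the hop-by-hop forwarding decisions described in the question (steps 1 to 5) and diagnosed in the accepted answer. It uses only the three /24 networks named in the thread; the device and host addresses were stripped from the page, so the ones in the code are constructed placeholders, and NAT exemption is left out of the model entirely. Tracing both halves of the ping separately shows why the echo request and the echo reply each die at the 3G router until the 10.5.254.0/24 pair is added to its list of tunnelled networks, which is what the closing comment reports.

```python
"""Hop-by-hop reachability model for the ASA / 877 / 3G-router topology above.

Added example, not code from the original post or from Cisco. Only the /24
networks come from the thread; device and host addresses are constructed
placeholders. NAT exemption is ignored: the model covers static routes,
the ASA split-tunnel list and IOS-style crypto ACLs only.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("10.0.0.0/24")      # internal network behind the ASA and the 877
POOL = ip_network("10.5.254.0/24")   # ASA SSL VPN address pool
REMOTE = ip_network("10.5.0.0/24")   # LAN behind the 3G router


@dataclass
class Device:
    name: str
    connected: List[IPv4Network] = field(default_factory=list)
    # static routes: (prefix, next-hop device name); longest prefix wins
    routes: List[Tuple[IPv4Network, str]] = field(default_factory=list)
    # "interesting traffic": (src, dst) pairs the crypto ACL / split-tunnel list permits
    tunnel_acl: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)
    tunnel_peer: Optional[str] = None

    def permits_tunnel(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in s and dst in d for s, d in self.tunnel_acl)

    def next_hop(self, src: IPv4Address, dst: IPv4Address) -> Tuple[str, str]:
        """Return (how, next device). The crypto ACL is evaluated on the way out,
        so traffic it matches enters the tunnel before the routing table is consulted."""
        if any(dst in n for n in self.connected):
            return "delivered", self.name
        if self.tunnel_peer and self.permits_tunnel(src, dst):
            return "tunnel", self.tunnel_peer
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return ("no route", "") if best is None else ("route", best[1])


def trace(devices: Dict[str, Device], start: str, src: str, dst: str,
          max_hops: int = 8) -> Tuple[bool, List[str]]:
    """Follow one packet from device `start` toward `dst`; returns (delivered, path)."""
    s, d = ip_address(src), ip_address(dst)
    here, path = start, [start]
    for _ in range(max_hops):
        how, nxt = devices[here].next_hop(s, d)
        if how == "delivered":
            return True, path
        if nxt not in devices:          # no route, or a default route to the Internet
            path.append(f"dropped at {here}: {how} -> {nxt or 'none'}")
            return False, path
        if how == "tunnel" and not devices[nxt].permits_tunnel(d, s):
            # the receiving side checks decrypted packets against its mirrored ACL
            path.append(f"dropped at {nxt}: inbound crypto ACL rejects {src}->{dst}")
            return False, path
        path.append(nxt)
        here = nxt
    return False, path + ["hop limit reached"]


def build_topology(fix_applied: bool) -> Dict[str, Device]:
    """Topology as described in the question; `fix_applied` adds the 3G router entry
    the author later found missing. 'internet' is a sink, not a modelled device."""
    client = Device("sslvpn-client", tunnel_peer="asa",
                    tunnel_acl=[(POOL, LAN), (POOL, REMOTE)],   # split-tunnel list, step 3
                    routes=[(ANY, "internet")])
    asa = Device("asa", connected=[LAN, POOL],
                 tunnel_acl=[(LAN, POOL), (REMOTE, POOL)],      # same list, seen from the ASA
                 routes=[(REMOTE, "877"), (ANY, "internet")])   # step 1
    r877 = Device("877", connected=[LAN], tunnel_peer="3g",
                  tunnel_acl=[(LAN, REMOTE), (POOL, REMOTE)],   # access-list 101, step 5
                  routes=[(POOL, "asa"), (ANY, "internet")])    # step 2
    acl_3g = [(REMOTE, LAN)]
    if fix_applied:
        acl_3g.append((REMOTE, POOL))                           # the forgotten entry
    r3g = Device("3g", connected=[REMOTE], tunnel_peer="877",
                 tunnel_acl=acl_3g, routes=[(ANY, "internet")])
    return {dev.name: dev for dev in (client, asa, r877, r3g)}


def ping_ok(fix_applied: bool) -> Tuple[bool, List[str]]:
    """A ping needs both directions to work; hosts .10 are constructed placeholders."""
    devs = build_topology(fix_applied)
    fwd_ok, fwd = trace(devs, "sslvpn-client", "10.5.254.10", "10.5.0.10")
    rev_ok, rev = trace(devs, "3g", "10.5.0.10", "10.5.254.10")
    return fwd_ok and rev_ok, fwd + ["| reply:"] + rev


if __name__ == "__main__":
    for applied in (False, True):
        ok, path = ping_ok(applied)
        print(f"3G router tunnels 10.5.254.0/24: {applied} -> ping {'works' if ok else 'fails'}")
        print("   " + " -> ".join(path))
```

Removing the `(POOL, "asa")` route from the 877 in `build_topology` reproduces the symptom step 2 prevents (the reply leaves the 877 on its default route instead of going back to the ASA), which is a quick way to see that the traceroute suggested in the first comment would have pointed at a different device in that case.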
