Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Cisco routing problem

Posted on 2009-05-12
Medium Priority
Last Modified: 2012-05-06
I am having a routing problem. In brief I have a internal network on the range. On this network is a Cisco ASA5055 on IP address and a Cisco 877 on IP address The ASA allows dial-up SSL VPN connections and gives out IP addresses in the range The Cisco 877 has an IPSEC VPN link to a 3G router and the 3G router uses addresses in the range All the usual NAT stuff has been done to ensure that addresses are not translated. SSL VPN clients can ping devices on the 10.0.0.x network and visa-versa. The clients on the 10.5.0.x can also ping devices on the 10.0.0.x network and visa-versa.

The problem comes with allowing a client on a dial-up SSL VPN (10.5.254.x) to ping a device on the 10.5.0.x network. To ensure that this works I have:

1. Added a static route command on the ASA to send packets destined for the 10.5.0.x network to
2. Added a static route command on the 877 to send packets destined for the 10.5.254.x network to
3. Since the ASA is using split tunneling to only send packets destined for the 10.0.0.x network across the VPN, I have added the 10.5.0.x to the list of protected networks and pinging 10.5.0.x addresses from the 10.5.254.x network shows traffic going across the VPN
4. The ASA showed entries in the logs telling me to create a NAT rule as follows:
access-list outside_nat0_outbound extended permit ip
nat (outside) 0 access-list outside_nat0_outbound
I guess this was to ensure that incoming 10.5.254.x addresses destined for 10.5.0.x were not touched by NAT
5. On the 877, I added extra entries wherever there was an access list specifying the 10.0.0.x network and the 10.5.0.x network as follows:

crypto dynamic-map mydynmap 1
 set transform-set my_GPRS_set
 match address 101
ip nat inside source route-map SDM_RMAP1 interface Dialer0 overload
access-list 101 permit ip
access-list 101 permit ip
access-list 110 deny   ip
access-list 110 deny   ip
access-list 110 permit ip any
access-list 110 permit ip any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP1 permit 1
 match ip address 110

Basically I am unable to ping 10.5.0.x hosts from hosts on the 10.5.254.x network (via the 10.0.0.x network) and have failed to work out where the problem lies. I tried to add the equivalent of the nat outside command on the 877 in case the incoming packets from the 10.5.0.x network were being translated. It is not at all clear what processes a packet coming in through a VPN on 877 goes through.

Any help would be appreciated...
Question by:MSutherland25
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24370615
Can you run a trceroute on one of the 10.0 and 10.5 systems to see ehre is the last point that they reach ?
LVL 30

Accepted Solution

Kerem ERSOY earned 1500 total points
ID: 24370652
I'm suspecting that the problem might be with the Split Tunneling software. The tunneling software on each client must be sending traffic and 10.5.0/254 traffic to the router. But Is there some rule for them to send the Traffic to the Router and vice versa for the ASA?
I think that they are sending these packages to default gateway instead of the VPN tunnel.
Let me check on my VPN server. I remmebr that  in the past I'd needed to add some extra routing but nut sure whether it was on router on or VPN side.

Author Closing Comment

ID: 31580801
You put me on the right track. I had forgotten to add the 10.5.254.x network to those that should be tunnelled on the 3G router (connected via an IPSEC Site-2-Site VPN to the Cisco 877)

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question