Cisco routing problem

I am having a routing problem. In brief I have an internal network on the range. On this network is a Cisco ASA5055 on IP address and a Cisco 877 on IP address The ASA allows dial-up SSL VPN connections and gives out IP addresses in the range The Cisco 877 has an IPSEC VPN link to a 3G router and the 3G router uses addresses in the range All the usual NAT stuff has been done to ensure that addresses are not translated. SSL VPN clients can ping devices on the 10.0.0.x network and vice versa. The clients on the 10.5.0.x can also ping devices on the 10.0.0.x network and vice versa.

The problem comes with allowing a client on a dial-up SSL VPN (10.5.254.x) to ping a device on the 10.5.0.x network. To ensure that this works I have:

1. Added a static route command on the ASA to send packets destined for the 10.5.0.x network to
2. Added a static route command on the 877 to send packets destined for the 10.5.254.x network to
3. Since the ASA is using split tunneling to only send packets destined for the 10.0.0.x network across the VPN, I have added the 10.5.0.x to the list of protected networks, and pinging 10.5.0.x addresses from the 10.5.254.x network shows traffic going across the VPN.
4. The ASA showed entries in the logs telling me to create a NAT rule as follows:
access-list outside_nat0_outbound extended permit ip
nat (outside) 0 access-list outside_nat0_outbound
I guess this was to ensure that incoming 10.5.254.x addresses destined for 10.5.0.x were not touched by NAT.
5. On the 877, I added extra entries wherever there was an access list specifying the 10.0.0.x network and the 10.5.0.x network as follows:

crypto dynamic-map mydynmap 1
 set transform-set my_GPRS_set
 match address 101
ip nat inside source route-map SDM_RMAP1 interface Dialer0 overload
access-list 101 permit ip
access-list 101 permit ip
access-list 110 deny   ip
access-list 110 deny   ip
access-list 110 permit ip any
access-list 110 permit ip any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP1 permit 1
 match ip address 110

Basically I am unable to ping 10.5.0.x hosts from hosts on the 10.5.254.x network (via the 10.0.0.x network) and have failed to work out where the problem lies. I tried to add the equivalent of the nat outside command on the 877 in case the incoming packets from the 10.5.0.x network were being translated. It is not at all clear what processes a packet coming in through a VPN on 877 goes through.

Any help would be appreciated...
Kerem ERSOY (President) Commented:
I'm suspecting that the problem might be with the Split Tunneling software. The tunneling software on each client must be sending traffic and 10.5.0/254 traffic to the router. But is there some rule for them to send the traffic to the router and vice versa for the ASA?
I think that they are sending these packages to the default gateway instead of the VPN tunnel.
Let me check on my VPN server. I remember that in the past I'd needed to add some extra routing but not sure whether it was on the router or on the VPN side.
Kerem ERSOY (President) Commented:
Can you run a traceroute on one of the 10.0 and 10.5 systems to see where the last point that they reach is?
MSutherland25 (Author) Commented:
You put me on the right track. I had forgotten to add the 10.5.254.x network to those that should be tunnelled on the 3G router (connected via an IPSEC Site-2-Site VPN to the Cisco 877).
Question has a verified solution.
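
The fix reported in the thread, as an added example that is not part of the original posts: a small Python check that each tunnel selector on the Cisco 877 has a mirror-image selector on the 3G router, and that the echo reply from the 3G site would be placed back into the tunnel. The /24 masks, the host addresses and the selector lists are assumptions constructed from the networks named in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model; the /24 masks and host addresses are assumptions.
LAN, SITE_3G, SSL_POOL = "10.0.0.0/24", "10.5.0.0/24", "10.5.254.0/24"

# Selectors are (source_net, destination_net) pairs a peer will encrypt.
C877_SELECTORS = [(LAN, SITE_3G), (SSL_POOL, SITE_3G)]   # after step 5
R3G_BEFORE = [(SITE_3G, LAN)]                            # SSL pool forgotten
R3G_AFTER = R3G_BEFORE + [(SITE_3G, SSL_POOL)]           # the fix in the thread


def missing_mirrors(local, peer):
    """Selectors on `local` whose mirror image is absent on `peer`."""
    peer_set = {(ip_network(s), ip_network(d)) for s, d in peer}
    return [(s, d) for s, d in local
            if (ip_network(d), ip_network(s)) not in peer_set]


def is_tunnelled(selectors, src, dst):
    """True if a packet src -> dst matches any selector on this peer."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in selectors)


def ping_report(r3g_selectors, client="10.5.254.10", host="10.5.0.20"):
    """Model an echo request from an SSL VPN client and the reply from the 3G site."""
    return {
        "request_tunnelled_by_877": is_tunnelled(C877_SELECTORS, client, host),
        "reply_tunnelled_by_3g": is_tunnelled(r3g_selectors, host, client),
        "unmirrored_on_3g": missing_mirrors(C877_SELECTORS, r3g_selectors),
    }


if __name__ == "__main__":
    for label, sel in (("before", R3G_BEFORE), ("after", R3G_AFTER)):
        print(label, ping_report(sel))
```

Running the same comparison against the real selector lists of both peers shows any one-sided entry before a ping test is needed.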
