Cisco routing problem

Posted on 2009-05-12
Last Modified: 2012-05-06
I am having a routing problem. In brief I have an internal network on the range. On this network is a Cisco ASA5055 on IP address and a Cisco 877 on IP address The ASA allows dial-up SSL VPN connections and gives out IP addresses in the range The Cisco 877 has an IPSEC VPN link to a 3G router and the 3G router uses addresses in the range All the usual NAT stuff has been done to ensure that addresses are not translated. SSL VPN clients can ping devices on the 10.0.0.x network and vice versa. The clients on the 10.5.0.x can also ping devices on the 10.0.0.x network and vice versa.

The problem comes with allowing a client on a dial-up SSL VPN (10.5.254.x) to ping a device on the 10.5.0.x network. To ensure that this works I have:

1. Added a static route command on the ASA to send packets destined for the 10.5.0.x network to
2. Added a static route command on the 877 to send packets destined for the 10.5.254.x network to
3. Since the ASA is using split tunneling to only send packets destined for the 10.0.0.x network across the VPN, I have added the 10.5.0.x to the list of protected networks and pinging 10.5.0.x addresses from the 10.5.254.x network shows traffic going across the VPN
4. The ASA showed entries in the logs telling me to create a NAT rule as follows:
access-list outside_nat0_outbound extended permit ip
nat (outside) 0 access-list outside_nat0_outbound
I guess this was to ensure that incoming 10.5.254.x addresses destined for 10.5.0.x were not touched by NAT
5. On the 877, I added extra entries wherever there was an access list specifying the 10.0.0.x network and the 10.5.0.x network as follows:

crypto dynamic-map mydynmap 1
 set transform-set my_GPRS_set
 match address 101
ip nat inside source route-map SDM_RMAP1 interface Dialer0 overload
access-list 101 permit ip
access-list 101 permit ip
access-list 110 deny   ip
access-list 110 deny   ip
access-list 110 permit ip any
access-list 110 permit ip any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP1 permit 1
 match ip address 110

Basically I am unable to ping 10.5.0.x hosts from hosts on the 10.5.254.x network (via the 10.0.0.x network) and have failed to work out where the problem lies. I tried to add the equivalent of the nat outside command on the 877 in case the incoming packets from the 10.5.0.x network were being translated. It is not at all clear what processes a packet coming in through a VPN on 877 goes through.

Any help would be appreciated...
Question by: MSutherland25

Expert Comment

by: Kerem ERSOY
ID: 24370615
Can you run a traceroute on one of the 10.0 and 10.5 systems to see where is the last point that they reach?

Accepted Solution

Kerem ERSOY earned 500 total points
ID: 24370652
I'm suspecting that the problem might be with the split tunneling software. The tunneling software on each client must be sending traffic and 10.5.0/254 traffic to the router. But is there some rule for them to send the traffic to the router and vice versa for the ASA?
I think that they are sending these packages to the default gateway instead of the VPN tunnel.
Let me check on my VPN server. I remember that in the past I'd needed to add some extra routing but not sure whether it was on the router or on the VPN side.

Author Closing Comment

ID: 31580801
You put me on the right track. I had forgotten to add the 10.5.254.x network to those that should be tunnelled on the 3G router (connected via an IPSEC Site-2-Site VPN to the Cisco 877)
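An added example, not part of the thread and not either poster's configuration: the root cause above was that one hop on the path (the 3G router) did not list the SSL VPN pool in its crypto ACL, while the ASA and the 877 did. The script below parses IOS-style "permit ip SRC WILDCARD DST WILDCARD" lines for each device and reports which hop would not treat a given flow as interesting traffic in either direction. The /24 masks, the ACL numbers and names, and the sample addresses are constructed assumptions (the thread only gives 10.0.0.x, 10.5.0.x and 10.5.254.x); the ASA split-tunnel list is written in IOS wildcard form so one parser serves all three devices, which is a modelling shortcut rather than real ASA syntax.

```python
"""Audit whether a flow is 'interesting traffic' at every VPN hop on its path.

Added example, not from the thread. It models the failure in the closing
comment: a flow between two protected networks was in the crypto/split-tunnel
lists on the ASA and the 877 but not on the 3G router. IPsec crypto ACLs are
written from the local side's viewpoint and mirrored on the peer, so a pair
(A, B) is taken to cover both A->B and B->A.
"""
from ipaddress import ip_address, ip_network

# Constructed sample configs. The thread gives the ranges only as 10.0.0.x,
# 10.5.0.x and 10.5.254.x; the /24 masks and ACL numbers/names are assumptions.
# The ASA split-tunnel list is written in IOS wildcard form for the parser;
# real ASA syntax differs.
CONFIG_ASA = """
access-list asa_split permit ip 10.5.254.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list asa_split permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.0.255
"""
CONFIG_877 = """
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 101 permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.0.255
"""
# 3G router before the fix: only its own LAN <-> the 10.0.0.x LAN is protected.
CONFIG_3G_BEFORE = """
access-list 101 permit ip 10.5.0.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
# After the fix from the closing comment: the SSL VPN pool is added.
CONFIG_3G_AFTER = CONFIG_3G_BEFORE + (
    "access-list 101 permit ip 10.5.0.0 0.0.0.255 10.5.254.0 0.0.0.255\n"
)


def _address_spec(tokens):
    """Consume one IOS address spec from the front of tokens:
    'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ip_network("0.0.0.0/0")
    if first == "host":
        return ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a hostmask (an IOS wildcard) after the slash.
    return ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_acl(config, acl_name):
    """Return the (src, dst) network pairs of the 'permit ip' lines of one ACL.
    Deny lines and other ACLs are ignored."""
    pairs = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        rest = tokens[4:]
        src = _address_spec(rest)
        dst = _address_spec(rest)
        pairs.append((src, dst))
    return pairs


def is_interesting(pairs, src, dst):
    """True if src<->dst matches a pair in either orientation."""
    s, d = ip_address(src), ip_address(dst)
    return any((s in a and d in b) or (s in b and d in a) for a, b in pairs)


def audit_flow(hops, src, dst):
    """hops maps a device label to its parsed pairs. Returns the labels of the
    hops that would send the flow via their normal routing table instead of
    into the tunnel."""
    return [name for name, pairs in hops.items() if not is_interesting(pairs, src, dst)]


def build_hops(asa_cfg, r877_cfg, r3g_cfg):
    """The three hops an SSL VPN client -> 10.5.0.x packet crosses, in order."""
    return {
        "ASA split-tunnel": parse_acl(asa_cfg, "asa_split"),
        "877 crypto ACL 101": parse_acl(r877_cfg, "101"),
        "3G router crypto ACL 101": parse_acl(r3g_cfg, "101"),
    }


if __name__ == "__main__":
    flow = ("10.5.254.5", "10.5.0.7")  # SSL VPN client -> host behind the 3G router
    for label, cfg in (("before fix", CONFIG_3G_BEFORE), ("after fix", CONFIG_3G_AFTER)):
        missing = audit_flow(build_hops(CONFIG_ASA, CONFIG_877, cfg), *flow)
        print(f"{label}: hops missing a rule for {flow[0]} <-> {flow[1]}: {missing or 'none'}")
```

Run as-is it reports the 3G router as the only hop missing a rule before the fix and none after it. The same check run against the real "show running-config" output of each device, with the path's hops listed in order, answers the question the thread turned on: not whether a route exists, but whether every encrypting hop agrees that the flow belongs in the tunnel.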

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question