Cisco ASA VPN Routing Issue

Posted on 2011-02-24
Last Modified: 2012-05-11
I have a Cisco ASA firewall and I am having some very slight issues with my VPN clients.

I have several internal networks, all connected by point-to-point private T1's... They are the networks located at:


The ASA is located at The VPN clients are given addresses from a pool at 192.168.4.x

Here is the problem... When a client is connected via VPN they can reach ANY of the internal networks (p.s. all the routers are at 192.168.x.254)... EXCEPT the devices on the 192.168.0.x network.....

Here is the (pertinant) portion of the running config:

: Saved
ASA Version 8.2(2)
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address
interface Ethernet0/1
 nameif vacant
 security-level 75
 no ip address
interface Ethernet0/2
 nameif dmz
 security-level 25
 ip address
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address
ftp mode passive
dns server-group DefaultDNS
access-list outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any
access-list to-dmz extended permit icmp any any
access-list dmz-in extended permit ip DMZ-Net any
access-list dmz-in extended permit icmp any any
access-list inside extended deny udp any any eq 135
access-list inside extended permit udp any any eq tftp
access-list inside extended deny udp any any eq netbios-ns
access-list inside extended deny udp any any eq netbios-dgm
access-list inside extended deny udp any any eq 139
access-list inside extended deny tcp any any eq 135
access-list inside extended deny tcp any any eq 137
access-list inside extended deny tcp any any eq 138
access-list inside extended deny tcp any any eq netbios-ssn
access-list inside extended deny tcp any any eq 445
access-list inside extended deny tcp any any eq 593
access-list inside extended deny tcp any any eq 4444
access-list inside extended permit ip any any
ip local pool VPN-Pool mask
global (dmz) 10 interface
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
access-group inside in interface inside
access-group dmz-in in interface dmz
access-group to-dmz in interface outside
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
group-policy unity internal
group-policy unity attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value
username unity password txOP8663574s9f6 encrypted privilege 0
username unity attributes
 vpn-group-policy unity
tunnel-group unity type remote-access
tunnel-group unity general-attributes
 address-pool VPN-Pool
 default-group-policy unity
tunnel-group unity ipsec-attributes
 pre-shared-key *****
Question by:ThePhreakshow
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Author Comment

ID: 34976115
The router located at is aware of all of the networks and has no problem getting to devices on the 192.168.0.x network and vice-versa
LVL 79

Expert Comment

ID: 34976853
What about the router on the 192.168.0.x end of the P2P T1?
Does it have a route to pointing the wrong direction?
LVL 33

Expert Comment

ID: 34982290
Can the VPN client tracert into 192.168.0.x?   Do you see the router as as a 'hop'?   If you do, then I think you can eliminate the ASA as the source of the issue.    

As lrmoore mentioned, check the route on the router.   I would also mention to look at any ACL on the router as well.  

Prevent Ransomware with Total Security Suite

With recent ransomware attacks topping the headlines, it might seem like there'e no hope in the battle against these advanced threats. Learn more about how WatchGuard's Total Security Suite can effectively prevent ransomware attacks including Petya 2.0 and WannaCry!


Author Comment

ID: 34982867
It does NOT see the router as a hop, and times out straight away.

When I try ANY of the other networks (3.x, 5.x, 6.x, 7.x) from a VPN client, the first hop in the route is the router which is also on the same local private segment as the inside interface of the ASA.

The router at is "managed" (poorly) by our new AT&T PTP services, so despite many attempts to get them to give me at least a show run from that router have failed.

Author Comment

ID: 34982965
what is strange, however is that the routers at 3.254, 5.254, 6.254 and 7.254 are all the same routers as the problem child at 0.254... They are all "managed" by AT&T and were all installed at the same time.

Again I will reiterate that the only problem I am having is with VPN clients that get something out of the 192.168.4.x pool. Otherwise connectivity from end to end on the PTP connections works fine.
LVL 33

Expert Comment

ID: 34983503
From the ASA CLI, can you ping into that subnet?  

Can we see the entire sanitized config from the ASA also...
LVL 30

Accepted Solution

Britt Thompson earned 500 total points
ID: 34987038
Have you verified that these particular VPN clients are not connecting from an internet connection where their internal private subnet is 192.168.0.x? 192.168.0.x is a very common internal subnet and may very easily be their subnet if they are using the VPN client from home or from another office. This will prevent their routing to the .0.x subnet.

Author Closing Comment

ID: 35203972
That was EXACTLY the problem... The far away place that I had was using a private IP range that was in conflict with one of the networks behind my VPN.. I changed the network I was on to a far off IP range unrelated to my work network and it worked perfect.

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question