VPN Connectivity to Entire MPLS Network
Posted on 2011-05-11
We have a client who has a nationwide MPLS network and they are looking for a way to provide remote workers with access to the MPLS network.
I had expected to be able to configure SSL VPN on one of the ASAs on the network and that everything else would fall into place. I have a feeling that I am missing a NAT exemption somewhere in my access-lists, but since I have never attempted something like this before, I wanted to make sure this was possible before I went crazy finding what was missing.
The MPLS network uses various /24s on the 192.168.0.0 /16 netblock. 10.0.10.0 /24 is used for MPLS routing between sites by the carrier.
172.16.3.0 /24 is what I currently have configured as the IP pool on the ASA for SSL VPN clients.
In my NAT exemption lists (using double NAT on ASA 8.4.1), I have included the 192.168.0.0 /16 and the 10.0.10.0/24 as the source and 172.16.3.0/24 as the destination.
Same with the split-tunnel access-list.
The VPN tunnel comes up fine, the SSL client indicates all the routes I specified are secured, but I only have connectivity to the network where the ASA I am establishing a VPN connection to is the default gateway.
At first, I thought that this may indicate that what I was looking to accomplish was not possible, however, weird traceroute response has me believing that something may just be misconfigured.
192.168.169.0 /24 is the network the ASA is acting as the gateway for. When tracerouting to a machine on this network, I get one simple response and standard pings work perfectly.
When attempting to tracert to a machine on the 192.168.168.0 /24 network, a tracert returns one successful reply and then continuous failures. Ping attempts return nothing.
Any assistance or input would be appreciated.