ASA 5505 VPN Routing

agruber85
I have an ASA which is providing VPN connection to my external users. It was working perfectly until we decided to separate the network into Voice, Video, and Data (each has its own subnet). Now my users get their VPN connection but are not being routed to the router providing the inter-VLAN routing.

Question: How do I route the VPN traffic to the other 10.10.X.X networks?
VPN/Data is 10.10.1.X
Voice is 10.10.10.X
Video is 10.10.20.x

Also I am using EIGRP and from the ASA itself can ping each subnet on a separate router.
ASA (VPN) 10.10.1.1
Router with vlans 10.10.1.2

Configuration
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.1.10-10.10.1.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
router eigrp 100
 no auto-summary
 network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 65.X.X.66 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
John Meggers, Network Architect

Commented:
I suspect you need to expand your split tunneling ACL to list traffic to the other subnets.  You also have a NAT0 access-list but no NAT 0 command entry, so you need to add:

nat (inside) 0 access-list inside_nat0_outbound
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Furthermore I see static and eigrp routes. Are all the needed networks routed correctly?
Top Expert 2011

Commented:
Just to add: make sure devices on other networks have a route back to your VPN clients.

Author

Commented:
jmeggers,

You are right, I added the..
 Nat (inside) 0 access-list inside_nat0_outbound line.

I also made the change to the Split Tunnel...
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0

Still I am not able to access the 10.10.10.1 network from the VPN.



Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Does the asa have a route to that network?
Top Expert 2011
Commented:
@agruber85

Make sure devices on other networks have a route back to your VPN clients' network.

Author

Commented:
I have run this for all ports connected from the router to the switch

router eigrp 100
network 10.0.0.0 255.0.0.0
no auto-summary

that should cover the route back unless it has to be more specific
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
just to be sure, could you do a 'sh route' on the asa?
Top Expert 2011

Commented:
I suspect your problem is related to routing, since you have configured split tunneling and nonat properly.

Author

Commented:
Gateway of last resort is 65.X.X..65 to network 0.0.0.0

C    65.2X.X.64 255.255.255.192 is directly connected, outside
C    10.10.1.0 255.255.255.0 is directly connected, inside
D    10.10.10.0 255.255.255.0 [90/30720] via 10.10.1.2, 0:10:28, inside
S    10.10.1.10 255.255.255.255 [1/0] via 65.210.111.65, outside
D    10.10.20.0 255.255.255.0 [90/30720] via 10.10.1.2, 0:10:28, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 65.210.111.65, outside
Ernie Beek, Senior infrastructure engineer
Top Expert 2012
Commented:
Ok.

You added  the Nat (inside) 0 access-list inside_nat0_outbound line.
Did you also add: access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0 etc to exempt the networks from nat?
Top Expert 2011

Commented:
You don't need this route

10.10.1.10 255.255.255.255 [1/0] via 65.210.111.65

Author

Commented:
I did add

access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0

Still not able to access those networks through the VPN
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ok.

When you look at the (ASDM) logging, does something show up?

Author

Commented:
I am not sure how to do that through the command prompt and don't have access to the GUI.

I do have an issue on my 2911 router though. When I run a show ip route eigrp I get "Gateway of last resort is not set"
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Perhaps it's an idea to first set all the routes statically to see if we can get this working and after that have a look at routing protocols (?).

Author

Commented:
I will get the static routes setup and let you know if it is working.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
We'll be waiting :)

Author

Commented:
ok. so I have the static routes made on the ASA to the 10.10.10.0 and 10.10.20.0 subnets and can ping the interfaces from the ASA itself but not from the VPN connection.


interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.XX.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.1.10-10.10.1.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.65 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 1
route inside 10.10.20.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5

ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
Top Expert 2011

Commented:
What about the router? Have you configured static routes on it?

Author

Commented:
If I can ping it from the ASA then I should be able to do so from the VPN connection correct?
Top Expert 2011
Commented:
Your vpn connection has its own subnet so your router needs to have a route configured for this subnet pointing to asa

Author

Commented:
The VPN subnet is one and the same for my inside interface (Vlan1) and I was previously able to access the hardware hanging off the switch when it was on that schema.

Is that what you were referring to or do I need to setup a different route somehow?
 
 

Author

Commented:
Am I running into this issue because my VPN IP address range is within the same subnet my inside VLAN is configured for?
Top Expert 2011

Commented:
Try using a different subnet for VPN

Commented:
the Remote access vpn must use a different subnet.  
also,
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0

add in an ip address for the additional subnets in question:
 ip address 10.10.1.1 255.255.255.0
 ip address 10.10.10.1 255.255.255.0 secondary
 ip address 10.10.20.1 255.255.255.0 secondary

Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Looks like you're getting there.

As said, use a different subnet for the vpn range. Because there is a kind of routing between the subnets, you get in trouble when the same subnet is on the in- and outside (vpns terminate on the outside interface).
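
Added example (not part of any post in this thread, and not Cisco tooling): a Python check for the three faults the thread works through on the ASA 8.2 config, namely an address pool that sits inside the `inside` interface subnet, a VPN pool not covered by any ACL bound with `nat (inside) 0 access-list`, and a split-tunnel list that omits routed subnets. The two sample configs are constructed from lines posted in the thread; the function names and finding codes are invented for the example.

```python
import ipaddress

INTERNAL = ["10.10.1.0/24", "10.10.10.0/24", "10.10.20.0/24"]  # subnets from the question
# Constructed from the thread: lines of the first (BROKEN) and last (FIXED) posted configs.
BROKEN = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.1.0 255.255.255.0
ip local pool vtcpool 10.10.1.10-10.10.1.30 mask 255.255.255.0
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value Split_Tunnel_List
"""
FIXED = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit ip 10.10.40.0 255.255.255.0 any
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value Split_Tunnel_List
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Pull out the inside subnet, address pools, ACL networks and ACL bindings."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": [], "split": []}
    nameif = None
    for raw in filter(str.strip, config.splitlines()):
        w = raw.split()
        if not raw.startswith(" "):       # a top-level line ends the interface block
            nameif = None
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "inside":
            cfg["inside"] = net(w[2], w[3])
        elif w[:3] == ["ip", "local", "pool"]:
            lo, _, hi = w[4].partition("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif w[0] == "access-list" and "permit" in w:
            try:                          # destination is the trailing "network mask" pair
                cfg["acls"].setdefault(w[1], []).append(net(w[-2], w[-1]))
            except ValueError:
                pass                      # ends in "any" or a host: not used by these checks
        elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"].append(w[4])
        elif w[0] == "split-tunnel-network-list":
            cfg["split"].append(w[2])
    return cfg

def audit(config, internal_nets):
    """Return finding codes for the three faults worked through in the thread."""
    cfg, out = parse(config), []
    nets = lambda names: [a for x in names for a in cfg["acls"].get(x, [])]
    for name, (lo, hi) in cfg["pools"].items():
        if cfg["inside"] and (lo in cfg["inside"] or hi in cfg["inside"]):
            out.append(f"pool-overlaps-inside:{name}")
        if not any(lo in a and hi in a for a in nets(cfg["nat0"])):
            out.append(f"pool-not-nat-exempt:{name}")
    for n in map(ipaddress.ip_network, internal_nets):
        if not any(n.subnet_of(a) for a in nets(cfg["split"])):
            out.append(f"split-tunnel-missing:{n}")
    return out
```

`audit(BROKEN, INTERNAL)` reports the pool overlap, the missing NAT exemption and the two subnets absent from the split-tunnel list; `audit(FIXED, INTERNAL)` returns an empty list.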

Author

Commented:
naughton,

I can only assign 1 ip address to my Int Vlan1. Is there another place to add the additional subnets?

Author

Commented:
OK,
For a minute I was able to ping the following from the VPN connection but now it is lost.
10.X
20.X

any ideas what I might have changed?


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.X 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.210.111.65 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 2
route inside 10.10.20.0 255.255.255.0 10.10.1.2 3
route inside 10.10.40.0 255.255.255.0 10.10.1.1 4

Author

Commented:
Also noticed I cannot ping the router's gateway from the VPN
10.10.1.2
Top Expert 2011
Commented:
route inside 10.10.40.0 255.255.255.0 10.10.1.1 4

You don't need this route.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Assuming 10.10.40.0 is the VPN range, you only need:
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
for NAT exempt. Get rid of the others.

Author

Commented:
I made the changes

no route inside 10.10.40.0 255.255.255.0 10.10.1.1 4
no access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0

For some reason I still cannot ping 10.10.1.2 from the VPN

Here is my ASA Sh Route
C    65.X.X.X 255.255.255.192 is directly connected, outside
C    10.10.1.0 255.255.255.0 is directly connected, inside
S    10.10.10.0 255.255.255.0 [2/0] via 10.10.1.2, inside
S    10.10.20.0 255.255.255.0 [3/0] via 10.10.1.2, inside
S    10.10.40.1 255.255.255.255 [1/0] via 65.X.X.65, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 65.X.X.65, outside

Here is the 2900 Sh ip Route
C 10.10.1.0/24 is directly connected
L 10.10.1.2/32 is directly connected
C 10.10.10.0/24 is directly connected
L 10.10.10.1/32 is directly connected
C 10.10.20.0/24 is directly connected
L 10.10.20.1/32 is directly connected
S 10.10.40.0/24 [1/0] via 10.10.1.1
Top Expert 2011
Commented:
Get rid of this route as well

 10.10.40.1 255.255.255.255 [1/0] via 65.X.X.65, outside

You don't need a route on asa for vpn subnet

Author

Commented:
fgasimzade:

10.10.40.1 255.255.255.255 [1/0] via 65.X.X.65, outside

That is my VPN connected client.
Top Expert 2011

Commented:
Oops, sorry, can you post your config again as well as your router's config?
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Furthermore, any showing in the log when trying to connect?
Top Expert 2011
Commented:
You would also need to assign an access-list to your outside interface to allow your vpn subnet to enter your network

access-list outside_access_in extended permit ip 10.10.40.0 255.255.255.0 any
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
@fgasimzade: Did I just overlook that? :-~
Top Expert 2011
Commented:
@erniebeek, Actually I was surprised you did not notice it.. :)

@agruber85, don't forget to apply your access-list to your outside interface

access-group outside_access_in in outside

Author

Commented:
ASA Config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.X 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.X 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 2
route inside 10.10.20.0 255.255.255.0 10.10.1.2 3


2900 Config - Not easily cut and pasted as it's on a different network
0/0
10.10.1.2 255.255.255.0
Duplex Auto
speed auto
no mop enabled

0/1
10.10.10.1 255.255.255.0
Duplex Auto
speed auto

0/2
10.10.20.1 255.255.255.0
Duplex Auto
speed auto

ip route 10.10.1.0 255.255.255.0 10.10.1.1
ip route 10.10.20.0 255.255.255.0 10.10.1.1
ip route 10.10.40.0 255.255.255.0 10.10.1.1
Top Expert 2011

Commented:
Take a look at my previous post please :)

Author

Commented:
added:
access-list outside_access_in extended permit ip 10.10.40.0 255.255.255.0 any

Wouldn't take
access-group outside_access_in in outside
Top Expert 2011

Commented:
Sorry,

access-group outside_access_in in interface outside

Author

Commented:
I cannot ping my VPN client from the ASA (10.10.1.X Network)
I believe that is where my LARGE problem lies.
Top Expert 2011

Commented:
Have you assigned the access-list to the outside interface?

Author

Commented:
@fgasimzade:

This command took ,
access-group outside_access_in in interface outside

Still not able to ping the 10.10.40.1 client from the ASA or the Router.
I can ping the ASA from the VPN Client but not the 2900 Router (10.10.1.2)
Top Expert 2011

Commented:
I can't see any nat statement

nat (inside) 0 access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0

Author

Commented:
@ erniebeek:

I do not know the log commands to do what you asked. If you tell me what they are I will get the information.

Author

Commented:
fgasimzade:

nat (inside) 0 access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0

The extended posed a problem in the syntax
Top Expert 2011
Commented:
Oh, sorry my friend, it is 45C here outside,

you need only this part


nat (inside) 0 access-list inside_nat0_outbound

Author

Commented:
here is what I have now - Still not able to ping the inside from the VPN client or ping the VPN client from the ASA


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.40.0 255.255.255.0
access-list vpntunnelgroup_Split_Tunnel standard permit 10.10.40.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit ip 10.10.40.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.40.1-10.10.40.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65..X.X 1
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 2
route inside 10.10.20.0 255.255.255.0 10.10.1.2 3

Author

Commented:
Sorry, I CAN! ping the interfaces from the VPN client now!!

Cannot ping the VPN client IP from the ASA though, is that normal?
Top Expert 2011

Commented:
Good! Do you have any firewall configured on your vpn client? It might be blocking icmp pings

Author

Commented:
The Windows Firewall is off and the antivirus was turned off as well.

Any other ideas? I am also having an issue pinging a pc that is on the 10.10.20.X network but can hit the 10.10.10.101 Unit I have up.

Possible 2911 routing issue?
Top Expert 2011

Commented:
What is your default gateway on pc in 10.10.20.x

Author

Commented:
it was 10.10.20.1
Top Expert 2011

Commented:
Any firewall installed on this pc?

Author

Commented:
no firewall is installed on the pc.

I seem to be having trouble accessing any machine on the 10.10.20.x network other than being able to ping the 10.10.20.1 gateway/interface..
Top Expert 2011

Commented:
So you can ping 10.10.20.1 but not the PCs in this subnet?

What about PCs in other subnets?

Author

Commented:
I did some troubleshooting and during a tracert I get this. Routing or vlan issue?

H:\>tracert 10.10.10.1
Tracing route to 10.10.10.1 over a maximum of 30 hops
  1     3 ms     2 ms     2 ms  10.10.10.1
Trace complete.

H:\>tracert 10.10.10.101
Tracing route to 10.10.10.101 over a maximum of 30 hops
  1     2 ms     1 ms     1 ms  10.10.1.2
  2     2 ms     2 ms     2 ms  10.10.10.101
Trace complete.

H:\>tracert 10.10.20.1
Tracing route to 10.10.20.1 over a maximum of 30 hops
  1     2 ms     2 ms     1 ms  10.10.20.1
Trace complete.

H:\>tracert 10.10.20.101
Tracing route to 10.10.20.101 over a maximum of 30 hops
  1     2 ms     1 ms     1 ms  10.10.1.2
  2     *     ^C
Top Expert 2011

Commented:
Hm, can you ping PCs in 10.10.20.0 from any other network?
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ok, I'm back.

Regarding logging, can you access the asdm? That would be the easiest way.

Author

Commented:
ok I added the Laptop to the 10.10.10.x subnet and can ping 10.10.20.1 and 10.10.20.101 successfully!

From the VPN side (10.10.40.x) I can ping 10.10.20.1 but not 10.10.20.101

Author

Commented:
Erniebeek and fgasimzade,

Thanks for all of the support! Since I am able to VPN into the network and reach 75% of my network I am calling this one complete and will open a new question to help my routing issues and switch over to EIGRP.

Thanks again, you guys make it possible for people like me to operate in areas where we are clueless!

-agruber85
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Always glad if we can help :)

Thx for the points.
