Can't Connect to VPN Router

We had an issue at a Remote Site where tenants needed to connect to their corporate site using a VPN connection while using our Wireless that we provide in this building.

We have Meraki APs providing DHCP on the subnet which overlaps with their network so I reconfigured the ASA with a "guest" VLAN providing an address to 192.168.2.X and will put the APs in bridge mode.

I am testing this connection in my work space and my laptop does now get a 192.168.2.X address and gets Internet access. But when testing a VPN connection using the Cisco Client to our VPN Router I can't establish a connection. I noticed when I try to ping our VPN router I don't get a response.


So my question is, what is blocking this? I can ping IPs and access Web Pages but not this IP. I spoke with my Boss and he stated it's nothing related to our corporate firewall, so it must relate to a configuration on the ASA. Any suggestions of how I can troubleshoot? Opened ASDM --> Logging and Filtered by my Source IP but didn't see any information of blocks. Like I said I don't know where to begin, any guidance would be appreciated.
Tim OBrien, Systems Engineer, Asked:
Did you exclude traffic that source ip address is network when destination network is from NAT? If you can get to internet that traffic is natted (at least when destination ip is in public address space).
Do routers on the remote site have a route to your network? Every router along the path needs to know where interesting traffic needs to be sent. If there is no more specific route than the default route, traffic will be forwarded to the internet, and since the destination address is in private address space the ISP will drop such traffic (traffic that is not natted and is not forwarded through the VPN tunnel).
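
The decision described in the answer above, modelled as an added example (not part of the original answer and not ASA code): NAT exemption is checked per source/destination pair, the egress is chosen by longest-prefix match, and a packet that only matches the default route is dropped upstream if it still carries a private address. All networks, addresses and interface names are constructed for illustration.

```python
import ipaddress as ip

# Constructed sample values (assumptions, not taken from the thread).
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_EXEMPT = [("192.168.2.0/24", "10.50.0.0/16")]  # (source, destination) pairs excluded from NAT
ROUTES = [("0.0.0.0/0", "outside"), ("10.50.0.0/16", "vpn-tunnel")]
DEFAULT_ONLY = [("0.0.0.0/0", "outside")]

def is_private(addr):
    """True if addr falls in RFC 1918 space."""
    return any(ip.ip_address(addr) in net for net in RFC1918)

def best_route(dst, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    hits = [(ip.ip_network(net), via) for net, via in routes
            if ip.ip_address(dst) in ip.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen, default=(None, None))

def nat_exempt(src, dst, rules):
    """True if a rule excludes this source/destination pair from NAT."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(s in ip.ip_network(a) and d in ip.ip_network(b) for a, b in rules)

def trace(src, dst, rules=NAT_EXEMPT, routes=ROUTES):
    """Return (egress, source_translated, verdict) for one packet."""
    net, via = best_route(dst, routes)
    if net is None:
        return (None, False, "dropped: no route")
    translated = not nat_exempt(src, dst, rules)
    if net.prefixlen == 0:
        # Only the default route matched, so the packet heads to the internet.
        if is_private(dst) or (not translated and is_private(src)):
            return (via, translated, "dropped by ISP: private address on the internet")
    return (via, translated, "forwarded")

if __name__ == "__main__":
    for dst, routes in [("203.0.113.10", ROUTES), ("10.50.1.5", ROUTES),
                        ("10.50.1.5", DEFAULT_ONLY)]:
        print(dst, trace("192.168.2.10", dst, routes=routes))
```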
Tim OBrien, Systems Engineer, Author Commented:
I copied most of my configurations from another ASA. I am unsure how all NAT and exclusions are handled; I'm not knowledgeable enough yet, but will review these.

I still should be able to at least ping this Public IP right? I don't understand what makes this public IP on the VPN router any different than a Public IP or say or
John, Business Consultant (Owner), Commented:
You have introduced a double NAT situation and most VPNs cannot navigate this. I use NCP Secure Entry and that CAN navigate around this.

If this is a long term situation, people should investigate NCP.

Alternatively, you might be able to create a VLAN for tenants that has a simpler internet connection.
Tim OBrien, Systems Engineer, Author Commented:
I'm not following, I haven't gotten to the point of establishing a VPN connection. I can't even ping the public IP of the outside interface on the VPN router. I can ping this IP simply being at my house with a regular Internet connection and can ping this IP when on other VPN routers. My current issue at the moment is I have some kind of configuration error on this ASA which is keeping me from pinging this public IP. Is there a way to view a log file which would indicate a block or an access-list show command which may help?
John, Business Consultant (Owner), Commented:
If you are talking about the VPN application, you should be able to enable logging on the Cisco unit and see what errors you get.

Tim OBrien, Systems Engineer, Author Commented:
I can't figure it out, I realized if I use an internal address of 10.X instead of 192.X I can ping the VPN router. Just going to change the Router to 10.X and consider it good.
John, Business Consultant (Owner), Commented:
@Tim OBrien - Thanks for the update and I was happy to help.