Can't Connect to VPN Router
Tim OBrien asked:
We had an issue at a remote site where tenants needed to connect to their corporate site using a VPN connection while using the wireless that we provide in this building.
We have Meraki APs providing DHCP on the 10.0.0.0 subnet, which overlaps with their network, so I reconfigured the ASA with a "guest" VLAN providing an address in 192.168.2.X and will put the APs in bridge mode.
I am testing this connection in my work space and my laptop does now get a 192.168.2.X address and gets Internet access. But when testing a VPN connection using the Cisco VPN Client to our VPN router I can't establish a connection. I noticed that when I try to ping our VPN router I don't get a response.
So my question is, what is blocking this? I can ping IPs and access web pages but not this IP. I spoke with my boss and he stated it is nothing related to our corporate firewall; it must relate to a configuration on the ASA. Any suggestions of how I can troubleshoot? I opened ASDM --> Logging and filtered by my source IP but didn't see any information about blocks. Like I said, I don't know where to begin; any guidance would be appreciated.
ASKER
I copied most of my configurations from another ASA. I am unsure how all NAT and exclusions are handled, not knowledgeable enough yet, but will review these.
I still should be able to at least ping this public IP, right? I don't understand what makes this public IP on the VPN router any different than any other public IP, say 8.8.8.8 or google.com.
You have introduced a double NAT situation and most VPNs cannot navigate this. I use NCP Secure Entry and that CAN navigate around this.
If this is a long term situation, people should investigate NCP.
Alternatively, you might be able to create a VLAN for tenants that has a simpler internet connection.
ASKER
I'm not following. I haven't gotten to the point of establishing a VPN connection; I can't even ping the public IP of the outside interface on the VPN router. I can ping this IP simply by being at my house with a regular Internet connection, and I can ping this IP when on other VPN routers. My current issue at the moment is that I have some kind of configuration error on this ASA which is keeping me from pinging this public IP. Is there a way to view a log file which would indicate a block, or an access-list show command which may help?
ASKER CERTIFIED SOLUTION
ASKER
I can't figure it out, I realized if I use an internal address of 10.X instead of 192.X I can ping the VPN router. Just going to change the Router to 10.X and consider it good.
@Tim OBrien - Thanks for the update and I was happy to help.
Do the routers at the remote site have a route to your 192.168.2.0 network? Every router along the path needs to know where the interesting traffic needs to be sent. If there is no route more specific than the default route, traffic will be forwarded to the Internet, and since the destination address is in private address space the ISP will drop such traffic (traffic that is not NATed and is not forwarded through the VPN tunnel).