I am connecting to an ASA5505 from home to the head-office using L2TP VPN.
Head-office then connects to another office via a site-to-site IPSEC tunnel.
When in the head-office (192.168.100.0/24) I can ping/access remote-office (192.168.200.0/24) OK.
When connected remotely to head-office, I can ping/access head-office OK from the road-warrior laptop.
My problem is that when connected remotely from home to the head-office I cannot ping/access the other-office subnet.
On the home laptop the L2TP VPN connection is set to route all traffic to the VPN connection using the HQ as the internet gateway. I can confirm this works.
I can't do traceroute (I get timeouts) as my policy doesn't allow it and I am not sure how to enable this properly on the ASA.
Any ideas what is wrong? Config is below:
names
name 192.168.200.0 othersite
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 34.35.36.3 255.255.255.252
!
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.100.0 255.255.255.0
access-list outside_in_acl extended permit icmp any any echo-reply
access-list outside_in_acl extended permit tcp any interface outside eq smtp
ip local pool VPNLAN 192.168.100.210-192.168.100.240 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.100.0 255.255.255.0
nat (outside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.100.3 smtp netmask 255.255.255.255
access-group outside_in_acl in interface outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.3
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
tunnel-group DefaultRAGroup general-attributes
address-pool VPNLAN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group 40.35.36.122 type ipsec-l2l
tunnel-group 40.35.36.122 ipsec-attributes
pre-shared-key *****
Your split tunnel ACL should encompass the other site's IP addresses, since that traffic should be sent through the VPN by the client.
The config looks good, otherwise. If this doesn't help, then turn up logging on the ASA and see what comes up when you try to send the traffic through.
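To make the answer's point concrete, here is an added example (not part of the question or the answer) that parses the ACL lines from the posted config and evaluates a road-warrior flow from the VPN pool (constructed client address 192.168.100.220) to a host on the other site (constructed address 192.168.200.10). It checks three things the ASA needs for that flow: the split-tunnel network list (does the client route the destination into the tunnel at all), the NAT exemption ACL, and the crypto map ACL. The "after" config adds one standard ACL line for 192.168.200.0/24 to `DefaultRAGroup_splitTunnelAcl_1`, which is the change the answer suggests; the parser assumes ASA mask-format ACL syntax and first-match evaluation, and only handles the `any`, `host` and network/mask endpoint forms.

```python
import ipaddress

# Name objects from the posted config (the "names" section).
NAMES = {"othersite": "192.168.200.0"}

# The ACL lines copied from the question's config (sample input for this example).
CONFIG_BEFORE = """
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 othersite 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.100.0 255.255.255.0
"""

# Same config with the split-tunnel list extended to cover the other site,
# as the answer recommends (one added line, assumed ASA standard-ACL syntax).
CONFIG_AFTER = CONFIG_BEFORE + (
    "access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.200.0 255.255.255.0\n"
)

ANY = ipaddress.ip_network("0.0.0.0/0")


def to_network(addr, mask):
    """Resolve a name object and build a network from ASA's address/mask form."""
    addr = NAMES.get(addr, addr)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def pop_endpoint(tokens):
    """Consume one ACL endpoint (any | host X | NET MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return to_network(tokens[1], "255.255.255.255"), tokens[2:]
    return to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        name, kind, action = tok[1], tok[2], tok[3]
        if kind == "standard":
            # access-list NAME standard permit NET MASK  (destination-only list)
            entry = (action, ANY, to_network(tok[4], tok[5]))
        elif kind == "extended":
            # access-list NAME extended permit PROTO SRC [MASK] DST [MASK]
            src, rest = pop_endpoint(tok[5:])
            dst, _ = pop_endpoint(rest)
            entry = (action, src, dst)
        else:
            continue
        acls.setdefault(name, []).append(entry)
    return acls


def matches(entries, src_ip, dst_ip):
    """First-match evaluation: True only if the first covering entry is a permit."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny


def diagnose(config, client_ip, dest_ip):
    """Check the three ACLs a VPN-pool client needs to reach the other site."""
    acls = parse_acls(config)
    return {
        "split_tunnel_routes_via_vpn": matches(acls["DefaultRAGroup_splitTunnelAcl_1"], client_ip, dest_ip),
        "nat_exempt": matches(acls["inside_nat0_outbound"], client_ip, dest_ip),
        "crypto_map_interesting": matches(acls["outside_1_cryptomap"], client_ip, dest_ip),
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, diagnose(cfg, "192.168.100.220", "192.168.200.10"))
```

Because the VPN pool (192.168.100.210-240) sits inside 192.168.100.0/24, the NAT exemption and crypto map ACLs already cover pool-to-othersite traffic; the only check that fails on the posted config is the split-tunnel list, which is why the client never sends 192.168.200.0/24 packets into the tunnel.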