Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

2 subnets behind 1 interface of ASA 5505

Status
Not open for further replies.
bioffice

bioffice

Technical User
Oct 17, 2010
2
HU
Hi,

I have an OpenVPN server in LAN subnet.
In gateway the tcp port is simple forwarded to the server.
Let's say, I have the following subnets:
- LAN - 192.168.1.0 / 24
- OpenVPN - 192.168.9.0 / 24
Open VPN server has 192.168.1.16 eth0, and 192.168.9.1 tap0.
Via OpenVPN I want to access the entire LAN subnet.

Using a C1812 it was easy, just an ip route command, telling who is the router for subnet.
ip route 192.168.9.0 255.255.255.0 192.168.1.16
In this way the communication is OK to and from OpenVPN network.

Using ASA5505 - on other site - I can't solve it.
I have:
route inside 192.168.9.0 255.255.255.0 192.168.1.16 1
nat (inside) 0 access-list nat0_outbound
access-list nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.1.0 255.255.255.0
icmp permit 192.168.9.0 255.255.255.0 inside

In this way connected to OpenVPN
- I have full access to 192.168.1.16 - OpenVPN server
- I can ping the ASA - 192.168.1.253

But I can't access other server on LAN.
I get:
192.168.1.181 192.168.9.193 Deny TCP (no connection) from 192.168.1.181/22 to 192.168.9.193/36846 flags SYN ACK on interface inside

Any comment would be appreciated
 
Sort by date Sort by votes
you should post this in the Cisco ASA forum.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Try adding : same-security-traffic permit intra-interface

To the asa
 
Upvote 0 Downvote
I have already

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
Upvote 0 Downvote

/

Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
Technical Support: Copyright (c) 1523-2010 by Cisco Systems, Inc.
Compiled Thu 11-Feb-1539 23:02 by ßµ®†Šß€€Š

ROM: System Bootstrap, Version 12.2(7r) [ÝØÝØMØÑ], RELEASE SOFTWARE (fc1)

Edge uptime is 469¼
 
Upvote 0 Downvote
Can you ping the server instead of trying to ssh to it?

/

Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
Technical Support: Copyright (c) 1523-2010 by Cisco Systems, Inc.
Compiled Thu 11-Feb-1539 23:02 by ßµ®†Šß€€Š

ROM: System Bootstrap, Version 12.2(7r) [ÝØÝØMØÑ], RELEASE SOFTWARE (fc1)

Edge uptime is 469¼
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

PThomp3344
  • Locked
  • Question
Trying to connect to Cisco Unified Controller web interface: UC520W-16U-4FXO-K9
Replies
1
Views
178
bdk76
bdk76
Zero6
  • Locked
  • Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
123
Zero6
Zero6
NavinNet
  • Locked
  • Question
Why 2 different mac addresses of a server are being shown of CISCO 6509E Layer-3 Switch ?
Replies
0
Views
71
NavinNet
NavinNet
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
67
quazimotto
quazimotto
inlsp05
  • Locked
  • Question
2811&2960 48 volts wiring diagram
Replies
1
Views
130
BOKA
BOKA

Part and Inventory Search

Sponsor

Back
Top