Question:
I have been asked to take a look at correcting a configuration that I am unfamiliar with. Previously, when users here VPN'd in, they were able to reach sites at other locations in other subnets via the WAN. Currently, they have to remote into a PC in the data center's subnet and then access a site on the WAN that way. I am not sure if the problem is in the ASA or with the routing at either the data center or the remote site. Would anyone be kind enough to give me a sample ASA config that will pass that VPN traffic, or can you direct me to a resource that I can use for comparison?
Answer:
*Assuming we are talking about remote-access VPNs.
Start at the top. In the ASA's configuration, there will be an access list referred to in the VPN's group-policy attributes. Verify that the access list contains the correct subnet information.
Example:
access-list VPN_ACL standard permit 1.1.1.0 255.255.255.0
access-list VPN_ACL standard permit 2.2.2.0 255.255.255.0
(where 1.1.1.0/24 is your data center subnet and 2.2.2.0/24 is the remote network)
Once that is verified, connect to the VPN via a remote workstation and look at the local machine's routing table (Start > Run > netstat -r)
Are the remote site's subnets in the workstation's routing table when VPN'd?
If so, perform a traceroute from the VPN'd workstation to an IP address at one of the remote sites to see where the failure is.
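A fuller version of the pieces the answer refers to, as an added example that is not part of the original answer or the asker's configuration: the split-tunnel access list, the group-policy attributes that reference it, the tunnel-group and address pool that tie it to the remote-access VPN, and the NAT exemption and return-route points a practitioner would check next. The names VPN_ACL, VPN_GP, VPN_TG, VPN_POOL and the object names, the 10.10.10.0/24 client pool, the 1.1.1.0/24 and 2.2.2.0/24 subnets, the interface names and the next-hop 1.1.1.1 are all assumed placeholders; the NAT lines use the ASA 8.3+ object syntax. Lines starting with ! are reader comments, not ASA configuration.

```cisco
! Added example, not the original answer's config. All names and addresses are placeholders.
!
! 1. Address pool handed to remote-access clients
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! 2. Split-tunnel list. Every subnet a VPN client must reach has to appear here,
!    including subnets at other sites across the WAN, not only the data center.
!    A subnet missing from this list never gets a route on the client.
access-list VPN_ACL standard permit 1.1.1.0 255.255.255.0
access-list VPN_ACL standard permit 2.2.2.0 255.255.255.0
!
! 3. Group policy that references the list (this is the group-policy attribute the answer means)
group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL
!
! 4. Tunnel group that gives clients the pool and the group policy
tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_GP
!
! 5. NAT exemption (ASA 8.3+ syntax). Traffic between the VPN pool and the internal
!    subnets must not be translated, or replies are never sent back into the tunnel.
!    Both the data-center subnet and the remote-site subnet need an exemption.
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
object network DC_NET
 subnet 1.1.1.0 255.255.255.0
object network REMOTE_NET
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) source static DC_NET DC_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE_NET REMOTE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! 6. Routing. The ASA needs a route to the remote subnet via the data-center WAN next hop
!    (assumed here to be 1.1.1.1 on the inside interface), and the remote-site router needs a
!    return route for 10.10.10.0/24 pointing back toward the ASA. Without that return route the
!    client's traceroute gets as far as the remote site's edge and stops.
route inside 2.2.2.0 255.255.255.0 1.1.1.1 1
```

To compare against a live box, `show run group-policy VPN_GP`, `show access-list VPN_ACL` and `show nat detail` on the ASA show the three pieces above, and `route print` then `tracert 2.2.2.10` on a connected Windows client cover the routing-table and traceroute steps from the answer. One more thing to check if the decrypted traffic is being dropped on the ASA itself: `sysopt connection permit-vpn` is on by default and lets VPN traffic bypass the interface access lists; if it has been turned off, the outside interface ACL must explicitly permit the pool to the internal subnets.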