ASA 5500 VPN cannot ping LAN

Jul 20th, 2007

Trying to connect a remote client using SSL VPN through the web interface. When attempting to ping the LAN side (192.168.1.2) through the inside interface I am getting this in the log -

Deny icmp src inside:192.168.1.2 dst outside 192.168.50.1 (type 0,code 0) by access-group "inside_access_in" [0x0,0x0]


The VPN pool is using 192.168.50.0/24 and the inside LAN is 192.168.1.0/24. I am connecting to the WAN interface and the SSL VPN connects with no problem. Any suggestions?


Thanks,

Mike

Jon Marshall Fri, 07/20/2007 - 21:00

Hi Mike


Could you post the config (minus any sensitive info).


The access-list inside_access_in is blocking the traffic. Is there an access-list on your inside interface?


Jon

ggilbert Sun, 07/22/2007 - 07:47

Mike,


Like Jon said, if you could post the config. It will help out.


Also, can you send the output of the following, if you can't post the config?


sh run sysopt


sh run nat



Thanks

Gilbert

acomiskey Mon, 07/23/2007 - 09:21

If you are going to allow this traffic in the ACL you need to write it like this; yours is backwards.


access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0


The way you currently have your inside_access_in ACL written, you are pretty much stopping all traffic originated from the inside. Is this what you want? I recommend removing the ACL entirely.


Please rate helpful posts.

mtrout12345678 Mon, 07/23/2007 - 12:55

Thanks, that fixed the problem. I had to also create a rule on the access-list outside to let the traffic out to the VPN clients. Many thanks for your help.
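The fix acomiskey describes, plus the outside-interface rule Mike added, collected into one configuration fragment. This is an added example and not configuration posted by anyone in the thread. The subnets, the interface names inside/outside and the ACL name inside_access_in come from the thread; the "broken" entry is reconstructed from acomiskey's remark that the original was backwards, and the names outside_access_in and inside_nat0_outbound, the NAT exemption, the sysopt line and the ICMP inspection are assumptions added here for the pre-8.3 ASA syntax that was current in 2007. The example keeps an explicit inside ACL narrowed to echo-replies rather than removing inside_access_in, because removing it simply restores the default permit-everything behaviour from a higher- to a lower-security interface.

```cisco
! Inside LAN 192.168.1.0/24, SSL VPN pool 192.168.50.0/24 (values from the thread).
! Pre-8.3 ASA syntax; outside_access_in and inside_nat0_outbound are assumed names.

! ---- Broken (reconstructed from "yours is backwards") ----
! inside_access_in is applied *inbound on the inside interface*, so the ASA
! evaluates it against packets leaving the LAN: source = LAN host,
! destination = VPN client. An entry written pool -> LAN never matches, the
! implicit deny drops the echo reply, and the log shows
! "Deny icmp src inside:192.168.1.2 dst outside 192.168.50.1 (type 0,code 0)".
! (type 0 = echo reply, i.e. the *answer* to the ping is what is being dropped)
access-list inside_access_in extended permit icmp 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside

! ---- Fixed ----
! Same ACL, written in the direction the interface actually sees, and
! narrowed to echo-reply so the LAN cannot originate pings to VPN clients.
no access-list inside_access_in extended permit icmp 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 echo-reply
access-group inside_access_in in interface inside

! The rule Mike added on the outside interface: echo requests from VPN
! clients into the LAN. Only needed when decrypted VPN traffic is NOT
! allowed to bypass interface ACLs, i.e. when "sysopt connection permit-vpn"
! (on by default) has been turned off; that is what "sh run sysopt" reveals.
access-list outside_access_in extended permit icmp 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-group outside_access_in in interface outside

! NAT exemption for LAN <-> VPN pool traffic, the reason "sh run nat" was
! requested. Without it, replies toward the pool may be translated or
! dropped before the ACL is ever consulted (pre-8.3 "nat 0" syntax).
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Alternative to the echo-reply ACL entry: make ICMP stateful. With
! "inspect icmp" the ASA ties the echo reply to the request's connection,
! so no inbound-on-inside entry is needed for replies at all.
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks after the change (7.2 and later):
!   show access-list inside_access_in      <- hit counts should increment
!   packet-tracer input outside icmp 192.168.50.1 8 0 192.168.1.2
```

Reading the log line is the whole diagnosis: "src inside:192.168.1.2 ... (type 0,code 0)" means the LAN host's echo reply was the packet denied, so the ACL that needs an entry is the one the reply crosses, inside_access_in, with the LAN host as source. The outside rule and NAT exemption address the request direction and translation respectively; inspecting ICMP removes the need to hand-write the reply entry.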
