ASA 5500 VPN cannot ping LAN

Unanswered Question
Jul 20th, 2007

Trying to connect a remote client using SSL VPN through web interface. When attempting to ping LAN side (192.168.1.2) through inside interface I am getting this in the log -

Deny icmp src inside:192.168.1.2 dst outside 192.168.50.1 (type 0,code 0) by access-group "inside_access_in" [0x0,0x0]

The VPN pool is using 192.168.50.0/24 and the inside LAN is 192.168.1.0/24. I am connecting to the WAN interface and the SSL VPN connects with no problem. Any suggestions?

Thanks,

Mike

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (3 ratings)
Loading.
Jon Marshall Fri, 07/20/2007 - 21:00

Hi Mike

Could you post the config (minus any sensitive info).

The access-list inside_access_in is blocking the traffic. Is there an access-list on your inside interface.

Jon

ggilbert Sun, 07/22/2007 - 07:47

Mike,

Like Jon said, if you could post the config. It will help out.

Also, can you do send the output of the following, if you cant post the config.

sh run sysopt

sh run nat

Thanks

Gilbert

acomiskey Mon, 07/23/2007 - 09:21

If you were going to allow this traffic in the acl you need to write it like this, yours is backwards.

access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

The way you currently have your inside_access_in acl written, you are pretty much stopping all traffic originated from the inside. Is this what you want? I recommend removing the acl entirely.

Please rate helpful posts.

mtrout12345678 Mon, 07/23/2007 - 12:55

Thanks, that fixed the problem. I had to also create a rule on the access-list outside to let the traffic out to the VPN clients. Many thanks for your help.

Actions

This Discussion