acomiskey Sat, 01/05/2008 - 06:03

Can't see your config but might be a nat-t problem. Add isakmp nat-traversal or crypto isakmp nat-traversal.

acomiskey Sat, 01/05/2008 - 08:29

I only see about the last 30 lines of the config.

acomiskey Sat, 01/05/2008 - 12:53

add this command...

isakmp nat-traversal

chicagotech Sat, 01/05/2008 - 16:48

Thank you. Will try that Monday and post back with the result.

chicagotech Tue, 01/08/2008 - 11:51

Still doesn't work. From the ASA I can ping an inside computer by IP, but can't ping it from the VPN client. Any other suggestions?

acomiskey Tue, 01/08/2008 - 12:03

You don't need these...

no access-list inside_nat0_inbound extended permit ip any 255.255.255
no access-list inside_nat0_inbound extended permit tcp
no nat (inside) 0 access-list inside_nat0_inbound outside

chicagotech Tue, 01/08/2008 - 12:39

Thank you for the quick reply. I took those lines off, but still can't ping. Here is part of the configuration:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.198
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168
access-list DMZ_nat0_outbound extended permit ip 192.168.
access-list test_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn198 mask
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10
route outside x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 wins-server value
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
 default-domain value
group-policy CBGVPN198 internal
group-policy CBGVPN198 attributes
 wins-server value
 dns-server value
 split-tunnel-policy tunnelall
 default-domain value
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_nat0_inbound
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 functions url-entry
 port-forward-name value Application Access
vpn-group-policy CBGVPN198

chicagotech Tue, 01/08/2008 - 12:53
User Badges:

Sorry, it works. The problem is that all inside computers' default gateway points to a PIX firewall. If I change the computer's default gateway to the ASA, the VPN client can ping the computer. We don't have plans to replace the PIX as the default gateway. We just want to use this ASA as a VPN server. How can we configure it so that VPN clients can access the LAN resources? Should we make the VPN IP pool to

acomiskey Tue, 01/08/2008 - 13:33

Do you have an inside router?

What version is the pix?

You don't want the address pool to be the same as the inside.

If all else fails you would have to create persistent routes on your inside hosts to the VPN client subnet.

chicagotech Tue, 01/08/2008 - 13:59

I also tried to use the inside DHCP server to assign an IP to the VPN client. The VPN client receives all TCP/IP settings such as IP, DNS, WINS and DHCP server except the default gateway. The default gateway is the VPN client's own IP. After that, the inside computers can ping the VPN client, but the VPN client can't ping the inside computers. Why? Should the VPN client use its own IP as the default gateway? If not, how do you fix it?

chicagotech Tue, 01/08/2008 - 17:52

OK, I think we had a network problem after I added an inside IP pool or used inside DHCP. Some of the computers could not access their Outlook. So, I should use inside IP, right?

Can I add a route command on the PIX to route all VPN traffic to the ASA? If yes, what's the command?
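The thread's advice so far comes down to three pieces: a VPN pool that is not part of the inside LAN, a NAT exemption between the LAN and that pool on the ASA, and a route on the inside hosts' real default gateway (the PIX) or on the hosts themselves pointing the pool subnet at the ASA. The configuration below is an added example, not the poster's config or a reply from the thread; every address in it is constructed, and the ASA inside address 192.168.1.2 is an assumption.

```cisco
! Constructed addressing for this example:
!   inside LAN      192.168.1.0/24, PIX inside 192.168.1.1 (the hosts' default gateway)
!   ASA inside      192.168.1.2 (assumed)
!   VPN client pool 192.0.2.0/24, deliberately NOT overlapping the inside LAN
!
! ----- ASA (VPN server) -----
ip local pool vpn198 192.0.2.10-192.0.2.100 mask 255.255.255.0
! The nat0 exemption must name the inside LAN and the pool; an ACE of this shape
! is what the truncated inside_nat0_outbound entry in the posted config needs.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! ----- PIX (inside hosts' default gateway) -----
! A reply from an inside host to a VPN client arrives on the PIX inside interface
! and must be sent back out that same interface to the ASA.
route inside 192.0.2.0 255.255.255.0 192.168.1.2 1
! Traffic leaving the interface it entered on (hairpinning) is only permitted on
! PIX 7.x and later, and only with this command; PIX 6.3 cannot do it, which is
! why the persistent host routes suggested earlier are the fallback there.
same-security-traffic permit intra-interface
```

On a Windows inside host the persistent-route alternative is `route -p add 192.0.2.0 mask 255.255.255.0 192.168.1.2`. A quick check from an inside host is a traceroute to a connected VPN client's pool address: with the PIX route in place the first hop is the PIX and the second is the ASA inside address, while a timeout at the first hop points at a missing route or missing hairpin permission.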
