remote VPN client cannot access LAN.

Jan 10th, 2008
Hi All,

I am using an ASA5520 running 8.0(2), and my VPN client can establish a connection with the firewall. When I tried to ping from my VPN client to the inside LAN servers, the traffic did reach the LAN servers.

However, the problem is that the return traffic is never delivered to the VPN client and gets a "teardown".

Here is my current configuration files. Any comment is appreciated.

ajagadee (Cisco Employee) Thu, 01/10/2008 - 09:19

The issue could be the Pool from which the IP Addresses are assigned to the clients.

Is it possible to reconfigure the VPNClientIPs pool to use a different set of IP addresses than the ones that are part of your LAN and see if it works?


1. Assign 172.16.1.x/24 for the VPN Clients.

2. Include 172.16.1.x/24 in the NAT 0 Command to bypass NAT.

3. Make sure that your internal routing knows that they need to send the traffic back to the ASA to reach 172.16.1.x/24.



ziweizhou Thu, 01/10/2008 - 10:31

Thanks for replying, Arul.

The issue is that the VPN traffic has reached the internal server, and the reply traffic has reached the firewall, then it got torn down.

It seems that inside the firewall, it doesn't realize the IP is a VPN client IP address.

But when I checked the ARP table, it did show the connection IP for the VPN client.

Any thoughts on that?

BTW, I used the same settings just the other day and everything worked fine; it just stopped working today, and I don't remember modifying anything that could cause such a result.

ajagadee (Cisco Employee) Tue, 01/15/2008 - 07:23

Is it possible for you to change the pool of IP addresses to something other than your internal network? Based upon your symptoms, it looks like the ASA is getting the return traffic and simply drops the packet because it has an inside IP address that falls within the 10.0.0.x/24 range.

Try changing the pool to a different subnet, reconfigure the NAT 0, make sure that the internal networks know that they need to send the traffic back to the ASA for the VPN client pool, and give it a shot. Let me know how it goes.
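The three steps Arul gives above (in this reply and the earlier one) as a worked ASA 8.0 configuration fragment. This is an added example, not configuration from the thread; it assumes the inside interface is named `inside` with address 10.0.0.1, reuses the pool name VPNClientIPs from the question, and uses a placeholder tunnel-group name.

```cisco
! Symptom described in the thread: the client pool sits inside the LAN subnet,
! so the ASA sees a return packet addressed to what looks like a local inside
! host and tears the connection down (pool values below are assumed).
! ip local pool VPNClientIPs 10.0.0.200-10.0.0.220 mask 255.255.255.0

! Step 1: move the client pool to a subnet that does not exist on the LAN.
ip local pool VPNClientIPs 172.16.1.1-172.16.1.254 mask 255.255.255.0

! Step 2: exempt LAN <-> client-pool traffic from NAT ("nat 0" identity NAT,
! ASA 8.0 syntax; 8.3 and later use object NAT instead).
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Hand the new pool to the remote-access tunnel group (group name is a placeholder).
tunnel-group REMOTE_ACCESS_VPN general-attributes
 address-pool VPNClientIPs

! Step 3 (on the internal router or L3 switch, not on the ASA): route the pool
! back to the ASA inside interface; 10.0.0.1 is the assumed ASA inside address.
! ip route 172.16.1.0 255.255.255.0 10.0.0.1

! Verification on the ASA after a client connects: the client address should no
! longer appear in the inside ARP table, and a simulated reply from a LAN server
! to a client should be allowed and exempted from translation.
! show arp
! show xlate
! packet-tracer input inside icmp 10.0.0.50 8 0 172.16.1.10
```

With the pool moved off the LAN, `show arp` on `inside` should list only real LAN hosts, and the packet-tracer output should end in an ALLOW result with the NAT exemption phase matching the NONAT access list.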
