VPN user not able to ping internal network

Unanswered Question
Jan 14th, 2008

Dear All,


My VPN client is able to connect and gets an IP address from the pool configured on the VPN concentrator. But the client is not able to ping the internal networks that are inside the PIX firewall.




The concentrator's private interface is connected to the firewall's DMZ interface.


PIX DMZ IP: 172.28.95.2

concentrator private IP: 172.28.95.95

remote access client IP: 172.28.37.x


I have configured split tunneling on the concentrator for the following networks behind the PIX firewall:

172.28.92.0/0.0.0.255

172.28.95.0/0.0.0.255

172.28.96.0/0.0.0.255

172.31.0.0/0.0.255.255

192.168.249.164/0.0.0.3

172.28.32.0/0.0.0.255

172.28.64.0/0.0.0.255

172.28.98.0/0.0.0.255


The concentrator is able to reach all of the above networks without any problem.


But client is able to ping any of the above networks, except concentrator private interface.


static (inside,edn) 172.28.32.0 172.28.32.0 netmask 255.255.255.255

static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.255

static (inside,edn) 172.28.64.0 172.28.64.0 netmask 255.255.255.255


access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0


access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0

nat (inside) 0 access-list nonat



access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0

access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0

access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0


route edn 172.28.37.0 255.255.255.0 172.28.95.95 1





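Added example (not part of the original post): a small Python checker that takes the concentrator's split-tunnel list and the PIX lines exactly as posted above, and reports, for each split-tunnel network, whether the pool 172.28.37.0/24 has a complete path through the PIX: a nat 0 exemption (or identity static) for the inside network toward the pool, and a permit from the pool on the DMZ ACL. It also checks that the route for the pool points at the concentrator and flags identity statics whose netmask is narrower than the network the ACLs use (a static for 172.28.32.0 with netmask 255.255.255.255 covers one host, not the /24). Assumptions: the ACL named edn_acl is the one applied to interface edn (the post shows no access-group line), and a network reported as missing may simply have been left out of the paste rather than out of the firewall.

```python
import ipaddress
import re

# Constructed input for the checker: the addresses and PIX lines shown in the
# post. The concentrator's split-tunnel list is kept in its wildcard-mask form.
VPN_POOL = ipaddress.ip_network("172.28.37.0/24")
CONCENTRATOR_PRIVATE = ipaddress.ip_address("172.28.95.95")
DMZ_IF, DMZ_ACL = "edn", "edn_acl"   # assumed: edn_acl is applied to interface edn
SPLIT_TUNNEL = ["172.28.92.0/0.0.0.255", "172.28.95.0/0.0.0.255",
                "172.28.96.0/0.0.0.255", "172.31.0.0/0.0.255.255",
                "192.168.249.164/0.0.0.3", "172.28.32.0/0.0.0.255",
                "172.28.64.0/0.0.0.255", "172.28.98.0/0.0.0.255"]
PIX_CONFIG = """
static (inside,edn) 172.28.32.0 172.28.32.0 netmask 255.255.255.255
static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.255
static (inside,edn) 172.28.64.0 172.28.64.0 netmask 255.255.255.255
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
route edn 172.28.37.0 255.255.255.0 172.28.95.95 1
"""

# PIX 7.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)(?: \d+)?$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def wildcard_to_network(entry):
    """Concentrator form '172.28.92.0/0.0.0.255' -> 172.28.92.0/24."""
    addr, wild = entry.split("/")
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return net(addr, bin(mask).count("1"))


def parse_pix(text):
    """Pick out the statics, ACL entries, nat 0 bindings and routes."""
    cfg = {"statics": [], "acls": {}, "nat0": {}, "routes": []}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append((real_if, mapped_if, net(mapped, mask), net(real, mask)))
        elif m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((net(sa, sm), net(da, dm)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := ROUTE_RE.match(line):
            ifc, addr, mask, gw = m.groups()
            cfg["routes"].append((ifc, net(addr, mask), ipaddress.ip_address(gw)))
    return cfg


def audit(cfg, pool, concentrator, dmz_if, dmz_acl, split_tunnel):
    """Classify each split-tunnel network by whether the PIX lines give the pool
    a complete path to it: NAT exemption (or identity static) for the inside
    network toward the pool, plus a permit from the pool on the DMZ ACL."""
    exempt = [pair for acl in cfg["nat0"].values() for pair in cfg["acls"].get(acl, [])]
    permits = cfg["acls"].get(dmz_acl, [])
    result = {"ok": [], "local": [], "missing": {}, "mask_mismatch": []}
    for entry in split_tunnel:
        n = wildcard_to_network(entry)
        if concentrator in n:            # the DMZ segment itself: no PIX traversal
            result["local"].append(n)
            continue
        has_exempt = any(n.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt)
        has_static = any(mi == dmz_if and mapped == real and n.subnet_of(real)
                         for _, mi, mapped, real in cfg["statics"])
        has_permit = any(pool.subnet_of(src) and n.subnet_of(dst) for src, dst in permits)
        gaps = []
        if not (has_exempt or has_static):
            gaps.append("no nat 0 exemption or identity static")
        if not has_permit:
            gaps.append(f"no permit on {dmz_acl}")
        if gaps:
            result["missing"][n] = gaps
        else:
            result["ok"].append(n)
    # An identity static whose netmask is narrower than the network the ACLs use
    # covers only one host (172.28.32.0/32), not the /24 the ACLs name.
    acl_nets = {x for entries in cfg["acls"].values() for pair in entries for x in pair}
    for _, _, mapped, real in cfg["statics"]:
        if mapped == real and any(a.network_address == real.network_address
                                  and a.prefixlen < real.prefixlen for a in acl_nets):
            result["mask_mismatch"].append(real)
    result["route_ok"] = any(ifc == dmz_if and pool.subnet_of(dst) and gw == concentrator
                             for ifc, dst, gw in cfg["routes"])
    return result


def main():
    r = audit(parse_pix(PIX_CONFIG), VPN_POOL, CONCENTRATOR_PRIVATE, DMZ_IF, DMZ_ACL, SPLIT_TUNNEL)
    for n in r["ok"]:
        print(f"ok       {n}")
    for n in r["local"]:
        print(f"local    {n} (DMZ segment, reached without crossing the PIX)")
    for n, gaps in r["missing"].items():
        print(f"MISSING  {n}: " + "; ".join(gaps))
    for n in r["mask_mismatch"]:
        print(f"CHECK    identity static {n} is narrower than the ACL network")
    print("route for pool via concentrator:", "ok" if r["route_ok"] else "MISSING")


if __name__ == "__main__":
    main()
```

Run against the posted lines, it reports 172.28.32.0/24, 172.28.92.0/24 and 172.28.64.0/24 as fully handled, 172.28.95.0/24 as local to the DMZ, and the other four split-tunnel networks as having neither a NAT exemption nor a DMZ ACL permit on the PIX; the three statics are flagged for their host netmask. With nat 0 covering inside-to-pool for those three networks, the statics are redundant for this traffic, so the netmask does not explain the original symptom, but it is worth correcting if they are meant to cover the whole /24.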



Greetings,


I'm a little unclear about your problem as the sentences:


> concentrator is able to reach all of the above networks without any problem.


> But client is able to ping any of the above networks, except concentrator private interface.


I think that you might mean NONE of the above networks.


I encountered a similar situation that I resolved by enabling NAT traversal on the device that is providing VPN access. You have not stated what these devices are, so I can't offer specifics. Make sure that ISAKMP is enabled for NAT traversal to function.


-Johan


wasiimcisco Fri, 01/18/2008 - 01:02

Sorry for typing the wrong sentence. The client was not able to ping the above networks. But now the client can reach them. I did nothing; it suddenly started working fine with the old configuration. I am using a Cisco VPN concentrator whose private interface is connected to the DMZ of the PIX firewall. Please tell me if I still need to enable it.


Thanks for the reply.
