VPN user not able to ping internal network

wasiimcisco
Level 1

Dear All,

My VPN client is able to connect and gets an IP address from the pool configured on the VPN concentrator, but the client is not able to ping the internal networks that are inside the PIX firewall.

The concentrator's private interface is connected to the firewall's DMZ interface.

PIX DMZ IP: 172.28.95.2

Concentrator private IP: 172.28.95.95

Remote-access client IP: 172.28.37.x

I have configured split tunneling on the concentrator for the following PIX firewall networks:

172.28.92.0/0.0.0.255

172.28.95.0/0.0.0.255

172.28.96.0/0.0.0.255

172.31.0.0/0.0.255.255

192.168.249.164/0.0.0.3

172.28.32.0/0.0.0.255

172.28.64.0/0.0.0.255

172.28.98.0/0.0.0.255

The concentrator is able to reach all of the above networks without any problem.

But the client is able to ping any of the above networks, except the concentrator private interface.

! Identity statics inside -> edn, as posted. With netmask 255.255.255.255 each one
! covers only the single address x.x.x.0; the nat 0 exemption below takes
! precedence for the VPN traffic anyway.
static (inside,edn) 172.28.32.0 172.28.32.0 netmask 255.255.255.255
static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.255
static (inside,edn) 172.28.64.0 172.28.64.0 netmask 255.255.255.255
! NAT exemption between the inside networks and the VPN pool 172.28.37.0/24.
! Note that the first entry's destination is 172.28.32.0, not the pool.
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat
! Inbound ACL on the edn (DMZ) interface: VPN pool -> inside networks.
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
! Route the VPN pool toward the concentrator's private interface.
route edn 172.28.37.0 255.255.255.0 172.28.95.95 1
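The split-tunnel list and the PIX lines in the post can be cross-checked mechanically. The script below is an added example, not part of the original post and not a Cisco tool: it parses the split-tunnel entries (Cisco wildcard masks) and the nonat and edn_acl access lists above, and reports for each split-tunnel network whether the PIX has both a NAT exemption and an inbound DMZ-ACL permit for traffic from the client pool. The pool size 172.28.37.0/24 and the ACL names are taken from the post; the checker does not know which of the listed networks actually sit behind the inside interface (172.28.95.0/24, for instance, is the DMZ itself), so a flagged network is a prompt to verify, not proof of a fault.

```python
import ipaddress

# Split-tunnel list as entered on the concentrator (network/wildcard-mask),
# copied from the post above.
SPLIT_TUNNEL = """
172.28.92.0/0.0.0.255
172.28.95.0/0.0.0.255
172.28.96.0/0.0.0.255
172.31.0.0/0.0.255.255
192.168.249.164/0.0.0.3
172.28.32.0/0.0.0.255
172.28.64.0/0.0.0.255
172.28.98.0/0.0.0.255
"""

# The PIX lines from the post that govern client -> inside traffic.
PIX_CONFIG = """
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
"""

# VPN address pool from the post (172.28.37.x); the /24 is assumed from the PIX lines.
VPN_POOL = ipaddress.ip_network("172.28.37.0/24")


def wildcard_to_network(entry):
    """'172.31.0.0/0.0.255.255' -> IPv4Network('172.31.0.0/16').

    Concentrator split-tunnel entries use Cisco wildcard masks (0 bits must
    match), which are the bitwise inverse of a netmask.
    """
    addr, wildcard = entry.strip().split("/")
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_split_tunnel(text):
    return [wildcard_to_network(line) for line in text.splitlines() if line.strip()]


def parse_acl(text, name):
    """Return (src_net, dst_net) pairs for the 'permit ip' entries of ACL `name`."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 9 and parts[:2] == ["access-list", name]
                and parts[3:5] == ["permit", "ip"]):
            src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
            dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
            entries.append((src, dst))
    return entries


def check(split_text=SPLIT_TUNNEL, config=PIX_CONFIG, pool=VPN_POOL):
    """For each split-tunnel network return (nat_exempted, acl_permitted).

    nat_exempted: a nonat entry covers inside_net -> pool. NAT exemption on the
    PIX is bidirectional, so one direction in the ACL is enough.
    acl_permitted: an edn_acl entry permits pool -> inside_net, which the
    inbound ACL on the DMZ interface needs in order to let client traffic in.
    """
    nonat = parse_acl(config, "nonat")
    edn_acl = parse_acl(config, "edn_acl")
    result = {}
    for net in parse_split_tunnel(split_text):
        exempted = any(s.supernet_of(net) and d.supernet_of(pool) for s, d in nonat)
        permitted = any(s.supernet_of(pool) and d.supernet_of(net) for s, d in edn_acl)
        result[str(net)] = (exempted, permitted)
    return result


def uncovered(**kwargs):
    """Split-tunnel networks lacking a NAT exemption or an inbound ACL permit."""
    return [net for net, (ex, pe) in check(**kwargs).items() if not (ex and pe)]


if __name__ == "__main__":
    for net, (ex, pe) in check().items():
        print(f"{net:22} nat-exempt={ex!s:5} acl-permit={pe}")
    print("not covered by the PIX lines shown:", uncovered())
```

Run against the posted lines, the three networks that appear in both nonat and edn_acl (172.28.92.0/24, 172.28.32.0/24, 172.28.64.0/24) come back fully covered; the other five split-tunnel networks have neither an exemption nor an ACL permit in the lines shown. The first nonat entry does not count for 172.28.32.0/24 because its destination is 172.28.32.0 rather than the pool; the third entry is what covers that network.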

2 Replies

sphear
Level 1

Greetings,

I'm a little unclear about your problem, as the sentences:

> concentrator is able to reach all of the above networks without any problem.
>
> But client is able to ping any of the above networks, except concentrator private interface.

I think that you might mean NONE of the above networks.

I encountered a similar situation that I resolved by enabling NAT traversal on the device that is providing VPN access. You have not stated what these devices are, so I can't offer specifics. Make sure that ISAKMP is enabled for NAT traversal to function.

-Johan

Sorry for typing the wrong sentence. The client was not able to ping the above networks, but now the client can reach them. I didn't do anything; it suddenly started working fine with the old configuration. I am using a Cisco VPN concentrator that has its private interface connected to the DMZ of the PIX firewall. Please tell me whether I still need to enable it.

Thanks for the reply.
