Cannot Telnet to ASA in VPN tunnel.

Unanswered Question
Mar 31st, 2008

Once I am in the VPN tunnel, I can't ping or Telnet to the ASA using the Inside interface IP.

Below is the partial configuration:

telnet Outside

telnet Inside

telnet timeout 10

ssh Inside

ssh timeout 60

ssh version 1

console timeout 0

management-access Inside

JORGE RODRIGUEZ Mon, 03/31/2008 - 14:12

Do you have AAA server group LOCAL configured? If so, add this statement.

aaa authentication telnet console LOCAL

Make sure you do not have any icmp deny ACL towards the inside interface in your config; for example, icmp deny any inside will block pings on the inside interface. Check that.

Once you VPN in, try Telnet to the ASA; if not successful, please post a sanitized config.




JORGE RODRIGUEZ Tue, 04/01/2008 - 17:33

Sorry for the late reply.

Your RA VPN network is considered inside, not outside. You will not be able to Telnet or ICMP to the ASA inside while in VPN with this statement pointing to the outside interface. Please correct this and post your results.

Remove this statement

no telnet Outside

and replace it with

telnet inside


mahanya00 Wed, 04/02/2008 - 14:19

No. Didn't work. Any other suggestions?


JORGE RODRIGUEZ Wed, 04/02/2008 - 14:31

What do your logs indicate when you try ICMP or Telnet to the inside interface while in VPN? Can you post the ASA log output?

nguyenvinnie Wed, 04/02/2008 - 15:18

The log file does not have any info on ICMP; we have also tried "debug icmp", still no sign of ICMP packets. Besides the issue with Telnet, we can't get to websites that are on our business partner "lacounty" interface.

JORGE RODRIGUEZ Wed, 04/02/2008 - 17:17

Are the websites under the network ? If so, can you reach the next-hop router from the ASA? When you say you cannot reach websites via the lacounty interface, is it through VPN or anyone behind the ASA?

mahanya00 Thu, 04/03/2008 - 08:23

The unreachable websites are in which resides beyond "lacounty" interface and we have this problem only when we're in VPN.

nguyenvinnie Thu, 04/03/2008 - 14:28


We found 2 issues with the config that prevent us from Telnetting to the ASA.

1- Typo on nonatdmz access-list, should have

been instead of

2- Splittunnel access-list did not include the "Inside" interface

Your help is greatly appreciated.

JORGE RODRIGUEZ Thu, 04/03/2008 - 16:50

So you guys are all set then? Did you make the corrections on the ACLs? Can you post the updated config?

