03-31-2008 07:26 AM
Once I am in the VPN tunnel, I can't ping or Telnet to the ASA using the Inside interface IP.
Below is the partial configuration:
telnet 10.17.70.0 255.255.255.0 Outside
telnet 172.17.0.0 255.255.0.0 Inside
telnet timeout 10
ssh 172.17.0.0 255.255.0.0 Inside
ssh timeout 60
ssh version 1
console timeout 0
management-access Inside
03-31-2008 02:12 PM
Do you have AAA server group LOCAL configured? If so, add this statement.
aaa authentication telnet console LOCAL
Make sure you do not have any icmp deny ACL towards the inside interface in your config. For example, icmp deny any inside will block pings on the inside interface, so check that.
Once you VPN, try telnet to the ASA. If it does not succeed, please post a sanitized config.
HTH
Rgds
Jorge
04-01-2008 08:23 AM
04-01-2008 05:33 PM
Sorry for the late reply.
Your RA VPN network is considered inside, not outside. You will not be able to telnet or icmp to the ASA inside while in VPN and this statement is pointing to the outside interface. Please correct this and post your results.
remove this statement
no telnet 10.17.70.0 255.255.255.0 Outside
and replace it with
telnet 10.17.70.0 255.255.255.0 inside
Jorge
04-02-2008 08:51 AM
Murali, any update on your issue?
Rgds
Jorge
04-02-2008 02:19 PM
No. Didn't work... Any other suggestions...
Murali
04-02-2008 02:31 PM
What do your logs indicate when you try icmp or telnet to the inside interface while in VPN? Can you post the ASA log output?
04-02-2008 03:18 PM
The log file does not have any info on ICMP. We have also tried "debug icmp", still no sign of ICMP packets. Besides the issue with Telnet, we can't get to websites that are on our business partner "lacounty" interface.
04-02-2008 05:17 PM
Are the websites under the 192.168.1.0 network? If so, can you reach 0.0.0.1 next hop router from the ASA? When you say you cannot reach websites via the lacounty interface, is it through VPN or anyone behind the ASA?
04-03-2008 08:23 AM
The unreachable websites are in 10.2.0.0 which resides beyond "lacounty" interface and we have this problem only when we're in VPN.
04-03-2008 02:28 PM
Jorge,
We found 2 issues with the config that prevented us from Telnetting to the ASA.
1- Typo on nonatdmz access-list, should have been 10.17.70.0 instead of 10.16.70.0
2- Splittunel access-list did not include 10.0.0.2 "Inside" interface
Your help is greatly appreciated,
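The three conditions this thread converged on (the VPN pool permitted for telnet on the management-access interface, the NAT-exemption ACL covering the pool, and the split-tunnel ACL including the inside address) can be checked mechanically; the following is an added example, not part of any post or of the poster's configuration. The pool 10.17.70.0, the address 10.0.0.2 and the ACL name nonatdmz come from the posts; the ACL bodies, the name SPLIT_ACL, the /24 mask on the pool in the check call and all function names are constructed for illustration.

```python
import ipaddress
import re

OCTETS = r"\d+\.\d+\.\d+\.\d+"
ACL_TERM = re.compile(rf"host ({OCTETS})|({OCTETS}) ({OCTETS})")

# Constructed config: telnet/management lines as posted in the thread, ACL bodies hypothetical.
BROKEN = """\
telnet 10.17.70.0 255.255.255.0 Outside
telnet 172.17.0.0 255.255.0.0 Inside
management-access Inside
access-list nonatdmz extended permit ip 172.17.0.0 255.255.0.0 10.16.70.0 255.255.255.0
access-list SPLIT_ACL standard permit 172.17.0.0 255.255.0.0
"""
# The same config with the three corrections reported in the thread applied.
FIXED = (BROKEN.replace("Outside", "Inside").replace("10.16.70.0", "10.17.70.0")
         + "access-list SPLIT_ACL standard permit host 10.0.0.2\n")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_networks(rest):
    """Networks named in one ACL line: 'host A' or 'A MASK' (any/object forms are skipped)."""
    return [net(h, "255.255.255.255") if h else net(a, k) for h, a, k in ACL_TERM.findall(rest)]

def check(config, pool, inside_ip, nonat_acl, split_acl):
    """List the gaps that stop a VPN client from managing the ASA on its inside IP."""
    pool, inside_ip = ipaddress.ip_network(pool), ipaddress.ip_address(inside_ip)
    m = re.search(r"^management-access (\S+)", config, re.M)
    mgmt_if = m.group(1).lower() if m else None      # nameif is not case-sensitive
    findings = [] if mgmt_if else ["management-access is not set"]
    # telnet <net> <mask> <ifname>: the pool must be allowed on the management-access interface
    telnet = [net(a, k) for a, k, i in re.findall(r"^telnet (\S+) (\S+) (\S+)$", config, re.M)
              if i.lower() == mgmt_if]
    if not any(pool.subnet_of(n) for n in telnet):
        findings.append(f"telnet does not permit {pool} on {mgmt_if}")
    acls = {}
    for name, rest in re.findall(r"^access-list (\S+) (.*)$", config, re.M):
        acls.setdefault(name, []).extend(acl_networks(rest))
    if not any(pool.subnet_of(n) for n in acls.get(nonat_acl, [])):
        findings.append(f"{nonat_acl} does not cover {pool}")
    if not any(inside_ip in n for n in acls.get(split_acl, [])):
        findings.append(f"{split_acl} does not include {inside_ip}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(label, check(cfg, "10.17.70.0/24", "10.0.0.2", "nonatdmz", "SPLIT_ACL"))
```

The ACL check only tests whether the pool or address appears anywhere in the named ACL; it does not distinguish source from destination.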
04-03-2008 04:50 PM
So you guys are all set then. Did you make the corrections on the ACLs? Can you post the updated config?