VPN Clients can't access internal LAN

Unanswered Question
May 30th, 2008

Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have an ASA 5520. My VPN clients can connect, and they get a DHCP address from our internal server no problem. I can ping and connect to the VPN clients from our LAN, but the clients cannot ping me or anything else on the LAN. The clients are connecting ipsec-ra. I know I must be missing something simple here. Here is my config. Any help would be great.



acomiskey Fri, 05/30/2008 - 07:01

You are missing a nat exemption acl entry for your vpn client pool (192.168.200.0).


access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0

access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0


You do have this entry:


access-list NONAT extended permit ip any 192.168.200.0 255.255.255.0


but you cannot have 2 nat exemption acls, so you can get rid of that one.


no access-list NONAT extended permit ip any 192.168.200.0 255.255.255.0
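A small config check that catches the two problems in this answer (the pool missing from the ACL that nat 0 actually uses, and a second, unbound exemption ACL). This is an added example, not code from the thread or from Cisco; the config fragment is constructed, the parser only understands the simple "extended permit ip" and "nat (if) 0 access-list" lines shown here, and the ACL-name matching assumes ASA names are case-sensitive.

```python
import ipaddress
import re

# Constructed sample reproducing the thread: nat 0 is bound to "nonat", but the
# only entry exempting the VPN pool 192.168.200.0/24 lives in a different ACL "NONAT".
SAMPLE_CONFIG = """
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list NONAT extended permit ip any 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def _net(token):
    # "any" becomes 0.0.0.0/0; otherwise "address mask" becomes a network object.
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_nat_exemption(config, pool):
    """Return findings for a VPN pool such as '192.168.200.0/24' (empty list = OK)."""
    pool = ipaddress.ip_network(pool)
    acls, bound = {}, {}          # name -> [(src, dst)], interface -> ACL name
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append((_net(m.group(2)), _net(m.group(3))))
        elif m := NAT0_RE.match(line):
            bound[m.group(1)] = m.group(2)
    findings = []
    # The pool must be the destination of some entry in the ACL nat 0 really uses.
    for iface, name in bound.items():
        if not any(pool.subnet_of(dst) for _, dst in acls.get(name, [])):
            findings.append(f"nat ({iface}) 0 uses {name!r}, which has no entry for pool {pool}")
    # An exemption for the pool in an ACL that nothing binds has no effect.
    for name, aces in acls.items():
        if name not in bound.values() and any(pool.subnet_of(dst) for _, dst in aces):
            findings.append(f"ACL {name!r} exempts pool {pool} but is not bound to any nat 0")
    return findings
```

Applying the answer's fix (adding the pool to "nonat" and removing the "NONAT" line) makes the check return no findings.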

adcorbett_2 Sun, 06/01/2008 - 09:56

That was it. Thanks!


acomiskey - dude - for as many times as you have helped me out, if you are ever in Massachusetts, let me know. I owe you!
