Cannot Access Inside from VPN Client

Unanswered Question
Oct 6th, 2008

Hi all

I am sorry that I make you feel bored of the same question.

I went through all the posts regarding this and am not able to troubleshoot the issue.

I am able to connect to my ASA and establish a tunnel.

I am able to ping my ASA inside.

I am able to run Telnet and ASDM over the VPN client to my ASA.

But I am not able to ping any host inside the network.

I am attaching the running config and "sh crypto ipsec sa".

Please do the favor.

ajagadee Tue, 10/07/2008 - 05:52

Sreekanth,

Looks like a routing issue.

If your VPN tunnel is up and you are able to ping the inside IP address of the ASA, that basically means your configuration on the ASA for the IPsec part is good :-)

Does your internal network know that it needs to route the packets for the VPN pool of IP addresses ("ip local pool vpnpool 172.16.0.20-172.16.0.29 mask 255.255.255.0") back to the ASA? I guess this is where things are not working as expected.

One thing I noticed is, you have a pool of ip addresses that is part of your internal network. Typically, this is not recommended because of routing issues.

So, you have two options:

1. Configure your internal routing to forward the packets destined for the Pool of IP Addresses back to the ASA.

OR

2. Reconfigure the pool of IP addresses to a totally different subnet (e.g. 192.168.150.0/24) and then configure your internal routing to forward packets destined to the pool back to the ASA.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

sreekanth sarma Mon, 10/13/2008 - 00:19

Hi Arul

I went through your post and made the following changes:

ip pool - 10.1.1.1 - 10.1.1.25 255.255.255.0

and I have a default route in my core switch to the ASA 5520:

ip route 0.0.0.0 0.0.0.0 172.20.0.10

We use EIGRP as our internal routing protocol. I created a VLAN with the 10.1.1.0/24 address scope, created an SVI interface with 10.1.1.30 as the interface address, and added it to the routing protocol.

On the core switch:

vlan 225
interface vlan 225
 ip address 10.1.1.30 255.255.255.0
 no shutdown
router eigrp 100
 redistribute static
 network 172.16.0.0
 network 10.1.1.0
ip route 0.0.0.0 0.0.0.0 172.20.0.10

I am able to ping 10.1.1.30 from the firewall. What do I do next?

The same problem continues even after the changes.
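The routing point Arul makes, and the core-switch table described in the reply above, can be checked with a small longest-prefix-match lookup. This is an added example, not code from the thread or from Cisco; it assumes 172.20.0.10 is the ASA inside address (the next hop of the core's default route) and that 172.16.0.0/24 is the internal subnet, and it simply reports which table entry the core switch would select for a reply packet addressed to a VPN client.

```python
import ipaddress

# Assumed from the thread: next hop of the core switch's default route (ASA inside).
ASA_INSIDE = "172.20.0.10"


def lookup(routes, dst):
    """Select a route for dst by longest prefix match; equal-length prefixes
    are broken by lowest administrative distance (connected = 0, static = 1).
    Each route is (prefix, next_hop, ad); next_hop None means directly connected.
    Returns the next hop, 'connected' for an attached prefix, or None if no match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ad in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -ad)          # longer prefix wins, then lower AD
        if best is None or key > best[0]:
            best = (key, next_hop)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]


# Constructed table for Arul's option 2: pool on its own subnet (192.168.150.0/24)
# with an explicit static route pointing it back at the ASA.
ROUTES_STATIC_TO_ASA = [
    ("0.0.0.0/0", ASA_INSIDE, 1),
    ("192.168.150.0/24", ASA_INSIDE, 1),
    ("172.16.0.0/24", None, 0),            # assumed internal LAN, connected
]

# Constructed table mirroring the second post: the pool subnet 10.1.1.0/24 is
# configured as a connected SVI (interface vlan 225, 10.1.1.30/24) on the core.
ROUTES_POOL_AS_SVI = [
    ("0.0.0.0/0", ASA_INSIDE, 1),
    ("10.1.1.0/24", None, 0),
    ("172.16.0.0/24", None, 0),
]


def reply_next_hop(routes, vpn_client_ip):
    """Where the core sends a reply destined for a VPN client address."""
    return lookup(routes, vpn_client_ip)


if __name__ == "__main__":
    # A connected entry is longer than 0/0, so the core tries to deliver on
    # vlan 225 itself rather than forwarding the packet to the ASA.
    print(reply_next_hop(ROUTES_STATIC_TO_ASA, "192.168.150.5"))  # 172.20.0.10
    print(reply_next_hop(ROUTES_POOL_AS_SVI, "10.1.1.5"))         # connected
```

A "connected" result for a pool address means the core switch will ARP for the VPN client on the VLAN instead of handing the packet to the ASA, which is the symptom Arul's two options are meant to avoid.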
