10-06-2008 11:27 PM
Hi all
I am sorry to bore you with the same question.
I went through all the posts regarding this and am not able to troubleshoot the issue.
I am able to Connect to my ASA and establish a tunnel
I am able to ping my ASA inside
I am able to run Telnet and ASDM over the VPN client to my ASA
But I am not able to ping any host inside the network
I am attaching the running config and sh crypto ipsec sa.
Please do me the favor.
10-07-2008 05:52 AM
Sreekanth,
Looks like a routing issue.
If your VPN tunnel is up and you are able to ping the inside IP address of the ASA, that basically means your configuration on the ASA for the IPsec part is good :-)
Does your internal network know that it needs to route the packets for the VPN pool of IP addresses "ip local pool vpnpool 172.16.0.20-172.16.0.29 mask 255.255.255.0" back to the ASA? I guess this is where things are not working as expected.
One thing I noticed is, you have a pool of ip addresses that is part of your internal network. Typically, this is not recommended because of routing issues.
So, you have two options:
1. Configure your internal routing to forward the packets destined for the Pool of IP Addresses back to the ASA.
OR
2. Reconfigure the pool of IP addresses to a totally different subnet (e.g. 192.168.150.0/24) and then configure your internal routing to forward packets destined for the pool back to the ASA.
I hope it helps.
Regards,
Arul
** Please rate all helpful posts **
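The routing check behind the two options above, as an added example that is not part of the original thread: a longest-prefix-match model of the core switch's routing table in Python. The pool 172.16.0.20-29, the subnet 192.168.150.0/24 and the ASA inside address 172.20.0.10 come from the thread; the route tables, the connected 172.16.0.0/24 entry and the 192.168.150.1-10 pool range are constructed assumptions.

```python
import ipaddress

ASA_INSIDE = "172.20.0.10"  # ASA inside address as given in the thread

def pool_overlaps(pool_first, pool_last, internal_subnets):
    """Return the internal subnets that contain any address of the VPN pool."""
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    hits = []
    for cidr in internal_subnets:
        net = ipaddress.ip_network(cidr)
        # Two ranges intersect when each one starts before the other ends.
        if first <= net.broadcast_address and last >= net.network_address:
            hits.append(cidr)
    return hits

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def pool_routes(pool_first, pool_last):
    """Smallest set of prefixes covering the pool, each pointing at the ASA."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last))
    return [(str(n), ASA_INSIDE) for n in nets]

def replies_reach_asa(routes, pool_first, pool_last):
    """True only if every pool address resolves to the ASA as next hop."""
    first = int(ipaddress.ip_address(pool_first))
    last = int(ipaddress.ip_address(pool_last))
    return all(next_hop(routes, str(ipaddress.ip_address(i))) == ASA_INSIDE
               for i in range(first, last + 1))

# Constructed routing tables (assumed, not taken from the attached config).
# Models the routed hop only, not hosts sharing a subnet with the pool.
OVERLAPPING = [("172.16.0.0/24", "connected")]  # pool sits inside this subnet
OPTION_1 = OVERLAPPING + pool_routes("172.16.0.20", "172.16.0.29")
OPTION_2 = OVERLAPPING + [("192.168.150.0/24", ASA_INSIDE)]

if __name__ == "__main__":
    print(pool_overlaps("172.16.0.20", "172.16.0.29", ["172.16.0.0/24"]))
    print(replies_reach_asa(OVERLAPPING, "172.16.0.20", "172.16.0.29"))
    print(replies_reach_asa(OPTION_1, "172.16.0.20", "172.16.0.29"))
    print(replies_reach_asa(OPTION_2, "192.168.150.1", "192.168.150.10"))
```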
10-13-2008 12:19 AM
Hi Arul
I went through your post and made the following changes:
ip pool - 10.1.1.1 - 10.1.1.25 255.255.255.0
and I have a default route on my core switch to the ASA 5520
ip route 0.0.0.0 0.0.0.0 172.20.0.10
We use EIGRP as our internal routing protocol, and I created a VLAN with the 10.1.1.0/24 address scope, created an SVI with 10.1.1.30 as the interface address, and added it to the routing protocol.
On the core switch:
vlan 225
interface vlan 225
ip address 10.1.1.30 255.255.255.0
no shutdown
router eigrp 100
redistribute static
network 172.16.0.0
network 10.1.1.0
ip route 0.0.0.0 0.0.0.0 172.20.0.10
I am able to ping 10.1.1.30 from the firewall. What should I do next?
The same problem continues even after the changes.