Using Cisco VPN client can't ping beyond inside interface

Oct 24th, 2008

I have a ASA 5505 7.2(3)

The firewall is set up w/ A inside IP network of 192.168.55.0

The VPN pool is setup as 192.168.55.90-192.168.55.99

What do I need to enable or create to allow the outside vpn clients to access the inside servers?



ajagadee Fri, 10/24/2008 - 12:03
Cisco Employee

Hi,


You need to bypass NAT for the VPN Client Traffic by configuring nat (inside) 0.


nat (inside) 0 access-list 101

access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.55.0 255.255.255.0


Please refer to the URL below for configuration details.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml


While the above configuration should most likely resolve the issue, I would recommend that you configure a different subnet for the VPN Client Pool, something that is not part of your internal network, and then include them in the NAT 0 command. Depending upon your routing domain and how things are configured, you could run into routing issues by assigning IP addresses for the VPN Clients from your internal network.


Regards,

Arul


*Pls rate if it helps*




tony@asi-usa.com Tue, 10/28/2008 - 11:04

I made the necessary changes to the VPN pool as requested. Now I am unable to ping the gateway of 192.168.55.1. The VPN pool is 192.168.75.0 225.255.255.0. I am attaching the updated config. Could anyone help?

Thanks



ajagadee Tue, 10/28/2008 - 11:47
Cisco Employee

Hi,


Couple of things:


1. Your split tunnel is misconfigured.


access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0


The above ACL should be


access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.55.0 255.255.255.0


Basically, split tunnel specifies what addresses you want the VPN Remote Users to access over the tunnel.


2. Your NAT (inside) 0 is misconfigured.


access-list 101 extended permit ip 192.168.75.0 255.255.255.0 192.168.75.0 255.255.255.0


This should be


access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.75.0 255.255.255.0


Please do make the changes and test the tunnel connectivity.


Regards,

Arul


*Pls rate if it helps*
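A small checker for the two mistakes corrected in this reply (a nat 0 ACL written pool-to-pool instead of inside-to-pool, and a split-tunnel ACL that permits the pool rather than the inside network) plus the pool-overlap caveat from the first reply. This is an added example, not code from the thread; the config fragments are constructed from the lines quoted above, and the pool name PCGPool and its range are assumptions.

```python
import ipaddress
import re

# Constructed config fragments modelled on the thread (not the poster's real
# config): the mistaken version and the version the reply asks for.
BROKEN = """\
ip local pool PCGPool 192.168.75.1-192.168.75.254 mask 255.255.255.0
access-list 101 extended permit ip 192.168.75.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0
nat (inside) 0 access-list 101
"""
FIXED = BROKEN.replace("ip 192.168.75.0 255.255.255.0 192.168.75.0",
                       "ip 192.168.55.0 255.255.255.0 192.168.75.0") \
              .replace("standard permit 192.168.75.0", "standard permit 192.168.55.0")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect VPN pools, ACL entries and nat 0 bindings from ASA-style lines."""
    pools, ext, std, nat0 = [], {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pools.append(net(m[1], m[2]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            ext.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            std.setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]
    return pools, ext, std, nat0

def check(config, inside_net, split_acl):
    """Return findings as strings; an empty list means all checks pass."""
    inside = ipaddress.ip_network(inside_net)
    pools, ext, std, nat0 = parse(config)
    # First reply's caveat: the pool should not be carved out of the inside subnet.
    findings = [f"pool {p} overlaps inside network {inside}"
                for p in pools if p.overlaps(inside)]
    # NAT exemption must match inside -> pool, not pool -> pool.
    entries = ext.get(nat0.get("inside", ""), [])
    if not any(s == inside and any(d.overlaps(p) for p in pools) for s, d in entries):
        findings.append("nat (inside) 0 ACL has no entry from inside network to VPN pool")
    # Split tunnel must list the inside network the clients should reach.
    if not any(inside.subnet_of(n) for n in std.get(split_acl, [])):
        findings.append(f"{split_acl} does not permit inside network {inside}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check(cfg, "192.168.55.0/24", "PCGRemoteAccess_splitTunnelAcl") or ["ok"])
```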

tony@asi-usa.com Tue, 10/28/2008 - 12:07

Made the changes, no difference. The tunnel is being built correctly but no traffic flows. I can't ping the 192.168.55.1 interface or any inside address.

ajagadee Tue, 10/28/2008 - 15:43
Cisco Employee

Tony,


After you made the changes to the configuration, did you do "clear xlate" and then try pinging an IP address on the 192.168.55.0 subnet?


Also, after connecting the VPN Client and trying to access something on the inside, can you post the outputs of "show cry is sa" and "show cry ipsec sa"?


Regards,

Arul
