12-05-2008 09:13 AM
This is an interesting one.
I have a remote access vpn configured on my asa5520 and that works perfectly ok.
There is a set of segments, though, that I cannot ping from my remote access VPN client, but I can ping them from the inside interface of the firewall.
The default route of the client is .1 in the "ip local pool" which I believe is the firewall itself, is it?
But in any case, my client is unable to ping that segment. There is an internal route on the firewall to that segment to the extent the inside interface can ping it... but NOT the client.
Why is that?
12-05-2008 10:01 AM
What does your NAT exemption ACL look like? Is this other segment part of it? Can you post a config?
12-05-2008 10:12 AM
firewall 1:
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.99.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 216.183.93.176 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.42.0.0 255.255.0.0
firewall 2:
access-list todixie_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
I am unable to ping from 10.20.50.x/24 to 192.168.200.x, 192.168.210.x or 192.168.220.x, where 10.20.50 is the IP pool for the remote access VPN and the 192.168 segments are local segments routed on the core switch behind firewall 2.
As you can see, 10.20.50 is a subset of the segments in the ACLs.
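As an added example (not part of the thread and not the poster's own configuration), here is a small Python checker that parses the exact nat0 ACEs posted above and reports, for a host in the 10.20.50.0/24 pool and a host on one of the 192.168.x segments, which ACE (if any) matches in each direction. It assumes firewall 2's wrapped lines are joined back into one ACE each, uses a top-down first-match model like the ASA's ACL evaluation, and says nothing about which interface each `nat 0` statement is bound to, since that is not in the posted config. The host addresses in `__main__` are constructed for illustration.

```python
import ipaddress
import re

# nat0 ACLs exactly as posted in the thread (firewall 2's wrapped lines joined back together).
FIREWALL1_ACL = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.99.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 216.183.93.176 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.42.0.0 255.255.0.0
"""

FIREWALL2_ACL = """
access-list todixie_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
"""

# Only the "extended permit|deny ip <src> <dst>" form used on the page is accepted;
# anything else raises, so a mis-parsed line cannot silently look like a non-match.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)$"
)


def _to_network(spec: str) -> ipaddress.IPv4Network:
    """ASA address spec ('any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M') -> IPv4Network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = spec.split()
    if first == "host":
        return ipaddress.ip_network(f"{second}/32")
    # ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{first}/{second}", strict=False)


def parse_acl(text: str) -> list:
    """Parse ASA ACEs (one per line) into dicts with action, src and dst networks."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        aces.append({"action": m["action"], "src": _to_network(m["src"]),
                     "dst": _to_network(m["dst"]), "text": line.strip()})
    return aces


def matching_ace(aces: list, src_ip: str, dst_ip: str):
    """1-based index of the first ACE whose src/dst contain the flow, or None.

    Mirrors top-down first-match evaluation of an ASA access list. All ACEs on
    the page are permits, so the action is recorded but not used here.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces, start=1):
        if s in ace["src"] and d in ace["dst"]:
            return idx
    return None


def exemption_report(aces: list, inside_ip: str, remote_ip: str) -> dict:
    """Matching ACE index for each direction of a flow between an inside host
    and a remote (VPN pool) host; None means no ACE in that direction covers it."""
    return {
        "inside_to_remote": matching_ace(aces, inside_ip, remote_ip),
        "remote_to_inside": matching_ace(aces, remote_ip, inside_ip),
    }


if __name__ == "__main__":
    fw1, fw2 = parse_acl(FIREWALL1_ACL), parse_acl(FIREWALL2_ACL)
    pool_host = "10.20.50.5"  # constructed address inside the posted VPN pool
    for inside_host in ("192.168.200.10", "192.168.210.10", "192.168.220.10"):  # constructed
        for label, acl in (("firewall 1", fw1), ("firewall 2", fw2)):
            rep = exemption_report(acl, inside_host, pool_host)
            print(f"{label}: {inside_host} -> {pool_host}: ACE {rep['inside_to_remote']}; "
                  f"{pool_host} -> {inside_host}: ACE {rep['remote_to_inside']}")
```

Run as a script, it shows that for 10.20.50.x and the 192.168.200/210/220 hosts the only matching ACEs on either firewall are in the 192.168-to-10.20.50 direction (firewall 1's `any 10.20.50.0 255.255.255.0` entry and firewall 2's per-segment entries); nothing in either list has a 10.20.50.0/24 source, which is the literal check behind the "is this other segment part of it" question in the reply above.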