Able to ping from inside interface but not outside

Dec 11th, 2008
Users on vpn can not reach 1 particular host.


ICMP is allowed since they are able to ping other devices on our network when vpn'd in.


I am using ASDM to run the ping test.

The first result is with the outside interface as source; the second is inside.


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.165, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.165, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 m


access-list a_splitTunnelAcl standard permit 172.20.0.0 255.255.0.0

access-list A_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0

access-list A_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list a_splitTunnelAcl standard permit 206.213.201.96 255.255.255.248

access-list A_splitTunnelAcl standard permit 206.213.207.96 255.255.255.248

access-list A_splitTunnelAcl standard permit host 64.14.47.15x

access-list A_splitTunnelAcl standard permit host 64.14.47.15x

access-list A_splitTunnelAcl standard permit host 64.14.47.16x


route outside 0.0.0.0 0.0.0.0 64.14.47.190 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.4255.255.255.255 172.30.0.1 1

route inside 64.14.47 255.255.255.255 172.30.0.1 1

route inside 64.14.47 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.47 255.255.255.255 172.30.0.1 1

route inside 64.14.47 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.47 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 64.14.4 255.255.255.255 172.30.0.1 1

route inside 172.20.0.0 255.255.0.0 172.30.0.1 1

route inside 192.168.0.0 255.255.0.0 172.30.0.1 1

route inside 206.213.20255.255.255.248 172.30.0.1 1

route inside 206.213.2 255.255.255.248 172.30.0.1 1



172.30.0.1 is the interface on our network

172.30.0.2 is the inside interface of the firewall





acomiskey Thu, 12/11/2008 - 12:27

Can vpn users ping anything on 192.168.0.0? If not, 192.168.0.0 most likely needs a route to the vpn client subnet.

ajagadee (Cisco Employee) Thu, 12/11/2008 - 14:16

Hi,


Does this device have two NICs by any chance? Also, check the routing table of the host "192.168.0.165" and make sure this host has routing properly configured to route packets destined to the VPN Pool of IP Addresses back to the client.


Also, what is this host? Is it a server or a VIP on a load balancer? Make sure that there are no filters that will block ICMP Traffic from the VPN Pool of IP Addresses.


Regards,

Arul


*Pls rate if it helps*
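
The two checks this thread turns on, as an added example (not code from the thread or from Cisco): parse the posted ASA lines to confirm the firewall tunnels and routes 192.168.0.165 correctly, then test which gateway the host would use for replies to the VPN pool. The VPN pool `10.99.0.0/24`, the host routing table and all function names are constructed assumptions; only the ASA lines come from the post.

```python
import ipaddress

# Complete lines copied from the post (redacted/truncated ones are left out).
ASA_CONFIG = """\
access-list A_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0
access-list A_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 64.14.47.190 1
route inside 172.20.0.0 255.255.0.0 172.30.0.1 1
route inside 192.168.0.0 255.255.0.0 172.30.0.1 1
"""
# Constructed values, NOT from the post: VPN pool and the host's own routes.
VPN_POOL = "10.99.0.0/24"
HOST_ROUTES = [("0.0.0.0/0", "192.168.1.1"), ("192.168.0.0/24", "on-link")]

def parse_asa(config):
    """Return (split_tunnel_networks, routes) parsed from ASA config text."""
    split, routes = [], []
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-list"] and f[2:4] == ["standard", "permit"]:
            # Either "permit host A.B.C.D" or "permit NETWORK MASK".
            cidr = f"{f[5]}/32" if f[4] == "host" else f"{f[4]}/{f[5]}"
            split.append(ipaddress.ip_network(cidr))
        elif f[:1] == ["route"] and len(f) >= 5:
            # route <interface> <network> <mask> <gateway> [metric]
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[1], f[4]))
    return split, routes

def best_route(routes, ip):
    """Longest-prefix match over (network, interface, gateway) tuples."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def forward_path(config, host):
    """Is the host split-tunnelled, and where does the ASA send the packet?"""
    split, routes = parse_asa(config)
    tunnelled = any(ipaddress.ip_address(host) in n for n in split)
    r = best_route(routes, host)
    return tunnelled, ((r[1], r[2]) if r else None)

def return_gateway(host_routes, vpn_pool):
    """Gateway the host would use for replies to the VPN pool, or None."""
    routes = [(ipaddress.ip_network(c), "host", gw) for c, gw in host_routes]
    pool = ipaddress.ip_network(vpn_pool)
    r = best_route(routes, str(pool.network_address))
    return r[2] if r else None

if __name__ == "__main__":
    print(forward_path(ASA_CONFIG, "192.168.0.165"))
    print(return_gateway(HOST_ROUTES, VPN_POOL))
```

With the constructed host table, the forward path is correct but replies to the pool leave via the host's default gateway, which is the return-route condition both replies ask the poster to rule out.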
