I can't ping or reach the internal LAN

Answered Question
Oct 28th, 2009

I can't reach or ping my internal network when I connect via VPN. The connection works fine, everything gets connected to the ASA and the users are accepted via RADIUS.

Correct Answer by JORGE RODRIGUEZ, Wed, 10/28/2009 - 10:24

Jorgen,

I would recommend using a different RA pool network number, separated from your inside network. This strategy eases troubleshooting efforts down the road, as opposed to troubleshooting issues from inside 192.168.0.0/24 and RA POOL 192.168.0.0/24; however, using the same network can still work.

I would correct a couple of things in your config.

You have allocated dhcpd for inside hosts from 192.168.0.2-192.168.0.129

and your RA vpn pool is defined from 192.168.0.60-192.168.0.75; your RA pool allocation should be 192.168.0.130-192.168.0.145 to have some consistency.

You need to also add to your config "crypto isakmp nat-traversal" and have the RA client try again.

If all of the above does not do the trick, keep crypto isakmp nat-traversal in your config and re-create a new network for your RA POOL.

Here is an easy script:

remove the RA POOL network

no ip local pool VPN_IMH 192.168.0.60-192.168.0.75 mask 255.255.255.0

create a new POOL network, assume (172.16.1.0)

ip local pool VPN_IMH 172.16.1.60-172.16.1.75 mask 255.255.255.0

for your NAT exempt ACL add the following statement

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0

and remove this rule

no access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

Let us know how it works out so we can assist.

Regards
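An added example, not part of the thread or of Cisco's tooling: a small Python audit that parses the ASA lines this answer is about (dhcpd range, ip local pool, the nat0 exemption ACL and crypto isakmp nat-traversal) and reports the three problems discussed. The two config fragments are constructed to match the "before" and "after" layouts described above; the ACL parser handles only the "any" and "address mask" forms.

```python
import ipaddress
import re

# Constructed config fragments (not the poster's config): the layout described in
# the thread before the fix, and after applying the answer's pool and nat0 changes.
BEFORE = """\
dhcpd address 192.168.0.2-192.168.0.129 inside
ip local pool VPN_IMH 192.168.0.60-192.168.0.75 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
"""
AFTER = """\
dhcpd address 192.168.0.2-192.168.0.129 inside
ip local pool VPN_IMH 172.16.1.60-172.16.1.75 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto isakmp nat-traversal 20
"""

def ip_range(spec):
    """'a.b.c.d-e.f.g.h' -> (first, last) as address objects."""
    lo, hi = spec.split("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def acl_nets(rest):
    """Parse the src/dst part of 'permit ip ...'; handles 'any' and 'addr mask' only."""
    t = rest.replace("any", "0.0.0.0 0.0.0.0").split()   # ASA ACL masks are subnet masks
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in zip(t[::2], t[1::2])]

def audit(config):
    """Return findings for the three problems raised in the thread; [] means clean."""
    dhcp = pool = None
    exempt, natt = [], False
    for line in config.splitlines():
        if m := re.match(r"dhcpd address (\S+) inside", line):
            dhcp = ip_range(m[1])
        elif m := re.match(r"ip local pool \S+ (\S+) mask", line):
            pool = ip_range(m[1])
        elif m := re.match(r"access-list \S*nat0\S* extended permit ip (.+)", line):
            exempt.append(acl_nets(m[1]))          # 'no access-list ...' lines do not match
        elif line.startswith("crypto isakmp nat-traversal"):
            natt = True
    findings = []
    if pool and dhcp and pool[0] <= dhcp[1] and dhcp[0] <= pool[1]:
        findings.append("RA pool overlaps the inside DHCP range")
    if pool and dhcp and not any(dhcp[0] in src and dhcp[1] in src and
                                 pool[0] in dst and pool[1] in dst for src, dst in exempt):
        findings.append("no nat0 exemption from the inside hosts to the RA pool")
    if not natt:
        findings.append("crypto isakmp nat-traversal is not configured")
    return findings
```

Running audit on a saved "show running-config" output flags the overlap and the missing nat-traversal line before you start capturing traffic.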

jorgenhart Thu, 10/29/2009 - 01:19

Thank you very much!

This suggestion helped me a lot, the main problem was crypto isakmp nat-traversal.

Regards
