I can't ping or reach the internal LAN

Answered Question
Oct 28th, 2009

I can't reach or ping my internal network when I connect via VPN. The connection works fine, everything connects to the ASA and the users are accepted via RADIUS.



Correct Answer
JORGE RODRIGUEZ Wed, 10/28/2009 - 10:24

Jorgen,


I would recommend using a different RA pool network number, separated from your inside network; this strategy eases troubleshooting efforts down the road as opposed to troubleshooting issues from inside 192.168.0.0/24 and RA POOL 192.168.0.0/24. However, using the same network can still work.


I would correct a couple of things in your config.



You have allocated dhcpd for inside hosts from 192.168.0.2-192.168.0.129


and your RA VPN pool is defined from 192.168.0.60-192.168.0.75; your RA pool allocation should be 192.168.0.130-192.168.0.145 to have some consistency.



You need to also add "crypto isakmp nat-traversal" to your config and have the RA client try again.



If all of the above does not do the trick, keep crypto isakmp nat-traversal in your config and re-create a new network for your RA POOL.


Here is an easy script:


remove the RA POOL network

no ip local pool VPN_IMH 192.168.0.60-192.168.0.75 mask 255.255.255.0



create a new POOL network (assume 172.16.1.0)

ip local pool VPN_IMH 172.16.1.60-172.16.1.75 mask 255.255.255.0



for your NAT exempt ACL, add the following statement


access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0


and remove this rule


no access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0


Let us know how it works out so we can assist.



Regards

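An added check, written for this page and not part of the thread or of any Cisco tool: it validates a remote-access pool against the inside LAN and dhcpd scope quoted above, then generates the pool swap and nat 0 exemption lines the answer gives. The pool name VPN_IMH, the ranges, the mask and the ACL name come from the thread; the function names and the check logic are assumptions of mine.

```python
import ipaddress

# Constructed from the values in this thread: the inside LAN, the dhcpd scope
# for inside hosts, the original RA pool and the replacement pool the answer
# proposes. Function names and the check logic are my own, not the ASA's.
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")
DHCPD_RANGE = (ipaddress.ip_address("192.168.0.2"),
               ipaddress.ip_address("192.168.0.129"))
OLD_POOL = (ipaddress.ip_address("192.168.0.60"),
            ipaddress.ip_address("192.168.0.75"))
NEW_POOL = (ipaddress.ip_address("172.16.1.60"),
            ipaddress.ip_address("172.16.1.75"))
POOL_MASK = "255.255.255.0"
NAT0_ACL = "inside_nat0_outbound"


def ranges_overlap(a, b):
    """True when two inclusive (first, last) address ranges share an address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_pool(pool, inside_net=INSIDE_NET, dhcp=DHCPD_RANGE):
    """Problems a remote-access pool would cause; an empty list means clean."""
    problems = []
    if ranges_overlap(pool, dhcp):
        problems.append("overlaps the dhcpd scope: a VPN client and a LAN host can get the same address")
    if pool[0] in inside_net or pool[1] in inside_net:
        problems.append("carved from the inside subnet: can work, but harder to troubleshoot")
    return problems


def nat_exempt_ace(pool, mask=POOL_MASK, inside_net=INSIDE_NET, acl=NAT0_ACL):
    """ACE that exempts inside -> VPN-pool traffic from NAT (the nat 0 ACL)."""
    pool_net = ipaddress.ip_network(f"{pool[0]}/{mask}", strict=False)
    return (f"access-list {acl} extended permit ip "
            f"{inside_net.network_address} {inside_net.netmask} "
            f"{pool_net.network_address} {pool_net.netmask}")


def pool_migration_script(name, old_pool, new_pool, mask=POOL_MASK):
    """CLI lines that swap the RA pool and fix NAT exemption, as the answer does."""
    return [
        f"no ip local pool {name} {old_pool[0]}-{old_pool[1]} mask {mask}",
        f"ip local pool {name} {new_pool[0]}-{new_pool[1]} mask {mask}",
        nat_exempt_ace(new_pool, mask),
        # the 'any' exemption rule the answer says to remove
        f"no access-list {NAT0_ACL} extended permit ip any "
        f"{INSIDE_NET.network_address} {INSIDE_NET.netmask}",
        "crypto isakmp nat-traversal",
    ]
```

Running check_pool(OLD_POOL) reports both the dhcpd overlap and the shared subnet; the answer's alternative 192.168.0.130-192.168.0.145 clears the overlap but still shares the inside subnet, which is exactly the trade-off the answer describes.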


jorgenhart Thu, 10/29/2009 - 01:19

Thank you very much!

This suggestion helped me a lot; the main problem was crypto isakmp nat-traversal.


Regards
