Can't access internal resource

Answered Question
Apr 6th, 2010

I was able to get to the internal resources by having the same VPN pool as the internal IP address (192.168.100.0). Now, I want to have a different VPN pool from the internal IP address. For example, I want to have the VPN pool from 192.168.101.1 - 192.168.101.250. I was able to log in to the VPN client, but I cannot ping or access the internal resource (192.168.100.13). Can you help me? Attached is the config file.

Thanks.

Laura

Correct Answer
mciszek Tue, 04/06/2010 - 19:46

Laura,

Sounds like you need to add the new VPN pool from 192.168.101.1 - 192.168.101.250 to your Inside_nat0_outbound ACL:

It should look like this now, with both the internal and VPN pool address ranges included:

access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0

Hope this helps,

Mike

laurabolda Wed, 04/07/2010 - 09:22

Mciszek,

I still can't connect to the internal resource after adding the statement.  Do you have any other suggestions?

Thanks.

Laura

Correct Answer
Jennifer Halim Wed, 04/07/2010 - 14:20

If you are testing with ping, you would need to add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Also, your internal LAN default gateway should be the ASA inside interface (192.168.100.100), assuming that you are trying to access resources within the 192.168.100.0/24 subnet.

Also, I just want to confirm that you have the VPN client configured, as the config in the first post does not include that.
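As an added check written for this page (not code from the thread or from Cisco): a small Python script that tests an ASA config for the two gaps discussed above, the VPN pool not being covered by the Inside_nat0_outbound NAT-exemption ACL and inspect icmp missing from global_policy, and prints the lines to add. The sample config text, the pool name VPNPOOL and the assumption that the pool fits in a /24 are constructed.

```python
import ipaddress
import re

# Constructed sample, modelled on the thread: the old /24 is NAT-exempt, the new
# 192.168.101.x pool is not, and ICMP inspection is absent from the global policy.
SAMPLE_CONFIG = """\
access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
ip local pool VPNPOOL 192.168.101.1-192.168.101.250 mask 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
"""

def pool_range(config):
    """First and last address of the 'ip local pool' line, or None if absent."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def nat0_networks(config, acl="Inside_nat0_outbound"):
    """Destination networks exempted by 'permit ip any <net> <mask>' entries of the ACL."""
    pat = rf"^access-list {acl} extended permit ip any (\S+) (\S+)\s*$"
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in re.findall(pat, config, re.M)]

def pool_is_exempt(config, acl="Inside_nat0_outbound"):
    """True if the whole VPN pool sits inside one entry of the NAT-exemption ACL."""
    rng = pool_range(config)
    if rng is None:
        return False
    return any(rng[0] in n and rng[1] in n for n in nat0_networks(config, acl))

def icmp_inspected(config):
    """True if 'inspect icmp' sits under class inspection_default in global_policy."""
    blocks = re.finditer(r"^policy-map global_policy\n((?: .*\n)*)", config, re.M)
    return any("class inspection_default" in b.group(1)
               and re.search(r"^\s+inspect icmp\s*$", b.group(1), re.M) for b in blocks)

def missing_fixes(config, acl="Inside_nat0_outbound"):
    """Lines the thread suggests adding, for whichever check still fails."""
    fixes = []
    rng = pool_range(config)
    if rng and not pool_is_exempt(config, acl):
        net = ipaddress.ip_network(f"{rng[0]}/24", strict=False)  # assumes a /24-sized pool
        fixes.append(f"access-list {acl} extended permit ip any {net.network_address} {net.netmask}")
    if not icmp_inspected(config):
        fixes.append("policy-map global_policy\n class inspection_default\n  inspect icmp")
    return fixes

if __name__ == "__main__":
    print("\n".join(missing_fixes(SAMPLE_CONFIG)))
```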

laurabolda Thu, 04/08/2010 - 11:07

Halijenn,

Thanks for taking time to look at the config again. I did not have the "inspect icmp" statement in my config. I have this statement and thought it meant ICMP was turned on.

access-list 101 extended permit icmp any any

Thanks.

Laura

laurabolda Thu, 04/08/2010 - 11:13

Halijenn,

May I ask you another question?  I upgraded the IOS from 7.0 to 8.2.2.  The upgrade added the following statements.  I don't know what these statements are for.  Is it OK to remove them?  Thanks.

prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Correct Answer
Jennifer Halim Thu, 04/08/2010 - 14:50

Definitely safe to remove them.

The "prompt hostname context" command is useful if you have failover configured, and would like to know whether it's the active or standby unit, and if you have multiple context configured on the firewall. It just give you more information on the prompt.

Here is the command reference for "prompt":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1921355

The rest of the config is for Smart Call Home. It is a new feature in version 8.2.2 and has limited functionality as it has just been introduced.

Here is a little bit of reading on the feature if you are interested:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_smart_call_home.html

laurabolda Thu, 04/08/2010 - 18:11

Thanks very much again for the prompt response and information, Halijenn.

Laura
