Can't access remote LAN with Cisco Client

sebastianvetter
Level 1

Hi,

I'm using an ASA 5505 and connecting with the Cisco Client 5.0.02.0090. The client connects to the remote LAN and gets an IP address from the ASA.

But I cannot access the remote LAN or ping the internal interface of the ASA.

Can anyone help me with this issue?


8 Replies

Hi Sebastian,

Try adding these commands on the ASA:

management-access inside

sysopt connection permit-vpn

crypto isakmp nat-t

Disconnect, connect and...

Then try to PING 192.168.20.100 from the VPN client.

If it succeeds, then try to PING the internal LAN (make sure the gateway is 192.168.20.200).

If not, please post the output of ''sh cry ips sa''

As a recommendation, the VPN pool should belong to a different range from the inside LAN.

Federico.

Jennifer Halim
Cisco Employee

The ip pool should be in a different subnet than the inside interface.

Try to change it to a unique subnet.

For example:

ip local pool DHCP 192.168.50.10-192.168.50.20 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0

To ping through the ASA, please add the following:

policy-map global_policy
class inspection_default

     inspect icmp

Hope that helps.
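The point of the reply above is that a VPN pool carved out of the inside subnet (192.168.20.0/24 here) leaves the ASA unable to tell pool clients from local hosts, while a separate pool needs a NAT exemption so inside-to-pool traffic is not translated. The following checker is an added example, not Jennifer's or Cisco's code: it parses an `ip local pool` line, tests the range against the inside subnet with Python's standard `ipaddress` module, and emits the matching `inside_nat0_outbound` exemption line for a non-overlapping pool. The inside subnet 192.168.20.0/24 and the pool line are taken from the thread; the `check_vpn_pool` function name is this example's own.

```python
import ipaddress
from typing import Optional, Tuple

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network


def parse_local_pool(line: str) -> Tuple[IPv4Addr, IPv4Addr, IPv4Net]:
    """Parse 'ip local pool NAME START-END mask MASK' into (start, end, pool network).

    The pool network is derived from START and MASK exactly as the ASA does,
    so the result can be reused in a NAT exemption ACL.
    """
    parts = line.split()
    if parts[:3] != ["ip", "local", "pool"] or "mask" not in parts:
        raise ValueError(f"not an 'ip local pool ... mask' line: {line!r}")
    start_s, end_s = parts[4].split("-")
    mask = parts[parts.index("mask") + 1]
    start, end = IPv4Addr(start_s), IPv4Addr(end_s)
    if end < start:
        raise ValueError("pool end address is lower than its start address")
    pool_net = IPv4Net(f"{start}/{mask}", strict=False)
    if end not in pool_net:
        raise ValueError("pool range does not fit inside its own mask")
    return start, end, pool_net


def pool_overlaps_inside(start: IPv4Addr, end: IPv4Addr, inside: IPv4Net) -> bool:
    """True if any address of the pool range [start, end] lies in the inside subnet."""
    if start in inside or end in inside:
        return True
    # The range can also swallow the whole inside subnet without either end being in it.
    return start <= inside.network_address and inside.broadcast_address <= end


def nat0_exempt_acl(inside: IPv4Net, pool_net: IPv4Net,
                    acl_name: str = "inside_nat0_outbound") -> str:
    """Build the NAT exemption ACE for inside-subnet to VPN-pool traffic."""
    return (f"access-list {acl_name} extended permit ip "
            f"{inside.network_address} {inside.netmask} "
            f"{pool_net.network_address} {pool_net.netmask}")


def check_vpn_pool(pool_line: str, inside_cidr: str) -> dict:
    """Return whether the pool collides with the inside subnet and, if not, the nat0 ACE."""
    start, end, pool_net = parse_local_pool(pool_line)
    inside = IPv4Net(inside_cidr)
    overlaps = pool_overlaps_inside(start, end, inside)
    acl: Optional[str] = None if overlaps else nat0_exempt_acl(inside, pool_net)
    return {"pool": f"{start}-{end}", "inside": str(inside),
            "overlaps": overlaps, "nat0_acl": acl}


if __name__ == "__main__":
    # Constructed inputs: the pool suggested in the thread, and a pool taken from the inside LAN.
    for pool in ("ip local pool DHCP 192.168.50.10-192.168.50.20 mask 255.255.255.0",
                 "ip local pool DHCP 192.168.20.150-192.168.20.160 mask 255.255.255.0"):
        result = check_vpn_pool(pool, "192.168.20.0/24")
        if result["overlaps"]:
            print(f"{result['pool']} overlaps {result['inside']}: move the pool to a separate subnet")
        else:
            print(f"{result['pool']} is fine; add: {result['nat0_acl']}")
```

Run against the thread's own values, the first pool passes and yields the exact `inside_nat0_outbound` line from the reply, while a pool taken out of 192.168.20.0/24 is flagged before it is pushed to the firewall.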

Hi,

thanks for the fast answers. I delivered the ASA to the customer, and there I can connect via VPN and access the internal interface of the ASA.

ASDM through the VPN tunnel works too. I didn't make any changes to the config.

Don't know what the issue in my environment was. It works even with the same IP pool.

Only thing that is still open: the client PC at the remote LAN can't access the Internet. But others can (both are directly connected to the ASA).

I will have the configuration of that PC checked.

If I have more questions, you'll hear from me!

Thanks

If the client PC is in the same subnet as the other PC, then it doesn't sound like an ASA issue.

Just make sure that the client PC is in the 192.168.20.0/24 subnet with a default gateway of 192.168.20.100, and connected to a switchport on vlan 1.

Lastly, check if DNS resolution works, and/or if you can browse the internet by IP address.

The PC is in the same subnet as the other PC where the internet worked, and of course the internal interface of the ASA.

All internal switchports are in vlan 1.

So I think it is a problem with the PC. I need to wait till someone at the remote site can check this.

How can I check DNS resolution at the ASA?

DNS needs to be resolvable on the PC itself. ASA will not perform the DNS resolution on behalf of the PC for traffic passing through the ASA.

Yes, of course it needs to be resolvable at the PC itself.

I thought maybe I could check that DNS resolves to the outside at the ASA.

I would check if the PC has a personal FW on it, that could explain why one PC can ping and not the other.

You can set up a continuous ping to an IP address (ping -t on the PC) and a quick capture on the ASA inside interface as well, to see if the echo request makes it to the ASA and if the echo reply comes back from the internet:

access-list cap permit ip host host

access-list cap permit ip host    host

cap cap access-list cap interface inside

show cap cap

Also check logs:

logging buffered debugging

show logg | include

-heather

P.S. If your original question is answered, please mark this post as resolved and rate the responses. This helps us know more quickly which answers still need more assistance and lets us know how we are doing. Thanks in advance!
