Need help experts - VPN 5505 and PAT

Unanswered Question
Jul 17th, 2010

I have an ASA 5505 set up with a single IP address. I need to do PAT for my internal web server and also need to support SSL VPN with the AnyConnect client. I can get the connection working, but I cannot ping from my VPN pool to my internal addresses. I have tried everything, any ideas??

I have this setup in lab right now with the following config:

external ip

Internal IP is

VPN pool is

I can ping from to, but I cannot ping from to

Here is my config; any help is appreciated.

ASA Version 8.2(2)
hostname ciscoasa
enable password fYGjIZ.r.8FYvTjF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list nonat extended permit ip
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging console errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

port 5000
enable outside
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username sconnor password NTX.dtr/jCYdHIag encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
service-policy global_policy global
prompt hostname context
: end
ciscoasa# cis

Jennifer Halim Sat, 07/17/2010 - 15:09

Based on the configuration, the VPN client should be able to ping the internal host.

You might want to check if there is any personal firewall on the internal host that might be blocking inbound ping from different subnet (normally that is the issue).

You can add the following command:

management-access inside

Then try to ping the ASA inside interface from the VPN client. If that works just fine, then you might want to check your internal host itself, or try to see if you can ping any other 192.168.5.x hosts (please make sure that you disable the personal firewall, which normally is the culprit).

Hope that helps.
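
A defender-side check for the two conditions this reply walks through, added here as an example that is not from the thread or from Cisco: a small Python script that reads an ASA 8.2-style running-config and reports whether the VPN pool is the destination of a nat 0 exemption line (otherwise replies from inside get PATed to the outside interface) and whether management-access inside is present (otherwise pinging the inside interface over the tunnel is not a valid test). The config fragment and the pool range are constructed placeholders, and only the network/mask form of the ACL lines is parsed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed ASA 8.2-style fragment modelled on the thread. Addresses are
# placeholders (192.168.5.0/24 is the inside network named in the replies;
# the pool range is assumed), not the poster's real values.
SAMPLE_CONFIG = """\
ip local pool VPN_Pool 192.168.10.1-192.168.10.50 mask 255.255.255.0
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Pool
"""

def parse_config(text):
    """Pull out the pieces that decide whether pool traffic escapes PAT."""
    cfg = {"pools": {}, "acls": {}, "nat0_acl": None, "mgmt_access": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m[1]] = (m[2], m[3])
        # Only the "permit ip <src> <mask> <dst> <mask>" form is parsed here.
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"management-access (\S+)", line):
            cfg["mgmt_access"] = m[1]
    return cfg

def check_vpn_reachability(text):
    """Return findings that would stop VPN-pool hosts reaching the inside network."""
    cfg = parse_config(text)
    findings = []
    if cfg["mgmt_access"] != "inside":
        findings.append("missing 'management-access inside': the inside interface "
                        "cannot be pinged through the tunnel, so that test is not valid")
    exempt = cfg["acls"].get(cfg["nat0_acl"], [])
    if not exempt:
        findings.append("no nat 0 exemption ACL: replies to the pool are PATed to the outside interface")
    for name, (first, last) in cfg["pools"].items():
        # The pool must be the *destination* of an exemption line so replies from inside skip PAT.
        covered = any(ip_address(first) in ip_network(f"{dst}/{dmask}")
                      and ip_address(last) in ip_network(f"{dst}/{dmask}")
                      for _src, _smask, dst, dmask in exempt)
        if not covered:
            findings.append(f"pool {name} ({first}-{last}) is not covered by any nat 0 exemption line")
    return findings
```

Run it against the output of `show running-config` to get the list of findings; an empty list means both prerequisites are in place and the host firewall is the next thing to look at.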

shaun.connor Sat, 07/17/2010 - 15:18

Thanks for the reply, I will check that. I have turned on the management interface and I can ping that on the network.
