access to inside from ASA vpn client with the same IP addressing

Unanswered Question
Sep 28th, 2010

I need to give the VPN client the network IP pool , and the inside network is . When I connect the VPN client from the internet I can reach all the networks in the LAN, but the segment is impossible.

How can I do a workaround for this problem? I can't change the network of the VPN pool.

Federico Coto F... Tue, 09/28/2010 - 14:06


I don't understand your problem.

The VPN pool and the internal segment are not overlapping.

Please clarify.


jaime.gonzalez@... Tue, 09/28/2010 - 15:07

OK, but if I try to reach another network it works; please see the config below:

access-list Admin extended permit ip host
access-list Admin extended permit icmp
access-list Admin extended permit ip
access-list Admin extended permit ip
access-list Admin extended permit ip
access-list Admin extended permit icmp
access-list Admin extended permit icmp
ip local pool Admin mask
group-policy Admin internal
group-policy Admin attributes
split-tunnel-network-list value Admin
address-pools value Admin
tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
address-pool Admin
default-group-policy Admin
tunnel-group Admin ipsec-attributes

The "debug icmp trace" shows a correct response.

Federico Coto F... Tue, 09/28/2010 - 15:18

Do you also have the traffic between included in the NONAT ACL?

In other words, do you have something like this?

access-list NAME permit ip
nat (inside) 0 access-list NAME

The debug icmp trace shows requests/responses fine?


The has a default gateway which points to the ASA's internal IP?

If there's a router in between you might want to check if that device is blocking this traffic?

What is the result of the packet tracer from the VPN client when connected to the network?

Do you see packets encrypted/decrypted for that security association?  sh cry ips sa


jaime.gonzalez@... Tue, 09/28/2010 - 16:14

I made a mistake with the information: the inside network is and the VPN IP pool is . I believe it is overlapping.

And this is the result of :

input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

I read about it and I'm afraid the ASA sees it as an attempt at spoofing.

praprama Tue, 09/28/2010 - 17:06


Can you paste the entire output of the packet-tracer? You might have to disable "ip verify reverse-path INTERFACE" on the interface you are getting that error.
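As an added example that is not part of this thread, the following Python script checks whether an ASA "ip local pool" range overlaps the inside subnet and extracts the action and drop reason from packet-tracer output of the shape quoted above; the pool line, inside subnet and trace text are constructed sample values, since the original post had the addresses stripped out.

```python
import ipaddress
import re

# Constructed sample values (the thread's real addresses are not on the page):
# an ASA "ip local pool" line and the inside-interface subnet.
SAMPLE_POOL_LINE = "ip local pool Admin 192.168.1.200-192.168.1.220 mask 255.255.255.0"
SAMPLE_INSIDE = "192.168.1.0/24"

# Constructed packet-tracer tail in the same shape as the output quoted in the thread.
SAMPLE_TRACE = """input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)")


def parse_pool(line):
    """Return (name, first_ip, last_ip, mask) from an 'ip local pool' line."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'ip local pool' line: %r" % line)
    name, first, last, mask = m.groups()
    return name, ipaddress.ip_address(first), ipaddress.ip_address(last), mask


def pool_overlaps(pool_line, inside_cidr):
    """True if any address of the pool range falls inside the inside-interface subnet."""
    _, first, last, _ = parse_pool(pool_line)
    inside = ipaddress.ip_network(inside_cidr, strict=False)
    # summarize_address_range yields the CIDR blocks that cover first..last
    return any(block.overlaps(inside)
               for block in ipaddress.summarize_address_range(first, last))


def parse_packet_tracer(text):
    """Pull the Action and the Drop-reason code out of packet-tracer output."""
    action = re.search(r"^Action:\s*(\S+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*\((\S+)\)", text, re.M)
    return {"action": action.group(1) if action else None,
            "drop_reason": reason.group(1) if reason else None}


def diagnose(pool_line, inside_cidr, trace_text):
    """An rpf-violated drop together with an overlapping pool points at the addressing,
    so the pool should be moved rather than reverse-path verification disabled."""
    result = parse_packet_tracer(trace_text)
    result["pool_overlaps_inside"] = pool_overlaps(pool_line, inside_cidr)
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_POOL_LINE, SAMPLE_INSIDE, SAMPLE_TRACE))
```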