05-23-2008 06:34 AM - edited 03-11-2019 05:49 AM
I set up a Cisco ASA 5505 for remote access, and a point-to-point to a colocation facility. Recently local LAN access
was not working, so I configured the split tunnel access list. Local LAN access now works, but when connected to the VPN
I still cannot ping anything on the opposite side of the tunnel. I could never ping anything on the other side. Can anyone
look at my config and tell me what I have configured wrong? I'm also unsure about the order of the ACEs in my ACL. The main office is using 192.168.10.x. The VPN DHCP pool is
192.168.11.x. The co-location facility uses 192.168.4.x. Here is my config. Thanks in advance.
05-23-2008 07:05 AM
Hi Chad
Try following
no access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0 255.255.255.240
no access-list CompanyX_splitTunnelAcl standard permit 64.x.x.x 255.255.255.0
no access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
Regards
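To make the ACL matching in this reply concrete, here is an added example (not part of the thread, and not Cisco code) that models the two decisions involved: the client's split-tunnel routing decision (a standard ACL matched against the packet's destination) and the ASA's NAT exemption (an extended ACL matched on source and destination). It uses the reply's entries in valid ASA syntax (one network per standard ACE, and an explicit source in place of the stray "any" in the extended ACEs) together with the networks quoted in the thread; the probe addresses 192.168.4.10 and 192.168.11.100 are constructed for the example, and 192.168.10.200 is the DNS server from the ipconfig output below.

```python
"""Match a Cisco ASA split-tunnel (standard) ACL and NAT-exemption (nat0, extended) ACL.

Added example for this thread, not Cisco code. Two rules are modelled:
  * the VPN client matches a standard split-tunnel ACL against each packet's
    DESTINATION; an unmatched destination leaves via the local interface;
  * an extended 'permit ip <src> <dst>' nat0 entry exempts a flow from NAT when
    both source and destination match (first match wins).
Probe hosts 192.168.4.10 and 192.168.11.100 are constructed; 192.168.10.200 is
the DNS server from the ipconfig output in the thread.
"""
from ipaddress import ip_address, ip_network


def _net(addr, mask):
    # ASA ACEs carry a dotted subnet mask (not an IOS wildcard mask)
    return ip_network(f"{addr}/{mask}", strict=False)


def _addr_spec(tok, i):
    """Consume one ASA address spec at tok[i]: 'any' | 'host A' | 'A MASK'."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(f"{tok[i + 1]}/32"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def parse_standard(lines):
    """'access-list NAME standard permit|deny <addr-spec>' -> [(action, network)]."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["standard"]:
            raise ValueError(f"not a standard ACE: {line!r}")
        net, end = _addr_spec(tok, 4)
        if end != len(tok):
            # a standard ACE takes exactly one network; a second one is a syntax error
            raise ValueError(f"trailing tokens in standard ACE: {line!r}")
        entries.append((tok[3], net))
    return entries


def valid_standard_ace(line):
    """True if the line parses as a single standard ACE."""
    try:
        parse_standard([line])
        return True
    except (ValueError, IndexError):
        return False


def parse_extended_ip(lines):
    """'access-list NAME extended permit|deny ip <src-spec> <dst-spec>' -> [(action, src, dst)]."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["extended"] or tok[4:5] != ["ip"]:
            raise ValueError(f"not an 'extended permit|deny ip' ACE: {line!r}")
        src, i = _addr_spec(tok, 5)
        dst, i = _addr_spec(tok, i)
        if i != len(tok):
            raise ValueError(f"trailing tokens in extended ACE: {line!r}")
        entries.append((tok[3], src, dst))
    return entries


def tunneled(split_acl, dst):
    """Client-side decision: is traffic to dst sent into the tunnel?"""
    d = ip_address(dst)
    for action, net in split_acl:
        if d in net:
            return action == "permit"
    return False  # implicit deny: stays on the local LAN / default route


def nat_exempt(nat0_acl, src, dst):
    """ASA-side decision: is the src->dst flow exempt from NAT?"""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet in nat0_acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False


# The reply's entries in valid ASA syntax: one network per standard ACE, and an
# explicit source instead of the stray 'any' in the extended ACEs. Note the nat0
# ACE covers the pool as /28 while the client's ipconfig shows a /24 mask.
SPLIT_TUNNEL = parse_standard([
    "access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0",
])
NAT0 = parse_extended_ip([
    "access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.240",
    "access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0",
])


def check_path(client_ip, dst):
    """Both decisions for one client->destination flow (return traffic is inside->client)."""
    return {
        "tunneled": tunneled(SPLIT_TUNNEL, dst),
        "return_nat_exempt": nat_exempt(NAT0, dst, client_ip),
    }
```

Calling check_path("192.168.11.1", "192.168.10.200") gives both decisions as True, while check_path("192.168.11.1", "192.168.4.10") shows that with only 192.168.10.0/24 in the split-tunnel list a packet for the colo network is not placed in the tunnel at all, and nat_exempt(NAT0, "192.168.10.200", "192.168.11.100") shows that a pool address outside the /28 named in the nat0 ACE is not exempt. Both are worth checking against the real config before looking further at ICMP handling.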
05-23-2008 07:30 AM
I made the changes you suggested and everything is still the same. I cannot ping directly from my workstation to the remote office. While RDP'd into a remote workstation, I can ping to my colocation facility on the point-to-point. Nothing has changed. Also, when I try to do an nslookup from my machine I get this:
P:\>nslookup
*** Can't find server name for address 192.168.10.200: Non-existent domain
*** Can't find server name for address 192.168.10.201: Non-existent domain
Here is my ipconfig /all for the vpn connection:
IP Address. . . . . . . . . . . . : 192.168.11.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.10.200
192.168.10.201
Primary WINS Server . . . . . . . : 192.168.10.200
Secondary WINS Server . . . . . . : 192.168.10.201
Any other ideas?
05-23-2008 07:40 AM
Right-click the VPN icon in the bottom-right, click Statistics, then click Route Details, and please take a screenshot and upload it here.
Also issue the following in your config and post the final config:
policy-map global_policy
class inspection_default
inspect icmp
also run "clear xlate"
05-23-2008 07:56 AM
05-23-2008 08:15 AM
Route details are fine, waiting for final config
05-23-2008 09:30 AM
I'm still trying to make those changes to the config. I'm having trouble with SSH and Telnet even though I have configured access through the ASDM. I'll post my config once I make the changes.
05-23-2008 09:54 AM
OK, during this time, please check whether any software firewall is set on the client you are trying to ping. If the firewall is on and exceptions are set, please check whether the exceptions allow the local subnet only or any.
05-23-2008 10:03 AM
Is there any way I can enable ping through the ASDM? I am not able to Telnet or SSH even though I have it configured. I tried doing it through the ASDM at Properties - Device Admin - ICMP rules: inside, permit, any. Still no go.
05-23-2008 10:13 AM
I can't remember where it is exactly in ASDM. In ASDM, click Tools, then click Command Line Interface. Choose Multiple Line, paste the commands there, then click Send. Then type sh run, click Send and paste the output.
05-23-2008 10:27 AM
Here is my latest config after making the suggested changes. I still can't ping any workstations or servers. I can, however, ping a network printer and get a reply. I even went into the default domain policy and disabled Windows Firewall. It has to be my config, since I can ping fine when I remote into one of the servers or workstations. Any ideas?
05-23-2008 10:34 AM
add this
crypto isakmp nat-traversal 20
05-23-2008 10:44 AM
Will this command apply if I chose PAT instead of NAT when I used the wizard?
05-23-2008 10:45 AM
Yes it will.
05-23-2008 10:48 AM
I submitted crypto isakmp nat-traversal 20 via the CLI in the ASDM, and it went through. I connected to the VPN and still nothing. Again, the only ping that responds is to a network printer.