ASA 5505 split tunneling enabled, still can't ping

cisco2012
Level 1

I set up a Cisco ASA 5505 for remote access, and a point-to-point to a colocation facility. Recently local LAN access was not working, so I configured the split-tunnel access list. Local LAN access now works, but when connected to the VPN I still cannot ping anything on the opposite side of the tunnel. I could never ping anything on the other side. Can anyone look at my config and tell me what I have configured wrong? I'm also unsure about the order of the ACEs in my ACL. The main office is using 192.168.10.x. The VPN DHCP pool is 192.168.11.x. The colocation facility uses 192.168.4.x. Here is my config. Thanks in advance.

26 Replies

husycisco
Level 7

Hi Chad

Try following

no access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0 255.255.255.240
no access-list CompanyX_splitTunnelAcl standard permit 64.x.x.x 255.255.255.0
no access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
! a standard ACL takes one network per entry
access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.240
! NAT exemption: inside source network -> VPN pool destination
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0

Regards

I made the changes you suggested and everything is still the same. I cannot ping directly from my workstation to the remote office. While RDP'd into a remote workstation, I can ping to my colocation facility on the point-to-point. Nothing has changed. Also, when I try to do an nslookup from my machine I get this:

P:\>nslookup
*** Can't find server name for address 192.168.10.200: Non-existent domain
*** Can't find server name for address 192.168.10.201: Non-existent domain

Here is my ipconfig /all for the VPN connection:

IP Address. . . . . . . . . . . . : 192.168.11.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.10.200
                                    192.168.10.201
Primary WINS Server . . . . . . . : 192.168.10.200
Secondary WINS Server . . . . . . : 192.168.10.201

Any other ideas?

Right-click the VPN icon in the bottom-right, click Statistics, then click Route Details; please take a screenshot and upload it here.

Also issue the following in your config and post the final config:

policy-map global_policy
 class inspection_default
  inspect icmp

Also run "clear xlate".

Here is a screenshot of the route details. I still have to run the commands you mentioned. I will post the final config as soon as I can. Thanks.

Route details are fine, waiting for the final config.

I'm still trying to make those changes to the config. I'm having trouble with SSH and telnet even though I have configured access through the ASDM. I'll post my config once I make the changes.

OK, during this time, please check whether a software firewall is set on the client you are trying to ping; if the firewall is on and exceptions are set, please check whether the exceptions allow the local subnet only or any.

Is there any way I can enable ping through the ASDM? I am not able to telnet or SSH even though I have it configured. I tried doing it through the ASDM at: Properties - Device Admin - ICMP rules, inside, permit, any. Still no go.

I can't remember where it is exactly in ASDM. In ASDM, click Tools, then click Command Line Interface. Choose Multiple Line, paste the commands there, then click Send. Then type "sh run", click Send, and paste the output.

Here is my latest config after making the suggested changes. I still can't ping any workstations or servers. I can, however, ping a network printer and get a reply. I even went into the default domain policy and disabled Windows Firewall. It has to be my config, since I can ping fine when I remote into one of the servers or workstations. Any ideas?

Add this:

crypto isakmp nat-traversal 20

Will this command apply if I chose PAT instead of NAT when I used the wizard?

Yes it will.

I submitted "crypto isakmp nat-traversal 20" via the CLI in the ASDM and it went through. I connected to the VPN and still nothing. Again, the only ping that responds is to a network printer.
