VPN clients are able to ping all devices on the network BUT those located in the management subnet. My ASA has a direct connection to the management interface and therefore the subnet.
Solved! Go to Solution.
thanks for the quick reply. I have the following nat exempt:
access-list nonat extended permit ip any 172.16.250.0 255.255.255.0
the subnet above is for the VPN clients.
Even you though you have the permit any to XXX.XXX.XXX.XXX and the xxx is the vpn network you have to apply the nat exempt in the management interface, the exempt are not globaly aplied, it's for each interface, so if you have only one exempt created it's prety much the problem
I am not sure that I am following you. Are you saying to add the following:
nat (management) 0 access-list nonat
nat (management) 1 access-list nonat
nat (management) 0 access-list nonat And if you have an split tunnel at the tunnel you have to put the management network to be tunneled, you can verify that at the client when you connect. you can right cliek the lock icon go to statistics than route and see which networks are going through the tunnel.
Yes, the interface is management only.
ip address 10.0.255.251 255.255.255.0 standby 10.0.255.252