Cisco Support Community
VPN user not able to ping internal network

Dear All,

My VPN client is able to connect and gets an IP address from the pool configured on the VPN concentrator, but the client is not able to ping the internal networks that are inside the PIX firewall.

The concentrator's private interface is connected to the firewall DMZ interface.

pix dmz ip 172.28.95.2

concentrator 172.28.95.95

remote access client ip: 172.28.37.x

I have configured split tunneling for the following PIX firewall networks on the concentrator.

172.28.92.0/0.0.0.255

172.28.95.0/0.0.0.255

172.28.96.0/0.0.0.255

172.31.0.0/0.0.255.255

192.168.249.164/0.0.0.3

172.28.32.0/0.0.0.255

172.28.64.0/0.0.0.255

172.28.98.0/0.0.0.255

concentrator is able to reach all of the above networks without any problem.

But client is able to ping any of the above networks, except concentrator private interface.

static (inside,edn) 172.28.32.0 172.28.32.0 netmask 255.255.255.255

static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.255

static (inside,edn) 172.28.64.0 172.28.64.0 netmask 255.255.255.255

access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0

access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0

access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0

access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0

route edn 172.28.37.0 255.255.255.0 172.28.95.95 1
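
A cross-check of the configuration posted above, as an added example that is not part of the original post: it reports which split-tunnel networks are paired with the client pool in the posted `nonat` and `edn_acl` lines. It assumes `edn_acl` is the ACL bound to the `edn` interface and that the posted lines are only an excerpt of the PIX configuration.

```python
import ipaddress

# Values copied from the post above (not a complete device configuration).
POOL = ipaddress.ip_network("172.28.37.0/24")  # remote access client pool
SPLIT_TUNNEL = """
172.28.92.0/0.0.0.255 172.28.95.0/0.0.0.255 172.28.96.0/0.0.0.255
172.31.0.0/0.0.255.255 192.168.249.164/0.0.0.3 172.28.32.0/0.0.0.255
172.28.64.0/0.0.0.255 172.28.98.0/0.0.0.255
""".split()
PIX_LINES = """
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.92.0 255.255.255.0
access-list edn_acl extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
"""

def parse_acl(config, name):
    """Return (source, destination) networks of one ACL's 'permit ip' lines."""
    pairs = []
    for line in config.splitlines():
        f = line.split()
        if len(f) == 9 and f[:5] == ["access-list", name, "extended", "permit", "ip"]:
            pairs.append((ipaddress.ip_network(f"{f[5]}/{f[6]}"),
                          ipaddress.ip_network(f"{f[7]}/{f[8]}")))
    return pairs

def coverage(split_tunnel, config, pool):
    """For each split-tunnel network, report which posted ACLs pair it with the pool."""
    nonat, edn = parse_acl(config, "nonat"), parse_acl(config, "edn_acl")
    report = {}
    for entry in split_tunnel:
        net = ipaddress.ip_network(entry)  # accepts the wildcard-mask form
        report[str(net)] = {
            # NAT exemption for replies: inside network -> client pool
            "nonat": any(net.subnet_of(s) and pool.subnet_of(d) for s, d in nonat),
            # Permit for requests: client pool -> inside network
            # (assumption: edn_acl is the ACL bound to the edn interface)
            "edn_acl": any(pool.subnet_of(s) and net.subnet_of(d) for s, d in edn),
        }
    return report

if __name__ == "__main__":
    for net, checks in coverage(SPLIT_TUNNEL, PIX_LINES, POOL).items():
        missing = [name for name, ok in checks.items() if not ok]
        print(f"{net:<20}", "covered" if not missing else "no entry in " + ", ".join(missing))
```

A network reported as having no entry only means the posted excerpt contains no matching line; the full PIX configuration is not shown in the post.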

2 REPLIES
New Member

Re: VPN user not able to ping internal network

Greetings,

I'm a little unclear about your problem as the sentences:

>concentrator is able to reach all of the above networks without any problem.

>But client is able to ping any of the above networks, except concentrator private interface.

I think that you might mean NONE of the above networks.

I encountered a similar situation that I resolved by enabling nat-traversal on the device that is providing VPN access. You have not stated what these devices are, so I can't offer specifics. Make sure that isakmp is enabled for the Nat Traversal to function.

-Johan

New Member

Re: VPN user not able to ping internal network

Sorry for typing the wrong sentence. The client was not able to ping the above networks, but now the client can reach them. I did nothing; it suddenly started working fine with the old configuration. I am using a Cisco VPN concentrator that has its private interface connected to the DMZ of the PIX firewall. Please tell me whether I still need to enable it.

Thanks for the reply.
