Cisco Support Community

New Member

ASA 5500 VPN cannot ping LAN

Trying to connect a remote client using SSL VPN through web interface. When attempting to ping LAN side ( through inside interface I am getting this in the log -

Deny icmp src inside: dst outside (type 0,code 0) by access-group "inside_access_in" [0x0,0x0]

The VPN pool is using and the inside LAN is I am connecting to the WAN interface and the SSL VPN connects with no problem. Any suggestions?



Hall of Fame Super Blue

Re: ASA 5500 VPN cannot ping LAN

Hi Mike

Could you post the config (minus any sensitive info)?

The access-list inside_access_in is blocking the traffic. Is there an access-list on your inside interface?


Cisco Employee

Re: ASA 5500 VPN cannot ping LAN


Like Jon said, if you could post the config, it will help out.

Also, can you send the output of the following, if you can't post the config?

sh run sysopt

sh run nat



New Member

Re: ASA 5500 VPN cannot ping LAN

As requested, both the running config and show nat results in attached file. Your help is greatly appreciated.


Re: ASA 5500 VPN cannot ping LAN

If you were going to allow this traffic in the acl you need to write it like this; yours is backwards.

access-list inside_access_in extended permit icmp

The way you currently have your inside_access_in acl written, you are pretty much stopping all traffic originated from the inside. Is this what you want? I recommend removing the acl entirely.

Please rate helpful posts.

New Member

Re: ASA 5500 VPN cannot ping LAN

Thanks, that fixed the problem. I had to also create a rule on the access-list outside to let the traffic out to the VPN clients. Many thanks for your help.
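
The deny line quoted at the top of the thread can be read mechanically. The following is an added example, not code from any poster or from Cisco: it parses ASA "Deny ... by access-group" lines and counts ICMP echo-replies (type 0) dropped per ACL and interface pair. The function names and the sample addresses are assumptions constructed for illustration, since the thread's own addresses are not shown.

```python
import re
from collections import Counter

# ASA "Deny <proto> src ... dst ... by access-group" line, in the form quoted in the thread.
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>[^\s/]+)(?:/\d+)? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[^\s/]+)(?:/\d+)?'
    r'(?: \(type (?P<type>\d+),\s*code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)
ICMP_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}

def parse_deny(line):
    """Return a dict describing one deny line, or None if the line does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["type"] is not None:
        rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
        rec["icmp_name"] = ICMP_NAMES.get(rec["type"], "other")
    return rec

def blocked_replies(lines):
    """Count ICMP echo-replies dropped per (acl, src_if, dst_if).

    A dropped type 0 means the echo-request reached the host and the answer was
    denied on the way back, so the ACL named in the line is the one to review.
    """
    hits = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["proto"] == "icmp" and rec.get("type") == 0:
            hits[(rec["acl"], rec["src_if"], rec["dst_if"])] += 1
    return dict(hits)

# Constructed sample lines; the addresses are placeholders, not values from the thread.
SAMPLE = [
    'Deny icmp src inside:192.168.1.10 dst outside:10.10.10.5 (type 0,code 0) by access-group "inside_access_in" [0x0,0x0]',
    'Deny icmp src inside:192.168.1.11 dst outside:10.10.10.5 (type 0, code 0) by access-group "inside_access_in" [0x0, 0x0]',
    'Deny tcp src inside:192.168.1.10/51000 dst outside:198.51.100.7/443 by access-group "inside_access_in" [0x0, 0x0]',
    'Built inbound ICMP connection for faddr 10.10.10.5/1 gaddr 192.168.1.10/0 laddr 192.168.1.10/0',
]

if __name__ == "__main__":
    for key, count in blocked_replies(SAMPLE).items():
        print(key, count)
```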