Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5500 VPN cannot ping LAN

Trying to connect a remote client using SSL VPN through web interface. When attempting to ping LAN side (192.168.1.2) through inside interface I am getting this in the log -

Deny icmp src inside:192.168.1.2 dst outside 192.168.50.1 (type 0,code 0) by access-group "inside_access_in" [0x0,0x0]

The VPN pool is using 192.168.50.0/24 and the inside LAN is 192.168.1.0/24. I am connecting to the WAN interface and the SSL VPN connects with no problem. Any suggestions?

Thanks,

Mike

5 REPLIES
Hall of Fame Super Blue

Re: ASA 5500 VPN cannot ping LAN

Hi Mike

Could you post the config (minus any sensitive info).

The access-list inside_access_in is blocking the traffic. Is there an access-list on your inside interface.

Jon

Cisco Employee

Re: ASA 5500 VPN cannot ping LAN

Mike,

Like Jon said, if you could post the config. It will help out.

Also, can you do send the output of the following, if you cant post the config.

sh run sysopt

sh run nat

Thanks

Gilbert

New Member

Re: ASA 5500 VPN cannot ping LAN

As requested, both the running config and show nat results in attached file. Your help is greatly appreciated.

Green

Re: ASA 5500 VPN cannot ping LAN

If you were going to allow this traffic in the acl you need to write it like this, yours is backwards.

access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

The way you currently have your inside_access_in acl written, you are pretty much stopping all traffic originated from the inside. Is this what you want? I recommend removing the acl entirely.

Please rate helpful posts.

New Member

Re: ASA 5500 VPN cannot ping LAN

Thanks, that fixed the problem. I had to also create a rule on the access-list outside to let the traffic out to the VPN clients. Many thanks for your help.

439
Views
13
Helpful
5
Replies