Cisco Support Community

New Member

Can't access internal resource

I was able to get to the internal resources by having the same VPN pool as the internal IP address (192.168.100.0). Now, I want to have a different VPN pool from the internal IP address. For example, I want to have the VPN pool from 192.168.101.1 - 192.168.101.250. I was able to log in to the VPN client, but I cannot ping or access the internal resource (192.168.100.13). Can you help me? Attached is the config file.

Thanks.

Laura

New Member

Re: Can't access internal resource

Laura,

Sounds like you need to add the new VPN pool from 192.168.101.1 - 192.168.101.250 to your Inside_nat0_outbound ACL:

It should look like this now, with both the internal and VPN pool address ranges included:

access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0

Hope this helps,

Mike

New Member

Re: Can't access internal resource

Mciszek,

I still can't connect to the internal resource after adding the statement.  Do you have any other suggestions?

Thanks.

Laura

Cisco Employee

Re: Can't access internal resource

If you are testing with ping, you would need to add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Also, your internal LAN default gateway should be the ASA inside interface (192.168.100.100), assuming that you are trying to access resources within the 192.168.100.0/24 subnet.

Also, I just want to confirm that you have the VPN client configured, as the config in the first post does not include that.
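An added sanity check for the two points raised above (this is not code from the thread or from Cisco): given an ASA config fragment, it reports VPN pools that the nat0 exemption ACL does not cover and whether `inspect icmp` is present under `class inspection_default`. The config text is constructed to mirror Laura's setup, and the ACL parser only understands the `permit ip any <network> <mask>` form used in the thread.

```python
import ipaddress
import re
# Constructed ASA config fragment modelled on the thread (not Laura's attachment):
# the pool is 192.168.101.x but only 192.168.100.0/24 is NAT-exempted, and no 'inspect icmp'.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 192.168.101.1-192.168.101.250 mask 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect dns
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)$")  # form used in the thread
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")

def nat0_networks(config, acl_name):
    """Destination networks that the named nat0 ACL exempts from translation."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return nets

def vpn_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def uncovered_pools(config, acl_name="Inside_nat0_outbound"):
    """Names of VPN pools not wholly inside a single permit entry of the nat0 ACL."""
    nets = nat0_networks(config, acl_name)
    # A pool is contiguous, so first and last inside one entry means the whole pool is.
    return [name for name, (first, last) in vpn_pools(config).items()
            if not any(first in n and last in n for n in nets)]

def icmp_inspected(config):
    """True when 'inspect icmp' is configured under 'class inspection_default'."""
    in_class = False
    for line in config.splitlines():
        if line.strip() == "class inspection_default":
            in_class = True
        elif not line.startswith("  "):  # any less-indented line ends the class block
            in_class = False
        elif in_class and line.strip() == "inspect icmp":
            return True
    return False
```

Running `uncovered_pools(SAMPLE_CONFIG)` returns `["VPN_POOL"]` until the 192.168.101.0/24 entry is added to the ACL, and `icmp_inspected` stays False until `inspect icmp` is placed in the class.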

New Member

Re: Can't access internal resource

Halijenn,

Thanks for taking time to look at the config again. I did not have the "inspect icmp" statement in my config. I have this statement and thought it meant icmp is turned on.

access-list 101 extended permit icmp any any

Thanks.

Laura

New Member

Re: Can't access internal resource

Halijenn,

May I ask you another question?  I upgraded the IOS from 7.0 to 8.2.2.  The upgrade added the following statements.  I don't know what these statements are for.  Is it OK to remove them?  Thanks.

prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Cisco Employee

Re: Can't access internal resource

Definitely safe to remove them.

The "prompt hostname context" command is useful if you have failover configured and would like to know whether it's the active or standby unit, and if you have multiple contexts configured on the firewall. It just gives you more information on the prompt.

Here is the command reference for "prompt":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1921355

The rest of the config is for Smart Call Home. It is a new feature in version 8.2.2 and has limited functionality as it has just been introduced.

Here is a little bit of reading on the feature if you are interested:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_smart_call_home.html

New Member

Re: Can't access internal resource

Thanks very much again for the prompt response and information, Halijenn.

Laura
