I’ve seen similar posts to this problem and I still haven’t managed to crack it, so I thought I’d try my own post. I have a VPN client running on a laptop connected to a DSL circuit. The VPN client is configured correctly for an external address on another firewall; this external firewall passes through ISAKMP / IPSEC to an ASA where it terminates. The client authenticates and gets an address from the client pool (VPNCLIENTS – 10.2.16.x / 24) and the tunnel completes with no problems. From the internal ASA I can ping any internal network behind the 10.0.3.240 interface (INSIDE), and I have a route on the inside network to get to the 10.2.16/0 clients that points to this address (10.0.3.240). All good so far.
Now the problems begin. I can't ping anything from the VPN clients (10.2.16.0) network to anywhere; I can't ping any interface on the ASA or any internal network. I also can't ping the client from the ASA and therefore not from the internal network either. This is a bare-bones configuration, so I don’t even have the NAT exception rules added. Looking for advice to get this to work. Network diagram attached too.
ip address 192.168.40.10 255.255.255.0
ip address 10.0.3.240 255.255.254.0
no ip address
no ip address
no ip address
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.2.16.0 255.255.255.0
pager lines 24
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNCLIENTS 10.2.16.5-10.2.16.250 mask 255.255.255.0
My first recommendation would be to use another network for your VPN clients. You don't want it to overlap with your inside networks. Use something outside of 10.0.0.0/8, since you have a route in the ASA for this which points inside.
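The two conditions raised so far (a client pool sitting inside an address range the ASA routes to the inside, and a NAT-exempt ACL that is defined but never bound with a `nat (inside) 0 access-list` statement) can be checked mechanically. The following Python script is an added example, not anything posted in this thread; the interface headers and the `route inside 10.0.0.0 255.0.0.0` line in its sample config are assumptions modelled on the excerpt above, not lines from the original post.

```python
import ipaddress
import re

# Constructed sample modelled on the excerpt in this thread; the interface headers
# and the 'route inside' line are assumptions, not lines from the original post.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.40.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.0.3.240 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.2.16.0 255.255.255.0
ip local pool VPNCLIENTS 10.2.16.5-10.2.16.250 mask 255.255.255.0
route inside 10.0.0.0 255.0.0.0 10.0.3.1 1
"""

def pool_network(cfg):
    """VPN client pool as a network, from 'ip local pool NAME A-B mask M'."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None

def interface_networks(cfg):
    """Subnets configured with ' ip address A M' under interfaces."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^ ip address (\S+) (\S+)", cfg, re.M)]

def inside_routes(cfg):
    """Static route prefixes that point out of the inside interface."""
    return [ipaddress.ip_network(f"{n}/{m}", strict=False)
            for n, m in re.findall(r"^route inside (\S+) (\S+)", cfg, re.M)]

def nat0_acls(cfg):
    """(defined, applied): nat0-style ACL names vs. names bound by 'nat (inside) 0 access-list'."""
    defined = set(re.findall(r"^access-list (\S*nat0\S*) ", cfg, re.M))
    applied = set(re.findall(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M))
    return defined, applied

def lint(cfg):
    """Findings for pool placement and NAT exemption; empty list means both checks pass."""
    findings = []
    pool = pool_network(cfg)
    for net in interface_networks(cfg):
        if pool and pool.overlaps(net):
            findings.append(f"pool {pool} overlaps interface subnet {net}")
    for rt in inside_routes(cfg):
        if pool and pool.subnet_of(rt):
            findings.append(f"pool {pool} lies inside route {rt} that points to inside")
    defined, applied = nat0_acls(cfg)
    for acl in sorted(defined - applied):
        findings.append(f"ACL {acl} is defined but never applied with 'nat (inside) 0 access-list {acl}'")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Paste a `show running-config` into `SAMPLE_CONFIG` to run it against a real box; adding the `nat (inside) 0 access-list inside_nat0_outbound` line clears the NAT finding, and moving the pool outside 10.0.0.0/8 clears the route finding.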
Upon further investigation it seems echo requests destined to internal hosts are getting there; however, the replies are not getting back to the client. Could this be a simple case of traffic not originating from an inside to outside interface? I'm still not sure where VPN client traffic originates. The client pool is from the ASA; however, is traffic from this subnet originating from the client or from the ASA itself when the VPN is connected?
Good point about the client subnet and I will change it. There is a more specific route to this subnet though, and that seems to be working fine; I do need to change it though.
I can see ICMP traffic from an internal host hitting the ASA; however, no traffic is seen at the other end of the tunnel on the client. Can anyone suggest why traffic destined for the client is not being pushed down the tunnel?