Cisco Support Community
New Member

I can't ping or reach the internal LAN

I can't reach or ping my internal network when I connect via VPN. The connection works fine, everything gets connected to the ASA and the users are accepted via RADIUS.

Accepted Solutions

Re: I can't ping or reach the internal LAN

Jorgen,

I would recommend using a different RA pool network number, separate from your inside network. This strategy eases troubleshooting efforts down the road, as opposed to troubleshooting issues with inside 192.168.0.0/24 and RA pool 192.168.0.0/24; however, using the same network can still work.

I would correct a couple of things in your config.

You have allocated dhcpd for inside hosts from 192.168.0.2-192.168.0.129, and your RA VPN pool is defined from 192.168.0.60-192.168.0.75. Your RA pool allocation should be 192.168.0.130-192.168.0.145 to have some consistency.

You also need to add "crypto isakmp nat-traversal" to your config and have the RA client try again.

If all of the above does not do the trick, keep crypto isakmp nat-traversal in your config and re-create a new network for your RA pool.

Here is an easy script.

Remove the RA pool network:

no ip local pool VPN_IMH 192.168.0.60-192.168.0.75 mask 255.255.255.0

Create the new pool network (assume 172.16.1.0):

ip local pool VPN_IMH 172.16.1.60-172.16.1.75 mask 255.255.255.0

For your exempt NAT ACL, add the following statement:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0

and remove this rule:

no access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

Let us know how it works out so we can assist.

Regards
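
An offline check of the points raised in the answer above, added here as an example that is not part of the original post: it reads ASA configuration text and reports a VPN pool that overlaps the dhcpd range, a pool not covered by the inside_nat0_outbound exemption, and a missing crypto isakmp nat-traversal line. The audit helper and both sample configs are constructed for illustration from the values quoted in the thread; the poster's full configuration is not shown.

```python
import ipaddress
import re

# Constructed samples built from the values quoted in the answer above.
SAMPLE_BEFORE = """\
dhcpd address 192.168.0.2-192.168.0.129 inside
ip local pool VPN_IMH 192.168.0.60-192.168.0.75 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
"""
SAMPLE_AFTER = """\
dhcpd address 192.168.0.2-192.168.0.129 inside
ip local pool VPN_IMH 172.16.1.60-172.16.1.75 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto isakmp nat-traversal
"""

RANGE = r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
ADDR = r"(\d+\.\d+\.\d+\.\d+)"

def _ranges(config, pattern):
    """Return (first, last) address pairs for every line matching pattern."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in re.findall(pattern, config, re.M)]

def audit(config):
    """Hypothetical helper: list the findings for one ASA config text."""
    findings = []
    dhcp = _ranges(config, r"^dhcpd address " + RANGE)
    pools = _ranges(config, r"^ip local pool \S+ " + RANGE)
    # Destination network and mask of each NAT-exempt ACL entry (ACL name from the thread).
    exempt = [ipaddress.ip_network(f"{net}/{mask}", strict=False)
              for net, mask in re.findall(
                  r"^access-list inside_nat0_outbound extended permit ip .*?"
                  + ADDR + " " + ADDR + r"\s*$", config, re.M)]
    for p_lo, p_hi in pools:
        for d_lo, d_hi in dhcp:
            if p_lo <= d_hi and d_lo <= p_hi:  # closed ranges intersect
                findings.append(f"pool {p_lo}-{p_hi} overlaps dhcpd {d_lo}-{d_hi}")
        if not any(p_lo in net and p_hi in net for net in exempt):
            findings.append(f"no NAT-exempt entry covers pool {p_lo}-{p_hi}")
    if not re.search(r"^crypto isakmp nat-traversal\b", config, re.M):
        findings.append("crypto isakmp nat-traversal is not configured")
    return findings

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(text) or "no findings")
```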

New Member

Re: I can't ping or reach the internal LAN

Thank you very much!

This suggestion helped me a lot, the main problem was crypto isakmp nat-traversal.

Regards
