Cisco Support Community
New Member

RA VPN cannot ping, but the firewall can

This is an interesting one.

I have a remote access VPN configured on my ASA 5520, and that works perfectly OK.

There is a set of segments, though, that I cannot ping from my remote access VPN client, but I can ping them from the inside interface of the firewall.

The default route of the client is .1 in the "ip local pool", which I believe is the firewall itself, is it?

But in any case, my client is unable to ping that segment. There is an internal route on the firewall to that segment, to the extent that the inside interface can ping it... but NOT the client.

Why is that?

2 REPLIES
Green

Re: RA VPN cannot ping, but the firewall can

What does your NAT exemption ACL look like? Is this other segment part of it? Can you post a config?

New Member

Re: RA VPN cannot ping, but the firewall can

firewall 1:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.20.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.20.99.0 255.255.255.0 10.20.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 216.183.93.176 255.255.255.248

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip any 10.20.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.20.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.70.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.42.0.0 255.255.0.0

firewall 2:

access-list todixie_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list todixie_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list todixie_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list todixie_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list todixie_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0

I am unable to ping from 10.20.50.x/24 to 192.168.200.x, 192.168.210.x or 192.168.220.x,

where 10.20.50.0/24 is the IP pool for the remote access VPN and the 192.168 segments are local segments routed on the core switch behind firewall 2.

As you can see, 10.20.50 is a subset of the segments in the ACLs.
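Added example, not part of the thread and not the poster's configuration: a small Python checker that parses the two nat0 ACLs posted above (firewall 2's wrapped entries re-joined) and answers the question the reply asks, namely whether a given client-to-segment flow is actually covered by a NAT exemption entry, with first-match order respected. It also reports ACEs that can never match because an earlier, wider entry already covers them (the "any -> 10.20.50.0/24" entry on firewall 1 makes the later "192.168.4.0/24 -> 10.20.50.0/24" entry redundant, for instance). Assumptions that are mine rather than the page's: each ACL is applied with `nat <ifname> 0 access-list <name>` on the interface where the 10.x / 192.168.x real hosts live, NAT exemption is matched in both directions (so a client-initiated pool -> segment flow is exempted by an ACE written as segment -> pool), only plain `permit|deny ip SRC DST` entries are present, and the client address 10.20.50.10 and the target hosts are constructed test values.

```python
"""Check ASA 'nat 0 access-list' (NAT exemption) coverage for RA VPN client flows.

Assumptions (not from the thread): ACLs are applied with
'nat <ifname> 0 access-list <name>' on the interface of the real hosts, NAT
exemption matches in both directions, and only 'permit|deny ip SRC DST'
entries appear. Sample ACLs and addresses below are constructed from the post.
"""
import ipaddress

# Constructed sample: the nat0 ACLs from the post (firewall 2's wrapped lines re-joined).
FIREWALL1_ACL = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.99.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 216.183.93.176 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 172.16.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 10.42.0.0 255.255.0.0
"""

FIREWALL2_ACL = """
access-list todixie_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list todixie_nat0_outbound extended permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
"""


def _take_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D NETMASK' (ASA ACLs use real netmasks, not wildcard masks)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST'.
    Returns (name, action, src_net, dst_net), or None for lines this checker
    does not handle (other protocols, port qualifiers, remarks)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, proto = tokens[1], tokens[3], tokens[4]
    if action not in ("permit", "deny") or proto != "ip":
        return None
    src, i = _take_addr(tokens, 5)
    dst, _ = _take_addr(tokens, i)
    return name, action, src, dst


def parse_acl(text):
    """Return the ordered list of parsed ACEs in the text (order matters)."""
    entries = []
    for line in text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace is not None:
            entries.append(ace)
    return entries


def client_flow_exempt(entries, client_ip, real_host_ip):
    """Is a flow between the VPN client and a host on the nat0 interface exempt?
    The ACE is written from the real host's side (src = real host, dst = client);
    NAT exemption is bidirectional, so this also covers client-initiated pings.
    First matching ACE decides, as on the ASA."""
    real = ipaddress.ip_address(real_host_ip)
    client = ipaddress.ip_address(client_ip)
    for _name, action, src_net, dst_net in entries:
        if real in src_net and client in dst_net:
            return action == "permit"
    return False


def shadowed_entries(entries):
    """Indices of ACEs that can never match because an earlier ACE already covers
    their whole source and destination (e.g. 192.168.4.0/24 -> pool after any -> pool)."""
    shadowed = []
    for i, (_n, _a, src, dst) in enumerate(entries):
        for _n2, _a2, src2, dst2 in entries[:i]:
            if src.subnet_of(src2) and dst.subnet_of(dst2):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    client = "10.20.50.10"  # constructed address from the RA VPN pool
    for label, text in (("firewall 1", FIREWALL1_ACL), ("firewall 2", FIREWALL2_ACL)):
        acl = parse_acl(text)
        for target in ("192.168.200.5", "192.168.210.5", "192.168.220.5"):
            print(f"{label}: {client} -> {target} exempt: {client_flow_exempt(acl, client, target)}")
        print(f"{label}: shadowed ACE indices: {shadowed_entries(acl)}")
```

Run against the posted entries, the checker reports the client-to-192.168.200/210/220 flows as exempt on both firewalls, which matches the poster's "subset" observation and means the nat0 entries themselves are not what blocks these pings; the next things a practitioner would check are the return route for 10.20.50.0/24 on firewall 2 and the core switch, and the interface ACLs along the path. The authoritative on-box version of this check is `packet-tracer input outside icmp 10.20.50.10 8 0 192.168.200.5` on each ASA (the interface name `outside` is an assumption), which walks the route lookup, ACL and NAT phases for the same flow.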
