Remote VPN client issue

rakeshjss123
Level 1

Hi,

I have created the IPsec remote VPN on a Cisco ASA. The clients are able to connect to the firewall, and the VPN clients also receive an IP address from the pool assigned in the firewall, but the clients are not able to access the servers behind the ASA. The servers are in the same subnet as the ASA inside interface.

Kindly check the attached configuration related to the VPN.

Thanks in advance.

25 Replies

Please check the output below:

Kindly check the output of the command given below.

FW# packet-tracer input inside icmp 192.168.2.2 8 0 10.0.0.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

10.0.0.8 is the inside L3 switch directly connected to the inside interface of the firewall, and the L3 switch has the static route 192.168.2.0 255.255.255.0 10.0.0.1.

Thanks

Can you please post your current running config on the FW to the forum?

The whole configuration is not possible, but I can provide the access-list and nat 0 commands.

You can remove all security content from the config and post it.

Do you have "ip verify reverse-path" enabled on the interfaces?

Yes, this command is enabled on both the inside and outside interfaces.

Remove them from both interfaces.

And remove these as well:

access-list 101 extended permit ip any any

access-list out extended permit ip any any

access-group out in interface outside

access-group 101 in interface inside

I have never seen anything like these four lines; they defeat the purpose of the firewall.

Have you tried removing these lines and testing it?

I have tried the steps given above but am still not able to reach the internal servers.

I will try to simulate this on my lab PIX515E running version 8.3, which is pretty much the same syntax version as your FW. I will post the result. I am just puzzled by your ASA results.

Thanks

Rizwan Rafeek.

Hello Rakesh,

I did the test with a Layer 2 switch, with the default gateway of the hosts on the inside network pointing to the FW's inside address, and tested with a Layer 3 switch as well, with the default gateway pointing to the SVI interface on the Layer 3 switch; in both cases it was successful.

If you are still experiencing the problem, my recommendation is to delete your current VPN config and configure it from scratch from the config I posted on the forum.

Thanks

Rizwan Rafeek

Hello Rakesh,

As promised, I tested your config on my PIX515E running the latest version, and it was successful.

---------------

pixfirewall# show run
: Saved
:
PIX Version 8.0(4)28
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.0.111 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system flash:/pix804-28.bin
ftp mode passive
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.2.1-192.168.2.6 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61557.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Firstset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mymap 200 set transform-set Firstset
crypto dynamic-map mymap 200 set reverse-route
crypto map out_map 100 ipsec-isakmp dynamic mymap
crypto map out_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
username rafeek password m3apWYb4PDcs1Vtq encrypted privilege 0
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpnpool
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5a044b6bca89c5cf1da552bbf46cb4a4
: end

pixfirewall# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms
pixfirewall#
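An added helper, not part of this thread or of Cisco's tooling, that reads a saved PIX/ASA config and flags the three things the replies above ask the poster to check: "ip verify reverse-path" on an interface, a bound ACL that permits ip any any, and a VPN address pool that the nat 0 exemption ACL does not cover. The config excerpt in SAMPLE_CONFIG is constructed for the example (the same addresses as the thread, not the poster's real config), and only the "any" and "net mask" ACL address forms seen in the thread are parsed.

```python
import ipaddress
# Constructed excerpt in the style of the PIX/ASA config in this thread (not the
# poster's real config): the reverse-path and permit-any-any lines the replies
# asked to be removed, plus the pool / nat 0 pair that must match.
SAMPLE_CONFIG = """\
ip verify reverse-path interface inside
ip verify reverse-path interface outside
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip any any
access-list out extended permit ip any any
access-group out in interface outside
access-group 101 in interface inside
ip local pool vpnpool 192.168.2.1-192.168.2.6 mask 255.255.255.0
nat (inside) 0 access-list nonat
"""

def _addr(tok, i):
    """Consume one ACL address term: 'any' or '<net> <mask>' (the forms used here)."""
    if tok[i] == "any":
        return None, i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def lint_config(text):
    """Flag reverse-path verify, bound any/any ACLs and a pool missing from nat 0."""
    findings, acls, bound, nat0_acl, pool = [], {}, {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("ip verify reverse-path interface "):
            findings.append(f"reverse-path verify enabled on {tok[-1]}")
        elif line.startswith("access-list ") and " extended permit ip " in line:
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif line.startswith("access-group ") and tok[2:4] == ["in", "interface"]:
            bound[tok[1]] = tok[4]
        elif line.startswith("nat (") and tok[2:4] == ["0", "access-list"]:
            nat0_acl = tok[4]
        elif line.startswith("ip local pool "):
            lo, hi = tok[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    for name, iface in bound.items():
        if any(src is None and dst is None for src, dst in acls.get(name, [])):
            findings.append(f"ACL {name} on {iface} permits ip any any")
    if pool and nat0_acl:  # NAT exemption must cover the whole client pool
        covered = any(dst is not None and pool[0] in dst and pool[1] in dst
                      for _, dst in acls.get(nat0_acl, []))
        if not covered:
            findings.append(f"VPN pool {pool[0]}-{pool[1]} not covered by nat 0 ACL {nat0_acl}")
    return findings
```

Running lint_config over the sample reports the two reverse-path lines and the two any/any ACLs; changing the nonat destination to a subnet other than the pool's adds a "not covered" finding.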