Remote VPN client issue

rakeshjss123
Level 1

Hi ,

I have created an IPsec remote VPN on a Cisco ASA. The clients are able to connect to the firewall and the VPN client also receives an IP address from the pool assigned in the firewall, but the clients are not able to access the servers behind the ASA, and the servers are in the same subnet as the ASA inside interface.

Kindly check the attached configuration related to the VPN.

Thanks in advance.

25 Replies

ajay chauhan
Level 7

Please change the pool IP range; it should not be the same as the one configured for the LAN.

Thanks

Ajay

Thanks for the reply, but my VPN client pool is 192.168.2.0/24 and my local LAN pool is 10.0.0.0 255.255.255.0.

What needs to be changed?

Sorry, I misunderstood your question. The configuration looks OK.

When a client connects, what is the output of show crypto ipsec sa?

Also please run this and post the output.

packet-tracer input outside tcp 192.168.2.1 1024 10.0.0.1 80 detailed

Thanks

Ajay

Thanks Ajay

I will provide the output of the above command soon.

Hi Ajay

Kindly check the output of the command given below:

FW# packet-tracer input inside icmp 192.168.2.2 8 0 10.0.0.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

10.0.0.8 is the inside L3 switch, directly connected to the inside interface of the firewall and having the static route 192.168.2.0 255.255.255.0 10.0.0.1.

Thanks
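As an added example (not code from the thread), a small Python parser for the ASA packet-tracer output above: it pulls out the test packet, each ROUTE-LOOKUP hit and the final verdict, and for an rpf-violated drop reports which route the source address reverse-resolved to. The sample text is the trace quoted above, trimmed to the lines the parser reads; the re-run advice it prints follows Ajay's earlier suggestion to trace with input outside.

```python
import re

# Constructed sample: the packet-tracer output posted in the thread, trimmed to
# the lines this parser reads (blank lines between fields dropped).
SAMPLE = """\
FW# packet-tracer input inside icmp 192.168.2.2 8 0 10.0.0.8
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 4
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

def parse_trace(text):
    """Extract the test packet, every ROUTE-LOOKUP hit and the final verdict."""
    cmd = next(l for l in text.splitlines() if "packet-tracer input" in l)
    tok = cmd.split("packet-tracer input ", 1)[1].split()
    iface, proto, src = tok[0], tok[1], tok[2]
    dst = tok[5] if proto == "icmp" else tok[4]  # icmp: src type code dst; tcp/udp: src sport dst dport
    routes = re.findall(r"^in (\S+) (\S+) (\S+)$", text, re.M)  # (network, mask, interface)
    action = re.search(r"^Action: (\S+)", text, re.M).group(1)
    drop = re.search(r"^Drop-reason: \((\S+)\)", text, re.M)
    return {"input_if": iface, "src": src, "dst": dst, "routes": routes,
            "action": action, "drop_reason": drop.group(1) if drop else None}

def diagnose(trace):
    """Explain an rpf-violated drop: the route back to the source must point at the input interface."""
    if trace["drop_reason"] != "rpf-violated":
        return f"action={trace['action']}, drop_reason={trace['drop_reason']}"
    # The ASA's reverse-path check routes the *source* address; in the posted trace that is
    # the last ROUTE-LOOKUP, which hits the default route (0.0.0.0/0) toward outside.
    net, mask, rpf_if = trace["routes"][-1]
    return (f"source {trace['src']} entered on {trace['input_if']} but its reverse-path route "
            f"{net} {mask} points to {rpf_if}; VPN-pool traffic arrives on outside, so this "
            f"test must be run with 'input outside' (as suggested earlier in the thread)")
```

Running diagnose(parse_trace(SAMPLE)) on the posted trace shows that 192.168.2.2 was injected on inside while its only route is the default route via outside, which is exactly what rpf-violated means here.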

rizwanr74
Level 7

I am just shocked to see these four entries below on the production FW.

access-list 101 extended permit ip any any
access-list out extended permit ip any any

access-group out in interface outside
access-group 101 in interface inside

Damn.

Anyway, let's get back to the real problem.

Please remove the entries highlighted below.

vpn-group-policy VPN
vpn-tunnel-protocol IPSec

Is the gateway address of the servers in question the FW's inside IP address? Please confirm.

Does your FW connect on the inside to an L3 switch? If the answer is yes, please make sure you have a static route on that switch as below.

ip route 192.168.2.0 255.255.255.0 10.0.0.1

Let me know the result.

Thanks

Rizwan Rafeek

Hi Rizwan,

Thanks for your reply, but I need to know why the commands given below need to be deleted:

vpn-group-policy VPN
vpn-tunnel-protocol IPSec

Yes, the servers' default gateway is the firewall's inside interface.

My firewall's inside interface is also connected to an L3 switch, and I have already added the static route in the L3 switch, but I am still not able to reach the internal resources.

"Thanks for your reply, but I need to know why the commands given below need to be deleted"

Those two highlighted commands are not part of the remote access VPN and are not required.

Is the default-gateway address of the servers in question the FW's inside IP address, or the L3 "interface Vlan" address on the L3 switch? Please confirm.

The servers' default gateway is the firewall's inside interface IP, not the L3 switch VLAN interface.

Thanks

If the switch in question is configured for the given VLAN (i.e. the firewall inside VLAN) in layer 2 mode, then the servers' default gateway being the FW's inside address is perfectly fine and it should work; in this scenario no "interface vlan" IP address should be used as the default gateway on the servers.

However, if your switch in question is configured for the VLAN (i.e. the firewall inside VLAN) in layer 3 mode, i.e. with an "interface vlan", then its IP address must be the default-gateway address for the servers, not the FW's inside IP address. Because your switch is an L3 switch, in order for the switch to route traffic you must use its "interface vlan" IP address as the default gateway on the servers.

I hope that makes sense to you.

Thanks

Rizwan Rafeek

OK, I will configure one PC with the L3 switch's interface VLAN IP as its default gateway and then check the traffic.

I will revert back to you soon.

Thanks for your quick reply.

Did that help to resolve your problem?

I have done the above procedure but am still not able to ping internal resources.

Thanks for the reply

Please forward the output from the command below.

packet-tracer input inside icmp 192.168.2.1 8 0 10.0.0.X

Please replace the X with a valid host IP in your side's network segment.