New Member

Unable to connect to remote LAN with SSLVPN established

Hello all,

Our network scenario is below:

       lan A       <--- ipsec ---> lan B (remote)
  & vpn pool

       lan A       <--- ipsec ---> lan C (remote)
  & vpn pool

where lan A is 192.168.3.0/24, vpn pool is 192.168.4.0/24, lan B is 10.255.1.0/24, lan C is 172.24.0.0/16

lan A and lan B are connected with an ipsec VPN, and lan A and lan C are connected with an ipsec VPN.

Now there is a problem confusing me:

While using SSLVPN to connect, we cannot ping anything on lan B.

But on lan A, we can ping all of lan B.

lan A and lan C works perfectly with ipsec VPN, both lan and SSLVPN ping. (lan A can ping lan C, vpn pool can ping lan C)

We have added an access-list from lan A to lan B, but it does not work.

Is there any way to ping from vpn pool to lan B correctly?

Thanks a lot

5 REPLIES

Re: Unable to connect to remote LAN with SSLVPN established

It would be more helpful if you could post the full configuration.

I guess the issue is in ACL no-nat-0; currently, it only has the following entry.

access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 172.24.0.0 255.255.0.0

If it works for LAN C, you should add the following for LAN B

access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 10.255.1.0 255.255.255.0
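
An added example, not part of the original thread or of any Cisco tool: a small Python check that reads `access-list` lines from a saved ASA configuration and reports which VPN-pool flows are not covered by the `no-nat-0` exemption ACL. The function names and the sample text are constructed for illustration; only the ACL name and subnets come from the posts above.

```python
import ipaddress
import re

# Constructed sample: the single no-nat-0 entry quoted in the reply above.
SAMPLE_CONFIG = """\
access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 172.24.0.0 255.255.0.0
"""

# Flows that must bypass NAT, using the subnets given in the question.
FLOWS = [
    ("vpn pool -> lan B", "192.168.4.0/24", "10.255.1.0/24"),
    ("vpn pool -> lan C", "192.168.4.0/24", "172.24.0.0/16"),
]

# Handles only the "permit ip <net> <mask> <net> <mask>" form seen in the thread;
# 'host', 'any', object-groups and deny entries are out of scope (assumption).
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acl(config, acl_name):
    """Return (source, destination) networks for each matching entry of acl_name."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            entries.append((src, dst))
    return entries


def uncovered_flows(config, acl_name, flows):
    """Return the names of flows that no single ACL entry fully contains."""
    entries = parse_acl(config, acl_name)
    missing = []
    for name, src, dst in flows:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in entries):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for name in uncovered_flows(SAMPLE_CONFIG, "no-nat-0", FLOWS):
        print("no NAT exemption for:", name)
```

A clean result only shows that the exemption ACL covers the flow; as the end of this thread shows, the fault can still sit on the remote (LAN B) side.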

New Member

Re: Unable to connect to remote LAN with SSLVPN established

Hello Wudong

It seems not, because I have added that config before, but it did not work.

The configuration file of our ASA is in the attachment.

Re: Unable to connect to remote LAN with SSLVPN established

Since nat-control is enabled, you have to add that entry in no-nat-0 so that the packet from the SSL VPN client to LAN B won't be NAT-ed when it makes a U-turn on the ASA.

Can you try the following:

- disconnect the ssl vpn client
- clear xlate
- connect the ssl vpn client again
- ping from the client to LAN B
- check the log on the ASA to see if there is any error message
- run a "packet-trace" command using the outside interface as the input interface, the vpn client's IP as the source IP and the IP in LAN B as the dest IP.

New Member

Re: Unable to connect to remote LAN with SSLVPN established

Hello yudong,


Here is the packet tracer result

I don't know why in VPN phase 10 it drops...

On NAT Exemption I have added the ACL from 192.168.4.0 to 10.255.1.0, but it does not work.

I need some help with this.

Thanks a lot

New Member

Re: Unable to connect to remote LAN with SSLVPN established

Sorry for that.

I found the problem is on the LAN B side....

Now it works

Sorry for bothering you too much

Thanks a lot
