Cisco Support Community
Community Member

Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

Hi Guys,

I've been stuck with this for the last 2 days, and I thought I'd try Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.

Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.


For some odd reason, I am able to ping the following, with no issues.

  • Cisco 3750 SVI (
  • CentOS web server (connected directly to the Cisco ASA 5505)


I have checked and enabled the following:

  • NAT exemption
  • Sysopt connection permit-vpn
  • ACLs
  • same-security-traffic permit inter-interface
  • same-security-traffic permit intra-interface
  • Added ICMP in the inspection policy
  • Packet-capture - Only getting echo requests.


Thanks in advance!



I believe you have the problem with your no-nat configurations..... you need to exempt NAT for the traffic from (Anyconnect VPN pool) to (Inside LAN) to make this work


object network acvpnpool
 subnet <anyconnect VPN Subnet>
object network insidelan
 subnet <inside lan subnet>
! Source objects are the real addresses behind the first interface (inside)
nat (inside,outside) source static insidelan insidelan destination static acvpnpool acvpnpool


Make sure that you are able to reach the GW/Inside IP address of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
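An added example, not part of the original thread: a small Python audit that reads ASA `object network` and twice-NAT lines and reports whether each identity (exemption) rule has the inside LAN and the VPN pool on the correct sides, since the source objects of a twice-NAT rule are the real addresses behind the first interface in the parentheses. The object names follow the reply above; the subnets, the sample config and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config; the subnets are placeholders, not the poster's.
SAMPLE_CONFIG = """\
object network acvpnpool
 subnet 192.168.50.0 255.255.255.0
object network insidelan
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
nat (inside,outside) source static insidelan insidelan destination static acvpnpool acvpnpool
"""

OBJ_RE = re.compile(r"^object network (\S+)\n\s+subnet (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)", re.M)


def parse_objects(config):
    """Map each 'object network' name to its subnet."""
    return {name: ipaddress.ip_network(f"{net}/{mask}")
            for name, net, mask in OBJ_RE.findall(config)}


def audit_nat_exemption(config, inside_if, inside_net, vpn_pool):
    """Return one verdict per identity twice-NAT rule touching inside_if."""
    objs = parse_objects(config)
    inside_net = ipaddress.ip_network(inside_net)
    vpn_pool = ipaddress.ip_network(vpn_pool)
    verdicts = []
    for m in NAT_RE.finditer(config):
        real_if, mapped_if, src, src_mapped, dst, dst_mapped = m.groups()
        if (src, dst) != (src_mapped, dst_mapped) or not {src, dst} <= objs.keys():
            continue  # not an identity rule, or it uses objects we did not parse
        if real_if == inside_if:      # source is the network behind inside_if
            local, remote = objs[src], objs[dst]
        elif mapped_if == inside_if:  # same rule written from the other side
            local, remote = objs[dst], objs[src]
        else:
            continue
        if inside_net.subnet_of(local) and vpn_pool.subnet_of(remote):
            verdicts.append("ok")
        elif vpn_pool.subnet_of(local) and inside_net.subnet_of(remote):
            verdicts.append("reversed")  # objects swapped: VPN traffic never matches
        else:
            verdicts.append("unrelated")
    return verdicts


if __name__ == "__main__":
    print(audit_nat_exemption(SAMPLE_CONFIG, "inside", "10.10.10.0/24", "192.168.50.0/24"))
```

A "reversed" verdict means the rule is accepted by the ASA but never matches traffic between the VPN pool and the inside LAN, so the exemption silently does nothing.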





Community Member


Thanks for the help. The issue on most of the hosts behind the Cisco 3750 is that they're pointed to the wrong SVI gateway :P lol, this is what happens when I rushed re-building my Data Center in the garage.

I'm not extending some of the VLAN SVI on the inside network hosted in the Cisco 3750 to be reachable in the Anyconnect tunnel, the fun never stops. :D
