
New Member

Using Cisco VPN client can't ping beyond inside interface

I have an ASA 5505 7.2(3)

The firewall is set up with an inside IP network of 192.168.55.0

The VPN pool is set up as 192.168.55.90-192.168.55.99

What do I need to enable or create to allow the outside vpn clients to access the inside servers?

9 REPLIES
Cisco Employee

Re: Using Cisco VPN client can't ping beyond inside interface

Hi,

You need to bypass NAT for the VPN Client Traffic by configuring nat (inside) 0.

nat (inside) 0 access-list 101

access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.55.0 255.255.255.0

Please refer to the URL below for configuration details.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

While the above configuration should most likely resolve the issue, I would recommend that you configure a different subnet for the VPN Client Pool, something that is not part of your internal network, and then include them in the NAT 0 command. Depending upon your routing domain and how things are configured, you could run into routing issues by assigning IP addresses for the VPN Clients from your internal network.

Regards,

Arul

*Pls rate if it helps*

New Member

Re: Using Cisco VPN client can't ping beyond inside interface

I made the necessary changes to the vpn pool as requested. Now I am unable to ping the gateway of 192.168.55.1. The vpn pool is 192.168.75.0 225.255.255.0. I am attaching the updated config. Could anyone help?

Thanks

Cisco Employee

Re: Using Cisco VPN client can't ping beyond inside interface

Hi,

Couple of things:

1. Your split tunnel is misconfigured.

access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0

The above ACL should be

access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.55.0 255.255.255.0

Basically, split tunnel specifies what addresses you want the VPN Remote Users to access over the tunnel.

2. Your NAT (inside) 0 is misconfigured.

access-list 101 extended permit ip 192.168.75.0 255.255.255.0 192.168.75.0 255.255.255.0

This should be

access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.75.0 255.255.255.0

Please do make the changes and test the tunnel connectivity.

Regards,

Arul

*Pls rate if it helps*
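As an added example (not part of this thread or Cisco's tooling), the script below audits an ASA config fragment for the three mistakes discussed above: a VPN pool overlapping the inside network, a split-tunnel ACL that names the pool instead of the inside network, and a nat 0 ACL whose source/destination are not inside -> pool. The pool name VPNPOOL, the 192.168.75.0/24 pool range and the two config fragments are constructed to mirror the thread.

```python
import ipaddress
import re

# Constructed fragment reproducing the two ACL mistakes pointed out above.
# Pool name and range are assumptions; addresses are the thread's.
BROKEN = """
ip local pool VPNPOOL 192.168.75.1-192.168.75.254 mask 255.255.255.0
access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0
access-list 101 extended permit ip 192.168.75.0 255.255.255.0 192.168.75.0 255.255.255.0
nat (inside) 0 access-list 101
"""

# The same fragment with both ACLs corrected as the reply recommends.
FIXED = """
ip local pool VPNPOOL 192.168.75.1-192.168.75.254 mask 255.255.255.0
access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.55.0 255.255.255.0
access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.75.0 255.255.255.0
nat (inside) 0 access-list 101
"""

POOL = re.compile(r"ip local pool\s+\S+\s+(\S+)-(\S+)\s+mask\s+(\S+)")
STD = re.compile(r"access-list\s+(\S+)\s+standard permit\s+(\S+)\s+(\S+)")
EXT = re.compile(r"access-list\s+(\S+)\s+extended permit ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT0 = re.compile(r"nat \(inside\) 0 access-list\s+(\S+)")


def net(addr, mask):
    """Build a network from an ASA 'address mask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(config, inside_cidr):
    """Return a list of findings; an empty list means the three checks pass."""
    inside = ipaddress.ip_network(inside_cidr)
    findings = []
    m = POOL.search(config)
    pool = net(m.group(1), m.group(3))
    if pool.overlaps(inside):  # first reply: pool should be a separate subnet
        findings.append(f"VPN pool {pool} overlaps inside network {inside}")
    for name, addr, mask in STD.findall(config):
        n = net(addr, mask)  # split tunnel must list what clients reach over the tunnel
        if not n.overlaps(inside):
            findings.append(f"split tunnel {name} permits {n}, not the inside network")
    nat_acl = NAT0.search(config).group(1)
    for name, sa, sm, da, dm in EXT.findall(config):
        if name != nat_acl:
            continue
        src, dst = net(sa, sm), net(da, dm)  # NAT exemption must be inside -> pool
        if not src.overlaps(inside) or not dst.overlaps(pool):
            findings.append(f"nat 0 ACL {name}: {src} -> {dst} should be inside -> pool")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg, "192.168.55.0/24") or "OK")
```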

New Member

Re: Using Cisco VPN client can't ping beyond inside interface

Made changes no difference. The tunnel is being built correctly but no traffic flow. I can't ping the 192.168.55.1 interface or any inside address.

New Member

Re: Using Cisco VPN client can't ping beyond inside interface

Still need help. Anybody out there?

New Member

Re: Using Cisco VPN client can't ping beyond inside interface

post your latest config please.

New Member

Re: Using Cisco VPN client can't ping beyond inside interface

Here you go

New Member

Re: Using Cisco VPN client can't ping beyond inside interface

Made change to access-list:

access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.75.0 255.255.255.0

Still doesn't work, but corrected as suggested.

Cisco Employee

Re: Using Cisco VPN client can't ping beyond inside interface

Tony,

After you made the changes to the configuration, did you do "clear xlate" and then try pinging an IP Address on the 192.168.55.0 subnet?

Also, after connecting the VPN Client and trying to access something on the inside, can you post the outputs of "show cry is sa" and "show cry ipsec sa"?

Regards,

Arul
