https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953067#M440331 <P>Hi, im new to ASA and have a quick question I got a ipsec vpn over the WAN interface that is working via a client and im assigned the ip from the correct pool below which is part of nameif ADMINSTAFF, however I can’t ssh to the ASA once the tunnel is connected I suspect it has something to do with NAT/policy-group but im not sure. When I VNC to 192.168.2.32 1<SUP>st</SUP> then ssh to the ASA it works but from my vpn assigned ip 192.168.2.90-99 I ssh to the ASA 192.168.2.1 ip doesn’t work. when connected via the vpn client i can't ping 192.168.2.1 but i can ping 192.168.2.32.</P><P></P><P>interface Ethernet0/0</P><P> nameif WAN</P><P> security-level 0</P><P> ip address x.x.x.17 255.255.255.248</P><P>!</P><P>interface Ethernet0/1</P><P> nameif LAN</P><P> security-level 50</P><P> no ip address</P><P>!</P><P>interface Ethernet0/2</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/2.100</P><P> vlan 101</P><P> nameif STAFF</P><P> security-level 50</P><P> ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>interface Ethernet0/2.101</P><P> vlan 102</P><P> nameif ADMINSTAFF</P><P> security-level 50</P><P> ip address 192.168.2.1 255.255.255.0</P><P>!</P><P>interface Ethernet0/2.102</P><P> vlan 1</P><P> nameif Default</P><P> security-level 50</P><P> ip address 192.168.254.1 255.255.255.0</P><P>!</P><P></P><P></P><P></P><P>access-list skip-nat-inside extended permit ip any 192.168.2.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.1.32 192.168.3.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.1.31 192.168.3.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.2.32 192.168.3.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.2.31 192.168.3.0 255.255.255.0</P><P></P><P>ssh 192.168.1.0 255.255.255.0 STAFF</P><P>ssh 192.168.2.0 255.255.255.0 ADMINSTAFF</P><P>ssh 192.168.254.0 255.255.255.0 Default</P><P>ssh 10.0.0.0 255.255.255.0 management</P><P></P><P></P><P>global (WAN) 2 x.x.x.18-x.x.x.20</P><P>global (WAN) 1 interface</P><P>nat (STAFF) 0 access-list skip-nat-inside</P><P>nat (STAFF) 1 192.168.1.0 255.255.255.0</P><P>nat (ADMINSTAFF) 0 access-list skip-nat-inside</P><P>nat (ADMINSTAFF) 2 192.168.2.28 255.255.255.255</P><P>nat (ADMINSTAFF) 2 192.168.2.29 255.255.255.255</P><P>nat (ADMINSTAFF) 1 192.168.2.0 255.255.255.0</P><P>nat (Default) 0 access-list skip-nat-inside</P><P>nat (Default) 1 192.168.254.0 255.255.255.0</P><P>nat (management) 0 access-list management_nat0_outbound</P><P></P><P>ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0</P><P></P><P></P><P>group-policy X internal</P><P>group-policy X attributes</P><P> dns-server value x.x.x.x x.x.x.x</P><P>username X password xxx encrypted privilege 0</P><P>username X attributes</P><P> vpn-group-policy X</P><P>tunnel-group X type remote-access</P><P>tunnel-group X general-attributes</P><P> address-pool X</P><P> default-group-policy X</P><P>tunnel-group X ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group-map default-group X</P> Mon, 11 Mar 2019 23:24:26 GMT paul amaral 2019-03-11T23:24:26Z https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953067#M440331 <P>Hi, im new to ASA and have a quick question I got a ipsec vpn over the WAN interface that is working via a client and im assigned the ip from the correct pool below which is part of nameif ADMINSTAFF, however I can’t ssh to the ASA once the tunnel is connected I suspect it has something to do with NAT/policy-group but im not sure. When I VNC to 192.168.2.32 1<SUP>st</SUP> then ssh to the ASA it works but from my vpn assigned ip 192.168.2.90-99 I ssh to the ASA 192.168.2.1 ip doesn’t work. when connected via the vpn client i can't ping 192.168.2.1 but i can ping 192.168.2.32.</P><P></P><P>interface Ethernet0/0</P><P> nameif WAN</P><P> security-level 0</P><P> ip address x.x.x.17 255.255.255.248</P><P>!</P><P>interface Ethernet0/1</P><P> nameif LAN</P><P> security-level 50</P><P> no ip address</P><P>!</P><P>interface Ethernet0/2</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/2.100</P><P> vlan 101</P><P> nameif STAFF</P><P> security-level 50</P><P> ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>interface Ethernet0/2.101</P><P> vlan 102</P><P> nameif ADMINSTAFF</P><P> security-level 50</P><P> ip address 192.168.2.1 255.255.255.0</P><P>!</P><P>interface Ethernet0/2.102</P><P> vlan 1</P><P> nameif Default</P><P> security-level 50</P><P> ip address 192.168.254.1 255.255.255.0</P><P>!</P><P></P><P></P><P></P><P>access-list skip-nat-inside extended permit ip any 192.168.2.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.1.32 192.168.3.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.1.31 192.168.3.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.2.32 192.168.3.0 255.255.255.0</P><P>access-list skip-nat-inside extended permit ip host 192.168.2.31 192.168.3.0 255.255.255.0</P><P></P><P>ssh 192.168.1.0 255.255.255.0 STAFF</P><P>ssh 192.168.2.0 255.255.255.0 ADMINSTAFF</P><P>ssh 192.168.254.0 255.255.255.0 Default</P><P>ssh 10.0.0.0 255.255.255.0 management</P><P></P><P></P><P>global (WAN) 2 x.x.x.18-x.x.x.20</P><P>global (WAN) 1 interface</P><P>nat (STAFF) 0 access-list skip-nat-inside</P><P>nat (STAFF) 1 192.168.1.0 255.255.255.0</P><P>nat (ADMINSTAFF) 0 access-list skip-nat-inside</P><P>nat (ADMINSTAFF) 2 192.168.2.28 255.255.255.255</P><P>nat (ADMINSTAFF) 2 192.168.2.29 255.255.255.255</P><P>nat (ADMINSTAFF) 1 192.168.2.0 255.255.255.0</P><P>nat (Default) 0 access-list skip-nat-inside</P><P>nat (Default) 1 192.168.254.0 255.255.255.0</P><P>nat (management) 0 access-list management_nat0_outbound</P><P></P><P>ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0</P><P></P><P></P><P>group-policy X internal</P><P>group-policy X attributes</P><P> dns-server value x.x.x.x x.x.x.x</P><P>username X password xxx encrypted privilege 0</P><P>username X attributes</P><P> vpn-group-policy X</P><P>tunnel-group X type remote-access</P><P>tunnel-group X general-attributes</P><P> address-pool X</P><P> default-group-policy X</P><P>tunnel-group X ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group-map default-group X</P> Mon, 11 Mar 2019 23:24:26 GMT https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953067#M440331 paul amaral 2019-03-11T23:24:26Z https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953068#M440332 <HTML><HEAD></HEAD><BODY><P>Pls add teh following to be able to manage the ASA via VPN Client:</P><P></P><P>management-access ADMINSTAFF</P></BODY></HTML> Fri, 29 Jun 2012 02:54:37 GMT https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953068#M440332 Jennifer Halim 2012-06-29T02:54:37Z https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953069#M440333 <HTML><HEAD></HEAD><BODY><P>Oh and BTW, you shouldn't really have the ip pool in the same subnet as your internal network. It should be a completely unique subnet.</P></BODY></HTML> Fri, 29 Jun 2012 02:55:38 GMT https://community.cisco.com/t5/network-security/asa-vpn-client-access-issue/m-p/1953069#M440333 Jennifer Halim 2012-06-29T02:55:38Z