https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552632#M610345 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I don't understand your problem.</P><P>The VPN pool and the internal segment are not overlapping.</P><P></P><P>Please clarify.</P><P></P><P>Federico.</P></BODY></HTML> Tue, 28 Sep 2010 21:06:14 GMT Federico Coto Fajardo 2010-09-28T21:06:14Z https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552631#M610341 <P>I need give the network ip pool client vpn 10.70.253.0/24, and the network in inside is 10.70.255.0/24, when I connect VPN client from internet I can reach all network in the LAN&nbsp; but the segment 10.70.255.0 is imposible.</P><P><BR />How I can do a walkarround of this problem?. I can`t change the network of pool vpn.</P> Mon, 11 Mar 2019 18:46:48 GMT https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552631#M610341 jaime.gonzalez 2019-03-11T18:46:48Z https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552632#M610345 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I don't understand your problem.</P><P>The VPN pool and the internal segment are not overlapping.</P><P></P><P>Please clarify.</P><P></P><P>Federico.</P></BODY></HTML> Tue, 28 Sep 2010 21:06:14 GMT https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552632#M610345 Federico Coto Fajardo 2010-09-28T21:06:14Z https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552633#M610349 <HTML><HEAD></HEAD><BODY><P>ok, but, If i try to reach other network it work, please see the config below:</P><P></P><P>access-list Admin extended permit ip host 9.9.9.9 10.70.253.0 255.255.255.0 <BR />access-list Admin extended permit icmp 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0 <BR />access-list Admin extended permit ip 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0 <BR />access-list Admin extended permit ip 145.125.0.0 255.255.0.0 10.70.253.0 255.255.255.0 <BR />access-list Admin extended permit ip 129.0.0.0 255.0.0.0 10.70.253.0 255.255.255.0 <BR />access-list Admin extended permit icmp 145.125.0.0 255.255.0.0 10.70.253.0 255.255.255.0 <BR />access-list Admin extended permit icmp 129.0.0.0 255.0.0.0 10.70.253.0 255.255.255.0 <BR />ip local pool Admin 10.70.253.1-10.70.253.254 mask 255.255.255.0<BR />group-policy Admin internal<BR />group-policy Admin attributes<BR /> split-tunnel-network-list value Admin<BR /> address-pools value Admin<BR />tunnel-group Admin type remote-access<BR />tunnel-group Admin general-attributes<BR /> address-pool Admin<BR /> default-group-policy Admin<BR />tunnel-group Admin ipsec-attributes</P><P></P><P>the "debug icmp trace" show a correct response.</P></BODY></HTML> Tue, 28 Sep 2010 22:07:07 GMT https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552633#M610349 jaime.gonzalez 2010-09-28T22:07:07Z https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552634#M610351 <HTML><HEAD></HEAD><BODY><P>Do you also have the traffic between 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0 <BR />included in the NONAT ACL?</P><P></P><P>In other words, you have something like this?</P><P></P><P>access-list NAME permit ip 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0 <BR />nat (inside) 0 access-list NAME</P><P></P><P>The debug icmp trace shows requests/responses fine?</P><P></P><P>Question.</P><P>The 10.70.255.0/24 has a default gateway which points to the ASA's internal IP?</P><P>If there's a router in between you might want to check if that device is blocking this traffic?</P><P></P><P>What is the result of the packet tracer from the VPN client when connected to the 10.70.255.0/24 network?</P><P>Do you see packets encrypted/decrypted for that security association?&nbsp; sh cry ips sa</P><P></P><P>Federico.</P></BODY></HTML> Tue, 28 Sep 2010 22:18:43 GMT https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552634#M610351 Federico Coto Fajardo 2010-09-28T22:18:43Z https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552635#M610354 <HTML><HEAD></HEAD><BODY><P>I made a mistake with the information , the network inside is 10.70.0.0/16 and the ip pool vpn is 10.70.253.0....sorry. I beleave it is overlaping.</P><P></P><P>and it`s the result of&nbsp; :</P><P></P><P>Result:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop&nbsp; <BR />Drop-reason: (rpf-violated) Reverse-path verify failed</P><P></P><P>I read about and I`m fear the ASA&nbsp; see an attempt of spoofing.</P></BODY></HTML> Tue, 28 Sep 2010 23:14:44 GMT https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552635#M610354 jaime.gonzalez 2010-09-28T23:14:44Z https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552636#M610356 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you paste the entire output of the packet-tracer? You might have to disable "ip verify reverse-path INTERFACE" on the interface you are getting that error.</P><P></P><P>Regards,</P><P>Prapanch</P></BODY></HTML> Wed, 29 Sep 2010 00:06:41 GMT https://community.cisco.com/t5/network-security/access-to-inside-from-asa-vpn-client-with-the-same-ip-addressing/m-p/1552636#M610356 praprama 2010-09-29T00:06:41Z