Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
0
Helpful
4
Replies

remote VPN client cannot access LAN.

ziweizhou
Level 1
Level 1

‎01-10-2008 09:10 AM - edited ‎03-11-2019 04:46 AM

HI All,

I am using ASA5520 8.0(2) and my VPN client can establish a connection with the firewall. When I tried to ping from my VPN client to inside LAN servers, the traffic did research LAN Servers.

However the problem is that the return traffic is never delivered to VPN Client and got "teardown".

Here is my current configuration files. Any comment is appreciated.

Labels:
Preview file
5 KB
0 Helpful
4 Replies 4

ajagadee
Cisco Employee
Cisco Employee

‎01-10-2008 09:19 AM

The issue could be the Pool from which the IP Addresses are assigned to the clients.

Is it possible to reconfigure the VPNClientIPs Pool to use a different set of ip addresses than the ones that are part of your LAN and see if it works.

Example:

1. Assign 172.16.1.x/24 for the VPN Clients.

2. Include 172.16.1.x/24 in the NAT 0 Command to bypass NAT.

3. Make sure that your internal routing knows that they need to send the traffic back to the ASA to reach 172.16.1.x/24.

Regards,

Arul

0 Helpful

ziweizhou
Level 1
Level 1
In response to ajagadee

‎01-10-2008 10:31 AM

Thanks for replying, Arul.

The issue is that VPN traffics has reached internal server, and replied traffics has reach firewall then it got tear down.

It seems inside the firewall, it doesn't realize the IP is a VPN client IP address.

But when I checked ARP table, it did show the connection IP for the VPN Client.

Any thoughts on that?

BTW, I used the same setting just the other day and everything works fine, it just stopped working today, and I don't remember that anything I modified can cause such a result.

0 Helpful

ajagadee
Cisco Employee
Cisco Employee
In response to ziweizhou

‎01-15-2008 07:23 AM

Is it possible for you to change the pool of IP Addresses to something other than your internal network. Based upon your symptoms, it looks like the ASA is getting the return traffic and simply drops the packet because it has an inside ip addresses that falls within the 10.0.0.x/24 range.

Try changing the pool to a different subnet, reconfigure the NAT 0, make sure that the internal networks know that they need to send the traffic back to the ASA for the VPN Client Pool and give it a shot. Let me know how it goes.

Regards,

Arul

0 Helpful

ziweizhou
Level 1
Level 1
In response to ajagadee

‎01-15-2008 07:35 AM

I tried that, still the same result.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card