cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
809
Views
0
Helpful
4
Replies

remote VPN client cannot access LAN.

ziweizhou
Level 1
Level 1

HI All,

I am using ASA5520 8.0(2) and my VPN client can establish a connection with the firewall. When I tried to ping from my VPN client to inside LAN servers, the traffic did research LAN Servers.

However the problem is that the return traffic is never delivered to VPN Client and got "teardown".

Here is my current configuration files. Any comment is appreciated.

4 Replies 4

ajagadee
Cisco Employee
Cisco Employee

The issue could be the Pool from which the IP Addresses are assigned to the clients.

Is it possible to reconfigure the VPNClientIPs Pool to use a different set of ip addresses than the ones that are part of your LAN and see if it works.

Example:

1. Assign 172.16.1.x/24 for the VPN Clients.

2. Include 172.16.1.x/24 in the NAT 0 Command to bypass NAT.

3. Make sure that your internal routing knows that they need to send the traffic back to the ASA to reach 172.16.1.x/24.

Regards,

Arul

Thanks for replying, Arul.

The issue is that VPN traffics has reached internal server, and replied traffics has reach firewall then it got tear down.

It seems inside the firewall, it doesn't realize the IP is a VPN client IP address.

But when I checked ARP table, it did show the connection IP for the VPN Client.

Any thoughts on that?

BTW, I used the same setting just the other day and everything works fine, it just stopped working today, and I don't remember that anything I modified can cause such a result.

Is it possible for you to change the pool of IP Addresses to something other than your internal network. Based upon your symptoms, it looks like the ASA is getting the return traffic and simply drops the packet because it has an inside ip addresses that falls within the 10.0.0.x/24 range.

Try changing the pool to a different subnet, reconfigure the NAT 0, make sure that the internal networks know that they need to send the traffic back to the ASA for the VPN Client Pool and give it a shot. Let me know how it goes.

Regards,

Arul

I tried that, still the same result.

Review Cisco Networking for a $25 gift card