12-25-2012 11:08 PM
Hi,
I am unable to ping any of the following inside IP addresses from the VPN client after establishing the VPN connection.
The following IP addresses cannot be pinged:
192.168.2.24
192.168.2.13
192.168.2.100 - this is firewall gateway
Tx.
12-26-2012 07:58 AM
Hi,
It is not recommended to have remote users' IPs as part of your internal IP range (ip local pool remote_support_pool 192.168.2.150-192.168.2.200 mask 255.255.255.0). Try changing the remote IPs to an unused subnet, e.g. 192.168.130.x, and add the specific route on the ASA (route outside 192.168.130.x ....
hth
MS
12-26-2012 11:44 PM
Hi
I just changed to a different IP pool as you said, and the route also, but I am still unable to ping those internal IPs. Are there any other changes needed?
ip local pool remote_support_pool 192.168.130.1-192.168.130.200 mask 255.255.255.0
route ouside 192.168.130.0 255.255.255.0 10.97.37.128 1
Thx
Manju
12-27-2012 10:34 AM
Can you upload your most recent configuration?
Also, please run "route print" on both the VPN client and the destination PC that you are trying to ping.
Also, temporarily disable the Windows firewall or any software firewall on the destination client while pinging.
12-27-2012 06:58 AM
Make sure .24 and .13 both have their gateway set as .100.
Sent from Cisco Technical Support iPad App
12-27-2012 06:59 AM
Also, check to see if you can ping those from inside the network. If not, you likely have a firewall on those hosts preventing ping.
Sent from Cisco Technical Support iPad App
12-30-2012 10:02 PM
I can ping inside between the two PCs, .13 and .24, and the firewall gateway .100 as well.
The problem is only from the remote client, which cannot reach any of those PCs or the firewall gateway.
12-30-2012 10:12 PM
Is nat-control disabled?
Try to ping from the firewall to the remote client. Can you ping?
Also try the packet-tracer command with the particular source and destination to check for any access issue in the firewall.
12-30-2012 11:51 PM
nat-control enabled
remote client not pinging from firewall
CISCO-ASA1# packet-tracer input ouside icmp 192.168.2.100 200 200 30000 192.16$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.130.1 255.255.255.255 ouside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ouside
input-status: up
input-line-status: up
output-interface: ouside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-01-2013 11:38 AM
Your ACL on the outside interface is blocking the ping implicitly. You will have to specifically allow it there, or you can enter the command below:
sysopt connection permit-vpn
You will also have to add a nat 0 rule to bypass NAT from inside to the VPN pool, as traffic will not be allowed if there is no rule.
After that, you can run the command again to see where it is being blocked.
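The changes suggested in the last reply, written out as an added example that is not from any poster in the thread. It assumes pre-8.3 ASA software (where nat-control and nat 0 exist), an inside interface named "inside", and a hypothetical ACL name NONAT_VPN; "ouside" is the outside interface name as it appears in the thread's output.

```cisco
! Added example, not from the thread.
! Assumptions: inside nameif is "inside"; ACL name NONAT_VPN is hypothetical.
! Addresses are the ones posted in the thread.

! --- configuration mode ---

! 1. NAT exemption: traffic from the inside LAN to the VPN pool must leave
!    untranslated. With nat-control enabled, traffic with no matching NAT
!    rule is dropped.
access-list NONAT_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.130.0 255.255.255.0
nat (inside) 0 access-list NONAT_VPN

! 2. Let decrypted VPN traffic bypass the interface ACL on "ouside".
sysopt connection permit-vpn

! 3. Pinging the ASA's own inside address (192.168.2.100) across the tunnel
!    additionally requires management access on that interface.
management-access inside

! --- privileged EXEC mode: verify ---

! Confirm both settings are present in the running configuration.
show running-config sysopt
show running-config nat

! Trace the return path: ICMP echo (type 8, code 0) from an inside host
! to a pool address. The NAT-EXEMPT phase should now report ALLOW.
packet-tracer input inside icmp 192.168.2.13 8 0 192.168.130.1
```

sysopt connection permit-vpn exempts all decrypted tunnel traffic from the interface ACL, so access for remote users then has to be restricted elsewhere, for example with a vpn-filter ACL in the group policy.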