ASA firewall VPN site to client unable to ping inside the networks

ntmanjunath
Level 1
Level 1

(attached image: ASA 5510.JPG)

Hi,

I am unable to ping from the VPN client to any of the following IP addresses on the inside network after establishing the VPN connection.

The following IP addresses cannot be pinged:

192.168.2.24

192.168.2.13

192.168.2.100 - this is the firewall gateway

Tx.

9 Replies

mvsheik123
Level 7
Level 7

Hi,

It is not recommended to have remote user IPs as part of your internal IP range (ip local pool remote_support_pool 192.168.2.150-192.168.2.200 mask 255.255.255.0). Try changing the remote IPs to an unused subnet, e.g. 192.168.130.x, and add the specific route on the ASA (route outside 192.168.130.x .... 1).

hth

MS

Hi

I just modified the IP pool to a different range as you said, and the route also, but I am still unable to ping those internal IPs. Are there any other changes?

ip local pool remote_support_pool 192.168.130.1-192.168.130.200 mask 255.255.255.0

route ouside 192.168.130.0 255.255.255.0 10.97.37.128 1

Thx

Manju

Can you upload your most recent configuration?

Also please run "route print" at both the vpn client, and the destination pc that you are trying to ping.

Also temporarily disable windows or any software firewall at destination client while pinging.

Jeff Van Houten
Level 5
Level 5

Make sure .24 and .13 both have their gateway set as .100.

Sent from Cisco Technical Support iPad App

Also, check to see if you can ping those from inside the network. If not, you likely have a firewall on those hosts preventing ping.

Sent from Cisco Technical Support iPad App

I can ping inside between the two PCs .13 and .24, and the firewall gateway .100 as well.

The problem is only from the remote client: it cannot reach any of those PCs or the firewall gateway.

Is nat-control disabled?

Try to ping from the firewall to the remote client. Can you ping?

Also try checking with the packet-tracer command, using the particular source and destination, to check for any access issue in the firewall.

nat-control is enabled.

The remote client is not pingable from the firewall.

CISCO-ASA1# packet-tracer input ouside icmp 192.168.2.100 200 200 30000 192.16$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.130.1   255.255.255.255 ouside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: ouside
input-status: up
input-line-status: up
output-interface: ouside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Your ACL on the outside interface is blocking the ping implicitly. You will have to specifically allow it there, or you can enter the command below:

sysopt connection permit-vpn

You will also have to add a nat 0 rule to bypass NAT from the inside to the VPN pool, as the traffic will not be allowed if there is no rule.

After that you can run the command again to see where it is being blocked.
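The NAT exemption and VPN ACL bypass described in the last reply, written out as an added example with the thread's subnets. This is not configuration from the original posts; the interface name "inside" and the ACL name are assumptions, and the syntax is the pre-8.3 nat-control style that the "nat 0" wording implies.

```cisco
! Added example, not from the thread. Assumed names: interface "inside",
! ACL "inside_nat0_outbound". Inside LAN 192.168.2.0/24 and VPN pool
! 192.168.130.0/24 are the values given in the thread.
!
! 1. Identity (nat 0) exemption: traffic from the inside LAN to the VPN pool
!    must not be translated; with nat-control enabled and no matching rule
!    the ASA drops it.
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.130.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 2. Let decrypted VPN traffic bypass the interface ACL on the VPN-terminating
!    interface, so the pool does not need an explicit entry in the outside ACL.
sysopt connection permit-vpn
!
! 3. Verify from an inside host toward a VPN client address (ICMP echo,
!    type 8 code 0). The trace should no longer end in an acl-drop phase.
packet-tracer input inside icmp 192.168.2.24 8 0 192.168.130.1
```

Keep the exemption ACL limited to the VPN pool rather than "any" so only the remote-access subnet is excluded from translation.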