11-15-2012 06:20 PM - edited 02-21-2020 06:29 PM
hi,
1. Description
NAT is not on the ASA; it is in front of the ASA.
2. Question: my Remote Access VPN cannot ping the inside servers (10.0.0.0/16, 10.10.0.0/16, 10.11.0.0/16, 10.12.0.0/16, 172.16.0.0/16).
My VPN pool is 10.0.128.1-10.0.135.254 mask 255.255.248.0
ASA Version 8.4(5)
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.164 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside
 security-level 50
 ip address 10.0.0.169 255.255.255.248
!

!
boot system disk0:/asa845-k8.bin
access-list any extended permit ip any any
access-list any extended permit icmp any any
access-list split standard permit 10.0.0.0 255.255.0.0
access-list split standard permit 10.10.0.0 255.255.0.0
access-list split standard permit 10.11.0.0 255.255.0.0
access-list split standard permit 10.12.0.0 255.255.0.0
access-list split standard permit 172.16.0.0 255.255.0.0

ip local pool ssl-ip-pool 10.0.128.1-10.0.135.254 mask 255.255.248.0
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-702.bin

access-group any in interface inside
access-group any out interface inside
access-group any in interface outside
access-group any out interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.171 1
route inside 10.0.0.0 255.255.0.0 10.0.0.163 1
route inside 10.10.0.0 255.255.0.0 10.0.0.163 1
route inside 10.11.0.0 255.255.0.0 10.0.0.163 1
route inside 10.12.0.0 255.255.0.0 10.0.0.163 1
route inside 172.16.0.0 255.255.0.0 10.0.0.163 1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_mt-ssl-profile internal
group-policy GroupPolicy_mt-ssl-profile attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain none
username huang password 2iP8hQebDVjA4sLR encrypted
tunnel-group mt-ssl-profile type remote-access
tunnel-group mt-ssl-profile general-attributes
 address-pool ssl-ip-pool
 default-group-policy GroupPolicy_mt-ssl-profile
tunnel-group mt-ssl-profile webvpn-attributes
 group-alias mt-ssl-profile enable
!
3. Under the above condition:
My Remote Access VPN can ping the Internet (www.cisco.com), but cannot ping the inside servers.
4. If I change it like this, the problem is the same: it cannot ping.
object network obj-vpnpool
 subnet 10.0.128.0 255.255.248.0
nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
My Remote Access VPN can ping the Internet (www.cisco.com), but cannot ping the inside servers.
5. If I change it like this:
group-policy GroupPolicy_mt-ssl-profile attributes
 split-tunnel-policy excludespecified
I can ping the inside servers, but cannot ping the Internet (ping www.cisco.com).
Thank you.
11-16-2012 05:57 AM
Try to change your VPN Client pool so it doesn't overlap with the internal network.
It seems that you have a route for 10.0.0.0/16 and the vpn client pool is also in that subnet.
If that 10.0.128.0 subnet doesn't exist internally, make sure that your inside router knows how to route 10.0.128.0/255.255.248.0 via the ASA inside interface
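The overlap check this answer describes, as an added example (not part of the original thread and not Cisco code): it parses `ip local pool` and `route` lines in the form posted above and reports every non-default static route whose network contains pool addresses. The sample configuration is constructed from the question's own lines; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the pool and static routes from the configuration posted above.
SAMPLE_CONFIG = """\
ip local pool ssl-ip-pool 10.0.128.1-10.0.135.254 mask 255.255.248.0
route outside 0.0.0.0 0.0.0.0 10.0.0.171 1
route inside 10.0.0.0 255.255.0.0 10.0.0.163 1
route inside 10.10.0.0 255.255.0.0 10.0.0.163 1
route inside 10.11.0.0 255.255.0.0 10.0.0.163 1
route inside 10.12.0.0 255.255.0.0 10.0.0.163 1
route inside 172.16.0.0 255.255.0.0 10.0.0.163 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}-{IP}")
ROUTE_RE = re.compile(rf"^route (\S+) {IP} {IP} (\S+)")

def parse(config):
    """Return ({pool_name: [networks covering the range]}, [(iface, network, gateway)])."""
    pools, routes = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            first, last = map(ipaddress.ip_address, m.group(2, 3))
            # A pool is a first-last range, not a prefix: cover it exactly with CIDR blocks.
            pools[m.group(1)] = list(ipaddress.summarize_address_range(first, last))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((m.group(1), net, m.group(4)))
    return pools, routes

def find_overlaps(config):
    """List (pool, interface, routed network, gateway) for each static route that covers pool addresses."""
    pools, routes = parse(config)
    hits = []
    for name, blocks in pools.items():
        for iface, net, gateway in routes:
            if net.prefixlen == 0:
                continue  # the default route covers every address, so it says nothing
            if any(block.overlaps(net) for block in blocks):
                hits.append((name, iface, str(net), gateway))
    return hits

if __name__ == "__main__":
    for pool, iface, net, gateway in find_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps 'route {iface} {net}' via {gateway}")
```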
11-18-2012 05:51 PM
Yes.
Using 10.0.192.1-10.0.198.254 mask 255.255.248.0 is OK.