ASA 5505 VPN can't access connected network

KEN COUSINO JR.
Level 1

I have an ASA 5505 with IPsec VPN configured on it. I am able to connect to the ASA but I can't ping a connected network. I get a DHCP-assigned address in the network I am trying to reach but can't access that network on Vlan5. Please help.

I attached the config.

10 Replies

jawad-mukhtar
Level 4

Use a VPN pool IP other than 5.x, because this subnet is already being used, and allow that new subnet IP in nat 0.

Jawad

Like adding something like this?

access-list SPLIT_ACL extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0

ip local pool VPNPOOL2 192.168.15.203-192.168.15.204 mask 255.255.255.0

Am I missing anything?

Thanks,

Ken

Just leave all as it is and add this line to your nat 0 ACL:

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0

And better change your split-tunnel acl from this

access-list SPLIT_ACL extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0

to this

access-list SPLIT_ACL standard permit 192.168.5.0 255.255.255.0

Your split ACL should be from the perspective of the ASA, and it's more correct to use a standard ACL for this purpose.

Will there be any issue since the network I am trying to reach is on VLAN 5 on nameif fw-access?

I'm not sure I understand your last question.

The no_nat access list is referenced with

nat (inside) 0 access-list no_nat

The interface I am trying to reach is vlan5, which is named fw-civic, not inside. Should the ACL

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0

also reference the vlan5 like this:

nat (fw-civic) 0 access-list no_nat

Yes. I didn't notice that.

That NAT-exemption rule should reference the fw-civic (not inside) interface, just like you put it:

nat (fw-civic) 0 access-list no_nat

I think a final question: can you have two nat statements that point to the same ACL, i.e.

access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0

access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list no_nat

nat (inside) 1 192.168.9.0 255.255.255.0

nat (fw-civic) 0 access-list no_nat

nat (fw-civic) 1 192.168.5.0 255.255.255.0

Or do I need to create a new acl for the fw-civic interface?

Thanks

You can use the same ACL.

Well, I am still stuck. I have made the changes and I am still not able to communicate with a device inside the vlan5 network. Can you re-look at the config?
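
An added configuration check, not code from the thread or from Cisco, that mechanises the point argued above: a client in the VPN pool only reaches a connected subnet when the interface owning that subnet (here fw-civic, not inside) has its own nat 0 binding to an ACL permitting that subnet towards the pool. The config text, interface names and addresses are constructed samples in the thread's shape; the check assumes ASA 8.2-style `nat (nameif) 0 access-list` syntax and ignores the VPN-terminating interface.

```python
import ipaddress
import re

# Constructed sample: VPN pool in VLAN5's subnet (fw-civic), nat 0 bound only to inside.
BROKEN_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.9.1 255.255.255.0
interface Vlan5
 nameif fw-civic
 ip address 192.168.5.1 255.255.255.0
ip local pool VPNPOOL 192.168.5.200-192.168.5.210 mask 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
"""
FIXED_CONFIG = BROKEN_CONFIG + "nat (fw-civic) 0 access-list no_nat\n"

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(cfg):
    """Extract connected subnets, extended ACLs, nat 0 bindings and VPN pools."""
    ifaces, acls, nat0, pools, cur = {}, {}, {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            cur = m[1]
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and cur:
            ifaces[cur] = net(m[1], m[2])
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]
    return ifaces, acls, nat0, pools

def check_nat_exemption(cfg):
    """One finding per connected interface lacking a nat 0 entry permitting
    <its subnet> -> <VPN pool>; a binding on another interface does not help."""
    ifaces, acls, nat0, pools = parse_asa(cfg)
    findings = []
    for name, subnet in ifaces.items():
        entries = acls.get(nat0.get(name), [])   # [] when no nat (name) 0 exists
        for first, last in pools:
            if not any(subnet.subnet_of(src) and first in dst and last in dst
                       for src, dst in entries):
                findings.append(f"{name} ({subnet}): no nat 0 exemption for pool {first}-{last}")
    return findings
```

Running `check_nat_exemption(BROKEN_CONFIG)` reports fw-civic only; adding the second binding (FIXED_CONFIG) clears it.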