03-04-2013 09:17 AM
I have an ASA 5505 with ipsec VPN configured on it. I am able to connect to the ASA but I can't ping a connected network. I get a dhcp assigned address in the network I am trying to reach but can't access that network on Vlan5. Please help.
I attached the config.
03-04-2013 09:28 AM
Use a VPN pool IP other than 5.x because this subnet is being used, and allow that new subnet IP in nat 0.
03-04-2013 09:32 AM
Like adding something like this?
access-list SPLIT_ACL extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
ip local pool VPNPOOL2 192.168.15.203-192.168.15.204 mask 255.255.255.0
Am I missing anything?
Thanks,
Ken
03-04-2013 09:41 AM
Just leave all as it is and add this line in your nat 0 acl:
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
And better change your split-tunnel acl from this
access-list SPLIT_ACL extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
to this
access-list SPLIT_ACL standard permit 192.168.5.0 255.255.255.0
Your split-acl should be from perspective of ASA and it's more correct to use standard acl for this purpose.
03-04-2013 10:13 AM
Will there be any issue since the network I am trying to reach in on vlan 5 on nameif fw-access?
03-04-2013 10:25 AM
I'm not sure I understand your last question.
03-04-2013 10:30 AM
The no_nat access list is referenced with
nat (inside) 0 access-list no_nat
The interface I am trying to reach is vlan5 which is named fw-civic not inside. Should the acl
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
also reference the vlan5 like this
nat (fw-civic) 0 access-list no_nat
03-04-2013 11:16 AM
Yes. I didn't notice that.
That nat-exemption rule should reference the fw-civic (not inside) interface, just like you put it:
nat (fw-civic) 0 access-list no_nat
03-04-2013 11:39 AM
I think final questions: can you have two nat statements that point to the same acl, i.e.
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 0 access-list no_nat
nat (fw-civic) 1 192.168.5.0 255.255.255.0
Or do I need to create a new acl for the fw-civic interface?
Thanks
03-04-2013 09:14 PM
You can use the same ACL.
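As an added example (not from the thread, not Cisco code, and not the poster's attached config), the following Python script parses the ASA lines in this format and checks the two things the thread turns on: that every interface with a dynamic NAT rule also has a nat 0 exemption whose ACL covers traffic from that interface's subnet to the VPN pool, and that the split-tunnel ACL is a standard ACL listing the networks pushed to clients. The VPN pool line is a constructed assumption (the thread only says the pool is in 5.x); the BEFORE config has only the nat (inside) 0 exemption, the AFTER config adds the lines suggested above.

```python
import ipaddress
import re

# Constructed sample (assumption: pool 192.168.5.200-.210, the thread just says "5.x").
# BEFORE: exemption only on inside, extended split-tunnel ACL.
BEFORE = """\
ip local pool VPNPOOL 192.168.5.200-192.168.5.210 mask 255.255.255.0
access-list SPLIT_ACL extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 1 192.168.5.0 255.255.255.0
"""

# AFTER: the same config with the changes suggested in the thread applied.
AFTER = """\
ip local pool VPNPOOL 192.168.5.200-192.168.5.210 mask 255.255.255.0
access-list SPLIT_ACL standard permit 192.168.5.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 0 access-list no_nat
nat (fw-civic) 1 192.168.5.0 255.255.255.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE_EXT = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$")
ACE_STD = re.compile(rf"^access-list (\S+) standard permit {IP} {IP}$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_DYN = re.compile(rf"^nat \((\S+)\) \d+ {IP} {IP}$")   # nat (if) N net mask
POOL = re.compile(rf"^ip local pool \S+ {IP}-{IP} mask {IP}$")


def net(addr, mask):
    """Turn an ASA 'address mask' pair into an IPv4Network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACL entries, nat 0 references, per-interface subnets and pools."""
    cfg = {"ext": {}, "std": {}, "nat0": {}, "local": {}, "pools": []}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_EXT.match(line):
            cfg["ext"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := ACE_STD.match(line):
            cfg["std"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := NAT0.match(line):
            cfg["nat0"][m[1]] = m[2]
        elif m := NAT_DYN.match(line):
            cfg["local"][m[1]] = net(m[2], m[3])
        elif m := POOL.match(line):
            cfg["pools"].append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
    return cfg


def check_nat_exemption(config):
    """One finding per interface whose traffic towards the VPN pool would still be NATed."""
    cfg = parse(config)
    findings = []
    for iface, local in cfg["local"].items():
        acl = cfg["nat0"].get(iface)
        if acl is None:
            findings.append(f"{iface}: no 'nat ({iface}) 0 access-list ...' exemption for {local}")
            continue
        for start, end in cfg["pools"]:
            # The exemption must match the interface subnet as source and the whole pool as destination.
            if not any(local.subnet_of(src) and start in dst and end in dst
                       for src, dst in cfg["ext"].get(acl, [])):
                findings.append(f"{iface}: {acl} has no entry from {local} to pool {start}-{end}")
    return findings


def split_tunnel_networks(config, acl_name):
    """Networks a standard split-tunnel ACL pushes to clients, plus warnings for extended entries."""
    cfg = parse(config)
    nets = cfg["std"].get(acl_name, [])
    warnings = [f"{acl_name}: extended entry {src} -> {dst}; use a standard ACL listing the network"
                for src, dst in cfg["ext"].get(acl_name, [])]
    return nets, warnings


if __name__ == "__main__":
    for label, cfg_text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, check_nat_exemption(cfg_text), split_tunnel_networks(cfg_text, "SPLIT_ACL"))
```

On the BEFORE config the checker reports that fw-civic has no nat 0 exemption at all and that the split-tunnel ACL is extended; on the AFTER config the fw-civic finding disappears and SPLIT_ACL yields 192.168.5.0/24. It still flags inside, because no_nat carries no entry from 192.168.9.0/24 to the pool, which is exactly what a reviewer would look at if VPN clients also need to reach the inside network.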
03-20-2013 10:24 AM
Well, I am still stuck. I have made the changes and I am still not able to communicate with a device inside the vlan5 network. Can you relook at the config?