04-06-2010 07:13 PM
I was able to get to the internal resources by having the same VPN pool as the internal IP address (192.168.100.0). Now, I want to have a different VPN pool from the internal IP address. For example, I want to have the VPN pool from 192.168.101.1 - 192.168.101.250. I was able to login to VPN client, but I cannot ping or access the internet resource (192.168.100.13). Can you help me? Attached is the config file.
Thanks.
Laura
04-06-2010 07:46 PM
Laura,
Sounds like you need to add the new VPN pool from 192.168.101.1 - 192.168.101.250 to your Inside_nat0_outbound ACL:
It should look like this now, with both the internal and VPN pool address ranges included:
access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0
Hope this helps,
Mike
04-07-2010 09:22 AM
Mciszek,
I still can't connect to the internal resource after adding the statement. Do you have any other suggestions?
Thanks.
Laura
04-07-2010 02:20 PM
If you are testing with ping, you would need to add the following:
policy-map global_policy
 class inspection_default
  inspect icmp
Also, your internal LAN default gateway should be the ASA inside interface (192.168.100.100), assuming that you are trying to access resources within the 192.168.100.0/24 subnet.
Also, I just want to confirm that you have the VPN client configured, as the config in the first post does not include that.
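The two checks raised in this thread (is the new VPN pool fully covered by the nat0 exemption ACL, and is ICMP inspection enabled in the global policy) can be run against a saved running-config before testing with ping. The script below is an added example, not code from the thread or from Cisco; the sample config is constructed to reproduce the situation described (pool moved to 192.168.101.x, nat0 ACL still exempting only 192.168.100.0/24), and the `nat (inside) 0 access-list ...` line and the ACL/pool syntax are assumed to follow the ASA 8.2 forms shown in the posts.

```python
"""Check an ASA 8.x config for the two issues discussed in the thread:
   1. every 'ip local pool' range is fully covered by the nat0 (NAT-exemption) ACL
   2. 'inspect icmp' is present under class inspection_default of policy-map global_policy
Added example; the config text below is constructed, not the poster's attachment."""
import ipaddress
import re

# Constructed sample: pool is 192.168.101.1-250, but nat0 ACL only exempts the LAN,
# and the global policy has no ICMP inspection.
SAMPLE_CONFIG = """\
hostname asa
ip local pool VPN_POOL 192.168.101.1-192.168.101.250 mask 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list 101 extended permit icmp any any
nat (inside) 0 access-list Inside_nat0_outbound
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
"""

# Constructed "after" config: nat0 ACL extended with the pool subnet and inspect icmp added.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 101",
    "access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0\n"
    "access-list 101",
).replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")  # assumed 8.2-style nat0 line


def parse_pools(config):
    """Map pool name -> (first address, last address)."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def nat0_acl_name(config):
    """Name of the ACL bound to 'nat (inside) 0', or None if there is no exemption."""
    for line in config.splitlines():
        m = NAT0_RE.match(line)
        if m:
            return m.group(1)
    return None


def parse_exempt_networks(config, acl_name):
    """Destination networks exempted by 'permit ip any <net> <mask>' entries of the given ACL."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def pool_is_exempt(pool, nets):
    """True only if every address of the pool range lies inside some exempted network.
    The range is split into CIDR blocks; each block must be a subnet of an ACL entry."""
    first, last = pool
    return all(any(block.subnet_of(n) for n in nets)
               for block in ipaddress.summarize_address_range(first, last))


def icmp_inspected(config):
    """True if 'inspect icmp' sits under class inspection_default of policy-map global_policy."""
    in_policy = in_class = False
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):            # top-level command ends any block
            in_policy = stripped == "policy-map global_policy"
            in_class = False
        elif in_policy and stripped.startswith("class "):
            in_class = stripped == "class inspection_default"
        elif in_class and stripped == "inspect icmp":
            return True
    return False


def check_config(config):
    """Return a list of human-readable findings; empty list means both checks pass."""
    acl = nat0_acl_name(config)
    nets = parse_exempt_networks(config, acl) if acl else []
    findings = []
    for name, pool in parse_pools(config).items():
        if not pool_is_exempt(pool, nets):
            findings.append(f"pool {name} not covered by nat0 ACL {acl}")
    if not icmp_inspected(config):
        findings.append("inspect icmp missing from global_policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, check_config(cfg) or ["ok"])
```

The pool coverage test deliberately splits the pool range into CIDR blocks rather than checking only the first and last address, so a pool that straddles two /25 entries, or one that is only half exempted, is reported as uncovered; the ICMP check only looks inside `class inspection_default` of `global_policy`, which is where the thread places the fix.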
04-08-2010 11:07 AM
Halijenn,
Thanks for taking time to look at the config again. I did not have the "inspect icmp" statement in my config. I have this statement and thought it means icmp is turned on.
access-list 101 extended permit icmp any any
Thanks.
Laura
04-08-2010 11:13 AM
Halijenn,
May I ask you another question? I upgraded the IOS from 7.0 to 8.2.2. The upgrade added the following statements. I don't know what these statements are for. Is it OK to remove them? Thanks.
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
04-08-2010 02:50 PM
Definitely safe to remove them.
The "prompt hostname context" command is useful if you have failover configured and would like to know whether it's the active or standby unit, and if you have multiple contexts configured on the firewall. It just gives you more information on the prompt.
Here is the command reference for "prompt":
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1921355
The rest of the config is for Smart Call Home. It is a new feature in version 8.2.2 and has limited functionality as it has just been introduced.
Here is a little bit of reading on the feature if you are interested:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_smart_call_home.html
04-08-2010 06:11 PM
Thanks very much again for the prompt response and information, Halijenn.
Laura