930 Views | 10 Helpful | 7 Replies

Can't access internal resource

laurabolda (Level 1)

I was able to get to the internal resources by having the same VPN pool as the internal IP address (192.168.100.0). Now, I want to have a different VPN pool from the internal IP address. For example, I want to have the VPN pool from 192.168.101.1 - 192.168.101.250. I was able to log in to the VPN client, but I cannot ping or access the internal resource (192.168.100.13). Can you help me? Attached is the config file.

Thanks.

Laura


7 Replies

mciszek (Level 1)

Laura,

Sounds like you need to add the new VPN pool from 192.168.101.1 - 192.168.101.250 to your Inside_nat0_outbound ACL.

It should look like this now, with both the internal and VPN pool address ranges included:

access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0

Hope this helps,

Mike

Mciszek,

I still can't connect to the internal resource after adding the statement. Do you have any other suggestions?

Thanks.

Laura

If you are testing with ping, you would need to add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Also, your internal LAN default gateway should be the ASA inside interface (192.168.100.100), assuming that you are trying to access resources within the 192.168.100.0/24 subnet.

Also, I just want to confirm that you have the VPN client configured, as the config in the first post does not include that.
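The two fixes in this thread (Mike's extra Inside_nat0_outbound entry for the pool, and the "inspect icmp" line here) are easy to miss when reading a long "show run". As an added example that is not part of this thread and not Cisco code, the following Python script checks an ASA config text for both conditions: it parses the "ip local pool" range and the destinations in the NAT-exemption ACL, reports any part of the pool the ACL does not exempt, and confirms that "inspect icmp" sits under class inspection_default in global_policy. The config text, the pool name vpnpool and all function names are constructed for the example. It also keeps an interface ACL line such as "access-list 101 extended permit icmp any any" separate from ICMP inspection, since those are different things.

```python
import ipaddress
import re

# Constructed sample config (NOT Laura's attached config). The addresses mirror
# the ones quoted in the thread: inside 192.168.100.0/24, ASA inside interface
# 192.168.100.100, VPN pool 192.168.101.1-192.168.101.250. The pool name
# "vpnpool" is an assumption.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.100.100 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list 101 extended permit icmp any any
ip local pool vpnpool 192.168.101.1-192.168.101.250
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
"""

# Same config with the two fixes from the thread applied: the pool subnet added
# to the NAT-exemption ACL and "inspect icmp" added to the default inspection class.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0\n",
    "access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0\n"
    "access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0\n",
).replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")

# "access-list NAME extended permit ip SRC DST" where SRC/DST is "any",
# "host A.B.C.D" or "A.B.C.D MASK". Other ACL forms (icmp, tcp, ...) are ignored.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)
POOL_RE = re.compile(r"^ip local pool\s+(?P<name>\S+)\s+(?P<first>[\d.]+)-(?P<last>[\d.]+)")


def _to_network(token):
    """Turn an ASA address token ('any', 'host X', 'X MASK') into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def nat0_destinations(config, acl_name):
    """Destination networks that the named NAT-exemption ACL permits."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            nets.append(_to_network(m.group("dst")))
    return nets


def local_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group("name")] = (ipaddress.ip_address(m.group("first")),
                                      ipaddress.ip_address(m.group("last")))
    return pools


def pool_uncovered(first, last, nets):
    """Return the sub-blocks of the pool range that no exempted network contains.

    Blocks only partly inside an exempted network are split and re-checked,
    so the result is exact rather than merely conservative."""
    todo = list(ipaddress.summarize_address_range(first, last))
    missing = []
    while todo:
        block = todo.pop()
        if any(block.subnet_of(n) for n in nets):
            continue
        if block.prefixlen < 32 and any(block.overlaps(n) for n in nets):
            todo.extend(block.subnets())  # partially covered: split in two halves
        else:
            missing.append(block)
    return sorted(missing)


def icmp_inspected(config, policy="global_policy", cls="inspection_default"):
    """True if 'inspect icmp' appears under the given class of the given policy-map."""
    cur_policy = cur_class = None
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):  # any top-level command ends the current block
            cur_policy = stripped.split()[1] if stripped.startswith("policy-map ") else None
            cur_class = None
            continue
        if stripped.startswith("class "):
            cur_class = stripped.split()[1]
        elif stripped == "inspect icmp" and cur_policy == policy and cur_class == cls:
            return True
    return False


def audit(config, acl_name="Inside_nat0_outbound", pool_name="vpnpool"):
    """Findings that explain why VPN clients may not reach inside hosts."""
    findings = []
    first, last = local_pools(config)[pool_name]
    missing = pool_uncovered(first, last, nat0_destinations(config, acl_name))
    if missing:
        findings.append(f"{acl_name} does not exempt pool range(s): "
                        + ", ".join(str(b) for b in missing))
    if not icmp_inspected(config):
        # An interface ACL permitting icmp is not the same as inspecting it:
        # without inspection the ASA keeps no echo/echo-reply state.
        findings.append("no 'inspect icmp' under class inspection_default in global_policy")
    return findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG))
    print("after:", audit(FIXED_CONFIG))
```

The script only reads the ASA side; the other point in this reply, that the inside hosts' default gateway must be the ASA inside interface, has to be verified on the hosts themselves.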

Halijenn,

Thanks for taking time to look at the config again. I did not have the "inspect icmp" statement in my config. I have this statement and thought it meant ICMP was turned on:

access-list 101 extended permit icmp any any

Thanks.

Laura

Halijenn,

May I ask you another question? I upgraded the IOS from 7.0 to 8.2.2. The upgrade added the following statements. I don't know what these statements are for. Is it OK to remove them? Thanks.

prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Definitely safe to remove them.

The "prompt hostname context" command is useful if you have failover configured and would like to know whether it's the active or standby unit, and if you have multiple contexts configured on the firewall. It just gives you more information on the prompt.

Here is the command reference for "prompt":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1921355

The rest of the config is for Smart Call Home. It is a new feature in version 8.2.2 and has limited functionality as it has just been introduced.

Here is a little bit of reading on the feature if you are interested:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_smart_call_home.html

Thanks very much again for the prompt response and information, Halijenn.

Laura
