Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1943
Views
0
Helpful
3
Replies

Can't Reach Inside Host after VPN connects to ASA

moises7777
Level 1
Level 1

‎06-01-2011 07:51 AM

Hi,

I am having problems accessing our internal network via VPN. We have an ASA at the perimeter that connects to a 3745 router and all of our networks come of that router. I can establish a VPN connection to the ASA but I can’t ping any of our internal host.

The internal network I need to access is 172.18.0.0. When I connect to the ASA I get a dhcp address from a pool created in the ASA, the pool is 172.200.1.x. I can’t ping from the ASA to the connected vpn host and I can’t ping from the host to the ASA ip address or to 3745 connected to it.

ASA config:

group-policy NAMEOFPOLICY internal

group-policy NAMEOFPOLICY attributes

dns-server value 172.18.2.2 172.18.2.23

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Splittunelacl1

split-dns value 172.18.2.2

address-pools value remote-vpn-pool

Splittunelacl1 

access-list Splittunelacl1 extended permit ip 172.18.0.0 255.255.240.0 172.200.1.0 255.255.255.0

NoNAT rule

access-list nonat extended permit ip 172.18.0.0 255.255.240.0 172.200.1.0 255.255.255.0

Route to the 3745

route inside 172.18.0.0 255.255.0.0 172.18.255.1 1
 
Route on the 3745 back to the ASA
 
ip route 0.0.0.0 0.0.0.0 172.18.255.2
 
I can’t see anything on the internal network, I can’t even ping the dns servers and so on. Any help would be appreciated, thanks.
Labels:
0 Helpful
3 Replies 3

moises7777
Level 1
Level 1

‎06-01-2011 08:22 AM

Ok, so now I can ping from the vpn client to the ASA inside interface as well as the interface on the 3745. I can also ping other networks that are connected to the 3745 like 10.x.x.x. From the 3745 I can ping the vpn host, however, I still can't ping any host on the 172.18.x.x subnet. I am seeing this in the logs:

no translation group found for icmp src outside 172.200.1.3 dest
172.18.2.2

0 Helpful

moises7777
Level 1
Level 1
In response to moises7777

‎06-01-2011 08:51 AM

A little more info:  I need to ping 172.18.0.1 and I can't. But i can ping 172.18.254.1 and 172.18.255.1 and 172.22.0.1. They are all interfaces on the 3745, but I can't get to the 172.18.0.0 network.

0 Helpful

moises7777
Level 1
Level 1
In response to moises7777

‎06-01-2011 09:11 AM

For anyone intrested the solution was

nat (inside) 0 access-list nonat

0 Helpful
Customers Also Viewed These Support Documents