06-01-2011 07:51 AM
Hi,
I am having problems accessing our internal network via VPN. We have an ASA at the perimeter that connects to a 3745 router, and all of our networks come off that router. I can establish a VPN connection to the ASA, but I can't ping any of our internal hosts.
The internal network I need to access is 172.18.0.0. When I connect to the ASA I get a DHCP address from a pool created in the ASA; the pool is 172.200.1.x. I can't ping from the ASA to the connected VPN host, and I can't ping from the host to the ASA IP address or to the 3745 connected to it.
ASA config:
group-policy NAMEOFPOLICY internal
group-policy NAMEOFPOLICY attributes
dns-server value 172.18.2.2 172.18.2.23
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Splittunelacl1
split-dns value 172.18.2.2
address-pools value remote-vpn-pool
Splittunelacl1
access-list Splittunelacl1 extended permit ip 172.18.0.0 255.255.240.0 172.200.1.0 255.255.255.0
NoNAT rule
access-list nonat extended permit ip 172.18.0.0 255.255.240.0 172.200.1.0 255.255.255.0
Route to the 3745
route inside 172.18.0.0 255.255.0.0 172.18.255.1 1
Route on the 3745 back to the ASA
ip route 0.0.0.0 0.0.0.0 172.18.255.2
I can't see anything on the internal network; I can't even ping the DNS servers and so on. Any help would be appreciated, thanks.
06-01-2011 08:22 AM
OK, so now I can ping from the VPN client to the ASA inside interface as well as the interface on the 3745. I can also ping other networks that are connected to the 3745, like 10.x.x.x. From the 3745 I can ping the VPN host; however, I still can't ping any host on the 172.18.x.x subnet. I am seeing this in the logs:
no translation group found for icmp src outside 172.200.1.3 dest 172.18.2.2
06-01-2011 08:51 AM
A little more info: I need to ping 172.18.0.1 and I can't. But I can ping 172.18.254.1, 172.18.255.1 and 172.22.0.1. They are all interfaces on the 3745, but I can't get to the 172.18.0.0 network.
06-01-2011 09:11 AM
For anyone interested, the solution was:
nat (inside) 0 access-list nonat
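To show why the ACL alone was not enough, here is an added example (not the poster's script) that parses the two access-list lines quoted above and the nat 0 binding, and reports whether a given inside host / VPN client pair is NAT-exempt. It assumes the legacy pre-8.3 NAT exemption syntax used in the thread and the constructed addresses from the posts.

```python
import ipaddress

# Added example, not the poster's own script. ACL lines are copied from the thread; the
# "nat (inside) 0" binding is kept separate so the before/after states can be compared.
ACL_LINES = """
access-list Splittunelacl1 extended permit ip 172.18.0.0 255.255.240.0 172.200.1.0 255.255.255.0
access-list nonat extended permit ip 172.18.0.0 255.255.240.0 172.200.1.0 255.255.255.0
"""
BINDING = "nat (inside) 0 access-list nonat\n"

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 9 and p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits
            src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
            dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
            acls.setdefault(p[1], []).append((src, dst))
    return acls

def nat_exempt_acls(config):
    """Names of ACLs bound with 'nat (<ifname>) 0 access-list <name>' (pre-8.3 NAT exemption)."""
    return {p[4] for p in (l.split() for l in config.splitlines())
            if len(p) == 5 and p[0] == "nat" and p[2] == "0" and p[3] == "access-list"}

def nat_exempt(config, inside_host, vpn_client):
    """True when the inside_host <-> vpn_client pair matches a *bound* NAT-exempt entry.

    The nonat ACL is written from the inside interface's view (src 172.18.0.0/20,
    dst 172.200.1.0/24); exemption with an ACL applies to both directions of the flow.
    An unbound ACL exempts nothing, hence the 'no translation group found' syslog.
    """
    acls = parse_acls(config)
    host, client = ipaddress.ip_address(inside_host), ipaddress.ip_address(vpn_client)
    return any(host in src and client in dst
               for name in nat_exempt_acls(config) for src, dst in acls.get(name, []))

def uncovered_by_mask(config, acl_name, inside_host):
    """True if inside_host lies outside every source network of acl_name; a 255.255.240.0
    mask covers 172.18.0.0-172.18.15.255 only, so 172.18.255.1 is not matched."""
    host = ipaddress.ip_address(inside_host)
    return all(host not in src for src, _ in parse_acls(config).get(acl_name, []))

if __name__ == "__main__":
    print(nat_exempt(ACL_LINES, "172.18.2.2", "172.200.1.3"))            # False: ACL unbound
    print(nat_exempt(ACL_LINES + BINDING, "172.18.2.2", "172.200.1.3"))  # True: after the fix
    print(uncovered_by_mask(ACL_LINES, "nonat", "172.18.255.1"))        # True: outside the /20
```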