Cannot ping specific IPs when connected through VPN

leonnikolaou
Level 1

Hi all,

I have a DVR system for my cameras in the office with the IPs 192.168.1.120, 192.168.1.130 and also I have another two PCs with the IPs 192.168.1.90, 192.168.1.100.

I created a Remote VPN on my Cisco ASA 5505 firewall in order to access my cameras from home using Cisco VPN Client.

When I'm connected through VPN I cannot ping my camera IPs (192.168.1.120, .130) but I can ping my PCs' IPs (192.168.1.90, .100).

However I'm able to ping all of these IPs when I'm connected straight from my Cisco ASA firewall console.

Do you have any ideas what could be the problem accessing the camera IPs?

Thank you for your time

Regards

Leon

4 Replies

Jennifer Halim
Cisco Employee

Possibly the camera has not been configured with the correct default gateway.

When you are pinging the camera from the ASA, I assume that your ASA interface is in the same subnet as the camera, but when you are pinging from the VPN, the remote VPN Client will be from a different subnet than the camera subnet.

Please ensure that the correct default gateway has been configured on the camera.

Thank you for the reply Jennifer,

Actually, they are on different subnets.

My Cisco ASA is configured as follows:

(CAMERAS) dmz zone interface: 192.168.1.20 (which is also connected to my camera switch 192.168.1.1)

(INTERNAL) interface: 192.168.0.1

The Remote VPN is configured with all class C subnet 192.168.1.0/24

Thank you for your time

Regards

Leon

Firstly, the remote VPN pool subnet needs to be different to any of your internal subnets (inc. DMZ subnet). Please change the pool to something else.

Secondly, if you configure split tunnel, it would need to include both 192.168.1.0/24 and 192.168.0.0/24.

Thirdly, you would need to configure NAT exemption on DMZ interface as well:

access-list nonat-dmz permit ip 192.168.1.0 255.255.255.0 <vpn-pool-subnet> 255.255.255.0

nat (dmz) 0 access-list nonat-dmz
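
The three checks from the reply above can be run offline against a planned addressing scheme before touching the ASA. This is an added example, not part of the original thread or any Cisco tool; the function name, finding labels, the 10.99.0.0/24 pool and the /24 masks on the interfaces are assumptions chosen for illustration.

```python
import ipaddress

def audit_remote_vpn(interfaces, vpn_pool, split_tunnel, nat_exempt):
    """Return (finding, interface) tuples for a remote-access VPN plan.

    interfaces   : {asa_interface_name: subnet behind it}
    vpn_pool     : subnet handed out to VPN clients
    split_tunnel : list of tunnelled subnets, or None for tunnel-all
    nat_exempt   : {asa_interface_name: [(source_subnet, dest_subnet), ...]}
    """
    net = ipaddress.ip_network
    pool = net(vpn_pool)
    findings = []
    for name, cidr in interfaces.items():
        local = net(cidr)
        # Check 1: the client pool must not overlap any internal or DMZ subnet,
        # otherwise hosts treat VPN clients as on-link and replies never route back.
        if pool.overlaps(local):
            findings.append(("pool-overlap", name))
        # Check 2: with split tunnelling, every subnet to be reached must be listed.
        if split_tunnel is not None and not any(
                local.subnet_of(net(s)) for s in split_tunnel):
            findings.append(("split-tunnel-gap", name))
        # Check 3: each interface needs a NAT exemption from its subnet to the pool.
        if not any(local.subnet_of(net(src)) and pool.subnet_of(net(dst))
                   for src, dst in nat_exempt.get(name, [])):
            findings.append(("no-nat-exemption", name))
    return findings

# Interface subnets taken from the thread, assuming /24 masks.
INTERFACES = {"dmz": "192.168.1.0/24", "inside": "192.168.0.0/24"}

def as_described():
    # Pool equal to the DMZ subnet, only the DMZ tunnelled, no exemptions yet.
    return audit_remote_vpn(INTERFACES, "192.168.1.0/24", ["192.168.1.0/24"], {})

def after_changes():
    # Constructed corrected plan: separate pool, both subnets tunnelled and exempted.
    pool = "10.99.0.0/24"
    exempt = {name: [(cidr, pool)] for name, cidr in INTERFACES.items()}
    return audit_remote_vpn(INTERFACES, pool, list(INTERFACES.values()), exempt)

if __name__ == "__main__":
    print("as described:", as_described())
    print("after changes:", after_changes())
```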

Thank you Jennifer,

I will check it and let you know.

Thank you