10-28-2009 09:33 AM
I can't reach or ping my internal network when I connect via VPN. The connection works fine, everything gets connected to the ASA, and the users are accepted via RADIUS.
10-28-2009 10:24 AM
Jorgen,
I would recommend using a different RA pool network number, separate from your inside network. This strategy eases troubleshooting efforts down the road, as opposed to troubleshooting issues from inside 192.168.0.0/24 and RA POOL 192.168.0.0/24. However, using the same network can still work.
I would correct a couple of things in your config.
You have allocated dhcpd for inside hosts from 192.168.0.2-192.168.0.129
and your RA VPN pool is defined from 192.168.0.60-192.168.0.75. Your RA pool allocation should be 192.168.0.130-192.168.0.145 to have some consistency.
You also need to add "crypto isakmp nat-traversal" to your config and have the RA client try again.
If all of the above does not do the trick, keep crypto isakmp nat-traversal in your config and re-create a new network for your RA POOL.
Here is an easy script:
Remove the RA POOL network:
no ip local pool VPN_IMH 192.168.0.60-192.168.0.75 mask 255.255.255.0
Create the new POOL network (assume 172.16.1.0):
ip local pool VPN_IMH 172.16.1.60-172.16.1.75 mask 255.255.255.0
For your exempt NAT ACL, add the following statement:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
And remove this rule:
no access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
Let us know how it works out so we can assist.
Regards
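The address-plan problem described in the reply above can be checked mechanically. This is an added example, not part of the original post or of any Cisco tooling: the function names are hypothetical, and the DHCP scope and inside subnet are passed in as the values quoted in the reply.

```python
import ipaddress
import re

# Matches the ASA pool line quoted in the reply above.
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")

def parse_range(first, last):
    """Return an inclusive (first, last) pair of IPv4Address objects."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    return lo, hi

def overlap(a, b):
    """Return the inclusive overlap of two ranges, or None if disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def check_pool(pool_line, dhcp_range, inside_net):
    """Compare an 'ip local pool' line with the inside DHCP scope and subnet."""
    m = POOL_RE.match(pool_line.strip())
    if not m:
        raise ValueError("not an 'ip local pool NAME first-last mask MASK' line")
    pool = parse_range(m.group(2), m.group(3))
    dhcp = parse_range(*dhcp_range.split("-"))
    net = ipaddress.IPv4Network(inside_net)
    hit = overlap(pool, dhcp)
    return {
        "pool": m.group(1),
        "dhcp_overlap": f"{hit[0]}-{hit[1]}" if hit else None,
        "conflicting_addresses": int(hit[1]) - int(hit[0]) + 1 if hit else 0,
        "shares_inside_subnet": pool[0] in net or pool[1] in net,
    }

DHCP = "192.168.0.2-192.168.0.129"   # dhcpd scope quoted in the reply
INSIDE = "192.168.0.0/24"            # inside network quoted in the reply

if __name__ == "__main__":
    # The original pool, the in-subnet alternative, and the separate network.
    for rng in ("192.168.0.60-192.168.0.75",
                "192.168.0.130-192.168.0.145",
                "172.16.1.60-172.16.1.75"):
        line = f"ip local pool VPN_IMH {rng} mask 255.255.255.0"
        print(rng, check_pool(line, DHCP, INSIDE))
```

The original pool reports 16 addresses that the inside DHCP scope can also hand out; the 172.16.1.0 pool is the only one of the three that neither overlaps the scope nor shares the inside subnet.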
10-29-2009 01:19 AM
Thank you very much!
This suggestion helped me a lot; the main problem was crypto isakmp nat-traversal.
Regards