01-09-2011 03:01 AM
A strange problem is seen while working on an IPsec VPN on an ASA.
ASA inside: 192.168.100.1 255.255.255.240
Client host connected directly to the ASA inside: 192.168.100.2
The tunnel forms properly. When the remote client 10.20.15.5 is pinged from the ASA, it responds.
The same ping, when tried from the client 192.168.100.2 connected directly to the ASA inside, doesn't work,
and doing this also doesn't bring the tunnel up.
Ping from the ASA to 192.168.100.2 and vice versa is fine.
Packet tracer output and the running configuration are attached. A capture of ping traffic from the host to the ASA inside interface doesn't show any output.
Please help.
Thanks.
01-09-2011 03:21 AM
Based on the packet tracer, there is no configuration error on the ASA. However, just double-checking that you have configured NAT exemption on the ASA, i.e. "nat (inside) 0 access-list".
Does the 192.168.100.2 host have its default gateway configured to be the ASA inside interface (192.168.100.1)?
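For readers landing on this thread, here is what the NAT exemption and the two checks mentioned in this discussion (packet tracer and a capture on the inside interface) look like on the ASA CLI. This is an added example, not configuration from the original poster's attached running-config. It assumes the remote LAN behind the VPN peer is 10.20.15.0/24 and the outside interface is named "outside"; the access-list and object names are made up for illustration.

```text
! --- Pre-8.3 syntax (what "nat (inside) 0 access-list" refers to) ---
! The exemption ACL must mirror the crypto map's interesting-traffic ACL,
! otherwise the packet is translated before it reaches the crypto engine.
access-list NONAT extended permit ip 192.168.100.0 255.255.255.240 10.20.15.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- 8.3 and later: identity (twice) NAT instead of nat 0 ---
object network LOCAL-LAN
 subnet 192.168.100.0 255.255.255.240
object network REMOTE-LAN
 subnet 10.20.15.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Checks ---
! 1. Simulate the host's ping through the ASA; the trace should end at
!    the VPN phase with "Action: allow", not at a NAT or route phase.
packet-tracer input inside icmp 192.168.100.2 8 0 10.20.15.5 detailed

! 2. Capture what actually arrives on the inside interface from the host.
!    If this stays empty while the host is pinging, the packets never reach
!    the ASA (ARP / gateway problem on the host side), which is the case
!    discussed in this thread.
capture CAP-IN interface inside match icmp host 192.168.100.2 host 10.20.15.5
show capture CAP-IN

! 3. Confirm the tunnel is passing traffic: encaps/decaps counters should
!    increase while the host pings.
show crypto ipsec sa

! Clean up the capture when done.
no capture CAP-IN
```

The important caveat is the one the thread itself hints at: if an ICMP echo from the host shows up in the capture and the packet-tracer says allow, the ASA is doing its job and the problem is elsewhere; if the capture is empty, no amount of NAT or crypto configuration will help, because the frame is not reaching the firewall.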
01-09-2011 03:35 AM
Exemption was tried, but did not help.
I removed the exemption configuration as no NAT is currently happening on this device.
Yes, the gateway for the host is 192.168.100.1. I can reach the gateway from the host.
Very strange though: when I trace from this client (100.2), the hops show it taking the path towards my internet connection provider. Is it because the VPN tunnel is not used for this ping or tracert from the client?
Thanks.
01-09-2011 08:47 AM
Hi,
What are you trying to traceroute to from the PC?
It's interesting that you do not see captures when trying to ping the 10.x.x.x host from the machine. Do you see captures when trying to ping the ASA's IP 192.168.100.1 from the 100.2 machine? Please check the ARP table on the PC and confirm that it maps 192.168.100.1 to the MAC address of the ASA's inside interface.
Cheers,
Prapanch
01-09-2011 02:55 PM
That doesn't sound right.
If it goes through the VPN tunnel, the traffic will be encrypted and you shouldn't be able to see the hop for your internet provider.
Can you please clear the xlate and connections for that host: clear local 192.168.100.2
01-10-2011 04:40 PM
Thanks Jennifer and Prapanch. The client host was able to communicate via the tunnel from the inside interface after I rebooted the ASA.
Strange, but after trying options including the ones suggested by you, I tried a reboot and it went off fine.
Appreciate your help provided on this.