cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3146
Views
0
Helpful
10
Replies

No local lan access Ipsec VPN

Hi

This week i configured a remote access vpn to an asa 5510.

See this topic: https://supportforums.cisco.com/message/3191344#3191344

Thanks to the support, i can connect now, but i still don't have any local lan access.

When i connect with my vpn client.

My internal dhcp pool is 192.0.0.0 255.255.255.0

My dhcp pool is 192.0.1.0 255.255.255.0

I have attachted my running config, and some screenshots from my VPN client when connected.

Any help would be appreciated

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

You've added an incorrect NAT exemption ACL. It should be:

access-list inside_nat0_outbound_1 extended permit ip any 192.0.1.0 255.255.255.0

and to test pinging the inside interface, pls add:

management-access inside

Hope that resolves the issue.

View solution in original post

10 Replies 10

Jennifer Halim
Cisco Employee
Cisco Employee

You've added an incorrect NAT exemption ACL. It should be:

access-list inside_nat0_outbound_1 extended permit ip any 192.0.1.0 255.255.255.0

and to test pinging the inside interface, pls add:

management-access inside

Hope that resolves the issue.

Hi Jennifer

Thank you for the quick responce, but i still don't have local lan access.

when i'mconnected, my default gateway that i get from the asa, is the same as the ip

address i get from the asa.

Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2

Is this correct, it seems odd, but i don't know much about vpn's, as you may already know.

Thanks for all the help

yes, that is OK. from the statistics page, your vpn client is sending the traffic towards the ASA, but no traffic is returning.

Can you share the output of:

show crypto ipsec sa

Can you ping the ASA inside interface from vpn client?

Also, enable this command:

crypto isakmp nat-traversal

Ok here is the output

is ping to 192.0.0.40 successful?

Yes now ping to 192.0.0.40 is succesfull

Perfect,..

What other hosts are you trying to access internally? ping as well? you might want to check if personal firewall is turned on the inside host as it blocks incoming/inbound traffic from other subnets normally.

Hi

Now, i can ping to clients in the local network.

In my vpn client, it still says: Local access: Disabeld.

But it works, i'm happy.

Thank you very much for your help and quick responses Jennifer.



Great, thanks for the update. Please kindly mark the post as answered.