11-11-2010 10:42 PM
Hello all,
Our network scenario is below:
                 ipsec
lan A         <---------> lan B (remote)
& vpn pool
                 ipsec
lan A         <---------> lan C (remote)
& vpn pool
where lan A is 192.168.3.0/24, vpn pool is 192.168.4.0/24, lan B is 10.255.1.0/24, lan C is 172.24.0.0/16.
lan A and lan B are connected with an ipsec VPN, and lan A and lan C are connected with an ipsec VPN.
Now there is a problem confusing me:
While using SSLVPN to connect, we cannot ping anything on lan B.
But on lan A, we can ping all of lan B.
lan A and lan C work perfectly with the ipsec VPN, for both lan and SSLVPN ping. (lan A can ping lan C, vpn pool can ping lan C)
We have added an access-list from lan A to lan B, but it does not work.
Is there any way to ping from vpn pool to lan B correctly?
Thanks a lot
11-12-2010 03:23 PM
It will be more helpful if you could post a full configuration.
I guess the issue is in ACL no-nat-0; currently, it only has the following entry.
access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 172.24.0.0 255.255.0.0
If it works for LAN C, you should add the following for LAN B
access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 10.255.1.0 255.255.255.0
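An offline check of the point made in the reply above, added here as an example and not part of the thread or of any Cisco tooling: it parses the `no-nat-0` entries quoted in the thread and reports which remote LANs the SSL VPN pool has no NAT exemption for. The function names are hypothetical, and only the `permit ip <net> <mask> <net> <mask>` form shown in the thread is handled (no `host`, `any` or object-groups).

```python
import ipaddress
import re

# ACL text copied from the thread; the second entry is the one the reply proposes.
CURRENT_ACL = """
access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 172.24.0.0 255.255.0.0
"""
PROPOSED_ACL = CURRENT_ACL + """
access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 10.255.1.0 255.255.255.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ENTRY = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    + IPV4 + r"\s+" + IPV4 + r"\s+" + IPV4 + r"\s+" + IPV4 + r"\s*$"
)


def parse_acl(text, name):
    """Return (source_net, dest_net) pairs for the named ACL's permit-ip entries."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.append((src, dst))
    return pairs


def is_exempt(pairs, src, dst):
    """True if the whole src -> dst flow falls inside one exemption entry."""
    s = ipaddress.ip_network(src)
    d = ipaddress.ip_network(dst)
    return any(s.subnet_of(a) and d.subnet_of(b) for a, b in pairs)


def missing_exemptions(acl_text, name, pool, remotes):
    """List the remote networks the pool cannot reach without being NAT-ed."""
    pairs = parse_acl(acl_text, name)
    return [r for r in remotes if not is_exempt(pairs, pool, r)]


if __name__ == "__main__":
    remotes = ["10.255.1.0/24", "172.24.0.0/16"]  # lan B, lan C from the thread
    print("current :", missing_exemptions(CURRENT_ACL, "no-nat-0", "192.168.4.0/24", remotes))
    print("proposed:", missing_exemptions(PROPOSED_ACL, "no-nat-0", "192.168.4.0/24", remotes))
```

A clean result here only covers the NAT exemption on this ASA; the tunnel's interesting-traffic definition and the remote peer's configuration have to match as well.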
11-13-2010 05:47 AM
11-13-2010 01:05 PM
Since nat-control is enabled, you have to add that entry in no-nat-0 so that the packet from the SSL VPN client to LAN B won't be NAT-ed when it makes a U-turn on the ASA.
Can you try the following:
- disconnect the ssl vpn client
- clear xlate
- connect the ssl vpn client again
- ping from the client to LAN B
- check the log in the ASA to see if there is any error message
- run a "packet-trace" command using the outside interface as input interface, the vpn client's IP as source IP and the IP in LAN B as dest IP.
11-14-2010 05:04 AM
11-14-2010 05:20 AM
Sorry for that.
I found the problem is on the LAN B side....
Now it works.
Sorry for bothering you too much.
Thanks a lot