10-24-2008 11:44 AM
I have an ASA 5505 7.2(3)
The firewall is set up with an inside IP network of 192.168.55.0
The VPN pool is set up as 192.168.55.90-192.168.55.99
What do I need to enable or create to allow the outside vpn clients to access the inside servers?
10-24-2008 12:03 PM
Hi,
You need to bypass NAT for the VPN Client Traffic by configuring nat (inside) 0.
nat (inside) 0 access-list 101
access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.55.0 255.255.255.0
Please refer to the URL below for configuration details.
While the above configuration should most likely resolve the issue, I would recommend that you configure a different subnet for the VPN Client Pool, something that is not part of your internal network, and then include it in the NAT 0 command. Depending upon your routing domain and how things are configured, you could run into routing issues by assigning IP addresses for the VPN Clients from your internal network.
Regards,
Arul
*Pls rate if it helps*
10-28-2008 11:04 AM
10-28-2008 11:47 AM
Hi,
Couple of things:
1. Your split tunnel is misconfigured.
access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0
The above ACL should be
access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.55.0 255.255.255.0
Basically, split tunnel specifies what addresses you want the VPN Remote Users to access over the tunnel.
2. Your NAT (inside) 0 is misconfigured.
access-list 101 extended permit ip 192.168.75.0 255.255.255.0 192.168.75.0 255.255.255.0
This should be
access-list 101 extended permit ip 192.168.55.0 255.255.255.0 192.168.75.0 255.255.255.0
Please do make the changes and test the tunnel connectivity.
Regards,
Arul
*Pls rate if it helps*
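The two corrections in the reply above, plus the earlier advice about keeping the pool off the inside subnet, can be checked mechanically. This is an added example, not part of the thread or Cisco tooling; the `audit` helper, the pool name and range, and the group-policy name are assumptions, and the sample config is constructed.

```python
import ipaddress

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config, inside="192.168.55.0/24"):
    """Check a pre-8.3 ASA remote-access config; return a list of findings.
    Only the 'network mask' ACL form used in the thread is parsed."""
    inside = ipaddress.ip_network(inside)
    pools, ext, std, nat0, split = [], {}, {}, None, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            ext.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            std.setdefault(t[1], []).append(net(t[4], t[5]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            split = t[2]
    findings = []
    for lo, hi in pools:
        if lo in inside or hi in inside:
            findings.append(f"pool {lo}-{hi} overlaps inside network {inside}")
        # NAT exemption must match inside -> pool, not pool -> pool
        if not any(inside.subnet_of(s) and lo in d and hi in d
                   for s, d in ext.get(nat0, [])):
            findings.append(f"nat 0 ACL {nat0} does not exempt {inside} -> pool")
    # Split tunnel list names the networks reached through the tunnel
    if split and not any(inside.subnet_of(n) for n in std.get(split, [])):
        findings.append(f"split-tunnel ACL {split} omits {inside}")
    return findings

# Constructed sample reproducing the two mistakes pointed out in the reply;
# pool name/range and group-policy name are assumptions, not the poster's config.
BROKEN = """
ip local pool vpnpool 192.168.75.1-192.168.75.10 mask 255.255.255.0
access-list 101 extended permit ip 192.168.75.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list PCGRemoteAccess_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0
nat (inside) 0 access-list 101
group-policy PCGRemoteAccess attributes
 split-tunnel-network-list value PCGRemoteAccess_splitTunnelAcl
"""

if __name__ == "__main__":
    for f in audit(BROKEN):
        print(f)
```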
10-28-2008 12:07 PM
Made changes, no difference. The tunnel is being built correctly but no traffic flows. I can't ping the 192.168.55.1 interface or any inside address.
10-28-2008 01:22 PM
Still need help. Anybody out there?
10-28-2008 01:40 PM
Post your latest config please.
10-28-2008 01:47 PM
10-28-2008 03:19 PM
10-28-2008 03:43 PM
Tony,
After you made the changes to the configuration, did you do "clear xlate" and then try pinging an IP address on the 192.168.55.0 subnet?
Also, after connecting the VPN Client and trying to access something on the inside, can you post the outputs of "show cry is sa" and "show cry ipsec sa"?
Regards,
Arul