02-28-2008 11:36 AM
I have ASA 5540
here is my vpn config
access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool AAA 10.0.0.10-10.0.0.254 mask 255.255.255.0
nat (inside) 0 access-list VPNRA
vpn-tunnel-protocol IPsec
When I connect to the VPN, I can access the internet, but I cannot access or ping anything in the internal network.
02-28-2008 11:47 AM
Did you use split-tunneling?
vpn-tunnel-protocol IPsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test
access-list test standard permit 172.17.1.0 255.255.255.0 --> internal LAN subnet
hth
MS
02-28-2008 01:34 PM
ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
Still unable to connect to the internal network. Using packet tracer, it fails at VPN NAT. On the internal Layer 3 switch, we added a static route: 10.17.70.0 255.255.255.0 10.0.0.2 (the ASA interface).
02-29-2008 07:19 AM
Do you have a NAT exemption rule that keeps traffic from the LAN subnet to the VPN pool from being selected for NAT?
Check the commands below:
access-list Private_nat0_outbound remark SSL VPN traffic exemption
access-list Private_nat0_outbound extended permit ip LOCAL-LAN 255.0.0.0 VPN-SSL 255.255.255.0
nat (Private) 0 access-list Private_nat0_outbound
nat (Public) 0 LOCAL-LAN 255.0.0.0
*LOCAL-LAN is "name 10.0.0.0 LOCAL-LAN"
*VPN-SSL is "name 10.32.2.x VPN-SSL" which is the vpn pool
Hope that helps.
(please rate the comment if you found it useful)
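The two replies above come down to one check: the ACL referenced by `nat (inside) 0 access-list ...` must contain an ACE whose source covers the internal LAN and whose destination covers the `ip local pool` subnet, otherwise return traffic to VPN clients is still translated and packet tracer fails at the NAT step. The following is an added example, not a config or tool from this thread or from Cisco: a small Python checker that parses constructed ASA fragments in the same shape as the posts (pool, exemption ACL, `nat ... 0` line) and reports whether LAN-to-pool traffic is exempted. The LAN subnet 172.17.1.0/24 and the ACL name VPNRA are taken from the thread; the two config fragments are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA config fragments in the shape shown in this thread (not the poster's exact config).
# "Broken": the pool is 10.17.70.0/24 but the exemption ACL only covers 172/8 -> 172/8, so
# LAN-to-pool traffic is still NATed. "Fixed": the ACL exempts LAN -> pool explicitly.
CONFIG_BROKEN = """\
ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
nat (inside) 0 access-list VPNRA
"""

CONFIG_FIXED = """\
ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA remark VPN client traffic exemption
access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.17.70.0 255.255.255.0
nat (inside) 0 access-list VPNRA
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)


def parse_pool(config):
    """Return the subnet containing the 'ip local pool' range (start address + mask)."""
    m = POOL_RE.search(config)
    if not m:
        raise ValueError("no 'ip local pool' line found")
    start, _end, mask = m.groups()
    return ipaddress.ip_network(f"{start}/{mask}", strict=False)


def _take_addr(tokens):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK') from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def exemption_aces(config):
    """Return (src, dst) network pairs from every 'permit ip' ACE of the nat-0 exemption ACL."""
    m = NAT0_RE.search(config)
    if not m:
        return []  # no NAT exemption configured at all
    acl_name = m.group(2)
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue  # remarks, other ACLs and non-IP ACEs do not matter here
        src, rest = _take_addr(tokens[5:])
        dst, _ = _take_addr(rest)
        aces.append((src, dst))
    return aces


def exemption_covers(config, lan_subnet):
    """True if some nat-0 ACE exempts LAN -> VPN pool traffic from translation."""
    lan = ipaddress.ip_network(lan_subnet)
    pool = parse_pool(config)
    return any(lan.subnet_of(src) and pool.subnet_of(dst)
               for src, dst in exemption_aces(config))


if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(label, "LAN 172.17.1.0/24 -> pool", parse_pool(cfg),
              "exempt:", exemption_covers(cfg, "172.17.1.0/24"))
```

Run against the two fragments, the "broken" one reports no exemption because the pool 10.17.70.0/24 is not inside the 172.0.0.0/8 destination, which is the same mismatch the thread's second config has; the "fixed" one reports the LAN-to-pool flow as exempt. The static route for the pool subnet on the Layer 3 switch is still needed separately, since the exemption only decides whether the ASA translates the traffic, not whether the LAN can route replies back to the ASA.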