VPN Site-to-Site - cannot ping the router's internal IP address

Hi guys,.

I configured a VPN site-to site between two routers, everything works well except ping the internal (LAN) IP of a router.

Everything works fine: ping the hosts through the tunnel in both feel.

Routers that I use:

-IOS 1841: M3 15.0 (1)

-2811 IOS: 15.0 (1) M5-> here is the problem. I can't ping the inside interface of the router.

I checked its ipsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.

#pkts program is not incrementing.

Anyone had this problem before?

Thank you very much.

Best regards

I think that happens because when the router responds to icmp request he gets is outside interface IP (not the IP Address of the inside interface, wich you are trying to ping) as the source of a package. If icmp-response does not go in the tunnel, because the IP address in the router's external interface is not included in the crypto-acl.

Solution to this, if it's correct guess, is to add the router's external IP to the crypto-acl.

Tags: Cisco Security

Similar Questions

  • WRT160N v2 site blocking to the router even after reset and upgrade firmware

    For some reason any my WRT160N v2 router blocks access to the following Web site: www.cngoons.com

    I can connect on the site if I connect to the modem directly, or using the connection to the internet of someone else. However computers that connect through the router is unable to access the site via a web browser (IE, FF or Chrome), cannot ping the site, and a tracert also fails.

    I have reset the router by default, but the site is still blocked. I've upgraded to the latest firmware (WRT160Nv2_v2.0.03.009_US_code.bin) and the problem persists.

    Any ideas on what's going on?

    And after a search even more, I found this old thread dealing with the same question:

    http://homecommunity.Cisco.com/T5/wireless-routers/Linksys-router-blocked-website/TD-p/12917

    A solution is given at the end to change the MAC address of the router (I cloned MAC address of my PC), and then restart the cable modem. It worked for me!

  • Once the VPN connection is established, cannot ping or you connect other IP devices

    Try to get a RV016 installed and work so that people can work from home.  You will need to charge customers remote both WIN XP and MAC OS X.

    Have the configured router and works fine with the VPN Linksys client for WIN XP users.  Can connect, ping, mount the shared disks, print to printers to intellectual property, etc.

    Can connect to the router fine with two VPN clients third 3 for Mac: VPN Tracker and IPSecuritas.  However, once the connection is established, cannot ping the VPN LinkSYS router or any other IP address on the LAN Office.  Turn the firewall on or off makes no difference.

    Is there documentation anywhere that describes how the LinksysVPN for Windows Client communicates so these can be replicated in 3rd VPN clients from third parties for the Mac in OS X?

    The connection with IPSecuritas and VPN Tracker is performed using a shared key and a domain name.  It is not a conflict of IP address network between the client and the VPN 192.168.0.0/24 network.

    VPN Tracker and IPSecuritas are able to connect to the routers CISCO easy VPN with no poblem.

    Any ideas on how to get the RV016 to work for non-Windows users?

    We found and fixed the problem, so using VPN Tracker or current IPSecuritas on OS X people have access to the LAN via the RV016 machines. The "remote networks" in the screen BASE in VPN Tracker has been set on the entire subnet: 192.168.0.0/255.255.255.0 the in the RV016 has been set to the IP of 192.168.0.1 to 192.168.0.254 range. Even if the addresses are essentially the same, without specifying the full subnet in the RV016 has allowed the connection to do but prevented the VPN client machine to connect because the RV016 would pass all traffic to the Remote LAN. Change the setting of 'local group' in RV016 settings in the screen "VPN/summary/GroupVPN', 'Local Group Zone' for the subnet 192.168.0.0/24 full solved the problem.

  • ASUS laptop computer only connects if I'm sitting next to the router loses power after a few feet

    1. ASUS laptop computer only connects if I'm sitting next to the router loses power after a few feet
    2. new laptop

    I have the same problem with this ASUS Ultrabook. New brand ASUS but in two different houses and I have the same problems. Get right next to the router and it connects ok. Get a few feet away from the router and the ASUS gets angry and does not connect. Downloaded the latest driver, but that did not help either. Obviously, this is a faulty piece of equipment in the laptop. Great joy!

  • Satellite T110-11U - cannot find the router WLAN

    Hello

    I have a Toshiba Satellite T110-11U. Have had since February and loved it-fortunately it wireless used throughout the House. Then one day on a month, unless I was in the same room that the wireless router, Wireless does not work. I have 2 other laptops (and iPhone) which still connect wirelessly throughout the House and the garden without problem.
    As you can imagine, it was very strange. When I take in the garden, my other laptops are all networks wireless in the region, but my Toshiba can't find any.

    Suspecting it was a driver problem, I made sure that the wireless drivers are up-to-date. With no joy, I got the system as it was at the time of purchase (do a complete restoration by interupting, starting and leaving the hard drive to be deleted and reinstalled etc.). Still the same problem. I even changed the rooms in which the router is, and the same problem - the Toshiba cannot find the router unless the router is located a few meters from the laptop.

    Until I lose the will to live, can anyone suggest the cause of my problems, or is it time I admitted defeat and brought back to the Comet under warranty (where likely test next to a wireless router and tell me everything is fine!).

    Thank you very much

    Steve.

    Hey Buddy,

    Did you check if the wireless network card is recognized correctly in the Device Manager? There may be a yellow exclamation or unknown device. Try also updating the driver WLAN from Toshiba Web site:
    http://APS2.toshiba-tro.de/WLAN/

    See all other WLAN routers?
    The wireless network card can be activated using a combination of keys FN + F8 and in the BIOS. In the BIOS, you should also load default settings and test again.

  • VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

    I tried to set up a simple customer vpn using this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

    VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

    6.3 (5) PIX version

    interface ethernet0 car

    Auto interface ethernet1

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the encrypted password of VmHKIhnF4Gs5AWk3

    VmHKIhnF4Gs5AWk3 encrypted passwd

    hostname VOIPLABPIX

    domain voicelab.com

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol they 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

    pager lines 24

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside 208.x.x.11 255.255.255.0

    IP address inside 172.10.2.2 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool voicelabpool 172.10.3.100 - 172.10.3.254

    history of PDM activate

    ARP timeout 14400

    NAT (inside) - 0 102 access list

    Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

    Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + 3 max-failed-attempts

    AAA-server GANYMEDE + deadtime 10

    RADIUS Protocol RADIUS AAA server

    AAA-server RADIUS 3 max-failed-attempts

    AAA-RADIUS deadtime 10 Server

    AAA-server local LOCAL Protocol

    Enable http server

    http 172.0.0.0 255.0.0.0 inside

    http 0.0.0.0 0.0.0.0 inside

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac

    Crypto-map dynamic map2 10 set transform-set trmset1

    map map1 10 ipsec-isakmp crypto dynamic map2

    client authentication card crypto LOCAL map1

    map1 outside crypto map interface

    ISAKMP allows outside

    ISAKMP identity address

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 encryption aes-256

    ISAKMP policy 10 sha hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    vpngroup address voicelabpool pool cuclab

    vpngroup dns 204.x.x.10 Server cuclab

    vpngroup cuclab by default-field voicelab.com

    vpngroup split tunnel 101 cuclab

    vpngroup idle 1800 cuclab-time

    vpngroup password cuclab *.

    Telnet timeout 5

    SSH 208.x.x.11 255.255.255.255 outside

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 172.10.1.2 255.255.255.255 inside

    SSH timeout 60

    Console timeout 0

    username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2

    Terminal width 80

    Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

    : end

    Try to turn on NAT - T

    PIX (config) #isakmp nat-traversal 20

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

    HTH

  • Cannot ping the Virtual Machine by host

    Hi all,

    Please help, I use VMWare Workstation 6.5 and I have a physical operating system which is Windows XP SP2, I have a network card, but not connected to a physical switch, the IP address is 192.168.0.1. I installed a Virtual Machine using Microsoft Windows 2003 server as the operating system, promote as domain controller, install the DHCP, DNS service and assign an IP 192.168.0.2, no default gateway.

    My VMnet1 on physical operating system has an IP 192.168.204.1 and VMNet8 has an IP 192.168.126.1.

    The host, I cannot ping the 192.168.0.2 which is the IP address of the Virtual Machine. Even in the Virtual Machine, I can not ping 192.168.0.1 is the IP address of the host. From what I read, the physical and the virtual machine were connected with a virtual switch. Am I wrong?

    Any advice?

    Thanks in advance.

    They SEEM to be in different networks, you need search routing between them,... since they differnet networks...

    on the other

    they do host and the virtual machine on the same subnet / network for EXAMPLE: class C class network 192.168.200.0/24

    granting of points if my answer was helpful... Thank you > > > > > > > >

    concerning

    Joe

  • Can ping the router and the computers to the network, but not beyond router

    I have 2 computers in linux and 3 Windows XP computers.  All can ping the router and inside my network.  Anyone can browse the internet.  None can ping outside my network (google.com or its IP address) if connected directly via the switch or router.  Traceroute shows stopping at the router.  Router firewall is disabled.  Ping on the router tool not working anymore. Linksys WRT54G Router is and I've just updated to firmware 4.21.1 but the old firmware is has never worked. I use 192.168.1.1 for the router.  Linux has some IP fixed all the other usind DHCP.  ISP is a provider of mobile phone to the modem.  Just like cable or DSL, I guess.  I've looked everywhere with no solutions.  Anyone have any ideas?

    Yes, contact your ISP to get it resolved.

  • I can't access my linksys router using 192,168.1.1 or ping the router or research on the ipconfig command.

    Access router

    I can't access my linksys router using 192,168.1.1 or ping the router or research on the ipconfig command. 192.168.1.1 is the URL and only worked twice in the multiple attempts

    Are you absolutely sure this is the IP address of the gateway?

    Open a command prompt and type "ipconfig/all" (without the quotes, noting the space between ipconfig and / all) and see what it teaches you about the IP Address of the default gateway.

  • After that stright connected to iSCSI (initiator) Host cannot ping the server iSCSI (target), but the target can, why?

    After that host on vSHere 4.0 strightly connected to iSCSI (initiator) host cannot ping the server iSCSI (target), but target can.  And iSCSI works well. I mean I can create and use the iSCSI disk, why? It makes me confused.

    Thank you!

    Geoarge,

    iSCSI traffic uses a VMkernel port, instead of using the command 'ping', use 'vmkping '.

    André

  • Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2

    I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.

    I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.

    I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
    =========================================================

    Here is a skeleton of the FWa configuration:

    name 172.16.1.0 network-inside
    name 192.168.20.0 HprCnc Thesys
    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name S.S.S.S outside-interface

    interface Vlan1
    nameif inside
    security-level 100
    IP 172.16.1.1 255.255.255.0
    !
    interface Vlan2
    Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
    nameif outside
    security-level 0
    outside interface IP address 255.255.255.240

    the DM_INLINE_NETWORK_5 object-group network
    network-object HprCnc Thesys 255.255.255.0
    ring52-network 255.255.255.0 network-object
    ring53-network 255.255.255.0 network-object

    the DM_INLINE_NETWORK_3 object-group network
    ring52-network 255.255.255.0 network-object
    network-object HprCnc Thesys 255.255.255.0
    ring53-network 255.255.255.0 network-object

    outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
    inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
    permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0

    NAT (inside) 0 access-list sheep
    NAT (inside) 101-list of access inside_nat_outbound
    NAT (inside) 101 0.0.0.0 0.0.0.0
    NAT (outside) 0-list of access Outside_nat0_outbound

    card crypto VPN 5 corresponds to the address Outside_5_cryptomap
    card crypto VPN 5 set pfs Group1
    VPN 5 set peer D.D.D.D crypto card
    VPN 5 value transform-set VPN crypto card
    tunnel-group D.D.D.D type ipsec-l2l
    IPSec-attributes tunnel-Group D.D.D.D
    pre-shared key *.

    =========================================================

    FWb:

    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name 10.51.100.0 ring51-network
    name 10.54.100.0 ring54-network

    interface Vlan1
    nameif inside
    security-level 100
    address 192.168.20.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    address IP D.D.D.D 255.255.255.240
    !
    interface Vlan52
    prior to interface Vlan1
    nameif inside2
    security-level 100
    IP 10.52.100.10 255.255.255.0

    the DM_INLINE_NETWORK_3 object-group network
    ring52-network 255.255.255.0 network-object
    ring53-network 255.255.255.0 network-object

    the DM_INLINE_NETWORK_2 object-group network
    ring52-network 255.255.255.0 network-object
    object-network 192.168.20.0 255.255.255.0
    ring53-network 255.255.255.0 network-object

    inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
    inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host

    outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host

    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside2_nat0_outbound (inside2) NAT 0 access list
    NAT (inside2) 1 0.0.0.0 0.0.0.0

    Route inside2 network ring51 255.255.255.0 10.52.100.1 1
    Route inside2 network ring53 255.255.255.0 10.52.100.1 1
    Route inside2 network ring54 255.255.255.0 10.52.100.1 1

    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set pfs Group1
    outside_map game 1 card crypto peer S.S.S.S
    card crypto outside_map 1 set of transformation-ESP-3DES-SHA
    outside_map interface card crypto outside

    tunnel-group S.S.S.S type ipsec-l2l
    IPSec-attributes tunnel-group S.S.S.S
    pre-shared key *.

    =========================================================================
    I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.

    Ping Successul FWa inside the interface on FWb

    FWa # ping 192.168.20.1
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
    Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
    ! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
    ....

    FWb #.
    Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
    ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
    ==============================================================================
    Successful ping of Fwa on a host connected to the inside interface on FWb

    FWa # ping 192.168.20.15
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
    Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
    ! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
    ...

    FWb #.
    Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
    ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72

    ===========================
    Unsuccessful ping of FWa to inside2 on FWb interface

    FWa # ping 10.52.100.10
    Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
    Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
    ? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
    ...

    FWb #.
    10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
    10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
    ....

    ==================================================================================

    Unsuccessful ping of Fwa to a host of related UI inside2 on FWb

    FWa # ping 10.52.100.1
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
    Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72

    FWb #.
    Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
    Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72

    =======================

    Thank you

    Hi odelaporte2,

    Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.

    This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.

    It may be useful

    -Randy-

  • VPN - cannot ping the next hop

    Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)

    What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.

    Here is my design of the network and the config below:

    Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)

    Router Cisco 881

    AAA new-model

    !

    AAA of authentication ppp default local

    !

    VPDN enable

    !

    !

    VPDN-group VPDN PPTP

    !

    accept-dialin

    Pptp Protocol

    virtual-model 1

    !

    interface FastEthernet0

    Description link to switch

    switchport access vlan 5

    !

    interface FastEthernet1

    no ip address

    !

    interface FastEthernet2

    no ip address

    !

    interface FastEthernet3

    switchport access vlan 70

    no ip address

    !

    interface FastEthernet4

    Description INTERNET WAN PORT

    IP [IP EXTERNAL address]

    NAT outside IP

    IP virtual-reassembly in

    full duplex

    Speed 100

    card crypto VPN1

    !

    interface Vlan1

    no ip address

    !

    interface Vlan5

    Description $ES_LAN$

    IP 192.168.5.1 255.255.255.248

    no ip redirection

    no ip unreachable

    IP nat inside

    IP virtual-reassembly in

    !

    interface Vlan70

    IP [IP EXTERNAL address]

    IP virtual-reassembly in

    IP tcp adjust-mss 1452

    !

    !

    !

    interface virtual-Template1

    IP unnumbered FastEthernet4

    encapsulation ppp

    peer default ip address pool defaultpool

    Ms-chap PPP chap authentication protocol

    !

    IP local pool defaultpool 192.168.10.200 192.168.10.210

    IP forward-Protocol ND

    IP http server

    23 class IP http access

    local IP http authentication

    IP http secure server

    IP http timeout policy inactive 600 life 86400 request 10000

    !

    overload of IP nat inside source list no. - NAT interface FastEthernet4

    IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]

    Route IP 192.168.0.0 255.255.0.0 192.168.5.2

    !

    No. - NAT extended IP access list

    deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255

    IP 192.168.0.0 allow 0.0.255.255 everything

    VLAN70 extended IP access list

    ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255

    permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp

    permit tcp [IP EXTERNAL] 0.0.0.15 any eq www

    permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15

    permit tcp [IP EXTERNAL] 0.0.0.15 any eq field

    permits any udp [IP EXTERNAL] 0.0.0.15 eq field

    list of IP - VPN access scope

    IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255

    Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255

    WAN extended IP access list

    !

    Layer 3 switch - Dell Powerconnect 6224

    !

    IP routing

    IP route 0.0.0.0 0.0.0.0 192.168.5.1

    interface vlan 5

    name "to connect to the Cisco router.

    Routing

    IP 192.168.5.2 255.255.255.248

    output

    !

    interface vlan 10

    "internal network" name

    Routing

    IP 192.168.10.1 255.255.255.0

    output

    !

    interface ethernet 1/g12

    switchport mode acesss vlan 5

    output

    !

    interface ethernet 1/g29

    switchport mode access vlan 10

    output

    !

    Hi Samuel,.

    I went through your configuration and picked up a few problematic lines...

    First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.

    The cleaner for this is,

    Create a new interface of back of loop with a new subnet

    !

    loopback interface 0

    192.168.99.1 IP address 255.255.255.0

    !

    New vpn set up, pool

    !

    IP local pool defaultpool 192.168.99.200 192.168.99.210

    !

    Change your template to point the new loopback interface,

    !

    interface virtual-Template1

    IP unnumbered loopback0

    encapsulation ppp

    peer default ip address pool defaultpool

    Ms-chap PPP chap authentication protocol

    !

    All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.

    PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)

    I hope this helps.

    Please don't forget to rate/brand of useful messages

    Shamal

  • Cisco 5505, inside, I cannot ping the external IP of the router, but inside I can ping anything else

    Hello

    5505 Cisco's internal IP: 10.10.0.1 static, securty level 100

    External IP of Cisco 5505: 36.X.X.23 Dhcp, 0 security level

    of within peut all host external example ping by host 10.10.0.3 to google.com

    inside peut ping all domestic example of the host, host 10.10.0.3 to 10.10.0.5 included the internal IP of Cisco 10.10.0.1

    inside peut ping ip network address different on the same network from my router external example the host 36.x.x.25

    cannot ping inside the IP 36.X.X.23?

    from outside peuvent ping the IP 36.X.X.23

    outside peuvent ping different extenal network 36.X.X.X network ip

     
    How can I ping the 36.X.X.23 of the Interior, any suggestions?

    It's called background management which is not supported in the ASA

    https://Tools.Cisco.com/bugsearch/bug/CSCtd86651

    That's why is not and this will never work the ASA design does not

    It will be useful.

  • SharePoint site cannot use the explore display

    Hello

    I have a sharepoint site that I used to upload and download documents in which I am not able to use the option 'Explorer View'
    When I try that it show windows cannot display the page web error
    The site is located in the Local intranet zone and I am running Win 7 with IE8
    Thank you
    SID

    Hi yerleştiriniz,

    The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in SharePoint from TechNet Forums.

    http://social.technet.Microsoft.com/forums/en-us/category/SharePoint

    It will be useful.

  • Connected to the ASA via the "VPN Client" software, but cannot ping devices.

    I have a network that looks like this:

    I successfully connected inside the ASA via a software "Client VPN" tunnel network and got an IP address of 10.45.99.100/16.

    I am trying to ping the 10.45.99.100 outside 10.45.7.2, but the ping fails (request timed out).

    On the SAA, including the "logging console notifications" value, I notice the following message is displayed:

    "% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; "Connection for icmp src, dst outside: 10.45.99.100 inside: 10.45.7.2 (type 8, code 0) rejected due to the failure of reverse path of NAT.

    I have a vague feeling that I'm missing a NAT rule of course, but not all. What did I miss?

    Here is my configuration of ASA: http://pastebin.com/raw.php?i=ad6p1Zac

    Hello

    You seem to have a configured ACL NAT0 but is not actually in use with a command "nat"

    You would probably need

    NAT (inside) 0-list of access inside_nat0_outside

    He must manage the NAT0

    Personally, I would avoid using large subnets/networks. You probably won't ever have host behind ASA who would fill / 16 subnet mask.

    I would also keep the pool VPN as a separate network from LANs behind ASA. The LAN 10.45.0.0/16 and 10.45.99.100 - 200 are on the same network.

    -Jouni

Maybe you are looking for