I am trying to configure a new ASA5505 with the base license for AnyConnect SSL VPN, and I am finally able to establish a connection, but I can't ping the ASA IP or any inside host. I did a similar configuration on a different model and it worked without any issue.
I have attached the config; the version on the ASA is 8.2(1). I also tried the same config on another similar model, a 5505 with base license and the same software version, and got the same error.

Thanks

asked 12/03/2011 08:50

Manojc3 ♦♦


4 Answers:
You won't be able to ping the ASA inside IP, but you should be able to ping inside devices.  Your config looks right to me, and if the device is a 5505, my guess is you don't have another router inside, so devices probably have a default gateway pointing to the ASA.  (That's always a potential issue, whether the recipient of the pings knows where to send its response.)  Are you sure the device you're pinging on the inside will accept a ping?  Is there a personal firewall in operation that would block pings?  Can you ping that device from the ASA itself?

answered

jmeggers

Yes, the ping should work from the VPN to the inside interface and also, as you mentioned, to the inside host. I tried this on an ASA5510 and it works. On the ASA5505 I am testing, I connected one PC in the inside network (IP 192.168.3.10, gateway set to the ASA inside interface IP 192.168.3.1). From the inside PC I can ping the ASA's internal IP 192.168.3.1. When I try to connect from a PC on the outside network, I am able to establish AnyConnect but cannot ping the inside PC 192.168.3.10 or other inside hosts. I can see the AnyConnect client gets the IP 172.16.0.1, and I am able to ping that IP only. Another strange thing I noticed: when I assign the vpnpool1 address to “tunnel-group AnyCnt general-attributes”, I am not able to establish the tunnel. It gives a message that no IP address is assigned. When I remove the tunnel-group IP and assign it to “group-policy SSL_Grp attributes”, it is able to establish the tunnel.

answered 2011-12-04 at 11:48:11

Manojc3

Hi,

At first look the config seems good. Did you reload the ASA?
This line is not needed:
access-list ssl_split_tunnel standard permit 172.16.0.0 255.255.0.0

answered 2011-12-04 at 23:51:16

ikalmar

I reloaded and it seems to be working fine.

answered 2011-12-10 at 13:27:10

Manojc3

Asked: 12/03/2011 08:50

Seen: 237 times

Last updated: 12/11/2011 05:05