On your internal network, do you have a route back to 10.0.3.x?
Hello. I know there are a lot of similar questions here. I've reviewed most of them and haven't been able to figure out the answer. I have an ASA 5505 with the below configuration. When I connect from a Cisco VPN Client (version 5), I am able to log in and establish a connection. When I attempt to ping the internal LAN, I get timeouts. When I ping the internal ASA interface it returns the pings resolved as the external interface IP address. I've read other posts where crypto isakmp nat-traversal does the trick, so I included that in the config, and it's not helping.
Anything you can do would be greatly appreciated.
: Saved
:
ASA Version 8.0(2)
!
hostname chi-fw1
domain-name ABC123.com
enable password JMfZP.BelKYwu9uu encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.194 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd PGktX.gI4nhIkOwV encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name ABC123.com
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.0.3.0 255.255.255.0
access-list ABC123_splitTunnelAcl standard permit 10.2.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn-client-addresspool 10.0.3.0-10.0.3.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.2.2.253
 key vpn
 radius-common-pw vpn
aaa-server RADIUS host 10.2.2.250
 key vpn
 radius-common-pw vpn
http server enable
http 10.2.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.2.2.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy ABC123 internal
group-policy ABC123 attributes
 wins-server value 10.2.2.253 10.2.2.250
 dns-server value 10.2.2.253 10.2.2.250
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ABC123_splitTunnelAcl
 default-domain value ABC123.local
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
tunnel-group ABC123 type remote-access
tunnel-group ABC123 general-attributes
 address-pool vpn-client-addresspool
 authentication-server-grou
 default-group-policy ABC123
tunnel-group ABC123 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:a005049f9a1
: end
Okay. Never mind. It turned out to be something stupid.
The ASA and the PIX are both on the same network with different IPs. The hosts I was trying to ping on the internal network still had their gateway set to the PIX. So the ping was getting to the internal network, but the reply couldn't find its way back to the ASA.
I took one host and set the gateway IP to the ASA and lo and behold, I could ping it through the VPN.
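The return-path problem described in the resolution above, modelled as an added example (not part of the original thread): it runs a longest-prefix match over an inside host's routing table and checks whether replies to the VPN pool go back through the ASA. The ASA address and pool come from the posted config; the PIX address 10.2.2.254, the routing tables, and the static-route alternative are assumptions made for illustration.

```python
import ipaddress

ASA_INSIDE = ipaddress.ip_address("10.2.2.1")    # ASA inside interface (posted config)
VPN_POOL = ipaddress.ip_network("10.0.3.0/24")   # vpn-client-addresspool (posted config)
PIX_INSIDE = ipaddress.ip_address("10.2.2.254")  # assumed: the PIX address is not in the thread
LAN = ipaddress.ip_network("10.2.2.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed routing tables for one inside host: (network, gateway); None = on-link.
HOST_AS_POSTED = [(LAN, None), (DEFAULT, PIX_INSIDE)]      # gateway still set to the PIX
HOST_GATEWAY_MOVED = [(LAN, None), (DEFAULT, ASA_INSIDE)]  # the asker's fix
HOST_STATIC_ROUTE = HOST_AS_POSTED + [(VPN_POOL, ASA_INSIDE)]  # assumed alternative fix


def next_hop(routes, dst):
    """Longest-prefix match; returns a gateway address, 'on-link' or 'unreachable'."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return "unreachable"
    gw = max(matches, key=lambda m: m[0].prefixlen)[1]
    return "on-link" if gw is None else gw


def pool_return_paths(routes, pool=VPN_POOL):
    """Count, per next hop, how many pool addresses the host would reply to via that hop."""
    hops = {}
    for client in pool.hosts():
        hop = next_hop(routes, client)
        hops[hop] = hops.get(hop, 0) + 1
    return hops


def replies_reach_asa(routes):
    """True only if every VPN pool address is routed back through the ASA."""
    return set(pool_return_paths(routes)) == {ASA_INSIDE}


if __name__ == "__main__":
    for name, table in [("as posted", HOST_AS_POSTED),
                        ("gateway moved to ASA", HOST_GATEWAY_MOVED),
                        ("static route for pool", HOST_STATIC_ROUTE)]:
        verdict = "OK" if replies_reach_asa(table) else "replies bypass the ASA"
        print(f"{name}: {verdict} {pool_return_paths(table)}")
```

Checking the whole pool rather than one address also catches a static route that covers only part of 10.0.3.0/24.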
by: tapke Posted on 2009-11-05 at 11:09:46 ID: 25752781
Have you tried ticking the "Save this password in your password list"? :-)