Can’t ping ASA inside interface over IPSec VPN

610

Even though, IPSec VPN is successfully established between 2 ends of your network, you can’t ping ASA inside over IPSec VPN from the other end. Basically, you cannot remotely manage Cisco ASA through the VPN tunnel. You also noticed that inside interface is reachable from LAN.

The problem is with manual NAT statement that overlaps with Management-access interface IP address. Adding “route-lookup” keyword at the end of NAT statement resolves the issue.

Overlapping NAT statement:

nat (inside,outside) source static sn-10.1.120.0 sn-10.1.120.0 destination static wv-192.168.1.0 wv-192.168.1.0

Solution:

nat (inside,outside) source static sn-10.1.120.0 sn-10.1.120.0 destination static wv-192.168.1.0 wv-192.168.1.0 route-lookup

You do not need to delete and recreate NAT statement, just execute the same NAT statement by adding route-lookup at the end.

 

·


Related Articles & Comments

Menu Title
%d bloggers like this: