Cannot ping VPN client connected through ASA 5510

Orthman71 · ‎12-12-2008

Users can connect to the internal network through our ASA 5510 without an issue and can access all internal servers and shares. However, when a user is connected to the VPN the client cannot be seen by any systems on the internal network nor can they be pinged from inside the ASA 5510. I'm not familiar with this device so I'm not sure if this is by design or if it's a routing issue.

mike_guy29 · ‎12-12-2008

Hi,

The fact that you have said that the users can access all internal servers when connected would make me want to rule out a routing issue. For the clients to see the return traffc e.g. speaking to exchange or accessing files on the LAN, the network devices will need to know how to route back to the VPN subnet, e.g. point back towards your ASA. If the routing is ok and they can access files etc ok then it is likely to be an issue with a firewall etc. Perhaps the rules on the internal interface of the ASA?

If you are still having problems please provide more information on the setup, private IP addressing etc.

Thanks

Orthman71 · ‎12-12-2008

Hi,

Internally I can ping the the ASA 5510 that the VPN client connects to. If I telnet into the ASA and try to ping a client that is connected to to the VPN I still cannot ping the client.

Regards

Dave

Orthman71 · ‎12-12-2008

Our internal network is using 192.168.150.x, the ASA is using 192.168.151.x and the ASA is handing out IP range 10.10.1.x range.

JORGE RODRIGUEZ · ‎12-12-2008

Hi,

It is very posible your RA client has windows firewall turned on, could you confirm the RA vpn user machine has windows firewall turned off to better troubleshoot ICMP towards the RA client IP.

Rgds

Jorge

Jorge Rodriguez

Orthman71 · ‎12-12-2008

Jorge,

All of our systems have the windows firewall turned off, users do not have the ability to change that. I've also tested the issue using my laptop as a test with the same results and I do not have the windows firewall on.

Dave

JORGE RODRIGUEZ · ‎12-12-2008

Dave,

Perhaps I did not read carefully your post, if I still do please tell me.. what you are indicating is the RA clients can ping and get to any resources on the inside correct? you can ping from hosts on the inside LAN the RA client IP address , if all above is correct you are fine.

but you cannot ping RA client IPs from the ASA? you can't ping RA ips until you allow icmp on the oustide interface.

if you do from the ASA a low level debug you will see the following output , this is when icmp is blocked on the outside.

from a test lab fw outside interface is 63.x.x.4 interface 2

RA vpn client ip 10.20.20.20

sending a ping from asa to 10.20.20.20

asa(config)#terminal monitor

asa(config)#debug icmp trace

asa(config)#ping 10.20.20.20

ICMP echo request from 63.x.x.4 to 10.20.20.20 ID=4388 seq=25280 len=72

<163>Dec 12 2008 17:05:43: %ASA-3-313001: Denied ICMP type=0, code=0 from 10.20.20.20 on interface outside

ICMP echo reply from 10.20.20.20 to 63.x.x.4 ID=4388 seq=25280 len=72

Denied ICMP type = 0, code = 0 from 10.20.20.20on interface 2

Dec 12 2008 17:05:45: %ASA-6-302020: Built outbound ICMP connection for faddr 10.20.20.20/0 gaddr 63.x.x.4/4388 laddr

ICMP echo request from 63.x.x.4 to 10.20.20.20 ID=4388 seq=25280 len=72

<163>Dec 12 2008 17:05:45: %ASA-3-313001: Denied ICMP type=0, code=0 from 10.20.20.20 on interface outside

ICMP echo reply from 10.20.20.20 to 63.x.x.4 ID=4388 seq=25280 len=72

Denied ICMP type = 0, code = 0 from 10.20.20.20on interface 2

Dec 12 2008 17:05:47: %ASA-6-302020: Built outbound ICMP connection for faddr 10.20.20.20/0 gaddr 63.x.x.4/4388 laddr

ICMP echo request from 63.x.x.4 to 10.20.20.20 ID=4388 seq=25280 le

To overcome this you need.

asa(config)# no icmp deny any outside

or

asa(config)#icmp permit any outside

asa(config)# ping 10.20.20.20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.20.20.20, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

I would not recommend to enable icmp on the oustide interface unless you want to troubleshoot something , otherwise keep icmp blocked on the outside interface.

Rgds

Jorge

PLS rate helpful posts if it helped

Jorge Rodriguez

Orthman71 · ‎12-15-2008

Jorge,

The ASA is configured to allow icmp to the outside. I can ping internet IP addresses and some private IP addresses. I cannot ping the IP range that the ASA is handing out to the VPN clients. That is where the issue is I believe. I'm also fairly certain the routing is setup correctly for the inside to contact the VPN range the ASA hands out to the VPN clients. That is why this issue seems strange.

Regards

Dave