12-12-2008 07:34 AM
Users can connect to the internal network through our ASA 5510 without an issue and can access all internal servers and shares. However, when a user is connected to the VPN the client cannot be seen by any systems on the internal network nor can they be pinged from inside the ASA 5510. I'm not familiar with this device so I'm not sure if this is by design or if it's a routing issue.
12-12-2008 08:09 AM
Hi,
The fact that you have said that the users can access all internal servers when connected would make me want to rule out a routing issue. For the clients to see the return traffic, e.g. speaking to Exchange or accessing files on the LAN, the network devices will need to know how to route back to the VPN subnet, e.g. point back towards your ASA. If the routing is OK and they can access files etc. OK, then it is likely to be an issue with a firewall etc. Perhaps the rules on the internal interface of the ASA?
If you are still having problems please provide more information on the setup, private IP addressing etc.
Thanks
12-12-2008 08:19 AM
Hi,
Internally I can ping the ASA 5510 that the VPN client connects to. If I telnet into the ASA and try to ping a client that is connected to the VPN, I still cannot ping the client.
Regards
Dave
12-12-2008 08:34 AM
Our internal network is using 192.168.150.x, the ASA is using 192.168.151.x, and the ASA is handing out the 10.10.1.x range.
12-12-2008 11:00 AM
Hi,
It is very possible your RA client has Windows Firewall turned on. Could you confirm that the RA VPN user's machine has Windows Firewall turned off, to better troubleshoot ICMP towards the RA client IP?
Rgds
Jorge
12-12-2008 11:15 AM
Jorge,
All of our systems have Windows Firewall turned off; users do not have the ability to change that. I've also tested the issue using my laptop with the same results, and I do not have Windows Firewall on.
Dave
12-12-2008 02:42 PM
Dave,
Perhaps I did not read your post carefully; if I still have it wrong, please tell me. What you are indicating is that the RA clients can ping and get to any resources on the inside, correct? And you can ping the RA client IP address from hosts on the inside LAN? If all of the above is correct, you are fine.
But you cannot ping RA client IPs from the ASA? You can't ping RA IPs until you allow ICMP on the outside interface.
If you do a low-level debug from the ASA you will see the following output; this is when ICMP is blocked on the outside.
From a test lab FW: the outside interface is 63.x.x.4 (interface 2).
RA VPN client IP: 10.20.20.20
Sending a ping from the ASA to 10.20.20.20:
asa(config)#terminal monitor
asa(config)#debug icmp trace
asa(config)#ping 10.20.20.20
ICMP echo request from 63.x.x.4 to 10.20.20.20 ID=4388 seq=25280 len=72
<163>Dec 12 2008 17:05:43: %ASA-3-313001: Denied ICMP type=0, code=0 from 10.20.20.20 on interface outside
ICMP echo reply from 10.20.20.20 to 63.x.x.4 ID=4388 seq=25280 len=72
Denied ICMP type = 0, code = 0 from 10.20.20.20on interface 2
Dec 12 2008 17:05:45: %ASA-6-302020: Built outbound ICMP connection for faddr 10.20.20.20/0 gaddr 63.x.x.4/4388 laddr
ICMP echo request from 63.x.x.4 to 10.20.20.20 ID=4388 seq=25280 len=72
<163>Dec 12 2008 17:05:45: %ASA-3-313001: Denied ICMP type=0, code=0 from 10.20.20.20 on interface outside
ICMP echo reply from 10.20.20.20 to 63.x.x.4 ID=4388 seq=25280 len=72
Denied ICMP type = 0, code = 0 from 10.20.20.20on interface 2
Dec 12 2008 17:05:47: %ASA-6-302020: Built outbound ICMP connection for faddr 10.20.20.20/0 gaddr 63.x.x.4/4388 laddr
ICMP echo request from 63.x.x.4 to 10.20.20.20 ID=4388 seq=25280 le
To overcome this you need:
asa(config)# no icmp deny any outside
or
asa(config)#icmp permit any outside
asa(config)# ping 10.20.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
I would not recommend enabling ICMP on the outside interface unless you want to troubleshoot something; otherwise keep ICMP blocked on the outside interface.
Rgds
Jorge
PLS rate helpful posts if it helped
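As an added example (not part of any post in this thread), a small Python parser for the %ASA-3-313001 and %ASA-6-302020 syslog lines shown in the debug output above, counting denied echo replies per source and interface so this symptom can be spotted in collected logs rather than only at the console. The log lines embedded in it are constructed from the thread's output, with a documentation address standing in for the masked 63.x.x.4.

```python
import re
from collections import Counter

# Header shared by ASA syslog lines: optional "<pri>" prefix, timestamp, %ASA-<sev>-<msgid>.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Body of message 313001, as seen in the debug output above.
DENIED_ICMP_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) from (?P<src>\S+) "
    r"on interface (?P<iface>\S+)"
)

def parse_asa_line(line):
    """Return a dict for a %ASA-* syslog line, or None for anything else (e.g. debug trace lines)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "severity": int(m["sev"]), "msgid": m["msgid"], "body": m["body"]}
    if rec["msgid"] == "313001":
        d = DENIED_ICMP_RE.match(rec["body"])
        if d:
            rec.update({"icmp_type": int(d["type"]), "icmp_code": int(d["code"]),
                        "src": d["src"], "iface": d["iface"]})
    return rec

def denied_echo_replies(lines):
    """Count 313001 denials of ICMP echo replies (type 0) per (source, interface).

    A steady stream of these for VPN client addresses on 'outside' is the signature of
    the ASA's own pings being answered but dropped by the interface ICMP policy.
    """
    counts = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["msgid"] == "313001" and rec.get("icmp_type") == 0:
            counts[(rec["src"], rec["iface"])] += 1
    return counts

# Constructed sample lines modelled on the thread's debug output (192.0.2.4 stands in for 63.x.x.4).
SAMPLE_LOG = [
    "<163>Dec 12 2008 17:05:43: %ASA-3-313001: Denied ICMP type=0, code=0 from 10.20.20.20 on interface outside",
    "Dec 12 2008 17:05:45: %ASA-6-302020: Built outbound ICMP connection for faddr 10.20.20.20/0 gaddr 192.0.2.4/4388 laddr 192.0.2.4/4388",
    "<163>Dec 12 2008 17:05:45: %ASA-3-313001: Denied ICMP type=0, code=0 from 10.20.20.20 on interface outside",
    "ICMP echo request from 192.0.2.4 to 10.20.20.20 ID=4388 seq=25280 len=72",
]

if __name__ == "__main__":
    for (src, iface), n in denied_echo_replies(SAMPLE_LOG).items():
        print(f"{n} echo replies from {src} denied on interface {iface}")
```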
12-15-2008 08:04 AM
Jorge,
The ASA is configured to allow ICMP to the outside. I can ping internet IP addresses and some private IP addresses. I cannot ping the IP range that the ASA is handing out to the VPN clients. That is where the issue is, I believe. I'm also fairly certain the routing is set up correctly for the inside to contact the VPN range the ASA hands out to the VPN clients. That is why this issue seems strange.
Regards
Dave