Strange VPN Remote Issue

Unanswered Question
May 11th, 2009

We have configured IPsec remote VPN on an ASA 5510. The remote client is able to successfully authenticate and establish a tunnel; however, the user is not able to ping any inside hosts. As a troubleshooting measure, I enabled ICMP trace 255, and I see the VPN client ICMP request and an echo reply back from the inside host hitting the inside interface of the firewall. Can you please go through the configuration and let me know if anything needs to be changed?

The path the user will take is:

VPN user --> Firewall (inside IP 10.10.10.2) --> L3 switch (10.10.10.1) --> Host (10.10.10.5)

John Blakley Mon, 05/11/2009 - 11:58
User Badges:
  • Purple, 4500 points or more

Does anything else seem to work other than ICMP?

Try:

same-security-traffic permit intra-interface

HTH,

John

ciscosom Mon, 05/11/2009 - 12:05

Thanks for responding, John. I modified the configuration as per your suggestion, but no luck. No traffic is being received back by the remote client. It looks like the return/response packet sent by the inside host to the remote client is reaching the ASA but is not entering the IPsec tunnel.


Debug ICMP trace output:

echo reply from inside:10.10.11.1 to outside:192.168.14.1 ID=1 seq=758 len2
ICMP echo request from outside:192.168.14.1 to inside:10.10.11.1 ID=1 seq=759 l2
ICMP echo reply from inside:10.10.11.1 to outside:192.168.14.1 ID=1 seq=759 len2
ICMP echo request from outside:192.168.14.1 to inside:10.10.11.1 ID=1 seq=760 l2
ICMP echo reply from inside:10.10.11.1 to outside:192.168.14.1 ID=1 seq=760 len2
ICMP echo request from outside:192.168.14.1 to inside:10.10.11.1 ID=1 seq=761 l2
ICMP echo reply from inside:10.10.11.1 to outside:192.168.14.1 ID=1 seq=761 len

John Blakley Mon, 05/11/2009 - 12:18
User Badges:
  • Purple, 4500 points or more

Are you trying to ping from 192.168.14.0 or are you trying to ping TO 192.168.14.0? Try adding "inspect icmp" to your default policy.


HTH,

John

ciscosom Mon, 05/11/2009 - 12:23

Hi John,

192.168.14.1 is the remote client IP assigned by the ASA IP pool. 10.10.10.1 is the L3 switch interface behind the firewall.

I am trying to ping from 192.168.14.1 (remote VPN client) ---> 10.10.10.1 (L3 switch).

John Blakley Mon, 05/11/2009 - 12:34
User Badges:
  • Purple, 4500 points or more

Can you ping the .14.1 address from the ASA?

John Blakley Mon, 05/11/2009 - 12:38
User Badges:
  • Purple, 4500 points or more

Do you have a route in your L3 switch back to the 192.168.14.0 subnet?

ciscosom Mon, 05/11/2009 - 12:46

Hi John,

Yes, the L3 switch has a default route pointing to the ASA.

I think if routing were an issue we would not have received the reply packets back from the host when we did the debug ICMP trace on the ASA. Your thoughts on this?

Also, I am not able to ping the remote client (192.168.14.1) from the ASA.

John Blakley Mon, 05/11/2009 - 12:52
User Badges:
  • Purple, 4500 points or more

You should at least be able to hit it from the ASA. What do you get back if you do a:

sh vpn-sessiondb remote

ciscosom Mon, 05/11/2009 - 13:03

First of all, I have no words to thank you!!

You are correct; ideally we should be able to ping the remote client from the ASA at least. I think that 10.10.0.0 is not going into the IPsec tunnel when the destination IP is 192.168.14.0 for some reason. Anyway, below is the remote DB output:


Session Type: IPsec

Username : Administrator Index : 2
Assigned IP : 192.168.14.1 Public IP : X.X.12.200
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 1828 Bytes Rx : 8518
Group Policy : tom Tunnel Group : tom
Login Time : 20:53:45 UTC Mon May 11 2009
Duration : 0h:00m:34s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

John Blakley Mon, 05/11/2009 - 13:06
User Badges:
  • Purple, 4500 points or more

Glad to help :) What are they using to connect with? Cisco's VPN client? Is the stateful firewall on by chance?


And let me get this right, you've always tried to ping from this side to the 192.168.14.0 side, or have you tried 192.168.14.1 -> 10.x.x.x?

ciscosom Mon, 05/11/2009 - 13:11

Yes, I have tried both directions:

192.168.14.0 (remote client) ---> 10.x.x.x (host behind firewall)

10.x.x.x (host behind firewall) --> remote client. No traffic at all.

Yes, remote users connect using Cisco VPN Client version 5.03XX.

No, the stateful firewall is OFF.

John Blakley Mon, 05/11/2009 - 13:23
User Badges:
  • Purple, 4500 points or more

Do you get an entry in your routing table for that host? What shows as its next hop?


Try this:

access-list VPN standard permit host 0.0.0.0
group-policy tom attrib
split-tunnel-policy excludespecified
split-tunnel-network-list value VPN

John

ciscosom Mon, 05/11/2009 - 18:27

I tried that too, but no luck. So I went ahead and opened a case with TAC; I will keep you posted on it. But again, thanks a ton for helping me on this issue. If you ever visit Atlanta, beer is on me.

nomair_83 Tue, 05/12/2009 - 12:22
User Badges:
  • Bronze, 100 points or more

Can you try specific networks rather than using "any" in your nat0 ACL?




ciscosom Tue, 05/12/2009 - 17:10

Thanks for taking the time to go through my issue, nomair. I modified the IPs, but that did not make any difference.
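The configuration pieces suggested across this thread, gathered into one added example (not the poster's, John's or nomair_83's actual configuration), with the nat0 ACL written against specific networks as nomair_83 suggests and two verification commands at the end. The ACL name "nonat" and the policy-map/class names are assumed ASA 8.2-era defaults; the addresses are the ones the posts above mention.

```cisco
! Added example, not the poster's configuration. ASA 8.2-era syntax (the thread
! is from 2009). Assumed names: ACL "nonat", policy-map "global_policy" and
! class "inspection_default" (ASA defaults). Addresses come from the thread:
! VPN pool 192.168.14.0/24, inside networks 10.10.10.0/24 and 10.10.11.0/24.
!
! 1. NAT exemption for return traffic to the pool. The broad form is what many
!    remote-access configs start with:
access-list nonat extended permit ip any 192.168.14.0 255.255.255.0
nat (inside) 0 access-list nonat
!
!    nomair_83's suggestion, with the inside networks named explicitly. Replace
!    the "any" entry rather than adding to it so the ACL has a single intent:
no access-list nonat extended permit ip any 192.168.14.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list nonat extended permit ip 10.10.11.0 255.255.255.0 192.168.14.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. John's two suggestions: allow traffic to leave through the interface it
!    arrived on, and inspect ICMP so echo replies are matched to the request's
!    connection entry.
same-security-traffic permit intra-interface
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 3. Checks. packet-tracer simulates the echo reply (ICMP type 0, code 0) from
!    the inside host toward the client and reports which phase (NAT, VPN, ACL)
!    passes or drops it.
packet-tracer input inside icmp 10.10.11.1 0 0 192.168.14.1 detailed
!    In the SA counters, "#pkts decaps" rising while "#pkts encaps" stays at 0
!    confirms the poster's suspicion that replies reach the ASA but never enter
!    the tunnel.
show crypto ipsec sa
```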
