I can not ping computers on my local network through a VPN client

Unanswered Question
Dec 22nd, 2009

I make a connection through Cisco VPN Client and ASA 5510. Yet I can not see the computers that are in the local network.

Todd Pula Tue, 12/22/2009 - 13:59

Here are a few questions to ask yourself in order to troubleshoot further.  Are you tunneling all traffic towards the ASA or are you configured for split tunneling? If split tunneling, does the client have a valid route to the destination network?  Do you see packets encapsulated on the client and decapsulated on the corresponding ASA IPSec SA?  Does the ASA know how to reach these hosts and do the hosts know how to get back to the ASA in order to reach the VPN client pool?  In the return path, do you see encaps/decaps on the SA and client statistics?  If you are using NAT, have you exempted the return traffic so that it bypasses the egress NAT process?

FRANCISCO IBARRA Tue, 12/22/2009 - 14:48

Well, the client sends packets but does not receive packets. I'm not using split tunneling. I think I am missing the return path from the ASA to the client. Here I put a bit of the config. I hope you can help me.

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.162.0 255.255.255.255.0
ip local pool Rmx 192.168.162.1-192.168.162.255 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

Todd Pula Tue, 12/22/2009 - 14:59

Based on this code snippet, return traffic from the 192.168.0.0/24 network destined for the vpn client pool 192.168.162.0/24 will be exempt from the NAT process.  I am assuming that you have a corresponding global command in your config.  I do see an input ACL configured on the inside interface.  You will also want to make sure that the return traffic is permitted through this ACL.  You have to look at both directions to see if the packet is able to get to the far side host but fails in the return path towards the ASA.  Look at the client statistics to see if you see the encap/decap counters incrementing.  Do you see the encap/decap counters incrementing on the corresponding ASA IPSec SA?  Does the ASA know how to get the packet to the far side host?  Enable a bidirectional packet capture on the ASA's inside interface to validate if the traffic is leaving/entering the ASA.  Make sure that Layer 3 devices along the path know how to get to the 192.168.162.0/24 network by way of the ASA.
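
The NAT-exemption question in the reply above is easy to get wrong by hand when the pool range and the nat0 ACL mask are set independently, so here is a small checker. It is an added example for this thread, not code posted by Todd, Francisco or Cisco. It assumes the inside LAN is given by the caller, reads only the `ip local pool`, `access-list ... extended permit ip` and `nat (inside) 0 access-list` lines (the ASA 7.x syntax shown in the thread), and the two sample configs are constructed from the snippets posted above.

```python
import ipaddress
import re

# Constructed sample, modelled on the nat0 / pool lines Francisco posted (not his full config).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.162.0 255.255.255.240
ip local pool Rmx 192.168.162.1-192.168.162.15 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Constructed mismatch: the pool was grown to /24 but the exemption ACE still covers only /28.
SAMPLE_CONFIG_TOO_SMALL = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.162.0 255.255.255.240
ip local pool Rmx 192.168.162.1-192.168.162.255 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def parse_config(text):
    """Collect pools, permit-ip ACEs (as src/dst networks) and nat0 bindings."""
    pools, acls, nat0 = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            name, start, end, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
            continue
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)   # interface -> ACL name
    return pools, acls, nat0


def _iter_range(start, end):
    ip = start
    while ip <= end:
        yield ip
        ip += 1


def check_nat_exemption(config_text, inside_lan, inside_if="inside"):
    """Return a list of findings; an empty list means every pool address is exempt
    from NAT for return traffic sourced anywhere in inside_lan."""
    lan = ipaddress.ip_network(inside_lan)
    pools, acls, nat0 = parse_config(config_text)
    acl_name = nat0.get(inside_if)
    if acl_name is None:
        return [f"no 'nat ({inside_if}) 0 access-list' statement"]
    entries = acls.get(acl_name, [])
    findings = []
    for pool_name, (start, end) in pools.items():
        # A pool inside the LAN itself breaks routing before NAT even matters.
        if start in lan or end in lan:
            findings.append(f"pool {pool_name} overlaps the inside LAN {lan}")
        # Every pool address must be matched by an ACE whose source covers the whole LAN.
        uncovered = [str(ip) for ip in _iter_range(start, end)
                     if not any(lan.subnet_of(src) and ip in dst for src, dst in entries)]
        if uncovered:
            findings.append(f"pool {pool_name}: {len(uncovered)} addresses not exempt, "
                            f"e.g. {uncovered[0]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("too small", SAMPLE_CONFIG_TOO_SMALL)):
        print(label, check_nat_exemption(cfg, "192.168.0.0/24") or "exemption complete")
```

Run it against a sanitized `show run` with the LAN behind the inside interface as the second argument; anything it prints is a pool address whose return traffic will hit `nat (inside) 101` and be PAT'd to the outside interface instead of going back through the tunnel.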

FRANCISCO IBARRA Tue, 12/22/2009 - 15:44

Could you tell me the steps to do what you suggest, Thanks.
On the client I do see the encrypted packets counter increase, but the packets are still not coming back.

busterswt Tue, 12/22/2009 - 20:25

Hello,

As the previous reader noted, you'll want to make sure your inbound ACL permits traffic from the 192.168.162.0/24 subnet, OR that sysopt connection permit-vpn is enabled:

cisco# sh run all sysopt

...

(no) sysopt connection permit-vpn

...

If that says 'no' in front of it, then you need to allow the 192.168.162.0 network on the inbound ACL. If it doesn't say no, then the ACL is being bypassed completely and we have a different situation here. If necessary, you can change the setting above by issuing the command in global config mode with or without the 'no' in front. Keep in mind by enabling this setting you are bypassing the inbound ACL for *all* VPN connections.

You might also check to make sure that the VPN client is modifying your route table. A 'netstat -nr' on the PC will show you what your default gateway is. It should be the IP you received from the ip pool (192.168.162.x). If it's not, and is still the IP of your PC's local network gateway, then the tunneling is not working properly.

If you could post your config (sanitized) then we might be able to tell you better what the problem could be.

James

P.S. If you need to run a bi-directional capture on the ASA, try this:

asa(config)# access-list traffic-cap extended permit ip 192.168.162.0 255.255.255.0 192.168.0.0 255.255.255.0

asa(config)# access-list traffic-cap extended permit ip 192.168.0.0 255.255.255.0 192.168.162.0 255.255.255.0

asa# capture mycap access-list traffic-cap interface outside
.... generate traffic from client to server over VPN (ie. ICMP) ...
asa# sh capture mycap
!!!!!!!(sample output)!!!!!!!
4 packets captured
   1: 22:41:44.305419 802.1Q vlan#2 P0 66.39.5.121 > 76.198.72.162: icmp: echo request
   2: 22:41:44.305770 802.1Q vlan#2 P0 76.198.72.162 > 66.39.5.121: icmp: echo reply
   3: 22:41:45.306838 802.1Q vlan#2 P0 66.39.5.121 > 76.198.72.162: icmp: echo request
   4: 22:41:45.306975 802.1Q vlan#2 P0 76.198.72.162 > 66.39.5.121: icmp: echo reply
4 packets shown
You can paste the output here (if there is any) so that someone can take a look.
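
Reading a bidirectional capture like the one above by eye is fine for four packets; for a longer one the question is simply whether echo requests from the pool cross the ASA and whether any replies come back. The following classifier is an added example for this thread, not code from James or Cisco. It assumes the `show capture` line format shown above (optional 802.1Q prefix, then `src > dst: icmp: echo request|reply`), takes the client pool and inside LAN as arguments, and the capture samples are constructed, not taken from Francisco's firewall.

```python
import ipaddress
import re

# Constructed one-way capture: four requests from the pool, no replies from the LAN.
SAMPLE_ONE_WAY = """\
4 packets captured
   1: 22:41:44.305419 802.1Q vlan#2 P0 192.168.162.1 > 192.168.0.10: icmp: echo request
   2: 22:41:45.306838 802.1Q vlan#2 P0 192.168.162.1 > 192.168.0.10: icmp: echo request
   3: 22:41:46.307000 802.1Q vlan#2 P0 192.168.162.1 > 192.168.0.10: icmp: echo request
   4: 22:41:47.307100 192.168.162.1 > 192.168.0.10: icmp: echo request
4 packets shown
"""

# Constructed healthy capture: request and reply pairs in both directions.
SAMPLE_TWO_WAY = """\
2 packets captured
   1: 22:41:44.305419 802.1Q vlan#2 P0 192.168.162.1 > 192.168.0.10: icmp: echo request
   2: 22:41:44.305770 802.1Q vlan#2 P0 192.168.0.10 > 192.168.162.1: icmp: echo reply
2 packets shown
"""

# seq: timestamp [802.1Q vlan#N Pn] src > dst: icmp: echo request|reply
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:.*?\s)?(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: echo (request|reply)")


def classify_icmp(capture_text, client_pool, inside_lan):
    """Count ICMP echo packets per direction between the VPN pool and the inside LAN."""
    pool = ipaddress.ip_network(client_pool)
    lan = ipaddress.ip_network(inside_lan)
    counts = {"req_client_to_lan": 0, "reply_lan_to_client": 0,
              "req_lan_to_client": 0, "reply_client_to_lan": 0, "other": 0}
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue   # header/footer lines and non-ICMP packets
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        kind = m.group(3)
        if src in pool and dst in lan:
            counts["req_client_to_lan" if kind == "request" else "reply_client_to_lan"] += 1
        elif src in lan and dst in pool:
            counts["reply_lan_to_client" if kind == "reply" else "req_lan_to_client"] += 1
        else:
            counts["other"] += 1
    return counts


def verdict(counts):
    """Map the counts onto the three troubleshooting branches discussed in the thread."""
    if counts["req_client_to_lan"] == 0:
        return ("nothing: no client-to-LAN echo requests seen on the ASA; "
                "check the client encap counter and the capture ACL/interface")
    if counts["reply_lan_to_client"] == 0:
        return ("one-way: requests cross the ASA but no replies come back; "
                "check the LAN host's route to the pool, the inside ACL and the NAT exemption")
    return ("two-way: requests and replies both cross the ASA; "
            "look at the client decap counter and the client host firewall")


if __name__ == "__main__":
    for label, cap in (("one-way", SAMPLE_ONE_WAY), ("two-way", SAMPLE_TWO_WAY)):
        c = classify_icmp(cap, "192.168.162.0/28", "192.168.0.0/24")
        print(label, c, "->", verdict(c))
```

Paste the output of `show capture mycap` into a file and feed it to `classify_icmp` with the pool and LAN from the config; the "one-way" verdict is the return-path failure Todd described, and the counts tell you which side to capture on next.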
FRANCISCO IBARRA Wed, 12/23/2009 - 14:46

Hi,
I tested with the command sh run sysopt all and I get the following output:

sysopt connection permit-vpn

I also checked the client, and the routing table entry appears to me as:

0.0.0.0 0.0.0.0 192.168.162.2 192.168.162.1 26

and this would be the configuration:

: Saved
:
ASA Version 7.2(4)
!
hostname asaprincipal

interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address *.*.*.* 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address *.*.*.* 255.255.255.0
management-only
!
ftp mode passive

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.162.0 255.255.255.240
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Rmx 192.168.162.1-192.168.162.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.*.* 255.255.255.255 inside
http 192.168.*.* 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer *.*.*.*
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy GRU internal
group-policy GRU attributes
vpn-tunnel-protocol IPSec
username usuario
username usuario attributes
vpn-group-policy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 1*.*.* type ipsec-l2l
tunnel-group 1*.*.* ipsec-attributes
pre-shared-key *
tunnel-group GRU type ipsec-ra
tunnel-group GRU general-attributes
address-pool Rmx
default-group-policy GRU
pre-shared-key *
tunnel-group GRU type ipsec-ra
tunnel-group GRU general-attributes
address-pool Rmc
default-group-policy GRU
tunnel-group GRU ipsec-attributes
pre-shared-key *
!
class-map csc_outbound_class
match access-list inspect_outbound
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map csc_out_policy
class csc_outbound_class
  csc fail-open
!
service-policy global_policy global

: end

I hope you can help me

busterswt Wed, 12/23/2009 - 15:47

Hi Francisco,

Is the client's local network *also* 192.168.162.0? Meaning, when you're not connected through VPN, what IP address does the client machine have?

The client VPN ip pool should be different from the client's normal network. From the look of it, your PC is configured with 192.168.162.1 and is getting 192.168.162.2 assigned to it as well when connected through the VPN. Unless I'm reading this incorrectly, you'll want to change the ip pool on the firewall to a different network completely, and also change the NAT exemption ACL to match.

James

FRANCISCO IBARRA Wed, 12/23/2009 - 16:08

hi,

The computer where I run the VPN client has a 192.168.1.x IP at first; when I make the connection, the network card keeps this address. The Cisco VPN interface gets a changing 192.168.162.x address.

thanks
