Problem after successful VPN connection - cant ping anything!

Unanswered Question
Feb 4th, 2010
User Badges:

Hi All


Im new to ASAs, I managed to setup a little ASA 5505 for remote vpn using the nice little built in vlans 1 and 2


I have started to configure an ASA 5540 (IOS 7.2 ASDM 5.2) for remote vpn and have come across a problem, VPN connects fine but the VPN client cannot ping anything. I think it is something to do with the IP pools and asa interface addresses but im stuck, please help!


Config:


: Saved
: Written by enable_15 at 11:40:27.315 UTC Thu Feb 4 2010
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 213.212.66.52 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.1.2-192.168.1.253 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 213.212.66.50 1
!
router rip
network 192.168.1.0
default-information originate
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 161.161.32.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy test internal
group-policy test attributes
vpn-tunnel-protocol IPSec
username lloydt password *********************** encrypted privilege 0
username lloydt attributes
vpn-group-policy test
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool testpool
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key test
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9164745af8d9026e14bbfb70ec77f97d
: end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pudawat Fri, 02/05/2010 - 11:38
User Badges:

Hi Tim,


You inside interface IP address is 192.168.1.1 and VPN pool is 192.168.1.2-253.Are there any IPs left for private network?




If you want to keep the VPN pool same i.e 192.168.1.x leave some ip addresses and the NONAT ACL would be:

access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


OTHERWISE,


Change you test pool to something else other than 192.168.1.x


edit the NONAT statement: access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

(taking the test pool as 192.168.2.x)




Thanks and Regards,

Pradhuman

Actions

This Discussion