Remote Access VPN - Unable to ping or access any service

dedra_live
Level 1

Hello,

I have configured Remote Access VPN on ASA version 7.2 for access to our inside network from the internet. The Cisco VPN client successfully connects and is assigned an internal IP. However, after connectivity is established I am not able to ping or telnet to a service on any of the inside hosts.

Below is my configuration. Please advise what I may be missing in the configs. For now we want to access inside host 192.168.168.221.

Thanks.


access-list inside_nat0_outbound_1 extended permit ip any host 192.168.168.221
access-list COVPN_splitTunnelAcl standard permit any

ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0


nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.168.0 255.255.255.0


group-policy COVPN internal
group-policy COVPN attributes

vpn-simultaneous-logins 50
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value COVPN_splitTunnelAcl


crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30

tunnel-group COVPN type ipsec-ra
tunnel-group COVPN general-attributes
address-pool COVPN_Pool
default-group-policy COVPN
tunnel-group COVPN ipsec-attributes
pre-shared-key *

6 Replies

Jennifer Halim
Cisco Employee

You can't assign the vpn client 192.168.168.221 if that is actually an ip address in your internal host that you would like to access.

I would recommend that you change the ip pool to a unique subnet from the inside network.

Assuming that subnet 192.168.100.0/24 is unique/available to be used, here is an example based on the config you posted:

tunnel-group COVPN general-attributes
    no address-pool COVPN_Pool

no ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0

ip local pool COVPN_Pool 192.168.100.221-192.168.100.230 mask 255.255.255.0

tunnel-group COVPN general-attributes
    address-pool COVPN_Pool

access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 192.168.100.0 255.255.255.0

no access-list inside_nat0_outbound_1 extended permit ip any host 192.168.168.221

access-list COVPN_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0

no access-list COVPN_splitTunnelAcl standard permit any

"clear xlate" after the above changes, and reconnect to your vpn client.

The above should resolve your issue. Hope that helps.

Thanks for the reply.

We only have two segments defined: inside and outside. Hence I cannot assign a unique subnet other than the inside. I have configured Remote Access VPN on another ASA with similar segmentation and it has worked fine.

So I am using 192.168.168.221 - 192.168.168.230 for VPN client pool. And no other inside host is assigned this IP. Hence I am sure there would not be any conflict. As I am the first one to connect over VPN, the IP assigned is 192.168.168.221.

For now, this is my configuration and it is still not able to ping any live unique host on the inside network.

access-list COVPN_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 host 192.168.168.221

ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.168.0 255.255.255.0

group-policy COVPN internal
group-policy COVPN attributes
vpn-simultaneous-logins 50
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value COVPN_splitTunnelAcl

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30


tunnel-group COVPN type ipsec-ra
tunnel-group COVPN general-attributes
address-pool COVPN_Pool
default-group-policy COVPN
tunnel-group COVPN ipsec-attributes
pre-shared-key *

Ok. I am able to telnet now on several ports such as RDP etc. However, I am still not able to ping. The Windows firewall has been set to off on the destination hosts. Is something specific required to enable pings to inside hosts over remote access VPN?

Add the following, it should allow ping:

policy-map global_policy
class inspection_default

     inspect icmp

Hope that helps.

The inspect icmp is already added to global policy map. Yet the ping is not responding.

Can you please advise which IP address you are trying to ping on the inside, as well as which IP address is being assigned when you are connected to the VPN? Please also post the whole config.

As advised earlier, it is recommended to have a different subnet for the inside network and the VPN IP pool so that traffic can be routed correctly.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

If you check the sample configuration, the inside network is in 10.11.1.0/24 subnet while the ip pool for VPN is in 10.16.20.0/24.
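The two points the replies keep returning to (a VPN pool that overlaps the inside subnet, and a `nat (inside) 0` exemption ACL that does not cover the whole pool) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from Cisco. It parses only the handful of ASA 7.x statements that appear in the posted config, infers the inside subnet from the `nat (inside) 1 <net> <mask>` statement (an assumption that holds for this thread's config but not for every ASA), and runs the check against two constructed samples: the poster's second config and the same snippet with the first reply's suggested changes applied.

```python
"""Lint an ASA 7.x remote-access VPN snippet for the two problems discussed
in the thread: an address pool that overlaps the inside subnet, and a nat 0
exemption ACL that does not cover the whole pool."""
import ipaddress
import re

# Constructed sample: the relevant lines from the poster's second config.
POSTED_CONFIG = """\
access-list COVPN_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 host 192.168.168.221
ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.168.0 255.255.255.0
"""

# Constructed sample: the same snippet after the first reply's suggested changes.
FIXED_CONFIG = """\
access-list COVPN_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool COVPN_Pool 192.168.100.221-192.168.100.230 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.168.0 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
# Assumption: the inside subnet is whatever 'nat (inside) N net mask' (N != 0) names.
NAT_NET_RE = re.compile(r"^nat \(inside\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
NAT0_ACL_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def _addr(tokens, i):
    """Consume one ASA address spec (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted-decimal masks, which is what ASA 7.x ACLs use.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pools(config):
    """Return {pool_name: [networks summarizing the pool's address range]}."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            first, last = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools[m[1]] = list(ipaddress.summarize_address_range(first, last))
    return pools


def parse_inside_networks(config):
    """Inside subnets from 'nat (inside) N net mask' statements with N != 0."""
    nets = []
    for line in config.splitlines():
        m = NAT_NET_RE.match(line.strip())
        if m and m[1] != "0":
            nets.append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
    return nets


def parse_nat0_acl(config):
    """(src, dst) network pairs of the ACL referenced by 'nat (inside) 0'."""
    name = None
    for line in config.splitlines():
        m = NAT0_ACL_RE.match(line.strip())
        if m:
            name = m[1]
    pairs = []
    if name is None:
        return pairs
    prefix = f"access-list {name} extended permit ip "
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            tokens = line[len(prefix):].split()
            src, i = _addr(tokens, 0)
            dst, _ = _addr(tokens, i)
            pairs.append((src, dst))
    return pairs


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    inside_nets = parse_inside_networks(config)
    nat0 = parse_nat0_acl(config)
    for name, pool_nets in parse_pools(config).items():
        for inside in inside_nets:
            if any(inside.overlaps(p) for p in pool_nets):
                findings.append(f"pool {name} overlaps inside subnet {inside}")
            # Every block of the pool needs an exemption inside -> pool (or a superset).
            uncovered = [
                str(p) for p in pool_nets
                if not any(s.supernet_of(inside) and d.supernet_of(p) for s, d in nat0)
            ]
            if uncovered:
                findings.append(
                    f"nat 0 ACL does not exempt {inside} -> {', '.join(uncovered)} of pool {name}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

Against the posted config the lint reports both problems: the pool overlaps 192.168.168.0/24, and the exemption ACL only names host .221, so traffic to .222 through .230 would still hit the `nat (inside) 1` PAT rule. Against the corrected snippet it reports nothing. The split-tunnel ACL is left alone because the thread's later config already restricts it to the inside subnet.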
