05-14-2010 11:23 PM - edited 02-21-2020 04:39 PM
Hello,
I have configured Remote Access VPN on ASA 7.2 version for access to our inside network from the internet. The Cisco VPN client successfully connects and is assigned an internal IP. However, after connectivity is established I am not able to ping or telnet to services on any of the inside hosts.
Below is my configuration. Please advise what I may be missing in the configs. For now we want to access inside host 192.168.168.221.
Thanks.
access-list inside_nat0_outbound_1 extended permit ip any host 192.168.168.221
access-list COVPN_splitTunnelAcl standard permit any
ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.168.0 255.255.255.0
group-policy COVPN internal
group-policy COVPN attributes
vpn-simultaneous-logins 50
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value COVPN_splitTunnelAcl
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
tunnel-group COVPN type ipsec-ra
tunnel-group COVPN general-attributes
address-pool COVPN_Pool
default-group-policy COVPN
tunnel-group COVPN ipsec-attributes
pre-shared-key *
05-15-2010 12:24 AM
You can't assign the vpn client 192.168.168.221 if that is actually an ip address in your internal host that you would like to access.
I would recommend that you change the ip pool to a unique subnet from the inside network.
Assuming that subnet 192.168.100.0/24 is unique/available to be used,
Here is an example as per your config posted:
tunnel-group COVPN general-attributes
no address-pool COVPN_Pool
no ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0
ip local pool COVPN_Pool 192.168.100.221-192.168.100.230 mask 255.255.255.0
tunnel-group COVPN general-attributes
address-pool COVPN_Pool
access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 192.168.100.0 255.255.255.0
no access-list inside_nat0_outbound_1 extended permit ip any host 192.168.168.221
access-list COVPN_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
no access-list COVPN_splitTunnelAcl standard permit any
"clear xlate" after the above changes, and reconnect to your vpn client.
The above should resolve your issue. Hope that helps.
05-15-2010 03:16 AM
Thanks for the reply.
We only have two segments defined; inside and outside. Hence I cannot assign a unique subnet other than the inside. I have configured Remote Access VPN on another ASA with similar segmentation and it has worked fine.
So I am using 192.168.168.221 - 192.168.168.230 for VPN client pool. And no other inside host is assigned this IP. Hence I am sure there would not be any conflict. As I am the first one to connect over VPN, the IP assigned is 192.168.168.221.
For now, this is my configuration and it is still not able to ping any live unique host on the inside network.
access-list COVPN_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 host 192.168.168.221
ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.168.0 255.255.255.0
group-policy COVPN internal
group-policy COVPN attributes
vpn-simultaneous-logins 50
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value COVPN_splitTunnelAcl
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
tunnel-group COVPN type ipsec-ra
tunnel-group COVPN general-attributes
address-pool COVPN_Pool
default-group-policy COVPN
tunnel-group COVPN ipsec-attributes
pre-shared-key *
05-15-2010 03:40 AM
Ok. I am able to do telnet now on several ports such as RDP etc. However, I am still not able to ping. The windows firewall has been set to off on the destination hosts. Is something specific required to enable pings on remote access vpn for inside hosts?
05-15-2010 04:20 AM
Add the following, it should allow ping:
policy-map global_policy
class inspection_default
inspect icmp
Hope that helps.
05-15-2010 11:23 AM
The inspect icmp is already added to global policy map. Yet the ping is not responding.
05-15-2010 04:13 PM
Can you please advise which ip address you are trying to ping on the inside, as well as when you are connected to the VPN, what ip address is being assigned? Pls also post the whole config.
As advised earlier, it is recommended to have a different subnet between the inside and the ip pool for the VPN so traffic can be routed correctly.
Here is a sample configuration for your reference:
If you check the sample configuration, the inside network is in 10.11.1.0/24 subnet while the ip pool for VPN is in 10.16.20.0/24.
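The two points raised in the replies above (a VPN pool that overlaps the inside subnet, and a NAT-exemption ACL that does not cover inside-to-pool traffic) can be checked offline before touching the box. The script below is an added example, not part of the thread or a Cisco tool; it parses the relevant lines of the posted config with Python's standard library, assumes the inside interface subnet is 192.168.168.0/24 (inferred from the nat (inside) 1 statement), and uses two constructed samples trimmed from the original and corrected configs.

```python
import ipaddress
import re

# Constructed samples: the relevant lines from the thread's original config and from the corrected one.
ORIGINAL = """
ip local pool COVPN_Pool 192.168.168.221-192.168.168.230 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any host 192.168.168.221
nat (inside) 0 access-list inside_nat0_outbound_1
"""
CORRECTED = """
ip local pool COVPN_Pool 192.168.100.221-192.168.100.230 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.168.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
"""

def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A' or 'NET MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def pool_addresses(config):
    """Expand the 'ip local pool' range into the individual client addresses."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M)
    first, last = (int(ipaddress.ip_address(x)) for x in m.groups())
    return [ipaddress.ip_address(a) for a in range(first, last + 1)]

def nat0_aces(config, iface="inside"):
    """Return (src, dst) network pairs of the ACL bound by 'nat (iface) 0 access-list'."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", config, re.M)
    if not m:
        return []
    pattern = rf"^access-list {re.escape(m.group(1))} extended permit ip (.*)$"
    aces = []
    for rest in re.findall(pattern, config, re.M):
        src, rest = _endpoint(rest.split())
        dst, _ = _endpoint(rest)
        aces.append((src, dst))
    return aces

def check_vpn_pool(config, inside_net):
    """Flag an overlapping pool and a nat0 ACL that does not exempt inside -> every pool address."""
    net = ipaddress.ip_network(inside_net)
    pool = pool_addresses(config)
    aces = nat0_aces(config)
    exempt = [a for a in pool if any(net.subnet_of(s) and a in d for s, d in aces)]
    return {"pool_overlaps_inside": any(a in net for a in pool),
            "nat0_exempts_all_pool": len(exempt) == len(pool)}
```

Running check_vpn_pool on ORIGINAL reports both problems; on CORRECTED both checks pass, which matches the change recommended in the first reply.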