Can't ping internal VPN network.

Answered Question

I am trying to figure out why my VPN client can not ping my internal network of 192.168.0.X. For example I can access my server thru a map network drive of \\192.168.0.14\Drive but I can't ping it. I am trying to troubleshoot some Avaya VPN phones and want to ensure that I can ping the required machines.


Thanks,

Manny



Here is my config



xxxx-ASA5505# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname xxxxxx
domain-name xxxx.com
enable password xxxxxxxx
passwd xxxxxx
names
name 192.168.2.0 Roosevelt
!
interface Vlan1
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.x.x.x. 255.255.255.240
!
interface Ethernet0/0
description Link to xx.x.x. Router
switchport access vlan 2
!
interface Ethernet0/1
description LINK to Linksys SR2024
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxxx.com
same-security-traffic permit intra-interface
access-list 110 extended permit tcp any host 173.xxxx eq 3389
access-list 110 extended permit tcp any host 173.xxxx eq www
access-list 110 extended permit tcp any host 173.xxxx eq smtp
access-list 110 extended permit tcp any host 173.xxxx eq domain
access-list 110 extended permit tcp any host 173.xxxx eq https
access-list 110 extended permit tcp any host 173.xxxx eq ftp
access-list 110 extended permit icmp any any
access-list 110 extended permit tcp any host 173.xxxx eq 3389
access-list 110 extended permit tcp any host 173.165.93.164 eq www
access-list 110 extended permit tcp any host 173.165.93.164 eq smtp
access-list 110 extended permit tcp any host 173.165.93.164 eq domain
access-list 110 extended permit tcp any host 173.165.93.164 eq https
access-list 110 extended permit tcp any host 173.165.93.164 eq ftp
access-list 110 extended permit tcp any host 173.165.93.163 eq 3389
access-list 110 extended permit tcp any host 173.165.93.163 eq www
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Roosevelt 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 Roosevelt 255.255.255.0
access-list CSC_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
logging asdm informational
mtu Inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.1.1-10.10.1.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 5 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 5 0.0.0.0 0.0.0.0
static (Inside,outside) 173.xxxx 192.168.0.14 netmask 255.255.255.255
static (Inside,outside) 173.xxxx 192.168.0.17 netmask 255.255.255.255
static (Inside,outside) 173.xxxx 192.168.0.12 netmask 255.255.255.255
static (Inside,outside) 173.xxxx 192.168.0.11 netmask 255.255.255.255
static (Inside,outside) 173.xxxx 192.168.0.13 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 173.xxxx 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Inside
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 99.xxxxx
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha    
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd dns 192.168.0.14 68.87.77.130
dhcpd wins 192.168.0.14
dhcpd domain xxxx.com
!
dhcpd address 192.168.0.50-192.168.0.150 Inside
dhcpd enable Inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CSC internal
group-policy CSC attributes
wins-server value 192.168.0.14
vpn-idle-timeout none
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CSC_splitTunnelAcl
username lrodriguez password xxxxxx
username lrodriguez attributes
vpn-simultaneous-logins 10
username jthomas password xxxxx
username mramirez password xxxxx
tunnel-group 99.xxxx type ipsec-l2l
tunnel-group 99.xxxx ipsec-attributes
pre-shared-key *
tunnel-group CSC type remote-access
tunnel-group CSC general-attributes
address-pool VPNPool
default-group-policy CSC
tunnel-group CSC ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
smtp-server 192.168.0.xx
prompt hostname context

Correct Answer by Jennifer Halim about 6 years 12 months ago

On the VPN Client PC, see if there is any firewall enabled. Tried to disable the firewall if it's on.

I also assume that the Avaya server default gateway is 192.168.0.1?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Fri, 05/28/2010 - 02:46
User Badges:
  • Cisco Employee,

To ping servers behind ASA, please add the following:


policy-map global_policy
  class inspection_default

     inspect icmp


Hope that helps.

Jennifer Halim Fri, 05/28/2010 - 05:17
User Badges:
  • Cisco Employee,

Can you please add "management-access inside" and see if you can ping 192.168.0.1.


Also what ip address are you trying to ping earlier? Please check that the PC firewall on the host does not block the inbound ping. Sometimes if ping is not from the same subnet, it is blocked by default by the firewall.

Jennifer Halim Fri, 05/28/2010 - 05:22
User Badges:
  • Cisco Employee,

Also, you have configured split tunnel ACL, however, the split tunnel is permit any --> ie: no split tunnel.


If you do not want split tunnel, please configure the following instead:

- remove the current split tunnel ACL:

group-policy CSC attributes
   no split-tunnel-network-list value  CSC_splitTunnelAcl

   split-tunnel-policy tunnelall


Alternatively, if you would like split tunnel, then you should change the ACL:

From: access-list CSC_splitTunnelAcl standard permit any

To: access-list CSC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

Ok now I am able to ping internal host but now VPN users can not access the internet. Here is the latest config after making the changes you suggested which were.


group-policy CSC attributes
   no split-tunnel-network-list value  CSC_splitTunnelAcl

   split-tunnel-policy tunnelall

access-list CSC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0


: Saved
:
ASA Version 8.0(4)
!
hostname xxxx-ASA5505
domain-name x.com
enable password YSIeNPszkUwsmi4A encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 Roosevelt
!
interface Vlan1
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.xxxxx 255.255.255.240
!
interface Ethernet0/0
description Link to Comcast Router
switchport access vlan 2
!
interface Ethernet0/1
description LINK to Linksys SR2024
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxx.com
same-security-traffic permit intra-interface
access-list 110 extended permit tcp any host 173.xxx eq 3389
access-list 110 extended permit tcp any host 173.xxx eq www
access-list 110 extended permit tcp any host 173.xxx eq smtp
access-list 110 extended permit tcp any host 173.xxx eq domain
access-list 110 extended permit tcp any host 173.xxx eq https
access-list 110 extended permit tcp any host 173.xxx eq ftp
access-list 110 extended permit icmp any any
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Roosevelt 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 Roosevelt 255.255.255.0
access-list CSC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
logging asdm informational
mtu Inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.1.1-10.10.1.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 5 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 5 0.0.0.0 0.0.0.0
static (Inside,outside) 173.xxxx 192.168.0.14 netmask 255.255.255.255
static (Inside,outside) 173.xxxx 192.168.0.17 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 173.xxxxx 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Inside
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 99.55.80.118
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha    
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
management-access Inside
dhcpd dns 192.168.0.14 68.87.77.130
dhcpd wins 192.168.0.14
dhcpd domain xxx.com
!
dhcpd address 192.168.0.50-192.168.0.150 Inside
dhcpd enable Inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CSC internal
group-policy CSC attributes
wins-server value 192.168.0.14
vpn-idle-timeout none
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelall
tunnel-group 99.xxx type ipsec-l2l
tunnel-group 99.xxx ipsec-attributes
pre-shared-key *
tunnel-group CSC type remote-access
tunnel-group CSC general-attributes
address-pool VPNPool
default-group-policy CSC
tunnel-group CSC ipsec-attributes
pre-shared-key *
!            
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!

How would I go about adding the management interface without disrupting anything? Would it be like this?


interface Management
nameif management
security-level 50
ip address 192.168.0.XXX 255.255.255.0
management-only


Also I have tried pinging a printer or wireless access point that returns pings to me from within the network. I have another site that I have setup long time ago that alows pings but I have gone line thru line and can't seem to find the correct command. I will post that config in about 1 hour and maybe you will notice something.


Thanks.

Jennifer Halim Fri, 05/28/2010 - 05:28
User Badges:
  • Cisco Employee,

No, you don't need to configure a management interface. You only need to add this 1 line of command: management-access inside

That would allow you to ping the ASA inside interface from the VPN session.


What is the printer and wireless gateway default gateway? Is the default gateway the ASA firewall? or somewhere else? If it is another router, you would need to add the ip pool subnet (10.10.1.0/24) to be routed towards the ASA inside interface (192.168.0.1).

Jennifer Halim Fri, 05/28/2010 - 18:07
User Badges:
  • Cisco Employee,

Thanks, good to hear it's working now.

What do you mean by for internal network to access 10.10.1.0/24? 10.10.1.0/24 is the ip pool subnet assigned when VPN Client connects, and once it's connected, the internal network 192.168.0.x should have access to the VPN Client PC. Is this what you are trying to achieve? Normally it's the other way round, ie: vpn client connects, get assigned ip from 10.10.1.0/24 pool and they would access the internal network 192.168.0.x. What would you like to access from internal network back towards the vpn client?

The reason I want the 192.168.0.X network to access the 10.10.1.X network is because there is a VOIP Server on the 192.168.0.X and when the Avaya IP Phones VPN they get access into the 192.168.0.X but communication is lost. I am not sure if the Avaya VOIP server can't communicate back to the 10.10.1.X network? From the Avaya server,(192.168.0.30) I can not ping a VPN client on  a 10.10.1.2.

Correct Answer
Jennifer Halim Sat, 05/29/2010 - 00:15
User Badges:
  • Cisco Employee,

On the VPN Client PC, see if there is any firewall enabled. Tried to disable the firewall if it's on.

I also assume that the Avaya server default gateway is 192.168.0.1?

Actions

This Discussion