No ping to inside via VPN connect

nguyenthac86
Level 1

I configured the ASA with remote access VPN.

VLAN 1:

ASA5505(config)# interface VLAN 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 100.11.32.251 255.255.255.0
ASA5505(config-if)# no shutdown

VLAN 2:

ASA5505(config)# interface VLAN 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

Allow Ethernet 0/0 access to VLAN 2 (outside):

ASA5505(config)# interface Ethernet 0/0
ASA5505(config-if)# switchport mode access
ASA5505(config-if)# switchport access VLAN 2
ASA5505(config-if)# no shutdown

Allow Ethernet 0/1-7 access to VLAN 1 (inside):

ASA5505(config)# interface Ethernet 0/1
ASA5505(config-if)# switchport mode access
ASA5505(config-if)# switchport access VLAN 1
ASA5505(config-if)# no shutdown

ASA5505(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

ASA5505(config)# isakmp policy 2
ASA5505(config-isakmp-policy)# authentication pre-share
ASA5505(config-isakmp-policy)# encryption des
ASA5505(config-isakmp-policy)# hash md5
ASA5505(config-isakmp-policy)# exit

Enable isakmp on interface outside:

ASA5505(config)# crypto isakmp identity address
ASA5505(config)# crypto isakmp enable outside

Create an IP pool named VPNclient with the IP range 192.168.168.1-192.168.168.254/24:

ASA5505(config)# ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0

Create a username/password for the VPN client, used for authentication on LOCAL:

ASA5505(config)# username xxxxx password xxxxxxx privilege 15

Create a transform-set named myset:

ASA5505(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac

Select tunnel-group type/attributes:

ASA5505(config)# tunnel-group IM type ipsec-ra
ASA5505(config)# tunnel-group IM general-attributes
ASA5505(config-tunnel-general)# address-pool VPNclient
ASA5505(config-tunnel-general)# exit

Create the pre-shared key for group authentication:

ASA5505(config)# tunnel-group IM ipsec-attributes
ASA5505(config-tunnel-ipsec)# pre-shared-key xxxxxxx

Create the access-list for interesting traffic:

ASA5505(config)# access-list Client permit ip 100.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
ASA5505(config)# nat (inside) 0 access-list Client

Create the dynamic map:

ASA5505(config)# crypto dynamic-map dyn1 1 set transform-set myset
ASA5505(config)# crypto dynamic-map dyn1 1 set reverse-route

Create the crypto map and assign it to the outside interface:

ASA5505(config)# crypto map mymap 10 ipsec-isakmp dynamic dyn1
ASA5505(config)# crypto map mymap interface outside

But when I connect the VPN to the ASA, I can't ping my server on the inside. My server has the IP address 110.11.32.20/ (no default gateway set).

Please, help me!

11 Replies

Jitendriya Athavale
Cisco Employee

Check no-NAT or NAT exemption.

Your nat 0 access-list should have an ACL permit from the internal network to the pool IPs.

Enter these commands:

sysopt connection permit-vpn

crypto isa nat-t

I am not sure whether you want it this way, but you have your private IP in the less secure zone and your public IP in the more secure zone.

Enter this command, "management-access", and check if you can ping the inside interface IP.

If all this doesn't work, paste the output of the following:

show crypto ipsec sa

Thanks.

I can ping one inside IP. I still can't ping the other IP inside.

When I show the running configuration, I see "icmp unreachable rate-limit 1 burst-size 1". I configured an ACL permitting IP from inside to the pool's IPs.

How do I do this?

Check if you have routes to reach 110.11.32.20 on the ASA.

Check on the other layer 3 devices that you have in between the ASA and 110.11.32.20 whether they have routes to get to the VPN pool IPs.

Please paste sh cry ips sa.

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name aaaaa.com
enable password xxxxxx
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.32.251 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 110.35.74.6 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name aaaaa.com
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.11.32.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cccccc password xxxxxx encrypted privilege 15
tunnel-group IM type remote-access
tunnel-group IM general-attributes
 address-pool VPNclient
tunnel-group IM ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47981e187a1fdfa8206d5aa14a5de0ad
: end

Yes, this is my show run:

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name aaaaa.com
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.32.251 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 110.35.74.6 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name aaaaa.com
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.11.32.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username thac password xxxxx encrypted privilege 15
tunnel-group IM type remote-access
tunnel-group IM general-attributes
 address-pool VPNclient
tunnel-group IM ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47981e187a1fdfa8206d5aa14a5de0ad
: end

This is different from what you had posted earlier.

Sorry, I am posting show cry ipsec sa:

interface: outside
    Crypto map tag: dyn1, seq num: 1, local addr: 110.35.74.6

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.168.1/255.255.255.255/0/0)
      current_peer: 110.35.74.5, username: thac86
      dynamic allocated peer ip: 192.168.168.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 110.35.74.6/10000, remote crypto endpt.: 110.35.74.5/4120
      path mtu 1500, ipsec overhead 94, media mtu 1500
      current outbound spi: DFEA853D

    inbound esp sas:
      spi: 0xB5FFB642 (3053434434)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 40960, crypto-map: dyn1
         sa timing: remaining key lifetime (sec): 28751
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDFEA853D (3756688701)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 40960, crypto-map: dyn1
         sa timing: remaining key lifetime (sec): 28749
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hi thac,

Can you please confirm which is the correct config, as you have pasted two different configs?

Sorry for the inconvenience. This is the correct configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name aaaaa.com
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.32.251 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 110.35.74.6 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name aaaaa.com
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.11.32.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username thac password xxxxx encrypted privilege 15
tunnel-group IM type remote-access
tunnel-group IM general-attributes
 address-pool VPNclient
tunnel-group IM ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47981e187a1fdfa8206d5aa14a5de0ad
: end

Hello,

I am assuming that you are using remote VPN clients. I don't see a group policy configured for the VPN clients.

group-policy ipsec-attributes
pre-shared-key *

Hope this helps.

Regards,

NT

I think the tunnel is fine, because we see SPIs and we can ping the inside IP with management-access inside.

Can you apply some captures and see:

capture capin interface inside match ip host host

After this, ping the internal IP, then:

sh cap capin

See if the traffic is leaving the firewall and coming back, because I see decaps but no encaps.

This means: check NATting and routing.
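The last reply's reasoning (the SA counters show decaps but almost no encaps, so the inside host's replies are not coming back, and NAT exemption and the return route must be checked) can be applied mechanically. The following Python checker is an added example and not code from this thread; the counters, the nat 0 ACL and the pool are taken from the posted output, the server's routing table (connected subnet only, no default gateway, as the poster described) is constructed, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show crypto ipsec sa" counters posted in this thread
SAMPLE_SA = """
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
"""
# NAT-exemption ACL, inside network and VPN pool as they appear in the posted configuration
NAT0_ACL = ["access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0"]
INSIDE_NET, POOL_NET = "10.11.32.0/24", "192.168.168.0/24"

def sa_counters(text):
    """Extract the encaps/decaps packet counters from 'show crypto ipsec sa' text."""
    enc = int(re.search(r"#pkts encaps:\s*(\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps:\s*(\d+)", text).group(1))
    return enc, dec

def reply_path_suspect(enc, dec, ratio=5):
    """Many decrypted but almost no encrypted packets: the ASA never sees replies to tunnel."""
    return dec >= ratio * max(enc, 1)

def nat_exempt_covers(acl_lines, inside_net, pool_net):
    """True if some 'permit ip <src> <mask> <dst> <mask>' line spans inside -> pool."""
    pat = r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)"
    for m in filter(None, (re.match(pat, line) for line in acl_lines)):
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")  # dotted masks are accepted
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
        if ipaddress.ip_network(inside_net).subnet_of(src) and ipaddress.ip_network(pool_net).subnet_of(dst):
            return True
    return False

def host_has_route(routes, dst):
    """Host routing table as (prefix, next_hop) pairs; no matching prefix means the reply is dropped."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(prefix) for prefix, _ in routes)

def diagnose(sa_text, acl_lines, server_routes, client_ip="192.168.168.1"):
    """Return the findings a reviewer would raise for this thread's symptoms."""
    findings = []
    enc, dec = sa_counters(sa_text)
    if reply_path_suspect(enc, dec):
        findings.append("decaps without encaps: inside replies never reach the ASA")
    if not nat_exempt_covers(acl_lines, INSIDE_NET, POOL_NET):
        findings.append("nat 0 ACL does not exempt inside -> pool")
    if not host_has_route(server_routes, client_ip):
        findings.append("server has no route back to the VPN pool (no default gateway)")
    return findings
```

Running `diagnose(SAMPLE_SA, NAT0_ACL, [("10.11.32.0/24", None)])` flags the counter asymmetry and the missing server route while passing the NAT exemption, which matches where the thread ends up; adding a default route towards the ASA inside address clears the routing finding.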
