ASA 5505 VPN client can't ping inside LAN

Aug 7th, 2010

Hello everyone,

I tried to search for an answer to this question but I couldn't find the answer. So here it goes:


I configured the VPN on the ASA, I can get a client to connect to the ASA just fine, however I can't ping any interfaces on the ASA or on the inside LAN. I'm giving VPN clients IPs of 192.168.60.x/24 and the inside network is 192.168.1.x/24. I got this to work the last time I configured an ASA but I forgot all the things I did. I'm sure it's something small. Any help is greatly appreciated.



ASA Version 7.2(4)
!
hostname max
domain-name default.domain.invalid
enable password xxxxxxx encrypted
passwd xxxxx encrypted
names
name 192.168.1.3 Xbox description IP address for Xbox
!
interface Vlan1
 description Default internal vlan on max
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Internet vlan on max
 nameif Internet
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 description DMZ vlan on max
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.100.100.1 255.0.0.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Xbox_port tcp-udp
 description TCP-UDP 3074
 port-object eq 3074
object-group service Xbox_port_2 udp
 description UDP port 88
 port-object eq 88
object-group network Internal_Networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.1.0.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
 network-object 10.20.0.0 255.255.255.0
 network-object 10.30.0.0 255.255.255.0
access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any traceroute
access-list acl-outside extended permit icmp any any time-exceeded
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
access-list nonat extended permit ip any 192.168.60.0 255.255.255.240
access-list Split_Tunnel_List remark The network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 10000
logging buffered critical
logging asdm informational
logging debug-trace
mtu inside 1500
mtu Internet 1500
mtu DMZ 1500
ip local pool VPN_Client_IP_Pool 192.168.60.2-192.168.60.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any Internet
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group acl-outside in interface Internet
!
router ospf 1
 router-id 192.168.1.1
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
 default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet_dyn_map 20 set pfs group1
crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 76.10.192.197 255.255.255.255 Internet
ssh timeout 30
console timeout 0
dhcpd auto_config Internet
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
tftp-server inside 192.168.1.2 /asaconfig
group-policy darin.personal internal
group-policy xxxxxx attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value default.domain.invalid
username xxxxx password xxxxxxx encrypted privilege 0
username xxxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxx encrypted privilege 15
tunnel-group xxxxxx type ipsec-ra
tunnel-group xxxxxx general-attributes
 address-pool VPN_Client_IP_Pool
 default-group-policy xxxxxxxx
tunnel-group xxxxxxxxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end

ufuk guler Sat, 08/07/2010 - 11:33

Hello Darin,


Could you add the line below to your outside ACL and test again? Hope it can help you.


access-list acl-outside extended permit icmp any any echo



Ufuk Guler

darin.miller Sat, 08/07/2010 - 11:53

Hello,

I added the line but it didn't help. Besides, I don't want to enable ping for the entire outside interface but full access to the inside network. I'm beginning to think that I need to set my ASA as the default gateway for VPN clients. It's not defined when I connect.

ufuk guler Sat, 08/07/2010 - 12:12

Hi Darin,


Could you enable ICMP inspection and try again? Just add the "inspect icmp" command under the "class inspection_default" section. At the same time, I think you are able to access local resources via VPN, except ICMP, isn't it?


policy-map global_policy
    class inspection_default
     inspect icmp


Ufuk Guler

darin.miller Sat, 08/07/2010 - 18:17

Nope, I can't access any inside resources through the VPN at all. Ping, telnet, ssh, nothing. I'm thinking I might need a NAT statement in there somewhere.

Nagaraja Thanthry Sat, 08/07/2010 - 18:30
Cisco Employee

Hello,


Can you please post the latest configuration here (x out all the public IP addresses).


Regards,


NT

darin.miller Sat, 08/07/2010 - 19:13


ASA Version 7.2(4)
!
hostname max
domain-name default.domain.invalid
enable password xxxx encrypted
passwd xxxx encrypted
names
name 192.168.1.3 Xbox description IP address for Xbox
!
interface Vlan1
 description Default internal vlan on max
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Internet vlan on max
 nameif Internet
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 description DMZ vlan on max
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.100.100.1 255.0.0.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec You are logged into Max's firewall
banner login Max's firewall
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Xbox_port tcp-udp
 description TCP-UDP 3074
 port-object eq 3074
object-group service Xbox_port_2 udp
 description UDP port 88
 port-object eq 88
object-group network Internal_Networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.1.0.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
 network-object 10.20.0.0 255.255.255.0
 network-object 10.30.0.0 255.255.255.0
access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any traceroute
access-list acl-outside extended permit icmp any any time-exceeded
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
access-list Split_Tunnel_List remark The network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
pager lines 24
logging enable
logging buffer-size 10000
logging buffered critical
logging asdm informational
logging debug-trace
mtu inside 1500
mtu Internet 1500
mtu DMZ 1500
ip local pool VPN_Client_IP_Pool 192.168.60.2-192.168.60.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any Internet
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (inside) 0 access-list nonat-in
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group acl-outside in interface Internet
!
router ospf 1
 router-id 192.168.1.1
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
 default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet_dyn_map 20 set pfs group1
crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x 255.255.255.255 Internet
ssh timeout 30
console timeout 0
dhcpd auto_config Internet
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
tftp-server inside 192.168.1.2 /asaconfig
group-policy darin.personal internal
group-policy darin.personal attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value default.domain.invalid
username darin.miller password xxxx encrypted privilege 0
username darin.miller attributes
 vpn-group-policy darin.personal
username darin password xxxx encrypted privilege 15
tunnel-group darin.personal type ipsec-ra
tunnel-group darin.personal general-attributes
 address-pool VPN_Client_IP_Pool
 default-group-policy darin.personal
tunnel-group darin.personal ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
: end

Nagaraja Thanthry Sat, 08/07/2010 - 19:22
Cisco Employee

Hello,


You are correct. The nonat rule is incorrect. Please add the following lines:


access-list nonat-in extended permit ip object-group Internal_Networks 192.168.60.0 255.255.255.0

access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0


management-access inside


Hope this helps.


Regards,


NT



darin.miller Sun, 08/08/2010 - 20:58

Nope, didn't work. I was able to connect, and this time my VPN-client's ipconfig listed 192.168.60.1 as the default gateway.

darin.miller Mon, 08/09/2010 - 01:13

What I need is to have my home LAN (192.168.1.0/24) be the secured route, with everything else going through my local LAN.

darin.miller Mon, 08/09/2010 - 03:37

I reset everything to the original way I had it and ran a packet trace:



max# pac input internet icmp 192.168.60.2 0 8 192.168.1.2 det

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x39d6bf8, priority=12, domain=punt, deny=false
        hits=12667, user_data=0x4299570, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x39f1fa0, priority=1, domain=permit, deny=false
        hits=6376931, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface Internet
access-list acl-outside extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3a793e8, priority=12, domain=permit, deny=false
        hits=6, user_data=0x3a78038, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x39f4828, priority=0, domain=permit-ip-option, deny=true
        hits=12341, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x42a06e0, priority=79, domain=punt, deny=true
        hits=9, user_data=0x3637180, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.60.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3a6f5d8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=9, user_data=0x7d1d6c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.60.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x39f3ba0, priority=66, domain=inspect-icmp-error, deny=false
        hits=75, user_data=0x39f3ad0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x41892e0, priority=0, domain=host-limit, deny=false
        hits=55, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
  match ip inside 192.168.1.0 255.255.255.0 Internet any
    dynamic translation to pool 1 (75.187.60.114 [Interface PAT])
    translate_hits = 46, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4256e30, priority=1, domain=nat-reverse, deny=false
        hits=53, user_data=0x4256c90, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

darin.miller Mon, 08/09/2010 - 13:49

OK, check this out. I got my hands on a previous config I did for a customer. I found out that IT WAS a NAT statement that was missing, so I added these 3 statements:



nat (inside) 0 access-list LAN_nat0_outbound
access-list LAN_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0


So, now VPN clients can ping the 192.168.1.0/24 internal network and vice versa, but VPN clients still can't telnet into devices in the 192.168.1.0/24 subnet. I'm guessing PAT is needed but where?
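The Python below is an added example, not code from the thread or from Cisco: it models how the ASA's nat 0 exemption ACL is checked against the return flow (inside host to VPN client) in the NAT rpf-check phase that drops the packet in the trace above, using the nonat-in list from the second config and the LAN_nat0_outbound list from this post as input. The rpf-check logic is a simplified assumption about ASA 7.x behaviour, not its actual implementation.

```python
"""Model of ASA 7.x NAT exemption ("nat (inside) 0 access-list") matching.
Added example, not code from the thread: it shows why the rpf-check phase in the
posted packet trace drops VPN-client traffic when the nat 0 ACL does not cover
the inside-to-VPN-pool flow. ASA ACEs use network masks, not wildcard masks."""
import ipaddress

# object-group network Internal_Networks, copied from the posted config.
OBJECT_GROUPS = {"Internal_Networks": [
    "10.0.0.0 255.255.255.0", "10.1.0.0 255.255.255.0", "172.16.0.0 255.255.255.0",
    "10.20.0.0 255.255.255.0", "10.30.0.0 255.255.255.0"]}
# nat 0 ACL from the second posted config: no entry for the 192.168.60.0 pool.
NONAT_IN = [
    "access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks",
]
# nat 0 ACL from the last post, the one that made ping work.
LAN_NAT0_OUTBOUND = [
    "access-list LAN_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0",
    "access-list LAN_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0",
]

def _networks(token):
    """Expand an ACE address token ('any', 'object-group X', 'ADDR MASK')."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if token.startswith("object-group "):
        members = OBJECT_GROUPS[token.split()[1]]
        return [net for m in members for net in _networks(m)]
    addr, mask = token.split()
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)]

def parse_ace(line):
    """Return (src_nets, dst_nets) for 'access-list N extended permit ip SRC DST'."""
    toks = line.split()
    if toks[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    fields, rest = [], toks[5:]
    while rest:
        width = 1 if rest[0] == "any" else 2  # 'any' is one token, the others two
        fields.append(" ".join(rest[:width]))
        rest = rest[width:]
    src, dst = fields
    return _networks(src), _networks(dst)

def acl_permits(acl, src, dst):
    """True if any ACE in the list permits the src -> dst flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(any(s in n for n in sn) and any(d in n for n in dn)
               for sn, dn in map(parse_ace, acl))

def rpf_check(nat0_acl, inside_host, vpn_client):
    """Simplified model (an assumption, not the ASA's exact algorithm) of the NAT
    rpf-check for a VPN-client -> inside packet: the return flow inside_host ->
    vpn_client must be exempt from NAT, otherwise 'nat (inside) 1' PAT owns the
    inside host and the untranslated packet is dropped, as in the trace."""
    return "ALLOW" if acl_permits(nat0_acl, inside_host, vpn_client) else "DROP"

if __name__ == "__main__":
    for name, acl in (("nonat-in", NONAT_IN), ("LAN_nat0_outbound", LAN_NAT0_OUTBOUND)):
        print(name, "192.168.60.2 -> 192.168.1.2:", rpf_check(acl, "192.168.1.2", "192.168.60.2"))
```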
