ASA 5510 - remote vpn client can login but only first client can ping and the rest cannot

Craigxxxxx · ‎12-09-2013

All Experts,

I have configured remote vpn server on ASA 5510.

All the remote vpn clients are able to login to remote vpn server.

The issue is that only first vpn client can ping to the internal network and the rest of the clients cannot ping even though they are able to login.

Could you please help to find out what's wrong with my configuration?

Please refer to the below configuration.

Thanks.

ciscoasa#sh run

ASA Version 8.0(2)

!

hostname ciscoasa

domain-name test.com

enable password S3tnQLXTAbsdcawi encrypted

names

!

interface Ethernet0/0

description *** INTERNAL CONNECTION ***

nameif inside

security-level 100

ip address 10.215.1.1 255.255.255.0

!

interface Ethernet0/1

description *** WAN CONNECTION ***

nameif outside

security-level 0

ip address 210.x.x.x 255.255.255.252

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST 10

dns server-group DefaultDNS

domain-name test.com

access-list outside_access_in extended permit icmp any any

access-list inside_access_in extended permit icmp any any

access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.215.2.0 255.255.255.0

pager lines 24

logging enable

logging monitor debugging

logging buffered debugging

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

ip local pool VPNPOOL 10.215.2.1-10.215.2.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 210.x.x.x 1

route inside 10.0.0.0 255.0.0.0 10.215.1.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.215.0.0 255.255.0.0 inside

http 192.168.1.0 255.255.255.0 management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP

crypto map VPN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

no crypto isakmp nat-traversal

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 10

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

group-policy it-policy internal

group-policy it-policy attributes

wins-server value 10.215.1.11

dns-server value 10.215.1.12

vpn-idle-timeout 30

username testuser password k83iXWPan0Gg1s04 encrypted

username admin password TOyVyM6G6TXcuQ5w encrypted privilege 15

username user password enq05bKrudsJMMBu encrypted

tunnel-group itvpnclient type remote-access

tunnel-group itvpnclient general-attributes

address-pool VPNPOOL

default-group-policy it-policy

tunnel-group itvpnclient ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:6da9a4e00b5e6e1a914ec571becaf38f

: end

JORGE RODRIGUEZ · ‎12-09-2013

Hi Craig,

Try enabling NAT-T , you have it disabled, try that and let us know e.g crypto isakmp nat-traversal 20

troublesghooting reference

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Regards

Jorge Rodriguez

Craigxxxxx · ‎12-10-2013

Hi Gorge,

Thanks for your advice.

I will try that and let you know the update.

Regards,

Craig

Craigxxxxx · ‎12-11-2013

Hi Gorge,

I am able to ping from any remote client after enabling crypto isakmp nat-traversal 20.

Thank you so much for your advice.

Hi William,

Thanks for your advice too even though I did not need to add "inspect icmp" under class inspection_default.

Appreciate for your help.

Regards,

Craig

WILLIAM STEGMAN · ‎12-10-2013

You might also try adding inspect icmp under your class inspection_default policy map.