Cisco VPN Client cannot ping internal LAN IPs

Answered Question
Feb 27th, 2014
Hello


I apologise in advance for my lack of knowledge on this matter, but I have been handed an ASA 5510 running software version 7.2(2) and been asked to configure a site-to-site with a client. I managed to get this configured and all is working well. Additionally I created an ipsec-ra tunnel group for users to connect to a particular server 192.168.10.100/24 remotely; although the connection establishes successfully, I cannot ping any IP on the LAN 192.168.10.0/24 that sits behind the ASA, and when I ping the inside interface on the ASA it returns the public IP of the outside interface.


If someone out there could give me a nudge in the right direction it would be hugely appreciated! Below is the running config of the device.


Thanks in advance.


: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa5510
domain-name domain.local
enable password .123456789/ encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address 12.34.56.789 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 123456789 encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name domain.local
! Crypto ACL for the site-to-site tunnel
access-list outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
! NAT exemption (nat 0) ACL: covers the site-to-site peer only, not the VPN client pool
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
! Address pool handed to VPN clients
ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
! Dynamic PAT for everything leaving inside that is not exempted by nat 0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy domain_vpn internal
group-policy domain_vpn attributes
 dns-server value 212.23.3.100 212.23.6.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
username domain_ra_vpn password 123456789 encrypted
username domain_ra_vpn attributes
 vpn-group-policy domain_vpn
username user password .123456789 encrypted
username user password .123456789 encrypted
username user password .123456789 encrypted privilege 15
username user password .123456789 encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 987.65.43.21
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 987.65.43.21 type ipsec-l2l
tunnel-group 987.65.43.21 ipsec-attributes
 pre-shared-key *
tunnel-group domain_vpn type ipsec-ra
tunnel-group domain_vpn general-attributes
 address-pool domain_vpn_pool
 default-group-policy domain_vpn
tunnel-group domain_vpn ipsec-attributes
 pre-shared-key *
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *********
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd lease 691200
dhcpd ping_timeout 500
dhcpd domain domain.local
!
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1234567890987654321
: end

Correct Answer by Jouni Forss, Thu, 02/27/2014 - 03:40

Hi,


Seems to me that you are at least missing the NAT0 configuration for your VPN Client connection.


This configuration is meant to enable the VPN Client to communicate with the LAN with their original IP addresses. Though the main reason this is required is to avoid matching this traffic to the normal Dynamic PAT rule, which would drop this traffic and is dropping this traffic at the moment.


You can add a single ACL rule to the existing NAT0 ACL you have above, and the NAT configuration should be fine then.


Add this


access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0


Hope this helps


Let me know how it goes


- Jouni

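The rule order behind Jouni's answer, modelled as an added Python example (it is not part of the original thread and not Cisco code): a pre-8.3 ASA consults the `nat (inside) 0 access-list` exemption before the dynamic `nat (inside) 1` / `global (outside) 1 interface` pair, so a LAN reply towards the 192.168.11.0/24 client pool that is not in the NAT0 ACL is PATed to the outside interface address instead of being sent back through the tunnel with its original source. The config excerpt inside the block is constructed from the lines posted above, once without and once with the ACL line from the answer; the model only understands the `nat 0 access-list`, dynamic `nat`/`global` and `extended permit ip` forms used on this page (no static or policy NAT, no IPv6), and `audit_pools` checks every address of each `ip local pool` rather than a single sample.

```python
"""Model the pre-8.3 ASA NAT order of operations for inside-to-outside traffic
(nat 0 exemption first, then dynamic nat/global) and audit whether every
address in a VPN client pool is exempt from dynamic PAT."""
import ipaddress

# Constructed excerpt of the relevant lines from the running config above.
CONFIG_BEFORE = """\
ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same excerpt with the single ACL line from the accepted answer appended.
CONFIG_AFTER = CONFIG_BEFORE + (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0\n"
)


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out the pools, extended ACLs and nat/global statements that matter."""
    cfg = {"pools": {}, "acls": {}, "nat0": {}, "dyn": {}, "globals": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat":
            ifc = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                cfg["nat0"][ifc] = tok[4]            # NAT exemption ACL
            else:                                     # dynamic nat <id> <net> <mask>
                net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
                cfg["dyn"].setdefault(ifc, []).append((tok[2], net))
        elif tok[0] == "global":                      # global (<ifc>) <id> <interface|ip>
            cfg["globals"][(tok[1].strip("()"), tok[2])] = tok[3]
    return cfg


def nat_decision(cfg, src, dst, ifc="inside", egress="outside"):
    """Return 'exempt', 'pat:<global>' or 'untranslated' for one src->dst flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: NAT exemption is evaluated before any dynamic rule.
    for s, d in cfg["acls"].get(cfg["nat0"].get(ifc), []):
        if src in s and dst in d:
            return "exempt"
    # Step 2: first dynamic nat id whose global lives on the egress interface.
    for nat_id, net in cfg["dyn"].get(ifc, []):
        if src in net and (egress, nat_id) in cfg["globals"]:
            return "pat:" + cfg["globals"][(egress, nat_id)]
    return "untranslated"


def audit_pools(cfg, lan_host, ifc="inside", egress="outside"):
    """For each VPN pool, what happens to LAN->client return traffic?"""
    report = {}
    for name, (first, last) in cfg["pools"].items():
        seen = {nat_decision(cfg, lan_host, str(ipaddress.ip_address(n)), ifc, egress)
                for n in range(int(first), int(last) + 1)}
        report[name] = seen.pop() if len(seen) == 1 else "partial"
    return report


if __name__ == "__main__":
    # 192.168.10.100 is the server the VPN users are meant to reach (from the post).
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit_pools(parse_config(text), "192.168.10.100"))
```

On the ASA itself the equivalent check is `packet-tracer input inside icmp 192.168.10.100 8 0 192.168.11.5` (available from 7.2): after the fix the NAT phase should report the exemption rather than a translation to the interface address, and `show xlate` after a test ping from a client should show no entry for the pool address. One caveat on the original symptom: answering pings or SSH to the inside interface address across the tunnel additionally requires `management-access inside`, which the posted config does not contain, so that test is not a reliable indicator of LAN reachability even once NAT0 is correct.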

sharpy84_123 Thu, 02/27/2014 - 05:57

Hi Jouni Forss,


Thank you so much for your help, that was exactly what was missing from the config. It now works a treat.


Thanks again, your assistance is very much appreciated.


Regards
