Community Member

ASA 5505 split tunneling enabled, still can't ping

I set up a Cisco ASA 5505 for remote access, and a point-to-point to a colocation facility. Recently local LAN access was not working, so I configured the split tunnel access list. Local LAN access now works, but when connected to the VPN I still cannot ping anything on the opposite side of the tunnel. I could never ping anything on the other side. Can anyone look at my config and tell me what I have configured wrong? I'm also unsure about the order of the ACEs in my ACL. The main office is using 192.168.10.x. The VPN DHCP pool is 192.168.11.x. The colocation facility uses 192.168.4.x. Here is my config. Thanks in advance.

26 REPLIES

Re: ASA 5505 split tunneling enabled, still can't ping

Hi Chad

Try the following:

no access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0 255.255.255.240

no access-list CompanyX_splitTunnelAcl standard permit 64.x.x.x 255.255.255.0

no access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.240

no access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0

Regards

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

I made the changes you suggested and everything is still the same. I cannot ping directly from my workstation to the remote office. While RDP'd into a remote workstation, I can ping my colocation facility on the point-to-point. Nothing has changed. Also, when I try to do an nslookup from my machine I get this:

P:\>nslookup

*** Can't find server name for address 192.168.10.200: Non-existent domain

*** Can't find server name for address 192.168.10.201: Non-existent domain

Here is my ipconfig /all for the vpn connection:

IP Address. . . . . . . . . . . . : 192.168.11.1

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 192.168.10.200

192.168.10.201

Primary WINS Server . . . . . . . : 192.168.10.200

Secondary WINS Server . . . . . . : 192.168.10.201

Any other ideas?

Re: ASA 5505 split tunneling enabled, still can't ping

Right-click the VPN icon in the bottom-right, click Statistics, then click Route Details, and please take a screenshot and upload it here.

Also issue the following in your config and post the final config:

policy-map global_policy

class inspection_default

inspect icmp

Also run "clear xlate".

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

Here is a screenshot of the route details. I still have to run the commands you mentioned. I will post the final config as soon as I can. Thanks.

Re: ASA 5505 split tunneling enabled, still can't ping

Route details are fine, waiting for final config

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

I'm still trying to make those changes to the config. Having trouble with ssh and telnet even though I have configured access through the ASDM. I'll post my config once I make the changes.

Re: ASA 5505 split tunneling enabled, still can't ping

OK, during this time, please check whether any software firewall is set on the client you try to ping. If the firewall is on and exceptions are set, please check whether the exceptions allow the local subnet only or any.

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

Any way I can enable ping through the ASDM? I am not able to Telnet or SSH even though I have it configured. I tried doing it through the ASDM at: Properties - Device Admin - ICMP rules, inside, permit, any. Still no go.

Re: ASA 5505 split tunneling enabled, still can't ping

I can't remember where it is exactly in ASDM. In ASDM, click Tools, then click Command Line Interface. Choose Multiple Line, paste the commands there, then click Send. Then type sh run, click Send and paste the output.

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

Here is my latest config after making the suggested changes. I still can't ping any workstations or servers. I can, however, ping a network printer and get a reply. I even went into the default domain policy and disabled Windows Firewall. It has to be my config, since I can ping fine when I remote into one of the servers or workstations. Any ideas?

Re: ASA 5505 split tunneling enabled, still can't ping

Add this:

crypto isakmp nat-traversal 20

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

Will this command apply if I chose PAT instead of NAT when I used the wizard?

Re: ASA 5505 split tunneling enabled, still can't ping

Yes it will.

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

I submitted crypto isakmp nat-traversal 20 via the CLI in the ASDM and it went through. I connected to the vpn and still nothing. Again the only ping that responds is to a network printer.

Re: ASA 5505 split tunneling enabled, still can't ping

Let's rephrase.

You get an IP within 11.x, and you can ping a device in 10.x which is a network printer, but you can't ping other servers or devices in 10.x, correct?

What default gateway IP does the server you want to ping have?

Can you establish RDP instead of ping?

Your old NAT ACL statements still exist; can you please apply the changes in my first post? After that, wr mem and reload the device.

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

The gateway for the machines I'm trying to ping is 192.168.10.1. RDP works fine. I am unable to submit the commands you gave me:

access-list caliperwest_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

because it tells me that the input is invalid starting at the second 192 address.

Re: ASA 5505 split tunneling enabled, still can't ping

Here is the corrected one:

no access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0 255.255.255.240

no access-list CompanyX_splitTunnelAcl standard permit 64.x.x.x 255.255.255.0

no access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

access-list CompanyX_splitTunnelAcl standard permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.240

no access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0

Re: ASA 5505 split tunneling enabled, still can't ping

Here is my review of the issue:

1) You can RDP into the 10.x server

2) You can PING a device in 10.x

3) But you can't PING the 10.x server

What the above means is:

1) All VPN configuration is correct

2) ICMP is permitted (inspect icmp)

3) The 10.x server most probably has software that blocks ICMP from any scope other than the 192.168.10.0/24 scope. Maybe servers get an exception rule for ICMP for the local subnet only via policy.

Re: ASA 5505 split tunneling enabled, still can't ping

Don't forget to run the following after config changes:

clear xlate

clear arp

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

All Windows firewalls are disabled through group policy. I cannot ping any Windows box from my workstation over VPN. When I RDP into any box while on VPN, I can ping anything I want to. The signs point to the VPN for me. Anyone else?

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

I finally got SSH configured and I tried to run the commands to change the split tunnel lists. It wouldn't let me do it because it said they were attached to certain group policies that needed to be removed first. At this point I'm gonna leave it as it is. Should this affect anything??? Everything seems to work except ping.

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

You should try to avoid using any in your no-NAT access-list. Also, client VPN traffic is not defined in your interesting traffic. Try to add the following lines:

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.4.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.4.0 255.255.255.0

Keep in mind you will also have to define the return traffic on the other side of the tunnel (colo fac).

Something like this (I don't have that config to look at, so I'm guessing):

access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.11.0 255.255.255.0
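The replies above revolve around whether the NAT-exemption ACL and the split-tunnel ACL actually cover the VPN pool to LAN pair (and the point that a bare "any" in nat0 hides gaps). The following added Python checker is not from the thread or from Cisco; it parses ASA-style ACE lines, with a constructed sample config (the /28 pool ACE deliberately narrower than the /24 pool the client received) and the hypothetical ACL names used in this thread, and reports whether a LAN/pool pair is NAT-exempt and split-tunneled.

```python
import ipaddress

# Constructed sample ACEs, modelled on the ones proposed in this thread.
# The nat0 pool ACE is deliberately /28 while the client gets a /24 pool,
# so the checker can surface the partial-coverage mismatch.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
"""

def _net(tokens, i):
    """Parse 'any' or 'ADDR MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net)]}; standard ACEs carry dst=None."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "permit":
            continue
        if t[2] == "extended" and t[4] == "ip":
            src, i = _net(t, 5)
            dst, _ = _net(t, i)
        elif t[2] == "standard":
            src, _ = _net(t, 4)
            dst = None
        else:
            continue
        acls.setdefault(t[1], []).append((src, dst))
    return acls

def check_ra_flow(acls, lan, pool, nat0="inside_nat0_outbound",
                  split="CompanyX_splitTunnelAcl"):
    """Is LAN <-> VPN-pool traffic NAT-exempt, and is the LAN in the split list?"""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    # nat0 is applied on the inside interface: source is the LAN, destination the pool
    exempt = any(lan.subnet_of(s) and pool.subnet_of(d) for s, d in acls.get(nat0, []))
    uses_any = any(s.prefixlen == 0 for s, _ in acls.get(nat0, []))
    tunneled = any(lan.subnet_of(s) for s, _ in acls.get(split, []))
    return {"nat_exempt": exempt, "nat0_uses_any": uses_any, "split_tunneled": tunneled}

if __name__ == "__main__":
    print(check_ra_flow(parse_acls(SAMPLE_CONFIG), "192.168.10.0/24", "192.168.11.0/24"))
```

With the sample config the /24 pool is reported as not exempt while a /28 pool is, which is the kind of mask mismatch that leaves part of a VPN pool being NATed.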

Re: ASA 5505 split tunneling enabled, still can't ping

Don,

Thanks for pointing out the issues that I already stated.

The issue is not the connectivity between the RA client and the colo fac; adding colofac-RA related config would make confusion. Yet the NAT statement shouldn't be issued into inside_nat0_outbound, since the colo fac is at the outside interface. An exempt NAT for the outside interface should be created.

"When I rdp into any box while on vpn, I can ping anything I want to."

The issue is getting weirder and weirder :) So you connect VPN, ping a server in 10.x, no replies, RDP into that server successfully, and pings to that server start working?

Re: ASA 5505 split tunneling enabled, still can't ping

"Should this affect anything ??? Everything seems to work except ping."

Well, it shouldn't; it doesn't at the moment either, but just in case...

Enter the commands in the following order:

access-list CompanyX_splitTunnelAcl standard permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

no access-list CompanyX_splitTunnelAcl standard permit 192.168.11.0 255.255.255.240

no access-list CompanyX_splitTunnelAcl standard permit 64.x.x.x 255.255.255.0

no access-list CompanyX_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

Also can you please confirm my above question about PING? What VPN client version do you have? Below 5.0?

Community Member

Re: ASA 5505 split tunneling enabled, still can't ping

"The issue is getting weirder and weirder :) So you connect VPN, ping a server in 10.x, no replies, RDP into that server successfully, and pings to that server start working?"

Answer: Yes. I connect to VPN. No ping. Only while RDP'd into the remote box does ping work on the remote box, but still NOT from my machine to the remote box. Hope this clears things up.

My vpn client version is 5.0.01.0600

I will have to revisit this on Tuesday after the holiday. Thanks to everyone for all your help. You guys are great.

Re: ASA 5505 split tunneling enabled, still can't ping

"Only while rdp'd into remote box does ping work on remote box but still NOT on my machine to remote box"

Ahh, you mean the remote box can ping another box within the same subnet. When you have time, let me know and I will request you to open ASDM syslogs and follow the logs being generated when you try to ping from your local machine to the remote box.
