574 Views | 0 Helpful | 1 Reply
Can't ping or access anything after VPN connection is established.

dclarolh1 (Level 1)

Yesterday this was working perfectly. Randomly I now can't ping anything or access anything while connected to the VPN. The negotiation completes too. I am using the Thick Client. Let me know if you need any more information.

Thanks.

Here is the running config:

ASA Version 8.2(2)19
!
hostname ***-DC-SR1-5510-1
domain-name ******.local
enable password ds4hdW4uvMnfKnfo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.245.2.0 ***LAN description 10.245.2.x
name 10.245.2.14 Switchvox description Phone System
name x.x.x.x XXX description Mike's Static Home IP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 shutdown
 nameif Outside2
 security-level 100
 no ip address
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.245.253.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 nameif Inside2
 security-level 100
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.245.1.2 255.255.255.0
 management-only
!
boot system disk0:/asa822-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name ***financial.local
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp ***LAN 255.255.255.0 any echo-reply
access-list outside_access_in extended permit esp ***LAN 255.255.255.0 host x.x.x.x
access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq isakmp host x.x.x.x
access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq 4500 host x.x.x.x
access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq 1701 host x.x.x.x
access-list outside_access_in extended permit udp any eq sip host Switchvox
access-list outside_access_in extended permit udp host xxx interface outside eq sip
access-list ***VPN_splitTunnelAcl standard permit ***LAN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Outside2 1500
mtu inside 1500
mtu Inside2 1500
mtu management 1500
ip local pool ***VPNPOOL 10.245.50.50-10.245.50.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) udp interface sip Switchvox sip netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 10.245.0.0 255.255.0.0 10.245.253.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http ***LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=***-DC-SR1-5510-1
 crl configure
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.245.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ***VPN internal
group-policy ***VPN attributes
 banner value Welcome to *** *** VPN!
 banner value
 banner value This connection is monitored. If you require assistance please call ***.
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ***VPN_splitTunnelAcl
 default-domain value ******.local
username sshuser1 password QeDXBFUts7/E3/zS encrypted privilege 15
username dclaro password 7hgN6nCxTAeewqbW encrypted
username dclaro attributes
 vpn-group-policy ***VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
 service-type remote-access
username mchamberland password x5xm.7lKZwodeqRp encrypted
username mchamberland attributes
 vpn-group-policy ***VPN
 service-type remote-access
tunnel-group ***VPN type remote-access
tunnel-group ***VPN general-attributes
 address-pool ***VPNPOOL
 default-group-policy ***VPN
tunnel-group ***VPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e6343b255915691e8ee103bd5643300f
: end

1 Reply

dclarolh1 (Level 1)

I'm seeing this in the log:

5 Sep 23 2010 10:27:33  10.245.2.1    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.245.50.50 dst inside:10.245.2.1 (type 8, code 0) denied due to NAT reverse path failure

I am trying to ping 10.245.2.1 from the VPN client which is 10.245.50.50.
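The log line above is the ASA reporting that the decrypted VPN flow (outside:10.245.50.50 to inside:10.245.2.1) and its reverse (inside to outside) would be handled by different NAT rules. The following Python is an added example for readers of this thread, not code from the poster or from Cisco: it parses the ASDM log-viewer line as posted and replays both flow directions through a deliberately simplified model of the posted NAT statements (global (outside) 101 interface, nat (inside) 101 0.0.0.0 0.0.0.0, and no nat 0 exemption). The model, the NONAT access-list name and the LAN-to-VPN-pool exemption it adds for comparison are assumptions made for illustration; real ASA NAT ordering has more cases than this.

```python
"""Added example (not part of the thread, not Cisco's code): a simplified model of
why an ASA 8.2-style 'nat/global' pair can produce the 'NAT reverse path failure'
message posted above when no 'nat (inside) 0 access-list' exemption covers the
VPN address pool. The NAT model is an assumption, not a reproduction of ASA
internals."""
import ipaddress
import re
from dataclasses import dataclass, field

# Line copied from the reply in the thread (ASDM log viewer format).
POSTED_LINE = ("5 Sep 23 2010 10:27:33  10.245.2.1    Asymmetric NAT rules matched for "
               "forward and reverse flows; Connection for icmp src outside:10.245.50.50 "
               "dst inside:10.245.2.1 (type 8, code 0) denied due to NAT reverse path failure")

# Regex for the line shape shown in the post (assumed to be stable for this message).
LOG_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+).*?denied due to NAT reverse path failure"
)


def parse_reverse_path_failure(line):
    """Return proto, interfaces and addresses from a reverse-path-failure line,
    or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


@dataclass
class NatPolicy:
    """Toy NAT model: a 'nat (X) N ...' + 'global (Y) N ...' pair is stored as
    (X, Y); a 'nat (X) 0 access-list' exemption as (X, src_net, dst_net)."""
    dynamic: set = field(default_factory=set)
    exempt: list = field(default_factory=list)

    def translates(self, src_if, src, dst_if, dst):
        """True if a flow src_if:src -> dst_if:dst would be translated."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # nat 0 exemptions are consulted before dynamic nat/global rules (assumption
        # that matches the simplified model, see lead-in).
        for ex_if, s_net, d_net in self.exempt:
            if ex_if == src_if and src_ip in s_net and dst_ip in d_net:
                return False
        return (src_if, dst_if) in self.dynamic


def diagnose(line, policy):
    """Replay the logged forward flow and its reverse through the policy and
    report whether they are translated differently (the asymmetry the ASA denies)."""
    f = parse_reverse_path_failure(line)
    if f is None:
        return None
    fwd = policy.translates(f["src_if"], f["src"], f["dst_if"], f["dst"])
    rev = policy.translates(f["dst_if"], f["dst"], f["src_if"], f["src"])
    return {"proto": f["proto"], "forward_translated": fwd,
            "reverse_translated": rev, "asymmetric": fwd != rev}


def policy_as_posted():
    # From the posted config: 'global (outside) 101 interface' paired with
    # 'nat (inside) 101 0.0.0.0 0.0.0.0', and no nat 0 exemption anywhere.
    return NatPolicy(dynamic={("inside", "outside")})


def policy_with_vpn_exemption():
    # Same policy plus a hypothetical LAN -> VPN-pool exemption (name NONAT assumed):
    #   access-list NONAT extended permit ip 10.245.2.0 255.255.255.0 10.245.50.0 255.255.255.0
    #   nat (inside) 0 access-list NONAT
    p = policy_as_posted()
    p.exempt.append(("inside", ipaddress.ip_network("10.245.2.0/24"),
                     ipaddress.ip_network("10.245.50.0/24")))
    return p


if __name__ == "__main__":
    print("as posted:      ", diagnose(POSTED_LINE, policy_as_posted()))
    print("with exemption: ", diagnose(POSTED_LINE, policy_with_vpn_exemption()))
```

Run as a script it prints both diagnoses: with the posted rules the inbound VPN flow is untranslated while the reply from 10.245.2.1 matches the dynamic nat/global pair, so the two directions disagree; with the exemption in place both directions are left untranslated and the model reports no asymmetry. The same parser can be pointed at a syslog feed to count reverse-path denials per source address, which is a cheap way to spot a missing exemption after a NAT change.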
