Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Anyconnect VPN peers cannot ping, RDP each other

I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1).  I have a remote access VPN set up and the remote access users are able to log in and access LAN resources.   I can ping the VPN peers from the remote LAN.    My problem that the VPN peers cannot ping (RDP, ectc..) each other.   Pinging one VPN peer from another reveals the following error in the ASA Log.

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure. 

Below is my ASA running-config:

ASA Version 8.3(1)

!

hostname ciscoasa

domain-name dental.local

enable password 9ddwXcOYB3k84G8Q encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.1.128

domain-name dental.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network RAVPN

subnet 10.10.10.0 255.255.255.0

object network NETWORK_OBJ_10.10.10.0_28

subnet 10.10.10.0 255.255.255.240

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

access-list Local_LAN_Access remark VPN client local LAN access

access-list Local_LAN_Access standard permit host 0.0.0.0

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list VpnPeers remark allow vpn peers to ping each other

access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28

pager lines 24

logging enable

logging asdm informational

logging mail informational

logging from-address wketchel@gmail.com

logging recipient-address wketchel@gmail.com level informational

logging rate-limit 1 600 level 6

mtu outside 1500

mtu inside 1500

ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static any any destination static RAVPN RAVPN

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28

!

object network obj_any

nat (inside,outside) dynamic interface

object network RAVPN

nat (any,outside) dynamic interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

keypair billvpnkey

proxy-ldc-issuer

crl configure

crypto ca server

cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl

issuer-name CN=ciscoasa

smtp from-address admin@ciscoasa

crypto ca certificate chain LOCAL-CA-SERVER

certificate ca 01

   **hidden**

  quit

crypto ca certificate chain ASDM_TrustPoint0

certificate 10bdec50

    **hidden**

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

client-update enable

telnet 192.168.1.1 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.1.50-192.168.1.99 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1

svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml

svc enable

tunnel-group-list enable

internal-password enable

smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.1.128

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value dental.local

webvpn

  svc modules value vpngina

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

dns-server value 192.168.1.128

vpn-tunnel-protocol l2tp-ipsec

default-domain value dental.local

group-policy DfltGrpPolicy attributes

dns-server value 192.168.1.128

vpn-simultaneous-logins 4

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-lock value RAVPN

split-tunnel-network-list value Local_LAN_Access

default-domain value dental.local

webvpn

  url-list value DentalMarks

  svc modules value vpngina

  svc profiles value dellstudio type user

  svc ask enable default webvpn

  smart-tunnel enable SmartTunnelList

username wketchel1 password 5c5OoeNtCiX6lGih encrypted

username wketchel1 attributes

vpn-group-policy DfltGrpPolicy

webvpn

  svc profiles value DellStudioClientProfile type user

username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15

username wketchel attributes

vpn-group-policy DfltGrpPolicy

webvpn

  svc modules none

  svc profiles value DellStudioClientProfile type user

username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0

username jenniferk attributes

vpn-group-policy DfltGrpPolicy

webvpn

  svc profiles value DellStudioClientProfile type user

tunnel-group DefaultRAGroup general-attributes

address-pool VPNPool

authorization-server-group LOCAL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

tunnel-group RAVPN type remote-access

tunnel-group RAVPN general-attributes

address-pool VPNPool

authorization-server-group LOCAL

tunnel-group RAVPN webvpn-attributes

group-alias RAVPN enable

tunnel-group RAVPN ipsec-attributes

pre-shared-key *****

tunnel-group RAVPN ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

tunnel-group WebSSLVPN type remote-access

tunnel-group WebSSLVPN webvpn-attributes

group-alias WebSSLVPN enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

smtp-server 173.194.64.108

prompt hostname context

hpm topN enable

Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8

: end

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Anyconnect VPN peers cannot ping, RDP each other

Hi,

Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.

I would suggest the following changes

object network VPN-POOL

subnet 10.10.10.0 255.255.255.0

object network LAN

subnet 192.168.1.0 255.255.255.0

object-group network PAT-SOURCE

network-object 192.168.1.0 255.255.255.0

network-object 10.10.10.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

The above should enable

  • Dynamic PAT for LAN and VPN users
  • NAT0 for the traffic between LAN and VPN
  • NAT0 for traffic between VPN users

You could then remove the previous NAT configurations. Naturally please do backup the configuration before doing the change if you wish to move back to the original configuration.

no nat (inside,any) source static any any destination static RAVPN RAVPN

no nat  (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28

no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28

no object network obj_any

no object network RAVPN

In the event that you dont want to change the configurations that much you might be fine just by adding this

object network VPN-POOL

subnet 10.10.10.0 255.255.255.0

nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

But the other above configurations changes would make the current NAT configurations simpler and clearer to see each "nat" configurations purpose.

- Jouni

3 REPLIES
Super Bronze

Re: Anyconnect VPN peers cannot ping, RDP each other

Hi,

Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.

I would suggest the following changes

object network VPN-POOL

subnet 10.10.10.0 255.255.255.0

object network LAN

subnet 192.168.1.0 255.255.255.0

object-group network PAT-SOURCE

network-object 192.168.1.0 255.255.255.0

network-object 10.10.10.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

The above should enable

  • Dynamic PAT for LAN and VPN users
  • NAT0 for the traffic between LAN and VPN
  • NAT0 for traffic between VPN users

You could then remove the previous NAT configurations. Naturally please do backup the configuration before doing the change if you wish to move back to the original configuration.

no nat (inside,any) source static any any destination static RAVPN RAVPN

no nat  (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28

no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28

no object network obj_any

no object network RAVPN

In the event that you dont want to change the configurations that much you might be fine just by adding this

object network VPN-POOL

subnet 10.10.10.0 255.255.255.0

nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

But the other above configurations changes would make the current NAT configurations simpler and clearer to see each "nat" configurations purpose.

- Jouni

New Member

Re:Anyconnect VPN peers cannot ping, RDP each other

I added the lines you recommended and the problem is fixed. Thank you!


Sent from Cisco Technical Support Android App

Super Bronze

Anyconnect VPN peers cannot ping, RDP each other

Hi,

Great to hear its working

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

595
Views
5
Helpful
3
Replies