ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp

Alan Herriman
Level 1

Hello all,

I've been searching all day for a solution to this problem. I set up an SSL AnyConnect VPN on my Cisco ASA 5505. It works well and connects without a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config, so I will as well.

MafSecASA# show run
: Saved
:
ASA Version 8.2(1)
!
hostname MafSecASA
domain-name mafsec.com
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.3.3.2 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.20.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object udp
 protocol-object tcp
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
!
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol svc
 group-lock none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_split_tunnel
 vlan none
 address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
 service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
 address-pool SSLVPNPool2
 default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
 group-alias SSLVPN enable
!
!
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end

Thanks in advance for any help!

3 Replies

Jason Gervia
Cisco Employee

Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs?  I'd try pinging a router or switch just to make sure.

--Jason
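Jason's point is that, without ICMP inspection, the ASA does not pair the echo-reply with the client's echo; the reply is simply a new packet arriving inbound on the interface it enters (here "inside", from the LAN host towards the VPN pool), so it is judged by that interface's inbound ACL alone. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that parses the posted ACL lines, expands the protocol object-groups, and applies ASA first-match semantics with the implicit deny at the end, so you can check which rule (if any) lets the reply through. The hosts 10.4.0.50 and 10.5.0.10 are constructed from the thread's subnets, ports and ICMP types are not evaluated, and the `icmp permit any inside` lines are deliberately ignored because they control ICMP addressed to the ASA itself, not traffic passing through it.

```python
"""Added example (not from the thread): first-match evaluator for ASA
'access-list ... extended' rules.  It expands 'object-group protocol'
references and uses the 'access-group' bindings to pick the ACL that
governs traffic entering an interface.  Ports and ICMP types are not
evaluated; 'icmp permit' lines (to-the-box traffic) are not parsed because
they do not govern through traffic.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple

Rule = Tuple[str, FrozenSet[str], ipaddress.IPv4Network, ipaddress.IPv4Network]

# The ACL lines and bindings quoted from the original post.
SAMPLE_CONFIG = """\
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

# Constructed counter-example: an inside ACL with no ICMP permit.  Without
# 'inspect icmp' the echo-reply is judged by this ACL alone and is dropped.
NO_ICMP_CONFIG = """\
access-list inside_access_in extended permit tcp any any
access-group inside_access_in in interface inside
"""


class AsaAcls:
    """Parses protocol object-groups, extended ACLs and inbound access-group bindings."""

    def __init__(self, config_text: str) -> None:
        self.groups: Dict[str, set] = {}
        self.acls: Dict[str, List[Rule]] = {}
        self.bindings: Dict[str, str] = {}  # interface -> inbound ACL name
        group: Optional[str] = None
        for raw in config_text.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[:2] == ["object-group", "protocol"]:
                group = t[2]
                self.groups[group] = set()
                continue
            if t[0] == "protocol-object" and group is not None:
                self.groups[group].add(t[1])
                continue
            group = None  # any other line ends the object-group block
            if t[0] == "access-list" and len(t) > 3 and t[2] == "extended":
                self.acls.setdefault(t[1], []).append(self._parse_rule(t[3:]))
            elif t[0] == "access-group" and len(t) > 4 and t[2] == "in":
                self.bindings[t[4]] = t[1]

    def _parse_rule(self, t: List[str]) -> Rule:
        action = t[0]
        if t[1] == "object-group":
            protos, i = frozenset(self.groups[t[2]]), 3
        else:
            protos, i = frozenset([t[1]]), 2
        src, i = self._parse_addr(t, i)
        dst, _ = self._parse_addr(t, i)
        return action, protos, src, dst

    @staticmethod
    def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
        if t[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if t[i] == "host":
            return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
        return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

    def permitted(self, iface: str, proto: str, src: str, dst: str) -> bool:
        """First-match evaluation of the inbound ACL on 'iface'; implicit deny at the end."""
        acl_name = self.bindings.get(iface)
        if acl_name is None:
            # No inbound ACL: the ASA falls back to security levels.  The flows
            # checked here go from a higher level (inside, 100) towards a lower
            # one (outside, 0), which is allowed by default.
            return True
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, protos, src_net, dst_net in self.acls.get(acl_name, []):
            if (proto in protos or "ip" in protos) and s in src_net and d in dst_net:
                return action == "permit"
        return False


def echo_reply_reaches_vpn_client(config_text: str) -> bool:
    """Echo-reply from a LAN host to a VPN-pool client, entering on 'inside'.
    The hosts 10.4.0.50 and 10.5.0.10 are constructed from the thread's subnets."""
    return AsaAcls(config_text).permitted("inside", "icmp", "10.4.0.50", "10.5.0.10")


if __name__ == "__main__":
    print("posted config:", echo_reply_reaches_vpn_client(SAMPLE_CONFIG))    # True
    print("no icmp permit:", echo_reply_reaches_vpn_client(NO_ICMP_CONFIG))  # False
```

Run against the posted config the reply is permitted by the very first line (`permit icmp any any`), which is why the config itself looks fine and the next thing to rule out is the host firewall on the Windows PCs; the counter-example shows what the ACL would have to look like for the ASA to be the culprit.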

Hi Jason,

Thanks for the reply. Would that ACL be applied on the outside interface coming in? I guess I'm not exactly sure which interface, or whether the VPN terminates on a specific interface.

Best Regards!

I also tried pinging a switch and client and neither worked. I can ping from the client to the VPN users though and I can ping between clients internally.