cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13136
Views
0
Helpful
12
Replies

ASA 5505 VPN client can't ping inside LAN

darin.miller
Level 1
Level 1

Hello everyone,

I tried to search for an answer to this question but I couldn't find the answer. So here it goes:

I configured the VPN on the ASA, I can get a client to connect to the ASA just fine, however I can't ping any interfaces on the ASA or on the inside LAN. I'm giving VPN clients IP's of 192.168.60.x/24 and the inside network is 192.168.1.x/24. I got this to work the last time I configured an ASA but I forgot all the things I did. I'm sure it's something small. Any help is greatly appreciated.

ASA Version 7.2(4)

!

hostname max

domain-name default.domain.invalid

enable password xxxxxxx encrypted

passwd xxxxx encrypted

names

name 192.168.1.3 Xbox description IP address for Xbox

!

interface Vlan1

description Default internal vlan on max

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

description Internet vlan on max

nameif Internet

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

description DMZ vlan on max

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 10.100.100.1 255.0.0.0

ospf cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service Xbox_port tcp-udp

description TCP-UDP 3074

port-object eq 3074

object-group service Xbox_port_2 udp

description UDP port 88

port-object eq 88

object-group network Internal_Networks

network-object 10.0.0.0 255.255.255.0

network-object 10.1.0.0 255.255.255.0

network-object 172.16.0.0 255.255.255.0

network-object 10.20.0.0 255.255.255.0

network-object 10.30.0.0 255.255.255.0

access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive

access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive

access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive

access-list inside_access_in extended permit ip any any

access-list acl-outside extended permit icmp any any echo-reply

access-list acl-outside extended permit icmp any any unreachable

access-list acl-outside extended permit icmp any any traceroute

access-list acl-outside extended permit icmp any any time-exceeded

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks

access-list nonat extended permit ip any 192.168.60.0 255.255.255.240

access-list Split_Tunnel_List remark The network behind the ASA

access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffer-size 10000

logging buffered critical

logging asdm informational

logging debug-trace

mtu inside 1500

mtu Internet 1500

mtu DMZ 1500

ip local pool VPN_Client_IP_Pool 192.168.60.2-192.168.60.11 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp deny any Internet

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (Internet) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.1.0 255.255.255.0

access-group inside_access_in in interface inside

access-group acl-outside in interface Internet

!

router ospf 1

router-id 192.168.1.1

network 192.168.1.0 255.255.255.0 area 0

log-adj-changes

redistribute static subnets

default-information originate

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map Internet_dyn_map 20 set pfs group1

crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map

crypto map Internet_map interface Internet

crypto isakmp enable Internet

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 76.10.192.197 255.255.255.255 Internet

ssh timeout 30

console timeout 0

dhcpd auto_config Internet

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

tftp-server inside 192.168.1.2 /asaconfig

group-policy darin.personal internal

group-policy xxxxxx attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

default-domain value default.domain.invalid

username xxxxx password xxxxxxx encrypted privilege 0

username xxxxxx attributes

vpn-group-policy xxxxxx

username xxxxx password xxxxxxx encrypted privilege 15

tunnel-group xxxxxx type ipsec-ra

tunnel-group xxxxxx general-attributes

address-pool VPN_Client_IP_Pool

default-group-policy xxxxxxxx

tunnel-group xxxxxxxxx ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

: end

12 Replies 12

ufuk guler
Level 1
Level 1

Hello Darin,

               Could you add below line to your outside acl and test again. Hope it can help you.

access-list acl-outside extended permit icmp any any echo

Ufuk Guler

Hello,

I added the line but it didn't help. Besides, I don't want to enable ping for the entire outside interface but full access to the inside network. I'm beginning to think that I need to set my ASA as the default gateway for VPN clients. It's not defined when I connect.

Hi Darin,

         Could you enable icmp inspection and try it again. Just add "inspect icmp" command under "class inspection_default" section. At the same time i think that you are able to access local resource via vpn, except icmp. isn't it?

policy-map global_policy
    class inspection_default
     inspect icmp

Ufuk Guler

Nope I can't access any inside resources through the VPN at all. Ping, telnet, ssh, nothing. I'm thinking I might need a NAT statement in there somewhere.

Hello,

Can you please post the latest configuration here (x out all the public IP addresses).

Regards,

NT

ASA Version 7.2(4)

!

hostname max

domain-name default.domain.invalid

enable password xxxx encrypted

passwd xxxx encrypted

names

name 192.168.1.3 Xbox description IP address for Xbox

!

interface Vlan1

description Default internal vlan on max

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

description Internet vlan on max

nameif Internet

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

description DMZ vlan on max

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 10.100.100.1 255.0.0.0

ospf cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

banner exec You are logged into Max's firewall

banner login Max's firewall

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service Xbox_port tcp-udp

description TCP-UDP 3074

port-object eq 3074

object-group service Xbox_port_2 udp

description UDP port 88

port-object eq 88

object-group network Internal_Networks

network-object 10.0.0.0 255.255.255.0

network-object 10.1.0.0 255.255.255.0

network-object 172.16.0.0 255.255.255.0

network-object 10.20.0.0 255.255.255.0

network-object 10.30.0.0 255.255.255.0

access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive

access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive

access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive

access-list inside_access_in extended permit ip any any

access-list acl-outside extended permit icmp any any echo-reply

access-list acl-outside extended permit icmp any any unreachable

access-list acl-outside extended permit icmp any any traceroute

access-list acl-outside extended permit icmp any any time-exceeded

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks

access-list Split_Tunnel_List remark The network behind the ASA

access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0

access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks

pager lines 24

logging enable

logging buffer-size 10000

logging buffered critical

logging asdm informational

logging debug-trace

mtu inside 1500

mtu Internet 1500

mtu DMZ 1500

ip local pool VPN_Client_IP_Pool 192.168.60.2-192.168.60.11 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp deny any Internet

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (Internet) 1 interface

nat (inside) 0 access-list nonat-in

nat (inside) 1 192.168.1.0 255.255.255.0

access-group inside_access_in in interface inside

access-group acl-outside in interface Internet

!

router ospf 1

router-id 192.168.1.1

network 192.168.1.0 255.255.255.0 area 0

log-adj-changes

redistribute static subnets

default-information originate

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map Internet_dyn_map 20 set pfs group1

crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map

crypto map Internet_map interface Internet

crypto isakmp enable Internet

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh x.x.x.x 255.255.255.255 Internet

ssh timeout 30

console timeout 0

dhcpd auto_config Internet

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

tftp-server inside 192.168.1.2 /asaconfig

group-policy darin.personal internal

group-policy darin.personal attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list none

default-domain value default.domain.invalid

username darin.miller password xxxx encrypted privilege 0

username darin.miller attributes

vpn-group-policy darin.personal

username darin password xxxx encrypted privilege 15

tunnel-group darin.personal type ipsec-ra

tunnel-group darin.personal general-attributes

address-pool VPN_Client_IP_Pool

default-group-policy darin.personal

tunnel-group darin.personal ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxxx

: end

Hello,

You are correct. The nonat rule is incorrect. Please add the following

lines:

access-list nonat-in extended permit ip object-group Internal_Networks 192.168.60.0 255.255.255.0

access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0

management-access inside

Hope this helps.

Regards,

NT

Message was edited by: Nagaraja Thanthry

-

Nope, didn't work. I was able to connect, and this time my VPN-client's ipconfig listed 192.168.60.1 as the default gateway.

What I need is to be able to have my home LAN (192.168.1.0/24) the Secured Route and everything else goes through my local LAN.

I reset everything to the original way I had it and ran a packet trace:

max# pac input internet icmp 192.168.60.2 0 8 192.168.1.2 det

Phase: 1

Type: CP-PUNT

Subtype: l2-selective

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x39d6bf8, priority=12, domain=punt, deny=false

        hits=12667, user_data=0x4299570, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x39f1fa0, priority=1, domain=permit, deny=false

        hits=6376931, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.1.0     255.255.255.0   inside

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group acl-outside in interface Internet

access-list acl-outside extended permit icmp any any echo-reply

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x3a793e8, priority=12, domain=permit, deny=false

        hits=6, user_data=0x3a78038, cs_id=0x0, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x39f4828, priority=0, domain=permit-ip-option, deny=true

        hits=12341, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x42a06e0, priority=79, domain=punt, deny=true

        hits=9, user_data=0x3637180, cs_id=0x0, flags=0x0, protocol=0

        src ip=192.168.60.2, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x3a6f5d8, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=9, user_data=0x7d1d6c, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.60.2, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x39f3ba0, priority=66, domain=inspect-icmp-error, deny=false

        hits=75, user_data=0x39f3ad0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x41892e0, priority=0, domain=host-limit, deny=false

        hits=55, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

  match ip inside 192.168.1.0 255.255.255.0 Internet any

    dynamic translation to pool 1 (75.187.60.114 [Interface PAT])

    translate_hits = 46, untranslate_hits = 1

Additional Information:

Forward Flow based lookup yields rule:

out id=0x4256e30, priority=1, domain=nat-reverse, deny=false

        hits=53, user_data=0x4256c90, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0

Result:

input-interface: Internet

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

OK check this out. I got my hands on a previous config I did for a customer. I found out that IT WAS a NAT statement that was missing, so I added these 3 statements:

nat (inside) 0 access-list LAN_nat0_outbound

access-list LAN_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0

access-list LAN_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

So, now VPN clients can ping the 192.168.1.0/24 internal network and vice versa, but VPN clients still can't telnet into devices in the 192.168.1.0/24 subnet. I'm guessing PAT is needed but where?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: