Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco asa 5510 vpn config not able to ping internal network

Hi,

     we tring to configure clinet vpn from vpn client am able to login vpn with username and password it's taking ip from my ip pool but the firewall ip and other ip in my inside network are not ping and also not able to access the intside network.

Kindly find my configuration

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ============= encrypted
passwd ============ encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 115.119.XX.XXX 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 128.83.0.3 255.255.0.0
!
interface Ethernet0/2
nameif local
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
object-group service Lotusserver tcp
port-object range 1532 1532
port-object eq www
object-group service SIPSERVICE tcp
port-object eq sip
port-object range sip sip
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 115.119.XX.XXX
access-list outside_access_in extended permit tcp any host 115.119.XX.XXX
access-list outside_access_in extended permit udp any host 115.119.XX.XXX
access-list outside_access_in extended permit icmp any host 115.119.XX.XXX
access-list outside_access_in extended permit tcp host 202.54.112.194 host 115.119.XX.XXX eq sip
access-list outside_access_in extended permit ip any host 115.119.XX.XXX
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 128.83.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list local_access_in extended permit ip any any
access-list local_access_in extended permit tcp 192.168.100.0 255.255.255.0 any

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 128.83.0.0 255.255.255.0
access-list nonat extended permit ip 128.83.0.0 255.255.255.0 128.83.0.0 255.255.255.0
access-list nonat extended permit ip 128.83.0.0 255.255.0.0 128.83.0.128 255.255.255.128
access-list nonat extended permit ip interface inside 128.83.0.128 255.255.255.128

access-list capout extended permit ip host 115.119.XX.XXX host 202.54.112.194
access-list capout extended permit ip host 202.54.112.194 host 115.119.XX.XXX
access-list capin extended permit ip host 192.168.100.100 host 202.54.112.194
access-list capin extended permit ip host 202.54.112.194 host 192.168.100.100

access-list VPNTUNNEL_splitTunnelAcl remark any
access-list VPNTUNNEL_splitTunnelAcl standard permit 128.83.0.0 255.255.0.0

pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap debugging
logging asdm informational
logging facility 16
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu local 1500
mtu management 1500

ip local pool vpnip 128.83.0.181-128.83.0.230 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 115.119.26.186
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (local) 2 0.0.0.0 0.0.0.0
static (inside,outside) 115.119.XX.XXX 128.83.0.100 netmask 255.255.255.255
static (inside,outside) 115.119.XX.XXX 128.83.0.253 netmask 255.255.255.255
static (local,outside) 115.119.XX.XXX 192.168.100.100 netmask 255.255.255.255

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group local_access_in in interface local

route outside 0.0.0.0 0.0.0.0 115.119.26.177 1

route inside 10.32.32.0 255.255.255.0 128.83.0.254 1
route inside 10.32.36.0 255.255.255.0 128.83.0.254 1
route inside 172.21.0.0 255.255.255.0 128.83.0.254 1
route inside 172.200.0.0 255.255.255.0 128.83.0.254 1
route inside 192.168.20.0 255.255.255.0 128.83.0.254 1
route inside 206.156.1.0 255.255.255.0 128.83.0.254 1
route inside 206.156.100.0 255.255.255.0 128.83.0.254 1
route inside 128.2.0.0 255.255.0.0 128.83.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-server (inside) vendor websense host 64.233.161.83 timeout 30 protocol UDP version 4
aaa authentication http console LOCAL
http server enable
http 110.234.147.237 255.255.255.255 outside
http 110.234.147.234 255.255.255.255 outside
http 203.101.43.88 255.255.255.255 outside
http 128.83.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 110.234.147.237 255.255.255.255 outside
telnet 110.234.147.234 255.255.255.255 outside
telnet 128.83.0.0 255.255.0.0 inside
telnet timeout 5
ssh 203.101.43.88 255.255.255.255 outside
ssh 203.101.43.118 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
group-policy volexvpn internal
group-policy volexvpn attributes
dns-server value 121.242.190.180 121.242.190.211
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNTUNNEL_splitTunnelAcl

username volex password XXXXXXXXXXX encrypted privilege 0
username volex attributes
vpn-group-policy volexvpn
username cisco password XXXXXXXXXX encrypted
tunnel-group volexvpn type ipsec-ra
tunnel-group volexvpn general-attributes
address-pool vpnip
default-group-policy volexvpn
tunnel-group volexvpn ipsec-attributes
pre-shared-key *
tunnel-group-map default-group volax
!
class-map sip_traffic
match port tcp eq sip
class-map inspection
!
!
policy-map global_policy
class inspection
  inspect sip
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect ftp

KINDLY SUGGEST WHAT MISTAKE I DONE

Everyone's tags (4)
1 REPLY

Re: Cisco asa 5510 vpn config not able to ping internal network

Hi,

Not sure why you're using a public IP range for the VPN pool.

Change it to be a private IP.

Also include the commands:

management-access inside

crypto isakmp nat-t

And check if you can PING the inside IP of the ASA.

Also try to PING the internal LAN, make sure the default gateway is the ASA and check if you see packets encrypted/decrypted with ''sh cry ips sa''

Federico.

2299
Views
0
Helpful
1
Replies
CreatePlease to create content