Need help experts - VPN 5505 and pat

shaun.connor
Level 1

I have an ASA 5505 set up with a single IP address. I need to do PAT for my internal web server and also need to support SSL VPN with the AnyConnect client. I can get the connection working, but I cannot ping from my VPN pool to my internal addresses. I have tried everything, any ideas??

I have this set up in the lab right now with the following config:

external ip 192.168.1.10

Internal IP is 192.168.5.10

VPN pool is 192.168.30.10-20

I can ping from 192.168.5.16 to 192.168.30.10, but I cannot ping from 192.168.30.10 to 192.168.5.16

Here is my config; any help is appreciated.

ASA Version 8.2(2)
!
hostname ciscoasa
enable password fYGjIZ.r.8FYvTjF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp 192.168.30.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging console errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.30.10-192.168.30.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.14-192.168.5.45 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn
port 5000
enable outside
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username sconnor password NTX.dtr/jCYdHIag encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
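An added example, not from the original thread: a small offline checker that reads the three configuration lines this setup depends on (the `nonat` ACL, the `ip local pool`, and `nat (inside) 0 access-list`) and reports any VPN pool address that the NAT-exemption ACL does not cover. The function names and the trimmed sample config are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the lines from the thread's "show run" that govern NAT exemption.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.30.0 255.255.255.0
ip local pool VPN_Pool 192.168.30.10-192.168.30.50 mask 255.255.255.0
nat (inside) 0 access-list nonat
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse_pools(config):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools

def parse_aces(config):
    """Map ACL name -> list of (src_network, dst_network) for 'permit ip' entries."""
    aces = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            # ASA 8.2 ACLs use dotted netmasks; ipaddress accepts "addr/netmask".
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            aces.setdefault(m.group(1), []).append((src, dst))
    return aces

def nat_exempt_acls(config):
    """Map interface -> ACL name bound with 'nat (<if>) 0 access-list <acl>'."""
    return {m.group(1): m.group(2) for m in
            (NAT0_RE.match(line.strip()) for line in config.splitlines()) if m}

def uncovered_pool_addresses(config, pool_name, interface="inside"):
    """Pool addresses that no ACE in the interface's NAT-exemption ACL names as a
    destination. Empty list: the whole pool is exempt, as in the posted config."""
    first, last = parse_pools(config)[pool_name]
    acl = nat_exempt_acls(config).get(interface)
    aces = parse_aces(config).get(acl, []) if acl else []
    return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)
            if not any(ipaddress.ip_address(n) in dst for _, dst in aces)]
```

Run it against the full running config to confirm the pool is exempt before looking elsewhere (host firewall, interface ACLs) for the missing echo replies.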

2 Replies

Jennifer Halim
Cisco Employee

Based on the configuration, the VPN client should be able to ping the internal host.

You might want to check if there is any personal firewall on the internal host that might be blocking inbound ping from a different subnet (normally that is the issue).

You can add the following command:

management-access inside

Then try to ping the ASA inside interface 192.168.5.10 from the VPN client. If that works just fine, then you might want to check your internal host itself, or try to see if you can ping any other 192.168.5.x hosts (please make sure that you disable the personal firewall, which normally is the culprit).

Hope that helps.

Thanks for the reply, I will check that. I have turned on the management interface and I can ping that on the 192.168.5.1 network.