Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN user authenticated but cannot ping inside interface

Not very experienced with Cisco and I'm trying to configure an ASA 5520 for remote access VPN.

We currently have a pair of PIX 515e's that are being replaced and I've been cheating off of their config a bit. I have the ASA here in the office and I am trying to get as much configuration done as possible before we move it into production. At the office we are behind a cable modem and the IP of that device is set as the the default route in my ASA when I do my testing.

When it's time to test I connect the cable modem to the outside interface and my laptop to the inside interface and begin testing.

I authenticate and connect with the VPN client and I can ping my laptop that I have connected directly to the inside interface on the ASA but I am unable to ping the inside interface. The log shows a build-up and and tear-down of the ICMP requests but the I still get no response on the vpn client side. It seems like the traffic isn't making it back out to the VPN tunnel.

Any help that anyone could give would be very much appreciated.

: Saved

:

ASA Version 7.0(8)

!

hostname FW-Primary

domain-name viapeople.com

enable password xxxxxxxxx encrypted

passwd xxxxxxxx encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 173.12.54.189 255.255.255.252

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

<--- More --->

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit intra-interface

access-list ciscoclient extended permit ip 10.0.0.0 255.0.0.0 any

access-list PERMIT_IN extended permit tcp any host 66.150.232.166 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.166 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq smtp

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq pop3

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq 8484

access-list PERMIT_IN extended permit tcp any host 66.150.232.167 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.167 eq www

access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.169 eq 990

access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.166 eq 990

access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.167 eq 990

access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.167 range 25025 25030

access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.166 range 25025 25030

access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.169 range 25025 25030

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq 990

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 range 25025 25050

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq ssh

access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq 2021

access-list PERMIT_IN extended permit tcp any host 66.150.232.172 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.176 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.176 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.177 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.177 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq smtp

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq pop3

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq 8484

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq 990

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 range 25025 25050

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq ssh

access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq 2021

access-list PERMIT_IN extended permit tcp any host 66.150.232.179 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.179 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.180 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq smtp

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq pop3

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq imap4

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 993

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 8484

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 range 25025 25050

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq ssh

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 2021

access-list PERMIT_IN extended permit tcp any host 66.150.232.181 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.181 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.182 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.182 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.183 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.183 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 135

access-list PERMIT_IN extended permit tcp any host 66.150.232.184 eq https

access-list PERMIT_IN extended permit tcp any host 66.150.232.184 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.180 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.185 eq www

access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 587

access-list PERMIT_IN extended permit ip any host 66.150.232.171

access-list PERMIT_IN extended permit esp any any

access-list PERMIT_IN extended permit udp any any eq isakmp

access-list PERMIT_IN extended permit icmp any any

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0

pager lines 24

logging enable

logging trap informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0

no failover

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-508.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 66.150.232.168 10.0.0.3 netmask 255.255.255.255

static (inside,outside) 66.150.232.172 10.0.0.7 netmask 255.255.255.255

static (inside,outside) 66.150.232.169 10.0.0.6 netmask 255.255.255.255

static (inside,outside) 66.150.232.179 10.0.0.52 netmask 255.255.255.255

static (inside,outside) 66.150.232.173 10.0.0.13 netmask 255.255.255.255

static (inside,outside) 66.150.232.190 10.0.0.8 netmask 255.255.255.255

static (inside,outside) 66.150.232.177 10.0.0.22 netmask 255.255.255.255

static (inside,outside) 66.150.232.182 10.0.0.21 netmask 255.255.255.255

static (inside,outside) 66.150.232.176 10.0.0.23 netmask 255.255.255.255

static (inside,outside) 66.150.232.183 10.0.0.100 netmask 255.255.255.255

static (inside,outside) 66.150.232.181 10.0.0.26 netmask 255.255.255.255

static (inside,outside) 66.150.232.184 10.0.0.27 netmask 255.255.255.255

static (inside,outside) 66.150.232.180 10.0.0.11 netmask 255.255.255.255

static (inside,outside) 66.150.232.185 10.0.0.14 netmask 255.255.255.255

static (inside,outside) 66.150.232.167 10.0.0.28 netmask 255.255.255.255

static (inside,outside) 66.150.232.166 10.0.0.29 netmask 255.255.255.255

access-group PERMIT_IN in interface outside

route outside 0.0.0.0 0.0.0.0 173.12.54.190 1

route inside 10.0.0.0 255.255.0.0 10.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 20

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ciscoclient

default-domain none

split-dns none

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

client-firewall none

client-access-rule none

webvpn

functions url-entry

port-forward-name value Application Access

group-policy ciscoclient internal

group-policy ciscoclient attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ciscoclient

webvpn

username xxxxxxxx password xxxxxxxxxxxxx encrypted privilege 0

username xxxxxxxx attributes

vpn-group-policy ciscoclient

webvpn

http server enable

http 10.0.0.0 255.255.255.0 inside

http 10.0.5.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

isakmp ipsec-over-tcp port 10000

tunnel-group DefaultRAGroup general-attributes

authentication-server-group none

tunnel-group ciscoclient type ipsec-ra

tunnel-group ciscoclient general-attributes

address-pool vpnpool

authentication-server-group none

default-group-policy ciscoclient

tunnel-group ciscoclient ipsec-attributes

pre-shared-key *

telnet 10.0.0.0 255.255.255.0 inside

telnet 10.0.5.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:d535896783757491dc98bed2232b2834

: end

2 REPLIES
Cisco Employee

Re: VPN user authenticated but cannot ping inside interface

Configure "management-access inside" then you can access/ping the inside interface over a vpn tunnel.

Without this command you can only access the inside interface from the inside.

Note, apart from ping this will also enable you to telnet to the inside interface over the tunnel, and use ASDM.

hth

Herbert

New Member

Re: VPN user authenticated but cannot ping inside interface

Glancing back at the PIX config I do see that on there.

You've probably solved it. I will test later tonight and confirm!

477
Views
0
Helpful
2
Replies
CreatePlease to create content