Cannot ping Cisco ASA Inside interface using anyconnect

ahmed-ejaz — Fri, 21 Feb 2020 14:18:03 GMT

Hi,

I am configuring Cisco ASA 5505 for Anyconnect VPN, the VPN is working fine and I can access the local network 192.168.222.0 through the VPN but for some reason I cannot ping the inside interface of the firewall or open ASDM through the VPN, I can ping and access other hosts on the same subnet. The VPN subnet is 10.100.1.0/24.

ASA Version 9.2(4)13
!
terminal width 511
hostname xxxxx
domain-name uk.mazars.com
enable password xxxxx
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool SSL_VPN_POOL 10.100.1.100-10.100.1.150 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 717
!
interface Ethernet0/3
switchport access vlan 717
!
interface Ethernet0/4
switchport access vlan 717
!
interface Ethernet0/5
switchport access vlan 717
!
interface Ethernet0/6
switchport access vlan 717
!
interface Ethernet0/7
switchport access vlan 717
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 81.138.182.1 255.255.255.248
!
interface Vlan717
nameif inside
security-level 100
ip address 192.168.222.1 255.255.255.0
!
banner login Access permited Only to Authorised Users!! If you are not an authorised user disconnect now!
banner motd Authorised Access Only!!!
boot system disk0:/asa924-13-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name uk.mazars.com
object network PTSRV00
host 192.168.222.1xx
object network RDPtoPTSRV00
host 192.168.222.1xxx
object network RDPtoPTSRV01
host 192.168.222.xxx
object network SSHtoPTSRV02
host 192.168.222.xxx
object network PTSRV01
host 192.168.222.xxx
object network PTSRV02
host 192.168.222.xxx
object network SSHtoINSRV01
host 192.168.222.xxx
object network INSRV01
host 192.168.222.xxx
object network Router-INTERNAL
host 192.168.222.1
object network tmp_xxxxSRV01
host 192.168.222.20
object network NETWORK_OBJ_10.100.1.0_24
subnet 10.100.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object host 8.8.4.4
network-object host 8.8.8.8
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit tcp any object PTSRV00 eq xxx
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit tcp any object PTSRV01 eq xxx
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit tcp any object PTSRV02 eq xxx
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit tcp any object INSRV01 eq xxx
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit tcp any object PTSRV01 eq xxx
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB remark VPN Allow ALL
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit ip object NETWORK_OBJ_10.100.1.0_24 any
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended permit ip object-group DM_INLINE_NETWORK_1 192.168.222.0 255.255.255.0
access-list ALLOW_EXTERNAL_ACCESS_TO_LAB extended deny ip any any
access-list ALLOW_LAB extended permit ip any any
access-list SecurityLabLAN standard permit 192.168.222.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list SPLIT_TUNNEL extended permit ip 10.100.1.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm warnings
logging device-id string CYBER-SEC-FW
logging host inside xxxxx
logging permit-hostdown
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.100.1.0_24 NETWORK_OBJ_10.100.1.0_24 no-proxy-arp route-lookup
!
object network RDPtoPTSRV00
nat (inside,outside) static interface service tcp 3389 50010
object network RDPtoPTSRV01
nat (inside,outside) static interface service tcp 3389 50020
object network SSHtoPTSRV02
nat (inside,outside) static interface service tcp ssh 50021
object network SSHtoINSRV01
nat (inside,outside) static interface service tcp ssh 50030
object network tmp_50044toPTSRV01
nat (inside,outside) static interface service tcp 4444 50044
!
nat (inside,outside) after-auto source dynamic any interface
access-group ALLOW_EXTERNAL_ACCESS_TO_LAB in interface outside
access-group ALLOW_LAB in interface inside
route outside 0.0.0.0 0.0.0.0 81.138.182.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.222.0 255.255.255.0 inside
http 10.100.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
auth-prompt prompt Authorised User Access Only!! If you are not an Authorised user disconnect now
auth-prompt accept Logged on Successfully
auth-prompt reject Logon Unsuccessful
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
subject-name CN=CYBER-SEC-FW
keypair ASDM_LAUNCHER
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
subject-name CN=CYBER-SEC-FW
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate 85f58557
30820260 308201c9 a0030201 02020485 f5855730 0d06092a 864886f7 0d010105
05003042 31153013 06035504 03130c43 59424552 2d534543 2d465731 29302706
092a8648 86f70d01 0902161a 43594245 522d5345 432d4657 2e756b2e 6d617a61
72732e63 6f6d301e 170d3136 30383135 31333239 32365a17 0d323630 38313331
33323932 365a3042 31153013 06035504 03130c43 59424552 2d534543 2d465731
29302706 092a8648 86f70d01 0902161a 43594245 522d5345 432d4657 2e756b2e
6d617a61 72732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 818100d3 b559592f 505ed21f 37da941d 4105261f c5a40e20 c323a5e2
7891e848 1ae722ae 3b1d5e5a 6ddc00e1 915c63d9 105f9fbe 4bae8d93 bca26a26
5246c7aa 9b47c3e5 2e7026cf 9fe5a646 88d7092e 947c3b8e 558ad81b 82bba1bd
edd85a93 ec2a7d10 7e69ceb7 711dae99 80138ad9 5b35dae0 5ba1e97b 7ac664fa
81d51448 ffebf502 03010001 a3633061 300f0603 551d1301 01ff0405 30030101
ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 8014d795
7b49548c e9fca72e 43f077d1 cb11a58f 16e6301d 0603551d 0e041604 14d7957b
49548ce9 fca72e43 f077d1cb 11a58f16 e6300d06 092a8648 86f70d01 01050500
03818100 722f4bc9 5aebe3f7 30e50ea2 43b86ca0 cbd5d8ca 0ebb09f0 ebf709d5
3f7c8c7c 80d960d9 37405ef3 296f2fc2 df60a131 e38d07e3 6a75c9d6 569d9625
4a19d703 19e9dbb9 283dc296 1c116f09 0ccf0f7a c1482fd9 55e9a16f cc5f2a80
a2467d73 9ee9cec6 2715e26f dea46a46 a33df861 e846167f 83ac34a1 f5a4e28e
ed6a5785
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate 1b70b659
30820300 308201e8 a0030201 0202041b 70b65930 0d06092a 864886f7 0d010105
05003042 31153013 06035504 03130c43 59424552 2d534543 2d465731 29302706
092a8648 86f70d01 0902161a 43594245 522d5345 432d4657 2e756b2e 6d617a61
72732e63 6f6d301e 170d3137 30393133 31303131 30305a17 0d323730 39313131
30313130 305a3042 31153013 06035504 03130c43 59424552 2d534543 2d465731
29302706 092a8648 86f70d01 0902161a 43594245 522d5345 432d4657 2e756b2e
6d617a61 72732e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201
0f003082 010a0282 01010099 ffc593b2 ba1cd45f 8f64a511 a7928927 f6b0d085
390b5139 0369be84 b81ede93 bbc71c34 cbb260a1 5080fdc3 2148f7b8 eb12cbc3
1eb38a7d 65b8654a 11ada1cb 73cfc4b7 2a566190 fcbc362a 44f893ea b3a09ee0
020d04b5 3546aef8 d6fc0923 17f00be7 8a21a93d 3e3edef4 14e7e1e1 c6d7f420
7165293b 552defe3 827a2e4b 92680a22 4867615c da9ad85c 8a4a5f59 42456ffd
83e8398b 9c2c001b bb67e6af b41c23fa 7b475323 76bc4f75 4ad264e3 65da36ce
8c3cde62 89107093 00222419 05783b49 d8db4d24 9d02c699 dba0bd9c c123d416
13e1ff48 211c6f3e 67aae8c4 8f406911 6a83fa22 42b1ffb4 80978755 8d8b5595
18a1d8ce 420118ff dd0ffd02 03010001 300d0609 2a864886 f70d0101 05050003
82010100 7f9f3ebb e212578d 22b78101 8cba6159 d734620c 7d6b40b5 44ec3879
45cb6ed3 d2fb03ef ad4d10f5 c9719d5a 3feddbf8 b4d4546b 9faffb43 10b511ec
1263b527 5367a53c baa6a8a8 c352b365 49bccd36 6272d502 528ac1dd 562ccce5
53b73311 74df1d2a 5598d919 a424fe5a 30b5a2fb 12698486 65975442 8c4923d9
caf08cdb 8f27eb37 1021abd8 b74ec2ed 02ad9b96 55ed1c5b 223b6953 02d476fb
20c39de9 e1eebf2c 3a45033c 3178c086 3d5f0393 5a16411a 97533d4d 2e0d34b2
803acad7 4db79a12 b8fa7364 b92d932e 6bcf06ec 4077b7de 38f3e683 fd64b0ae
fb10bfc6 ab26159b 7a5fdf40 eb1a35a2 4f239e59 5ffb42d0 1336589b 041d7856
5fec32e1
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.222.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
no ipv6-vpn-addr-assign aaa

dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.222.150-192.168.222.250 inside
dhcpd enable inside
!
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 143.210.16.201 source outside prefer
ssl trust-point ASDM_TrustPoint2 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_ANYCONNECT_VPN internal
group-policy GroupPolicy_ANYCONNECT_VPN attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain value uk.mazars.com
xxxxxxxxx

xxxxxxxx
tunnel-group ANYCONNECT_VPN type remote-access
tunnel-group ANYCONNECT_VPN general-attributes
address-pool SSL_VPN_POOL
default-group-policy GroupPolicy_ANYCONNECT_VPN
tunnel-group ANYCONNECT_VPN webvpn-attributes
group-alias ANYCONNECT_VPN enable
!
!
!
policy-map global_policy
class class-default
user-statistics accounting
inspect icmp
!
service-policy global_policy global
prompt hostname context

Re: Cannot ping Cisco ASA Inside interface using anyconnect

Spooster IT Services — Wed, 13 Sep 2017 17:01:33 GMT

Hi Ahmed,

Add the following commands

management-access inside

http 10.100.1.0 255.255.255.0 inside

ssh 10.100.1.0 255.255.255.0 inside

Re: Cannot ping Cisco ASA Inside interface using anyconnect

ahmed-ejaz — Fri, 15 Sep 2017 09:08:00 GMT

Hi,

I got it working in the end applying the same command which was indeed missing. Thank you so much, spot on.

Regards,

Ahmed

topic Cannot ping Cisco ASA Inside interface using anyconnect in Network Security

Cannot ping Cisco ASA Inside interface using anyconnect

Re: Cannot ping Cisco ASA Inside interface using anyconnect

Re: Cannot ping Cisco ASA Inside interface using anyconnect