topic Re: Unable to ping across VPN Tunnel in Network Security

Unable to ping across VPN Tunnel

jf1134 — Thu, 29 Jul 2021 14:40:00 GMT

The have a site-to-site VPN up and passing traffic on my ASA. I can RDP from one site to the other but if I do a ping, I get no replies.

I assume it's something on the ASA that's blocking it but I just don't know what it is.

Any help would be great

Re: Unable to ping across VPN Tunnel

balaji.bandi — Thu, 29 Jul 2021 15:01:18 GMT

Do you have ICMP allowed ? by nature FW Drop ICMP. or end host has FW where you pinging.

check this ICMP rule like example : ( also hope you have inspect icmp)

access-list Outside_access_in extended permit icmp any any

Re: Unable to ping across VPN Tunnel

jf1134 — Thu, 29 Jul 2021 15:07:38 GMT

Yeah I have these two rules

access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any

Re: Unable to ping across VPN Tunnel

balaji.bandi — Thu, 29 Jul 2021 15:42:18 GMT

is this allowed both the sides ? if yes

Then you need to troubleshoot, ping continous with ping -t and observe the logs in FW see where it dropping,

packet tracer is good, but i like to live traffic than simulation.

Re: Unable to ping across VPN Tunnel

jf1134 — Thu, 29 Jul 2021 15:45:51 GMT

Yeah I tried packet tracer with a continuous ping running and it comes back good

Re: Unable to ping across VPN Tunnel

Marvin Rhoads — Thu, 29 Jul 2021 17:15:28 GMT

As @balaji.bandi noted, please also check for "inspect icmp" in your policy-map.

Re: Unable to ping across VPN Tunnel

balaji.bandi — Thu, 29 Jul 2021 18:26:12 GMT

You need to check both the side Logs, May be one side leaving is this allowed other side ?

Re: Unable to ping across VPN Tunnel

paul driver — Thu, 29 Jul 2021 18:52:23 GMT

Hello
By default ASA global security policy denys icmp from originating from a lower level interface to a higher level interface, so in this case when you initiate icmp from one asa to another the returning echo-reply will be denied, So to alow this you can append a access-list as already stated or allow inspection through the global policy of the asa

example:

policy-map global_policy
class inspection_default
inspect icmp

Re: Unable to ping across VPN Tunnel

jf1134 — Thu, 29 Jul 2021 19:07:45 GMT

So I added this and still seeing the same thing

policy-map global_policy
class inspection_default
inspect icmp

Re: Unable to ping across VPN Tunnel

jf1134 — Thu, 29 Jul 2021 19:09:28 GMT

Here is my config.. Maybe there is something else that I am missing

ALX-Backup# sh run
: Saved
:
: Serial Number: JMX1210L1E7
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)32
!
hostname ALX-Backup
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 172.16.0.0 AustinCorporate
name 10.5.0.0 Ashburn
name 172.16.128.0 ASIAlex
name 10.40.3.4 ONRTS1
dns-guard
ip local pool VPN_Users 172.17.7.2-172.17.7.254 mask 255.255.255.0
!
interface Ethernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 50.x.x.x 255.255.255.0
!
interface Ethernet0/1
speed 1000
duplex full
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
no nameif
security-level 100
ip address 10.10.254.1 255.255.255.0
!
interface Ethernet0/3
duplex full
nameif inside
security-level 100
ip address 172.16.128.2 255.255.128.0
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
boot system disk0:/asa917-21-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
name-server 10.250.2.10
name-server 10.250.2.11
same-security-traffic permit intra-interface
object network AustinCorporate
subnet 172.16.0.0 255.255.128.0
object network ASIAlex
subnet 172.16.128.0 255.255.128.0
object network obj-10.4.8.0
subnet 10.4.8.0 255.255.255.192
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 0.us.pool.ntp.org
host 129.250.35.251
object network 1.us.pool.ntp.org
host 208.53.158.34
object network 2.us.pool.ntp.org
host 173.255.246.13
object network 3.us.pool.ntp.org
host 169.237.206.190
object network time.windows.com
host 104.41.150.68
object network NETWORK_OBJ_172.16.0.0_17
subnet 172.16.0.0 255.255.128.0
object network AusOnrvpn-172.17.0.0
subnet 172.17.0.0 255.255.128.0
object network OnrAusvpn-10.41.0.0
subnet 10.41.0.0 255.255.0.0
object service Debug
service tcp destination range 4020 4022
description Debug
object network AzureASIUS-10.100.13.0
subnet 10.100.13.0 255.255.255.0
object network NETWORK_OBJ_172.16.128.0
host 172.16.128.0
object network NETWORK_OBJ_172.16.128.0_17
subnet 172.16.128.0 255.255.128.0
object network ASI_VPN-172.17.7.0
subnet 172.17.7.0 255.255.255.0
description VPN Network
object network Duo
host 54.241.191.167
object network Azure_Network
subnet 10.250.0.0 255.255.0.0
object network ASIVPN
subnet 172.17.7.0 255.255.255.0
object network obj-inside
subnet 172.16.0.0 255.255.128.0
object network 172.16.10.115
host 172.16.10.115
object network 172.16.10.123
host 172.16.10.123
object network 172.16.10.170
host 172.16.10.170
object network 172.16.10.179
host 172.16.10.179
object network 172.16.10.232
host 172.16.10.232
object network 172.16.10.186
host 172.16.10.186
object network AnyConnect
subnet 10.10.0.0 255.255.0.0
object network Azure_Client_VPN
subnet 10.201.1.0 255.255.255.0
object network inside-subnet
subnet 172.16.128.0 255.255.128.0
object network NETWORK_OBJ_172.16.0.0
host 172.16.0.0
object network 10.99.250.0
subnet 10.99.250.0 255.255.255.240
object network 10.160.0.0
subnet 10.160.0.0 255.255.0.0
object-group network Threat_Detect
description Threat_Detect
network-object object 172.16.10.115
network-object object 172.16.10.123
network-object object 172.16.10.170
network-object object 172.16.10.179
network-object object 172.16.10.232
network-object object 172.16.10.186
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
object-group network obj-us.pool.ntp.org
description server IP addresses for us.pool.ntp.org
network-object object 0.us.pool.ntp.org
network-object object 1.us.pool.ntp.org
network-object object 2.us.pool.ntp.org
network-object object 3.us.pool.ntp.org
network-object object time.windows.com
object-group network AzureVPN-Network
description Azure-Virtual-Networks
network-object 10.0.1.0 255.255.255.0
object-group network AzureVPN
description Azure-VPN-Networks
network-object 10.0.1.0 255.255.255.0
object-group network AzureNetworks
description Azure-Virtual-Networks
network-object 10.250.0.0 255.255.0.0
network-object 10.99.250.0 255.255.255.240
network-object object 10.160.0.0
object-group network OnpremisesNetworks
description Onpremises-Networks
network-object Ashburn 255.255.0.0
object-group network DM_INLINE_NETWORK_1
network-object object AnyConnect
network-object object Azure_Client_VPN
network-object object Azure_Network
object-group network DM_INLINE_NETWORK_2
network-object host AustinCorporate
network-object object ASI_VPN-172.17.7.0
object-group network DM_INLINE_NETWORK_3
network-object object AnyConnect
group-object AzureNetworks
object-group network DM_INLINE_NETWORK_4
network-object AustinCorporate 255.255.128.0
network-object object AnyConnect
access-list inside_outbound_nat0_acl extended permit ip any object ASI_VPN-172.17.7.0
access-list inside_outbound_nat0_acl extended permit ip any 172.16.128.0 255.255.128.0
access-list inside_outbound_nat0_acl extended permit ip any 10.250.0.0 255.255.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.40.0.0 255.255.0.0
access-list VPN_Split standard permit 172.16.128.0 255.255.128.0
access-list VPN_Split standard permit 172.16.0.0 255.255.128.0
access-list VPN_Split standard permit 10.250.0.0 255.255.0.0
access-list VPN_Split standard permit 172.17.7.0 255.255.255.0
access-list Onramp_vpn_splitTunnelAcl standard permit 10.5.0.0 255.255.0.0
access-list Onramp_vpn_splitTunnelAcl standard permit 172.16.128.0 255.255.128.0
access-list Onramp_vpn_splitTunnelAcl standard permit 172.16.0.0 255.255.128.0
access-list Onramp_vpn_splitTunnelAcl standard permit 10.250.0.0 255.255.0.0
access-list Onramp_vpn_splitTunnelAcl standard permit 10.40.0.0 255.255.0.0
access-list Onramp_vpn_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list global_mpc extended deny tcp any4 any4
access-list outside_access_in remark blocking because of RDP Guard and security log info
access-list outside_access_in extended deny ip object-group Blocked_IPs any4
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended deny ip any4 any4
access-list outside_access_in remark blocking because of RDP Guard and security log info
access-list outside_access_in remark OnRamp terminal server
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any object-group obj-us.pool.ntp.org eq ntp inactive
access-list inside_access_in extended permit ip any object-group AzureNetworks
access-list inside_access_in extended permit ip any 172.17.7.0 255.255.255.0
access-list inside_access_in extended permit ip any 10.250.0.0 255.255.0.0 inactive
access-list inside_access_in extended deny udp any 207.200.46.224 255.255.255.224 eq ntp inactive
access-list inside_access_in extended permit ip any4 any4
access-list inside_access_in_1 extended permit ip any object AustinCorporate
access-list inside_access_in_1 extended permit ip any object-group AzureNetworks
access-list inside_access_in_1 extended permit ip any object AnyConnect
access-list inside_access_in_1 extended permit ip any object ASI_VPN-172.17.7.0
access-list inside_access_in_1 extended permit icmp any any inactive
access-list inside_access_in_1 extended permit ip any any
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.128.0 object-group DM_INLINE_NETWORK_1 inactive
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.128.0 object-group DM_INLINE_NETWORK_2 inactive
access-list outside_access_in_1 extended permit ip any any
access-list outside_cryptomap_4 extended permit ip 172.16.128.0 255.255.128.0 172.16.0.0 255.255.128.0
access-list outside_cryptomap_4 extended permit ip any object AnyConnect
access-list outside_cryptomap_5 extended permit ip 172.16.128.0 255.255.128.0 object-group AzureNetworks
pager lines 25
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static any any destination static NETWORK_OBJ_172.16.0.0_17 NETWORK_OBJ_172.16.0.0_17 no-proxy-arp
nat (any,any) source static any any destination static Azure_Network Azure_Network no-proxy-arp
nat (any,any) source static any any destination static AnyConnect AnyConnect no-proxy-arp
nat (inside,outside) source static any any no-proxy-arp inactive
nat (inside,outside) source static ASIAlex ASIAlex destination static NETWORK_OBJ_172.16.0.0 NETWORK_OBJ_172.16.0.0 no-proxy-arp route-lookup inactive
nat (inside,outside) source static ASIAlex ASIAlex destination static AustinCorporate AustinCorporate no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static Azure_Network Azure_Network no-proxy-arp route-lookup inactive
nat (inside,outside) source static NETWORK_OBJ_172.16.128.0 NETWORK_OBJ_172.16.128.0 destination static Azure_Network Azure_Network no-proxy-arp route-lookup inactive
nat (inside,outside) source static ASIAlex ASIAlex destination static Azure_Network Azure_Network no-proxy-arp route-lookup inactive
nat (inside,outside) source static NETWORK_OBJ_172.16.128.0_17 NETWORK_OBJ_172.16.128.0_17 destination static Azure_Network Azure_Network no-proxy-arp route-lookup inactive
nat (inside,outside) source static NETWORK_OBJ_172.16.128.0_17 NETWORK_OBJ_172.16.128.0_17 destination static AustinCorporate AustinCorporate no-proxy-arp route-lookup inactive
nat (inside,outside) source static NETWORK_OBJ_172.16.128.0_17 NETWORK_OBJ_172.16.128.0_17 destination static NETWORK_OBJ_172.16.0.0_17 NETWORK_OBJ_172.16.0.0_17 no-proxy-arp route-lookup inactive
nat (any,any) source static NETWORK_OBJ_172.16.128.0_17 NETWORK_OBJ_172.16.128.0_17 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_172.16.128.0_17 NETWORK_OBJ_172.16.128.0_17 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
!
object network inside-subnet
nat (inside,outside) dynamic interface
access-group outside_access_in_1 in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 50.x.x.x 1
route inside 10.10.0.0 255.255.0.0 172.16.128.10 1
route inside 10.250.0.0 255.255.0.0 172.16.128.10 1
route inside AustinCorporate 255.255.128.0 172.16.128.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask enable default webvpn
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server TXUTIL protocol nt
aaa-server Duo-LDAP protocol ldap
aaa-server ASHDC1 protocol ldap
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt connection tcpmss 1300
no sysopt connection permit-vpn
service resetinbound
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal SHA-256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal sha
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 40.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal SHA-256 AES256 AES192 AES 3DES DES sha
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes 102400000
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 74.x.x.x
crypto map outside_map 2 set ikev2 ipsec-proposal SHA-256 AES256 AES192 AES 3DES DES sha
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 1 match address outside_cryptomap_4
crypto map outside_map0 1 set peer 74.x.x.x
crypto map outside_map0 1 set ikev2 ipsec-proposal SHA-256 AES256 AES192 AES 3DES DES sha
crypto map outside_map0 1 set security-association lifetime kilobytes 86400
crypto map outside_map0 2 match address outside_cryptomap_5
crypto map outside_map0 2 set peer 40.x.x.x
crypto map outside_map0 2 set ikev2 ipsec-proposal AES256 sha
crypto map outside_map0 2 set ikev2 pre-shared-key
crypto map outside_map0 2 set security-association lifetime seconds 3600
crypto map outside_map0 2 set security-association lifetime kilobytes 102400000
crypto map outside_map0 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint onrvpntp
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint0-1
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
keypair ASDM_TrustPoint5
crl configure
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl server-version tlsv1-only
webvpn
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-3.1.14018-k9.pkg 3
anyconnect profiles ASIVPN_MFA_Client_Profile disk0:/asivpn_mfa_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.40.3.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value ASI
group-policy Onramp_vpn internal
group-policy Onramp_vpn attributes
dns-server value 10.40.2.1 10.40.3.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
group-policy GroupPolicy_74.x.x.x internal
group-policy GroupPolicy_74.x.x.x attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_74.x.x.x internal
group-policy GroupPolicy_74.x.x.x attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy_40.x.x.x internal
group-policy GroupPolicy_40.x.x.x attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_MFA internal
group-policy GroupPolicy_MFA attributes
wins-server none
dns-server value 10.250.2.10 10.250.2.11
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split
default-domain value asi.local
webvpn
anyconnect profiles value ASIVPN_MFA_Client_Profile type user
group-policy GroupPolicy_74.x.x.x internal
group-policy GroupPolicy_74.x.x.x attributes
vpn-tunnel-protocol ikev2
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key
tunnel-group DefaultWEBVPNGroup general-attributes
dhcp-server 10.40.3.1
tunnel-group MFAVPN type remote-access
tunnel-group MFAVPN general-attributes
address-pool VPN_Users
authentication-server-group ASHDC1
secondary-authentication-server-group Duo-LDAP use-primary-username
default-group-policy GroupPolicy_MFA
tunnel-group MFAVPN webvpn-attributes
group-alias ASI-VPN-ONR disable
group-alias ASIOnrVPN disable
group-alias ASIVPN disable
group-alias ASIVPN-Backup enable
group-alias ASIVPNONR disable
group-alias MFA disable
group-alias MFA-VPN disable
group-alias MFA-VPN-Test disable
tunnel-group 74.x.x.x type ipsec-l2l
tunnel-group 74.x.x.x general-attributes
default-group-policy GroupPolicy_74.x.x.x
tunnel-group 74.x.x.x ipsec-attributes
ikev1 pre-shared-key
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
tunnel-group 74.x.x.x type ipsec-l2l
tunnel-group 74.x.x.x general-attributes
default-group-policy GroupPolicy_74.x.x.x
tunnel-group 74.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
tunnel-group 74.x.x.x type ipsec-l2l
tunnel-group 74.x.x.x general-attributes
default-group-policy GroupPolicy_74.x.x.x
tunnel-group 74.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
tunnel-group 40.x.x.x type ipsec-l2l
tunnel-group 40.x.x.x general-attributes
default-group-policy GroupPolicy_40.x.x.x
tunnel-group 40.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
no tunnel-group-map enable peer-ip
!
class-map tunnel
match flow ip destination-address
match tunnel-group 64.x.x.x
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
class-map tunnel2
match flow ip destination-address
match tunnel-group 74.x.x.x
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
ips inline fail-open
class class-default
user-statistics accounting
policy-map limit
class tunnel
police output 2097000 1500
class tunnel2
priority
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:77602046e4f8932fdc310afe0e1a6b4c
: end
ALX-Backup#

Re: Unable to ping across VPN Tunnel

paul driver — Fri, 30 Jul 2021 11:18:37 GMT

Hello

@jf1134 wrote:

I can RDP from one site to the other but if I do a ping, I get no replies

Yeah I tried packet tracer with a continuous ping running and it comes back good

Confusing! - Can you elaborate where are you trying to ping from, the asa itself or a host behind the asa

Re: Unable to ping across VPN Tunnel

jf1134 — Fri, 30 Jul 2021 12:50:49 GMT

I am trying to ping from hosts in my office to hosts in the other office.

Re: Unable to ping across VPN Tunnel

balaji.bandi — Fri, 30 Jul 2021 15:55:19 GMT

Can we get the Source IP and Destination IP ?

when you sending ping is this leaving your FW - what is the results on other side ? do you have access on other side ?

Re: Unable to ping across VPN Tunnel

jf1134 — Fri, 30 Jul 2021 17:13:08 GMT

So now I can ping from my office location to the remote location but I am unable to ping from the remote location to the office location.

Office: 172.16.10.186 --> Remote: 172.16.129.253 Works

Remote: 172.16.129.253 --> Office: 172.16.10.186 Does not work

Re: Unable to ping across VPN Tunnel

balaji.bandi — Fri, 30 Jul 2021 21:26:45 GMT

As we have been saying from every reply - have you checked other end is the same rules in place to pingback

Remote: 172.16.129.253 --> Office: 172.16.10.186 Does not work

On another side when they initiate ping, do you see Logs in your FW?

Re: Unable to ping across VPN Tunnel

paul driver — Fri, 30 Jul 2021 21:42:03 GMT

Hello

Apply ICMP inspection on the global policy Of the remote ASA.