topic ASA 5505 - Virtual Private Network users cannot ping Local area network devices behind firewall in Network Security

ASA 5505 - Virtual Private Network users cannot ping Local area network devices behind firewall

Mikke Wahlgreen — Tue, 12 Mar 2019 08:19:34 GMT

Internet works fine from inside.
Ping is possible from inside to inside.
Ping is not possible inside to outside (8.8.8.8).
Local area network devices have internet.
Virtual Private Network users have internet, but cannot ping other Local area network devices except gateway (Firewall).

I have two setups with same config, but different IP's and password.
Physical location different.
The remote one is running fine and the other have the issues for Virtual Private Network users.

Hello

I hobe someone out there can help me to an solution of a rather annoying challenge.

The Cisco A-S-A 5505 is something rather new to me, however I'm fairly good at setting up switches and other network hardware. Mostly I'm use to Hewlett Packet switches.

----- My post is ending up in the S-P,A'M filter. I will post the rest below -----

Seri-al communication using

Mikke Wahlgreen — Mon, 26 Sep 2016 12:56:40 GMT

Seri-al communication using Put-ty and C-L-I, is something I have plenty of experience with concerning hardware.

I have loads of firewalls to test on and I'm trying to understand and change my former colleges setups.

My colleges and I use the firewall on two different setups: An Internet Service Provider provided Static IP address and an Internet Service Provider provided dynamic IP address (DHCP) for the outside IP address.

Right now I'm trying to make my way through setting up our Static IP address setup on my own and I have encountered a challenge. Even my colleges have not been able to solve it when going through the config.

I have been googling my issue and found plenty of other similar topics here in this forum, however none of them have led me to a solution.

As described in the summary I have two ASA 5505, one at the office for testing and one in the field.
The one in the field is working as a charm and has Setup 2 (sanitized version).
I have access to it through VPN and then ASDM.

The other for testing is located here at my office. It is not working as intended and has Setup 1 (sanitized version), which seems to be a replica of Setup 2 with only change in the VPN-key and the outside IP address.
I have access to connect to it with: Serial for programming, VPN, local Ethernet/Patch cable, and ASDM
I'm using Cisco VPN client on Win7 for VPN connection. I'm also familiar with the Cisco AnyConnect Secure Mobility Client and running it on Win10 as a beginner.

Off topic: To help others with RS232 problems: My USB-serial converter/adapter is bugging me (Prolific driver) and I'm using Terminal by Bray combined with Putty for RS232 communication without having to restart every time Putty crashed the converter/adapter.

The ASA 5505 at the remote location have a DSL Modem with a Static IP address provided from the ISP. (x.y.z.t subnet 255.255.255.252)
Whereas the ASA 5505 I have in the office have a Static IP address on our local Office network. (10.10.10.230 subnet 255.255.255.0)

I can login on the Office ASA with VPN, from an IP address :10.10.10.50 subnet 255.255.255.0
Here I can ping the GW, but not other LAN devices such as 192.168.10.2, 192.168.10.4, or 192.168.10.10
From several of the LAN devices (198.168.10.10 and 198.168.10.235) I cannot ping 8.8.8.8, but I can ping the GW, 192.168.10.2, and 192.168.10.4.
All LAN devices are online.

On the remote ASA I can login with VPN and ping GW, 192.168.10.2, 192.168.10.4, or 192.168.10.10 easily.
All LAN devices are online and can ping 8.8.8.8

What seems odd is that the two configs are very similar except for external IPs and passwords.

I have tried to move my Office ASA to a mobile boardband router with a statik IP of 192.168.1.254 subnet 255.255.255.0 and a gateway of 192.168.1.1. The DHCP range of this router is between 50-99. Here I see the same behavior when I'm connected with a laptop and have DHCP leased IP of 192.168.1.55 subnet 255.255.255.0. I can connect on the VPN, however not cable of pinging anything except the GW.

On the Office ASA my IP address when connected via VPN is 192.168.11.1 and on the remote ASA my IP address when connected via VPN is 192.168.11.2.

What am I doing wrong on my test setup for that not to work?

I would like to keep my current images on the ASA (asa901-k8.bin and asdm-711-52.bin), even if there have been updates, due to policies from my colleges.

Anything you dream on I have forgotten to mention please don't hesitate to ask.

Hi,

Aditya Ganjoo — Mon, 26 Sep 2016 13:28:52 GMT

Hi,

Since we are able to ping the inside IP of the ASA from the VPN users that means pings are reaching to the ASA.

Could you apply debug icmp trace on the ASA and initiate a ping from the VPN client towards any device behind the ASA and check if the pings reach to the ASA ?

If you see requests hitting the ASA and no replies then probably we are missing a reverse route on the downstream switch for the VPN-pool 192.168.10.1-192.168.10.49.

Try configuring a static route for the pool on the switch with ASA as its next hop.

Use undebug all to stop the debugs.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

When pinging the GW on a VPN,

Mikke Wahlgreen — Tue, 27 Sep 2016 07:04:01 GMT

When pinging the GW on a VPN, the ASA gives the following:
ICMP echo request from 192.168.10.1 to 192.168.1.1 ID=1 seq=7 len=32
ICMP echo reply from 192.168.1.1 to 192.168.10.1 ID=1 seq=7 len=32

When pinging a LAN device on a VPN, the ASA gives the following:
ICMP echo request from outside:192.168.10.1 to inside:192.168.1.2 ID=1 seq=13 len=32
NO REPLY

I'll try to create the static route you are describing, however my knowledge on how to is rather limited on the ASA.

As I see it you want me to configure a static route from 192.168.10.1 to 192.168.1.1 is that correct understood?

Should my static route for 0.0.0.0 subnet 0.0.0.0 pointing at 10.10.10.254 not take care of that?

OK I'm properly doing

Mikke Wahlgreen — Tue, 27 Sep 2016 07:04:02 GMT

OK I'm properly doing something I should not, I get the following errors trying to set up yet another static route in the ASDM:

[ERROR] route inside 192.168.10.0 255.255.255.192 192.168.1.1 1
%Invalid next hop address, it belongs to one of our interfaces

[ERROR] route outside 192.168.10.0 255.255.255.192 192.168.1.1 1
%Invalid next hop address, it belongs to one of our interfaces

Could someone please explain me the following:
What to set Interface on: inside or outside?
What to set Network for: NETWORK_OBJ_192.168.170.0_26, NETWORK_Vpn (similar) or something different?
What to set as my Gateway: 10.10.10.254?

To create the reverse route Aditay is talking about.