topic Re: AnyConnect VPN - Cannot ping internal network in Network Security

topic Re: AnyConnect VPN - Cannot ping internal network in Network Security https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832317#M26607 <P>Username : Rush Index : 35<BR />Assigned IP : 10.16.1.1 Public IP : 196.33.234.23<BR />Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel<BR />License : AnyConnect Essentials<BR />Encryption : AES128 Hashing : none SHA1<BR />Bytes Tx : 10780 Bytes Rx : 5679<BR />Group Policy : GroupPolicy_Home Tunnel Group : Home<BR />Login Time : 14:09:38 UTC Thu Apr 4 2019<BR />Duration : 0h:01m:26s<BR />Inactivity : 0h:00m:00s<BR />NAC Result : Unknown<BR />VLAN Mapping : N/A VLAN : none</P><P> </P><P>That's the result and yes I can ping the inside GW from the client </P> Thu, 04 Apr 2019 13:59:01 GMT machine23 2019-04-04T13:59:01Z AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832035#M26603 <P> </P><P>Hi All, </P><P>          I have searched and attempted to troubleshoot the issue but still no luck , Hoping some more experienced folks can help out<IMG src="https://community.cisco.com/7.0.3.0/images/emoticons/confused.png" border="0" /> , </P><P>All of this is on a Home Test network.</P><P> </P><P>I configured the VPN AnyConnect to access my home network , Used Split tunnelling - got connected with the assigned pool all ok but I cannot access my internal network at home , I added the management-access inside command which enabled me to ping the inside network interface gateway but nothing else ...</P><P> </P><P>is there anything else I am missing ? maybe I need to configure an ACL as I'm using split tunnelling? but I am unsure the right ACL to be configured?</P><P> </P><P>running config:</P><P> </P><P> </P><P>ASA Version 8.6(1)2 </P><P>!</P><P>hostname ciscoasa</P><P>enable password sNVGYXTNm97n48wB encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface GigabitEthernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address dhcp setroute </P><P>!</P><P>interface GigabitEthernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>interface GigabitEthernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P><--- More ---></P><P>              </P><P>interface GigabitEthernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/4</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/5</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> nameif Manage</P><P> security-level 100</P><P> ip address 192.168.0.1 255.255.255.0 </P><P> management-only</P><P>!</P><P><--- More ---></P><P>              </P><P>ftp mode passive</P><P>same-security-traffic permit inter-interface</P><P>object network Permit_Lan_IP</P><P> subnet 192.168.1.0 255.255.255.0</P><P>object network NETWORK_OBJ_192.168.250.0_26</P><P> subnet 192.168.250.0 255.255.255.192</P><P>object network inside</P><P> subnet 192.168.1.0 255.255.255.0</P><P>object network pool</P><P> subnet 192.168.250.0 255.255.255.0</P><P>object-group protocol DM_INLINE_PROTOCOL_2</P><P> protocol-object ip</P><P> protocol-object icmp</P><P>access-list 10 standard permit 192.168.1.0 255.255.255.0 </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu Manage 1500</P><P>ip local pool pool 192.168.250.1-192.168.250.50 mask 255.255.255.0</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P><--- More ---></P><P>              </P><P>arp timeout 14400</P><P>!</P><P>object network Permit_Lan_IP</P><P> nat (inside,outside) dynamic interface</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>user-identity default-domain LOCAL</P><P>http server enable</P><P>http 192.168.0.0 255.255.255.0 Manage</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev2 ipsec-proposal DES</P><P> protocol esp encryption des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal 3DES</P><P> protocol esp encryption 3des</P><P> protocol esp integrity sha-1 md5</P><P><--- More ---></P><P>              </P><P>crypto ipsec ikev2 ipsec-proposal AES</P><P> protocol esp encryption aes</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES192</P><P> protocol esp encryption aes-192</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES256</P><P> protocol esp encryption aes-256</P><P> protocol esp integrity sha-1 md5</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpoint ASDM_TrustPoint0</P><P> enrollment terminal</P><P> subject-name CN=ciscoasa.null,O=Rush,C=UK</P><P> crl configure</P><P>crypto ca trustpoint ASDM_TrustPoint1</P><P> enrollment self</P><P> subject-name CN=ciscoasa</P><P> crl configure</P><P>crypto ca certificate chain ASDM_TrustPoint1</P><P> certificate ee55a25c</P><P>    308202d4 308201bc a0030201 020204ee 55a25c30 0d06092a 864886f7 0d010105 </P><P>    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 </P><P><--- More ---></P><P>              </P><P>    86f70d01 09021608 63697363 6f617361 301e170d 31393034 30313138 32343239 </P><P>    5a170d32 39303332 39313832 3432395a 302c3111 300f0603 55040313 08636973 </P><P>    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082 </P><P>    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100b4 </P><P>    9289c4f5 0cdc8bf1 9bce3aaa 11498b72 b603f9b9 e58a1b38 e795a300 66fd99eb </P><P>    e183a2ac 81e998d8 fd7c0333 2cd4108b 0a5ab89d e5f4a87f 827a9185 bdf689b9 </P><P>    25d877d7 35f01aae 684c58d8 cf5d8cab 9bf98a8c 9788d522 18a5b3cc 857bf695 </P><P>    103eaff8 7f022b19 4377d1e8 855734ca 994e6500 73dbd67a a6a70688 8897d18d </P><P>    0481b05b ff67f992 37e8cdb4 86da7e16 893e640e bfafb6ef 93918986 baa2e60c </P><P>    bb5120c6 e403e47b 0c78927f c25d1826 63c1c82c e7104d9e 13ae1b11 05c9b360 </P><P>    d20bb25b ea4a8652 b14b7590 13394b47 778c43e7 40ac5c2a 67e3a5a4 f3fd2a2b </P><P>    d4614101 2c3c24a6 ae5c0084 b7b564c4 56d1ef53 eb59a718 57f6743f 3e298702 </P><P>    03010001 300d0609 2a864886 f70d0101 05050003 82010100 982d21e7 18e535ce </P><P>    8b8295e5 4e99269a a8451268 dec0dbfc 7f1b5198 4af8c293 85633883 2dd03a5e </P><P>    9b9fe2aa 9c455788 de135890 6f1b9f9c 103aa30a b998c1eb 046c3ff5 85be6a6e </P><P>    5288a75a d08062d9 f4e2df2e 352d773f db4a7e57 6ca18e5f 88ccc522 1a435528 </P><P>    6bafc001 ffc78294 f6e49bc1 218d697c 87e8006c 25bb1ccc 76b2df87 da3f7aac </P><P>    9d378d75 769e0760 43532a92 d7f7f0af b64f2c94 27a3c4d8 74d8181d 089c7c66 </P><P>    cb8b9435 0040b8f5 e6a899f4 e1b4176e 769add02 5a7a74d3 b6ed422b c2d03ce3 </P><P>    0b0aaa54 b90bd778 8b75c69c 50c58897 cb8bceac 04c50b16 cd5ec6e2 d7ddd99b </P><P>    b9328ab8 bcc5b1c6 720496b1 9da321d3 8fb5b6ad 9f29ac0e</P><P>  quit</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P><--- More ---></P><P>              </P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P><--- More ---></P><P>              </P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside client-services port 443</P><P>crypto ikev2 remote-access trustpoint ASDM_TrustPoint1</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>management-access inside</P><P>dhcpd dns 4.2.2.2</P><P>!</P><P>dhcpd address 192.168.1.10-192.168.1.254 inside</P><P>dhcpd enable inside</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ssl trust-point ASDM_TrustPoint1 outside</P><P>webvpn</P><P> enable outside</P><P> anyconnect-essentials</P><P> anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1</P><P> anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2</P><P><--- More ---></P><P>              </P><P> anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 3</P><P> anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 4</P><P> anyconnect profiles Home_client_profile disk0:/Home_client_profile.xml</P><P> anyconnect profiles Rush_client_profile disk0:/Rush_client_profile.xml</P><P> anyconnect enable</P><P> tunnel-group-list enable</P><P>group-policy GroupPolicy_Home internal</P><P>group-policy GroupPolicy_Home attributes</P><P> wins-server none</P><P> vpn-tunnel-protocol ikev2 ssl-client </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value 10</P><P> default-domain none</P><P> webvpn</P><P>  anyconnect profiles value Home_client_profile type user</P><P>username Rush password wtb6igjZWtCLWRft encrypted</P><P>username Rush password VRA13ZzEzDp8PnFO encrypted</P><P>tunnel-group Home type remote-access</P><P>tunnel-group Home general-attributes</P><P> address-pool pool</P><P> default-group-policy GroupPolicy_Home</P><P>tunnel-group Home webvpn-attributes</P><P> group-alias Home enable</P><P>!</P><P><--- More ---></P><P>              </P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>  message-length maximum client auto</P><P>  message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>  inspect dns preset_dns_map </P><P>  inspect ftp </P><P>  inspect h323 h225 </P><P>  inspect h323 ras </P><P>  inspect ip-options </P><P>  inspect netbios </P><P>  inspect rsh </P><P>  inspect rtsp </P><P>  inspect skinny  </P><P>  inspect esmtp </P><P>  inspect sqlnet </P><P>  inspect sunrpc </P><P>  inspect tftp </P><P>  inspect sip  </P><P><--- More ---></P><P>              </P><P>  inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>  no active</P><P>  destination address http <A href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank" rel="noopener">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P>  destination address email callhome@cisco.com</P><P>  destination transport-method httpA</P><P>  subscribe-to-alert-group diagnostic</P><P>  subscribe-to-alert-group environment</P><P>  subscribe-to-alert-group inventory periodic monthly 26</P><P>  subscribe-to-alert-group configuration periodic monthly 26</P><P>  subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:2594791be0e41bc1bd142612ed137d88</P><P>: end       </P> Thu, 04 Apr 2019 09:12:11 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832035#M26603 machine23 2019-04-04T09:12:11Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832136#M26604 <P>You may need a "No NAT" for the Anyconnect Pool and your internal addressing. I see there is currently a PAT setup.</P><P> </P><P>Try adding the following -</P><P> </P><P>nat (inside,outside) source static Permit_Lan_IP Permit_Lan_IP destination static pool pool</P> Thu, 04 Apr 2019 11:05:42 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832136#M26604 GRANT3779 2019-04-04T11:05:42Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832233#M26605 <P>Hi Sorry I had made some changes on the config .. just the vpn pool ip changed to avoid some confusion .. </P><P>but when I issued your command it said doesn't match an existing object or object-group ... here is the new config:</P><P> </P><P><BR />ASA Version 8.6(1)2<BR />!<BR />hostname ciscoasa<BR />enable password sNVGYXTNm97n48wB encrypted<BR />passwd 2KFQnbNIdI.2KYOU encrypted<BR />names<BR />!<BR />interface GigabitEthernet0/0<BR />nameif outside<BR />security-level 0<BR />ip address dhcp setroute<BR />!<BR />interface GigabitEthernet0/1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />interface GigabitEthernet0/2<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR /><--- More ---> interface GigabitEthernet0/3<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface GigabitEthernet0/4<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface GigabitEthernet0/5<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface Management0/0<BR />nameif Manage<BR />security-level 100<BR />ip address 192.168.0.1 255.255.255.0<BR />management-only<BR />!<BR /><--- More ---> ftp mode passive<BR />same-security-traffic permit inter-interface<BR />object network Permit_Lan_IP<BR />subnet 192.168.1.0 255.255.255.0<BR />object network inside<BR />subnet 192.168.1.0 255.255.255.0<BR />object network NETWORK_OBJ_10.16.1.0_27<BR />subnet 10.16.1.0 255.255.255.224<BR />object-group protocol DM_INLINE_PROTOCOL_2<BR />protocol-object ip<BR />protocol-object icmp<BR />access-list Internal standard permit 192.168.1.0 255.255.255.0<BR />access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0<BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside 1500<BR />mtu Manage 1500<BR />ip local pool pool 10.16.1.1-10.16.1.20 mask 255.255.255.0<BR />no failover<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR /><--- More ---> nat (inside,outside) source static any any destination static NETWORK_OBJ_10.16.1.0_27 NETWORK_OBJ_10.16.1.0_27 no-proxy-arp route-lookup<BR />!<BR />object network Permit_Lan_IP<BR />nat (inside,outside) dynamic interface<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />user-identity default-domain LOCAL<BR />http server enable<BR />http 192.168.0.0 255.255.255.0 Manage<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac<BR /><--- More ---> crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac<BR />crypto ipsec ikev2 ipsec-proposal DES<BR />protocol esp encryption des<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal 3DES<BR />protocol esp encryption 3des<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES<BR />protocol esp encryption aes<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES192<BR />protocol esp encryption aes-192<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES256<BR />protocol esp encryption aes-256<BR />protocol esp integrity sha-1 md5<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES<BR />crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<BR />crypto map outside_map interface outside<BR />crypto ca trustpoint ASDM_TrustPoint0<BR /><--- More ---> enrollment terminal<BR />subject-name CN=ciscoasa.null,O=Rush,C=UK<BR />crl configure<BR />crypto ca trustpoint ASDM_TrustPoint1<BR />enrollment self<BR />subject-name CN=ciscoasa<BR />crl configure<BR />crypto ca certificate chain ASDM_TrustPoint1<BR />certificate ee55a25c<BR />308202d4 308201bc a0030201 020204ee 55a25c30 0d06092a 864886f7 0d010105<BR />0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648<BR />86f70d01 09021608 63697363 6f617361 301e170d 31393034 30313138 32343239<BR />5a170d32 39303332 39313832 3432395a 302c3111 300f0603 55040313 08636973<BR />636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082<BR />0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100b4<BR />9289c4f5 0cdc8bf1 9bce3aaa 11498b72 b603f9b9 e58a1b38 e795a300 66fd99eb<BR />e183a2ac 81e998d8 fd7c0333 2cd4108b 0a5ab89d e5f4a87f 827a9185 bdf689b9<BR />25d877d7 35f01aae 684c58d8 cf5d8cab 9bf98a8c 9788d522 18a5b3cc 857bf695<BR />103eaff8 7f022b19 4377d1e8 855734ca 994e6500 73dbd67a a6a70688 8897d18d<BR />0481b05b ff67f992 37e8cdb4 86da7e16 893e640e bfafb6ef 93918986 baa2e60c<BR />bb5120c6 e403e47b 0c78927f c25d1826 63c1c82c e7104d9e 13ae1b11 05c9b360<BR />d20bb25b ea4a8652 b14b7590 13394b47 778c43e7 40ac5c2a 67e3a5a4 f3fd2a2b<BR />d4614101 2c3c24a6 ae5c0084 b7b564c4 56d1ef53 eb59a718 57f6743f 3e298702<BR />03010001 300d0609 2a864886 f70d0101 05050003 82010100 982d21e7 18e535ce<BR /><--- More ---> 8b8295e5 4e99269a a8451268 dec0dbfc 7f1b5198 4af8c293 85633883 2dd03a5e<BR />9b9fe2aa 9c455788 de135890 6f1b9f9c 103aa30a b998c1eb 046c3ff5 85be6a6e<BR />5288a75a d08062d9 f4e2df2e 352d773f db4a7e57 6ca18e5f 88ccc522 1a435528<BR />6bafc001 ffc78294 f6e49bc1 218d697c 87e8006c 25bb1ccc 76b2df87 da3f7aac<BR />9d378d75 769e0760 43532a92 d7f7f0af b64f2c94 27a3c4d8 74d8181d 089c7c66<BR />cb8b9435 0040b8f5 e6a899f4 e1b4176e 769add02 5a7a74d3 b6ed422b c2d03ce3<BR />0b0aaa54 b90bd778 8b75c69c 50c58897 cb8bceac 04c50b16 cd5ec6e2 d7ddd99b<BR />b9328ab8 bcc5b1c6 720496b1 9da321d3 8fb5b6ad 9f29ac0e<BR />quit<BR />crypto ikev2 policy 1<BR />encryption aes-256<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 10<BR />encryption aes-192<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 20<BR />encryption aes<BR />integrity sha<BR /><--- More ---> group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 30<BR />encryption 3des<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 40<BR />encryption des<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 enable outside client-services port 443<BR />crypto ikev2 remote-access trustpoint ASDM_TrustPoint1<BR />crypto ikev1 enable outside<BR />crypto ikev1 policy 10<BR />authentication crack<BR />encryption aes-256<BR />hash sha<BR />group 2<BR />lifetime 86400<BR /><--- More ---> crypto ikev1 policy 20<BR />authentication rsa-sig<BR />encryption aes-256<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 30<BR />authentication pre-share<BR />encryption aes-256<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 40<BR />authentication crack<BR />encryption aes-192<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 50<BR />authentication rsa-sig<BR />encryption aes-192<BR />hash sha<BR />group 2<BR />lifetime 86400<BR /><--- More ---> crypto ikev1 policy 60<BR />authentication pre-share<BR />encryption aes-192<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 70<BR />authentication crack<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 80<BR />authentication rsa-sig<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 90<BR />authentication pre-share<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400<BR /><--- More ---> crypto ikev1 policy 100<BR />authentication crack<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 110<BR />authentication rsa-sig<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 120<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 130<BR />authentication crack<BR />encryption des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR /><--- More ---> crypto ikev1 policy 140<BR />authentication rsa-sig<BR />encryption des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 150<BR />authentication pre-share<BR />encryption des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />telnet timeout 5<BR />ssh timeout 5<BR />console timeout 0<BR />management-access inside<BR />dhcpd dns 4.2.2.2<BR />!<BR />dhcpd address 192.168.1.10-192.168.1.254 inside<BR />dhcpd enable inside<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR /><--- More ---> ssl trust-point ASDM_TrustPoint1 outside<BR />webvpn<BR />enable outside<BR />anyconnect-essentials<BR />anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1<BR />anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2<BR />anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 3<BR />anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 4<BR />anyconnect profiles Home_client_profile disk0:/Home_client_profile.xml<BR />anyconnect profiles Rush_client_profile disk0:/Rush_client_profile.xml<BR />anyconnect enable<BR />tunnel-group-list enable<BR />group-policy DfltGrpPolicy attributes<BR />split-tunnel-network-list value NONAT<BR />group-policy GroupPolicy_Home internal<BR />group-policy GroupPolicy_Home attributes<BR />wins-server none<BR />dns-server value 8.8.8.8<BR />vpn-tunnel-protocol ikev2 ssl-client<BR />split-tunnel-policy tunnelspecified<BR />split-tunnel-network-list value Internal<BR />default-domain none<BR />webvpn<BR />anyconnect profiles value Home_client_profile type user<BR /><--- More ---> username Rush password wtb6igjZWtCLWRft encrypted<BR />username Rushmach password VRA13ZzEzDp8PnFO encrypted<BR />tunnel-group Home type remote-access<BR />tunnel-group Home general-attributes<BR />address-pool pool<BR />default-group-policy GroupPolicy_Home<BR />tunnel-group Home webvpn-attributes<BR />group-alias Home enable<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect ip-options<BR /><--- More ---> inspect netbios<BR />inspect rsh<BR />inspect rtsp<BR />inspect skinny<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect sunrpc<BR />inspect tftp<BR />inspect sip<BR />inspect xdmcp<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />call-home<BR />profile CiscoTAC-1<BR />no active<BR />destination address http <A href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank" rel="noopener">https://tools.cisco.com/its/service/oddce/services/DDCEService</A><BR />destination address email callhome@cisco.com<BR />destination transport-method http<BR />subscribe-to-alert-group diagnostic<BR />subscribe-to-alert-group environment<BR />subscribe-to-alert-group inventory periodic monthly 26<BR />subscribe-to-alert-group configuration periodic monthly 26<BR /><--- More ---> subscribe-to-alert-group telemetry periodic daily<BR />Cryptochecksum:6b09bd746e4908adff634726c98d8b94<BR />: end<BR />ciscoasa(config)#</P> Thu, 04 Apr 2019 12:55:45 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832233#M26605 machine23 2019-04-04T12:55:45Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832286#M26606 When you connect can you run the following command on the ASA -<BR />show vpn-sessiondb anyconnect<BR /><BR />Did you say you can ping the Inside GW from the anyconnect client? Thu, 04 Apr 2019 13:25:58 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832286#M26606 GRANT3779 2019-04-04T13:25:58Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832317#M26607 <P>Username : Rush Index : 35<BR />Assigned IP : 10.16.1.1 Public IP : 196.33.234.23<BR />Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel<BR />License : AnyConnect Essentials<BR />Encryption : AES128 Hashing : none SHA1<BR />Bytes Tx : 10780 Bytes Rx : 5679<BR />Group Policy : GroupPolicy_Home Tunnel Group : Home<BR />Login Time : 14:09:38 UTC Thu Apr 4 2019<BR />Duration : 0h:01m:26s<BR />Inactivity : 0h:00m:00s<BR />NAC Result : Unknown<BR />VLAN Mapping : N/A VLAN : none</P><P> </P><P>That's the result and yes I can ping the inside GW from the client </P> Thu, 04 Apr 2019 13:59:01 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832317#M26607 machine23 2019-04-04T13:59:01Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832353#M26608 <P>Is the ASA the GW for the Inside traffic or is there another layer 3 device in between? Do your inside hosts know how to get back to the VPN Subnet?</P><P> </P><P>How are you testing connectivity between the Anyconnect client and your inside network? Just ICMP?</P> Thu, 04 Apr 2019 14:46:18 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832353#M26608 GRANT3779 2019-04-04T14:46:18Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832357#M26609 <P>Hi Yes one port is configured to be the GW inside interface on the ASA and no other layer3 devices just an unmanaged SW to go to my inside network server/PC ( which iam trying to get to -192.168.1.11)</P><P> </P><P>Yes I am just trying to ping the GW from the AnyConnect client and that is successful.</P><P> </P><P><STRONG><SPAN>Do your inside hosts know how to get back to the VPN Subnet?  -- </SPAN></STRONG><SPAN>I don't think so .. should I create a NAT rule for that?</SPAN></P><P> </P><P><SPAN>thanks a lot for you input so far <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P> </P><P> </P> Thu, 04 Apr 2019 14:53:05 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832357#M26609 machine23 2019-04-04T14:53:05Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832377#M26610 Try adding the following on the FW under the global policy, currently you are not inspecting ICMP;<BR /><BR />policy-map global_policy<BR />class inspection_default<BR />inspect icmp Thu, 04 Apr 2019 15:12:34 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832377#M26610 GRANT3779 2019-04-04T15:12:34Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832493#M26611 That did not help I’m afraid <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /> Thu, 04 Apr 2019 18:07:33 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832493#M26611 machine23 2019-04-04T18:07:33Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832506#M26612 Are you sure the server is not receiving the icmp and just not replying / dropping it? I would run Wireshark on the server and test your pings to it. See if they reach the server.<BR />You can also run the embedded packet-tracer command on firewall to mimic traffic from anyconnect client to the server. I would check server first as if you can ping the GW I'd expect you be able to hit anything behind it. Thu, 04 Apr 2019 18:23:33 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832506#M26612 GRANT3779 2019-04-04T18:23:33Z Re: AnyConnect VPN - Cannot ping internal network https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832764#M26613 <P>Hi Grant , late last night I added Access rule outside access in , ip,icmp service and re configured the VPN from scratch and its all working now … Really appreciate your time and it definitely helped me troubleshoot thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 05 Apr 2019 07:19:08 GMT https://community.cisco.com/t5/network-security/anyconnect-vpn-cannot-ping-internal-network/m-p/3832764#M26613 machine23 2019-04-05T07:19:08Z