topic Can't Ping Remote VPN Users in Network Security

Can't Ping Remote VPN Users

mario11584 — Tue, 12 Mar 2019 02:53:22 GMT

I apologize for the stupid question but I am so insanely rusty with ASA firewalls it's completely ridiculous! I have about 24 remote users connecting to our ASA 5510. These users pull an IP address from a DHCP scope setup on the firewall in the 172.16.16.100-172.16.16.250 range. I need to be able to ping these users machines over their VPN tunnels. I was under the impression that adding "same-security-traffic permit intra-interface" would allow this but it doesn't. Do I need an ACL for this? What would it look like? I've attached my running config. Maybe I should add that this firewalls only purpose is for these VPN users.

Thanks for the help in advance! You'll save my life!!

Can't Ping Remote VPN Users

Mariusz Bochen — Fri, 18 Oct 2013 14:35:42 GMT

Hi David.

Did you try to ping them from ASA directly or from your local network?

I am able to ping my remote hosts from my local PC, but not directly from ASA even if I use internal command the patern is not recognized to match crypto map (not sure why to be honest).

I think you need specifically direct this traffic via outsite interface by creating the following routing entry:

route outside 172.16.16.0 255.255.255.0 e.f.g.h 1

same-security-traffic permit intra-interface you need as well obviously, so don't delete that line

I hope that helps.

Regards

Mariusz

Can't Ping Remote VPN Users

amitaaga — Fri, 18 Oct 2013 15:00:28 GMT

Hi David,

Looks like you want one VPN user to be able to ping another VPN user (Eg: 172.16.100.101 to ping 172.16.1.102).

Do you have split tunneling enabled on the tunnel group where the VPN users are connecting (cant check as the tunnel group config is missing in the config)?

Also, would you be able to share the output of "show cry ipsec sa" when 2 VPN users are connected to the ASA?

Regards,

Amitashwa

Can't Ping Remote VPN Users

Marius Gunnerud — Fri, 18 Oct 2013 20:13:17 GMT

Are these windows machines you are trying to ping? Before going to deep into troubleshooting the config I would disable the windows firewall on the PC and then try pinging.

Can't Ping Remote VPN Users

mario11584 — Mon, 21 Oct 2013 16:26:33 GMT

Mariusz,

Thanks for the response.

I am trying to ping them directly from the ASA. None of my internal traffic is routed to this firewall. This firewall is only for external connections to one of our internal networks. I'll directly connect my laptop to one of my unused interfaces and test it that way.

I have route outside 0.0.0.0 0.0.0.0 e.f.g.h 1 in place. Isn't that a default route and would include the traffic for 172.16.16.0/24?

-Dave

Re: Can't Ping Remote VPN Users

mario11584 — Mon, 21 Oct 2013 16:39:42 GMT

Amitashwa,

I am not trying to ping from one VPN user to another. I just want to be able to ping them from the firewall, entirely for troubleshooting purposes.

No, we don't have split tunneling enabled. The units I am trying to ping are Avaya VPN desktop phones and do not need this feature. I apologize for for not having the tunnel group config. All of our users are local to the firewall and I was trying to protect their usernames and missed that config when I copied and pasted. If you are still interested:

tunnel-group avaya type remote-access

tunnel-group avaya general-attributes

address-pool AvayaPool

default-group-policy avaya

tunnel-group avaya ipsec-attributes

pre-shared-key *****

Attached is the output you requested for two connected VPN users.

Thanks!

Dave

Re: Can't Ping Remote VPN Users

mario11584 — Mon, 21 Oct 2013 16:41:28 GMT

Marius,

These are Avaya VPN desktop phones.

Thanks!

Dave

Can't Ping Remote VPN Users

Santhosha Shetty — Mon, 21 Oct 2013 16:51:08 GMT

Hi David,

Please follow these steps:

1. Ensure the vpn users are connected successfully. Try and PING ASA inside IP address from remote user machine over vpn tunnel. Are these PING successful? If yes then proceed with below.

2. While you generate traffic destined to active remote vpn users ensure you source it from inside intrface like "ping inside "

If you have issues with just accessing ASA inside IP addess, then please paste "sh run nat" output here for further review and if ASA is running post 8.3 append "no-proxy-arp route-lookup" to the corresponding NAT-EXEMPT(no nat ) rule.

Are vpn users able to PING ASA inside resource including INSIDE IP address?

Thanks,

Santhosh Shetty

Can't Ping Remote VPN Users

mario11584 — Mon, 21 Oct 2013 18:23:20 GMT

Santhosha,

Thanks for the reply and help. I am unable to ping from the remote user machine. It is an Avaya VPN phone and doesn't offer an option to ping unfortunately. I do know that they respond to pings, however.

Thanks,

Dave

Can't Ping Remote VPN Users

Santhosha Shetty — Tue, 22 Oct 2013 12:28:52 GMT

Hi David,

It need not be just ICMP, from avaya phone are you able to reach inside server over the tunnel(any traffic)?

Whats code is ASA running?

could you attach "sh run nat" and "sh nat details" output here along with ASA inside IP and pool ip.

Thanks,

Santhosh

Can't Ping Remote VPN Users

Marius Gunnerud — Tue, 22 Oct 2013 12:54:30 GMT

Have you examined the ASA logs while pinging the AVAYA phones? Do you see any deny packets, or something that could be preventing the flow of traffic?

For the sake of testing could you issue the command management-access inside and then test to see if you get a response.

If that doesn't work could you add the command sysopt connection permit-vpn and then test.

Can't Ping Remote VPN Users

mario11584 — Wed, 23 Oct 2013 16:45:41 GMT

From the ASA CLI I pinged 172.16.16.129. While pinging that the ASDM logs (in debugging) didn't show any denied packets. It just shows the ICMP session being built then torn down. Are there better logs to look at?

I tried the other two commands without any luck.

Can't Ping Remote VPN Users

Jouni Forss — Wed, 23 Oct 2013 16:57:58 GMT

Hi,

I would probably try to capture the ICMP traffic on your VPN ASA local interface and see if any ICMP return messages are coming from the VPN connection

For example

access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0

access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any

capture PHONE-ICMP-CAP type raw-data access-list PHONE-ICMP-CAP interface inside buffer 1000000 circular-buffer

Then try to ping some of them phones

Then check

show capture PHONE-ICMP-CAP

and see if any replys are showing past the ASA

To remove the capture use

no capture PHONE-ICMP-CAP

no access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0

no access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any

- Jouni

Can't Ping Remote VPN Users

mario11584 — Wed, 23 Oct 2013 17:58:36 GMT

JouniForss,

Thanks for the detailed instructions. Here is what I got when I tried to ping two different IPs.

ciscoasa(config)# show capture PHONE-ICMP-CAP

9 packets captured

1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request

2: 11:42:50.521945 172.16.16.118 > 10.128.0.2: icmp: echo reply

3: 11:43:03.820422 10.128.0.2 > 172.16.16.118: icmp: echo request

4: 11:43:03.878967 172.16.16.118 > 10.128.0.2: icmp: echo reply

5: 11:43:08.261628 10.128.0.2 > 172.16.16.118: icmp: echo request

6: 11:43:08.322905 172.16.16.118 > 10.128.0.2: icmp: echo reply

7: 11:43:18.773565 10.128.0.2 > 172.16.16.246: icmp: echo request

8: 11:44:13.093012 10.128.0.2 > 172.16.16.246: icmp: echo request

9: 11:44:45.288833 10.128.0.2 > 172.16.16.246: icmp: echo request

9 packets shown

Mariusz Bochen suggested pinging from inside the network but the network wasn't setup to allow that. I added routes internally to allow traffic to this firewall from my workstation, so I can ping from there instead of the firewall. From the above output pings 1 and 3 came from the firewall directly. But the firewall shows they timeout. Ping 5 is from my machine and it showed a reply. 7, 8, and 9 are from my machine as well but they timeout. Something must be wrong with that phone (.246). So that raises two questions. Why does the ASA show a timeout when in fact there is a response? And why is one phone confirmed connected to the VPN but not passing traffic? (I've actually confirmed a couple of phones are like this.)

Can't Ping Remote VPN Users

andduart — Wed, 23 Oct 2013 18:26:05 GMT

Hi,

I would suggest trying to connect using a PC with the client installed, we can take captures, also, please make sure to enable Nat-t as per a previous post and verify the

show crypto ipsec sa output to check encrypted and decrypted traffic

Regards,

Can't Ping Remote VPN Users

mario11584 — Wed, 23 Oct 2013 19:41:17 GMT

Santhosha,

I'm just now learning some of the phones can connect to an inside server and some can not. They are programmed to connect to our PBX server inside of our network once they establish a VPN connection. All of them can connect to the VPN successfully but 4 of them are unable to connect to the call server once connected to the VPN. I am unaware of how to test them to see if they can connect to any other servers. I have tested to see if the owners of these phones can connect using the IPSec VPN client on their laptops, which they can, as well as ping the the call server. Is that what you are asking?

We have version 8.2 running.

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.128.0.11 255.255.0.0

ip local pool AvayaPool 172.16.16.100-172.16.16.250 mask 255.255.255.0

ciscoasa# show run nat

nat (inside) 0 access-list NO_NAT

I couldn't get "show nat details" to work but I got "show nat"

NAT policies on Interface inside:

match ip inside any management any

NAT exempt