topic Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i in Network Security

ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

Sander Zuijdam — Tue, 12 Mar 2019 02:23:59 GMT

Hi there, please forgive if I have missed any forum protocols as this is my first post.

I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, witch is able to download the anyconnect client from the ASA. I am unable to ping any of my IP's that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.

Inside 192.168.1.254/24

Outside dhcp

VPN Pool 192.168.250.1-50/24

Inside LAN 192.168.1.0/24

---------------------------------------------------------------

: Saved

ASA Version 8.4(4)1

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address dhcp setroute

interface GigabitEthernet0/1

nameif inside

security-level 99

ip address 192.168.1.254 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 99

ip address 192.168.100.1 255.255.255.0

ftp mode passive

dns server-group DefaultDNS

domain-name dock.local

same-security-traffic permit inter-interface

object network inside-network-object

subnet 192.168.1.0 255.255.255.0

object network management-network-object

subnet 192.168.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.250.0_25

subnet 192.168.250.0 255.255.255.128

object-group network AllInside-networks

network-object object inside-network-object

network-object object management-network-object

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo-reply

access-list split_tunnel standard permit 192.168.1.0 255.255.255.0

access-list split_tunnel standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic AllInside-networks interface

nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable 4433

http 192.168.100.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.100.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_anyconnect internal

group-policy GroupPolicy_anyconnect attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ssl-client ssl-clientless

split-tunnel-policy tunnelall

split-tunnel-network-list value split_tunnel

default-domain value dock.local

username test password JAasdf434ey521ZCT encrypted privilege 15

tunnel-group anyconnect type remote-access

tunnel-group anyconnect general-attributes

address-pool vpn_pool

default-group-policy GroupPolicy_anyconnect

tunnel-group anyconnect webvpn-attributes

group-alias anyconnect enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:24bcba3c4124ab371297d52260135924

: end :

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Fri, 16 Aug 2013 19:24:25 GMT

Hi,

Could you add the command management-access inside and then see if you can ping the inside interface of the ASA when connected to the VPN.

If you are able to, then it is most likely the windows firewall blocking the ICMP packets (or whichever firewall is installed on the PC).

If you are not able to ping the inside interface, try changing the NAT rule to be more specific:

no nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

Also try running the packet-tracer. It can help in identifying where the drop is. Run it twice in a row, as the first time you run it will most certainly show a drop. The second will show the accurate trace.

packet-tracer input inside tcp 192.168.1.10 4444 192.168.250.10 80 detail

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Tue, 20 Aug 2013 07:32:23 GMT

Hi Marius,

Thanks for you're response.

I tried the things you suggested, but still no ping over anyconnnect vpn connection. This are the results from the packet-tracer:

ciscoasa# packet-tracer input inside tcp 192.168.1.10 4444 192.168.250.10 80 d$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x736fd4e8, priority=1, domain=permit, deny=false
        hits=10, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x736b9ef8, priority=13, domain=permit, deny=false
        hits=4, user_data=0x6f6ed580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x736fe188, priority=0, domain=inspect-ip-options, deny=true
        hits=100, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic AllInside-networks interface
Additional Information:
Dynamic translate 192.168.1.10/4444 to 62.45.21.113/4444
Forward Flow based lookup yields rule:
in id=0x733289c0, priority=6, domain=nat, deny=false
        hits=5, user_data=0x73843478, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x736f3f60, priority=0, domain=inspect-ip-options, deny=true
        hits=1359, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1781, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Wed, 21 Aug 2013 08:48:35 GMT

doesn't look like your NAT Exempt statement is is being matched.

Could you confirm the IP address that is assigned to the VPN client.

Could you confirm the group policy which is assigned to the VPN client ( this can be easily done using the ASDM Monitoring tab)

Also, your object group and VPN pool do not match up. Though it should not have much to say in this situation it is best to have everything uniform.

object network NETWORK_OBJ_192.168.250.0_25

subnet 192.168.250.0 255.255.255.128

ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0

change the local pool to the following:

ip local pool vpn_pool 192.168.250.1-192.168.250.126 mask 255.255.255.128

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Wed, 21 Aug 2013 12:34:14 GMT

I changed the subnet from object network NETWORK_OBJ_192.168.250.0_25 to 255.255.255.0.

The ip-adres of the anyconnect vpn client is: 192.168.250.1 with gateway 192.168.250.2

The group policy which is assigned: GroupPolicy_anyconnect

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Thu, 22 Aug 2013 13:46:14 GMT

Could you post a current config please.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Thu, 22 Aug 2013 14:12:20 GMT

: Saved

ASA Version 8.4(4)1

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address dhcp setroute

interface GigabitEthernet0/1

nameif inside

security-level 99

ip address 192.168.1.254 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 99

ip address 192.168.100.1 255.255.255.0

ftp mode passive

dns server-group DefaultDNS

domain-name dock.local

same-security-traffic permit inter-interface

object network inside-network-object

subnet 192.168.1.0 255.255.255.0

object network management-network-object

subnet 192.168.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.250.0_25

subnet 192.168.250.0 255.255.255.0

object-group network AllInside-networks

network-object object inside-network-object

network-object object management-network-object

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo-reply

access-list split_tunnel standard permit 192.168.1.0 255.255.255.0

access-list split_tunnel standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic AllInside-networks interface

nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.100.2 255.255.255.255 management

http 192.168.100.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.100.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_Anyconnect_VPN internal

group-policy GroupPolicy_Anyconnect_VPN attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelall

split-tunnel-network-list value split_tunnel

default-domain value dock.local

username sander password f/J.5nLef/EqyPfy encrypted

username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15

tunnel-group Anyconnect_VPN type remote-access

tunnel-group Anyconnect_VPN general-attributes

address-pool Anyconnect-pool

default-group-policy GroupPolicy_Anyconnect_VPN

tunnel-group Anyconnect_VPN webvpn-attributes

group-alias Anyconnect_VPN enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4636fa566ffc11b0f7858b760d974dee

: end:

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Thu, 22 Aug 2013 14:28:53 GMT

It should be enabled by default...but you can try to add the command sysopt connection permit-vpn to ensure that the VPN traffic bypasses interface ACLs.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Thu, 22 Aug 2013 14:48:31 GMT

Done that, still not able to ping management interface/inside interface.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Thu, 22 Aug 2013 15:05:25 GMT

You will not be able to ping the inside interface unless you add the command management-access inside, as I mentioned in my first post.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Thu, 22 Aug 2013 15:29:06 GMT

I have done that command, it's in the config i posted earlier this day.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Thu, 22 Aug 2013 18:44:58 GMT

Sorry, I overlooked it.

I suggest rearranging your NAT statements so that the NAT Exempt appears above the dynamic NAT.

nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source dynamic AllInside-networks interface

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Fri, 23 Aug 2013 09:48:16 GMT

Executed the commands you suggested, still not able to ping to management interface.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Fri, 23 Aug 2013 10:06:09 GMT

did you remove the NAT statements before you issued the commands? It is easier doing this in the ASDM but will cause existing connections to be terminated, and those connections would need to be re-established.

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Sander Zuijdam — Fri, 23 Aug 2013 10:30:08 GMT

Yes, i removed all NAT statements first, then i executed the ones you suggested. NAT looks like the folllowing in ASDM:

1 inside outside 192.168.1.0/24 192.168.250.0/24 any -- Original -- -- Original -- -- Original --

1 outside inside 192.168.250.0/24 192.168.1.0/24 any -- Original -- -- Original -- -- Original --

2 inside outside 192.168.100.0/24 192.168.250.0/24 any -- Original -- -- Original -- -- Original --

2 outside inside 192.168.250.0/24 192.168.100.0/24 any -- Original -- -- Original -- -- Original --

3 inside outside AllInside-networks any any a_u$c@1b2df369 -- Original -- -- Original --

Re: ASA5520 AnyConnect SSL VPN Connected but unable to ping my i

Marius Gunnerud — Fri, 23 Aug 2013 10:52:03 GMT

I see you are not using the ASA as a CA for the anyconnect but it should still connect without the certificate, it just isn't secure.

The only other thing that looks a little out of place, but should not affect connectivity is:

split-tunnel-policy tunnelall

split-tunnel-network-list value split_tunnel

You might want to change that to:

split-tunnel-policy tunnelspecified

Other than that I would suggest removing all anyconnect configuration and starting from scratch. I like using the ASDM when setting up AnyConnect, and it doesn't take a lot of time to get it done.

The configuration looks correct, perhaps just a restart is needed.