topic Re: Can't ping the internal network in Network Security

Can't ping the internal network

tbrinkma — Mon, 11 Mar 2019 12:00:21 GMT

I'm trying to ping and connect to my internal network thru a VPN connection.

The VPN connection is being made and got an IP adres on the client computer.

When I try to ping something in the internal network it does not work.

This are my ACL rules:

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 128.2.0.0 255.255.0.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list splittunnel standard permit 10.0.0.0 255.0.0.0

access-list splittunnel standard permit 128.2.0.0 255.255.0.0

access-list inside_access_in extended permit ip any 10.0.0.0 255.0.0.0

access-list outside_access_in extended permit ip any 10.0.0.0 255.0.0.0

route inside 10.0.0.0 255.0.0.0 10.1.1.2 1

route outside 0.0.0.0 0.0.0.0 [external IP] 1

Can anyone tell me why it isnt working properly?

Re: Can't ping the internal network

acomiskey — Thu, 07 Feb 2008 15:11:46 GMT

Post a config or check config for "isakmp nat-traversal" or "crypto iskamp nat-traversal".

Re: Can't ping the internal network

s-andersson — Thu, 07 Feb 2008 15:34:03 GMT

Checklist.

1. sysopt connection permit-vpn

2. nat 0 for the inside hosts against the vpn-pool

Regards,

Stefan

Re: Can't ping the internal network

tbrinkma — Thu, 07 Feb 2008 16:26:38 GMT

I've got the lines sysopt connection permit-vpn and isakmp nat-traversal in my config.

what do you mean by:

2. nat 0 for the inside hosts against the vpn-pool ?

Re: Can't ping the internal network

acomiskey — Thu, 07 Feb 2008 16:27:56 GMT

He means this and it looks like you've already got it...

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list nonat

Re: Can't ping the internal network

tbrinkma — Thu, 07 Feb 2008 16:28:07 GMT

also got this lines:

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.0.0.0

Re: Can't ping the internal network

acomiskey — Thu, 07 Feb 2008 16:29:10 GMT

Can you post the config? What is the client pool?

Re: Can't ping the internal network

tbrinkma — Fri, 08 Feb 2008 08:58:52 GMT

hostname pixfirewall

domain-name default.domain.invalid

enable password * encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address [External IP]

interface Ethernet1

nameif inside

security-level 100

ip address 10.1.1.7 255.255.0.0

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit intra-interface

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 128.2.0.0 255.255.0.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list splittunnel standard permit 10.0.0.0 255.0.0.0

access-list splittunnel standard permit 128.2.0.0 255.255.0.0

access-list inside_access_in extended permit ip any 10.0.0.0 255.0.0.0

access-list outside_access_in extended permit ip any 10.0.0.0 255.0.0.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.10.1-192.168.10.254

no failover

monitor-interface inside

monitor-interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route inside 10.0.0.0 255.0.0.0 10.1.1.2 1

route outside 0.0.0.0 0.0.0.0 [EXTERNAL IP] 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server RADIUS protocol radius

aaa-server RADIUS host 10.1.8.40

key [RADIUS KEY]

radius-common-pw [RADIUS KEY]

aaa-server myradius protocol radius

aaa-server myradius host 10.1.8.40

timeout 5

key [RADIUS KEY]

group-policy clientgroup internal

group-policy clientgroup attributes

vpn-idle-timeout 20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

http server enable

http *.*.*.* 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map argenta 20 set transform-set myset

crypto map mymap 10 match address 100

crypto map mymap 10 set peer [Client VPN IP]

crypto map mymap 10 set transform-set myset

crypto map mymap 20 ipsec-isakmp dynamic [Client Name]

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 20

tunnel-group [Client VPN IP] type ipsec-l2l

tunnel-group [Client VPN IP] ipsec-attributes

pre-shared-key *

tunnel-group dailin type ipsec-ra

tunnel-group dailin general-attributes

address-pool vpnpool

authentication-server-group RADIUS

default-group-policy clientgroup

tunnel-group dailin ipsec-attributes

pre-shared-key *

telnet *.*.*.* 255.255.255.0 inside

telnet *.*.*.* 255.255.0.0 inside

telnet timeout 240

ssh timeout 5

console timeout 0

no dhcpd address 10.1.1.8-10.1.2.7 inside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

[LIST TRUNCATED]

service-policy global_policy global

prompt hostname context

Cryptochecksum:*

Re: Can't ping the internal network

Alan Huseyin Kayahan — Sat, 09 Feb 2008 15:39:00 GMT

Hi Tristan

First of all, you should correct your split tunnel ACLs

no access-list splittunnel standard permit 10.0.0.0 255.0.0.0

no access-list splittunnel standard permit 128.2.0.0 255.255.0.0

access-list splittunnel standard permit 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list splittunnel standard permit 128.2.0.0 255.255.0.0 192.168.10.0 255.255.255.0

Where is the 128.2.0.0 located? There is no route to that network that you can never reach this subnet

Make sure the following route exists in router with IP 10.1.1.2

ip route 192.168.10.0 255.255.255.0 10.1.1.7

For testing conenctivity, use telnet with desired port instead ping. You should allow icmp for getting ping to work and issue some commands like following

management-access inside

policy-map global_policy

class inspection_default

inspect icmp

Regards