topic Re: Vpn clients on VPN tunnel ip_address range cannot ping each in Network Security

Vpn clients on VPN tunnel ip_address range cannot ping each other

oanetadmin — Fri, 21 Feb 2020 11:11:41 GMT

Sylogs show that Cisco 5520 tears down all ICMP connections coming from one to another internal VPN tunnel host.

VPN tunnel addresses are assigned through Address pool

172.16.8.0/24

For example, once VPN connection established host 172.16.8.1 cannot ping any other host on 172.16.8.0 network

Is this a misconfiguration issue? What kind of Security setting should be configured to allow this flow?

Please help. thanks in advance

important:

ASA is connected on public interface to Internet FW and on private interface to Intranet FW.

Default routes on ASA are configured as follows:

"route private 0.0.0.0 0.0.0.0 172.16.7.65 tunneled

route public 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1"

This means that all tunneled traffic should go through Intranet FW, which is true for all trafic from the VPN tunnel (172.16.8.x) to LAN but not for the traffic back to the tunnel (172.16.8.x). The latter will go out of the public interface and finish on the Internet FW, where the VPN tunnel address is spoofed.

Can someone explain why the tunnel address is going out through public interface? Thnx

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

Richard Burts — Tue, 06 Jan 2009 18:36:47 GMT

Perhaps it will clarify your confusion if you think from the perspective of the ASA: if it has a packet that it should send to the remote VPN peer, which interface should it use to send it? public or private?

The most common reason why devices in the 172.16.8.0 subnet can not ping each other is a basic assumption in the ASA and PIX that by default it will not forward a packet out the same interface on which it was received. So if one remote client in 172.16.8.0 attempts to ping another remote client in that subnet, the request is received and the path to the destination is back out that interface. The way to get around this restriction is to configure:

same-security-traffic permit intra-interface

Give this a try and let us know if it solves the problem.

HTH

Rick

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

oanetadmin — Wed, 07 Jan 2009 08:11:49 GMT

Rick, I appreciate your prompt reply.

If the security level of the private interface is at 100 and that of the public one at 0 by default, you mean that I should set the security level of the public one to 100 and enable the network traffic between the interfaces with the same security level, don't you?

I will give it a try. thanks again

Melita

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

Richard Burts — Wed, 07 Jan 2009 18:30:20 GMT

Melita

NO I did not suggest that you change the security level of the public interface. Leave the security level of the public interface at 0.

If you want to allow traffic between two interfaces with the same security level you would specify to allow inter interface traffic. What you need to do is to allow traffic to out the same interface that it entered on, which is intra interface traffic.

HTH

Rick

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

oanetadmin — Thu, 08 Jan 2009 14:04:52 GMT

Rick,

Done. after applying

"same-security-traffic permit intra-interface"

pings (icmp) are working between hosts on the VPN tunnel (172.16.8.0).

Could you please suggest, what is an "access list" command that would allow for example, any ip traffic between the hosts on the tunnel.

Many thanks in advance.

BR, Melita

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

oanetadmin — Thu, 08 Jan 2009 15:08:41 GMT

Rick,

Done. after applying

"same-security-traffic permit intra-interface"

pings (icmp) are working between hosts on the VPN tunnel (172.16.8.0).

1. Somehow it works for icmp packet but not for the rest of the ip traffic. Could you please suggest, what is an "access list" command that would allow for example, any ip traffic between the hosts on the tunnel.

2. I also have a few static routes mapped to the management interface on ASA that point to several devices on the corporate LAN ; those devices cannot be reached by the hosts on the VPN tunnel, because ASA sends to them packets incoming from the tunnel through the management interface instead of the private one (which is the default route for the tunneled traffic) and the packets are then spoofed on the external FW because expected from the ASA private interface. I hoped that the "..permit intra-interface" would have solve the issue but no...Is there a way to overcome this ?

Many thanks in advance.

BR, Melita

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

Richard Burts — Thu, 08 Jan 2009 18:00:29 GMT

Melita

I am glad that the intra-interface command fixed the initial problem. Without knowing a bit more about how the ASA is set up it is difficult to give really good advice about how to set up the access list, but it probably would be something like permit ip 172.16.8.0 255.255.255.0 any

I am not clear why you have static routes for certain devices pointed through the management interface. But if you do I am not sure how you would route traffic from the VPN tunnels differently. If you need to keep the static routes pointed to the management interface then perhaps it might be possible to set up some address translation so that they look like they originate from the ASA when they get to the firewall?

HTH

Rick

Re: Vpn clients on VPN tunnel ip_address range cannot ping each

oanetadmin — Thu, 08 Jan 2009 21:38:05 GMT

Rick, I appreciate greatly all your help.

Best Regards

Melita