Can't Ping Remote VPN Users

mario11584
Level 1

I apologize for the stupid question but I am so insanely rusty with ASA firewalls it's completely ridiculous! I have about 24 remote users connecting to our ASA 5510. These users pull an IP address from a DHCP scope set up on the firewall in the 172.16.16.100-172.16.16.250 range. I need to be able to ping these users' machines over their VPN tunnels. I was under the impression that adding "same-security-traffic permit intra-interface" would allow this but it doesn't. Do I need an ACL for this? What would it look like? I've attached my running config. Maybe I should add that this firewall's only purpose is for these VPN users.

Thanks for the help in advance! You'll save my life!!

21 Replies

Hi Andres,

I was able to connect using the client installed on a PC. I was able to ping the remote IP from my local machine. I was also able to ping the PBX server (inside server) from the remote machine.

I believe NAT-T was already enabled. It doesn't show up in the configs? I ran crypto isakmp nat-traversal 30 and that shows up in the running-config (maybe because it's not a default setting). That didn't seem to resolve the issue.

The output for "show crypto ipsec sa" is attached. Traffic doesn't look like it's getting encrypted or decrypted to one of the problem users.

Santhosha,

I'm just now learning some of the phones can connect to an inside server and some cannot. They are programmed to connect to our PBX server inside of our network once they establish a VPN connection. All of them can connect to the VPN successfully but 4 of them are unable to connect to the call server once connected to the VPN. I am unaware of how to test them to see if they can connect to any other servers. I have tested to see if the owners of these phones can connect using the IPSec VPN client on their laptops, which they can, as well as ping the call server. Is that what you are asking?

We have version 8.2 running.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.128.0.11 255.255.0.0

ip local pool AvayaPool 172.16.16.100-172.16.16.250 mask 255.255.255.0

ciscoasa# show run nat
nat (inside) 0 access-list NO_NAT

I couldn't get "show nat details" to work, but I got "show nat":

NAT policies on Interface inside:
  match ip inside any management any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    NAT exempt
    translate_hits = 28572, untranslate_hits = 946731
  match ip inside any outside 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
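As an added illustration (not code from this thread or from Cisco): the "show nat" excerpt above lists the NAT-exempt entries in the order the ASA evaluates them, and every entry naming 172.16.16.0/24 shows zero hits while the broader "any"/"any" entry ahead of it on the same interface pair carries all the counters. The Python below parses that 8.2-style output and reports entries that an earlier, broader entry on the same interfaces will always match first; the sample input is constructed from the excerpt.

```python
"""Parse ASA 8.2 'show nat' output and flag entries shadowed by an earlier, broader entry."""
import re
from ipaddress import ip_network

# Constructed sample modelled on the "show nat" excerpt quoted in the thread.
SAMPLE = """\
NAT policies on Interface inside:
  match ip inside any outside any
    NAT exempt
    translate_hits = 28572, untranslate_hits = 946731
  match ip inside any outside 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
"""
ANY = ip_network("0.0.0.0/0")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def _endpoint(tokens):
    """Consume 'any' or 'addr mask' from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_show_nat(text):
    """Return one dict per 'match ip ...' entry, in the order the ASA lists them."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("match ip "):
            toks = s.split()[2:]                      # src_if src dst_if dst
            src_if, (src, toks) = toks[0], _endpoint(toks[1:])
            dst_if, (dst, _) = toks[0], _endpoint(toks[1:])
            entries.append({"src_if": src_if, "src": src, "dst_if": dst_if,
                            "dst": dst, "kind": None, "xlate": 0, "unxlate": 0})
        elif entries and (m := HITS_RE.search(s)):
            entries[-1]["xlate"], entries[-1]["unxlate"] = int(m[1]), int(m[2])
        elif entries and entries[-1]["kind"] is None and s:
            entries[-1]["kind"] = s                   # e.g. "NAT exempt"
    return entries

def shadowed(entries):
    """Indices of entries whose src/dst lie inside an earlier entry on the same interfaces."""
    hits = []
    for i, e in enumerate(entries):
        if any((p["src_if"], p["dst_if"]) == (e["src_if"], e["dst_if"])
               and e["src"].subnet_of(p["src"]) and e["dst"].subnet_of(p["dst"])
               for p in entries[:i]):
            hits.append(i)
    return hits
```

A shadowed entry is not necessarily wrong, but its zero counters tell you nothing about the traffic; check the counters on the entry that actually matched.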

andduart
Level 1

Hi,

Thank you for the replies, quick questions:
Does the problem occur with all your users when pinging from the internal network to your remote clients, or only with some of them?

Is the problem happening if you test this connecting with the VPN client installed on the PC?

Did you have this working before? If yes, have you made changes?

Could you send the show run tunnel-group 2: show run group-policy (with the one used)

show ip

show run nat

show run all sysopt

That will help a lot

Regards,


Could you send the

Sent from Cisco Technical Support iPhone App

Andres,

The original problem was that I was unable to ping any of my remote VPN phones connected to the firewall. After I set up some routes from the internal network to this firewall I was able to start pinging from the inside network and not directly from the firewall. This is thanks to the suggestions made earlier. (Reminder, this firewall's only purpose is to connect our Avaya VPN phones to it and give them access to the VLAN that our PBX server lives on. So me having access to any other interface besides the management was not in the original plans.) After making that change I am able to ping most of these phones. Once I started pinging phones I realized at least 4 of them don't respond to pings. After further investigation I have found that these phones are connecting to the VPN but traffic is NOT being passed after the connection is established. Traffic is not getting encrypted and decrypted and I, of course, cannot ping them. NAT-T is enabled.

The problem does not occur with the VPN client. I can ping the PBX server from the VPN client just fine.

None of these users had this working before. They are all new users.

The requested output has been attached!

Thanks so much for the help!

Dave

Hi,

We can make sure that the phones are connecting to the same groups; please verify this by using show vpn-sessiondb remote (or ra, depending on the version).

They should use the same policies as the others. If they look OK we will need to start with some TS for them by verifying differences in their locations, test them in a different one in case traffic is not allowed, etc.

Regards,

Andres,

I think the issue is related to the remote users home networks.

I had the user of one of the problem phones connect the VPN phone directly to their modem (bypassing the home router) and the user was able to connect just fine. This tells me the issue is with the router and not our ASA.

At this point I'll have to dig into the home networks more and confirm this with the other 3 users.

Thanks for all the help everybody! It was awesome!!

andduart
Level 1

Hi,

I'm glad to hear that you were able to make that test! Do you have any other questions?
