04-14-2014 06:23 PM - edited 03-11-2019 09:04 PM
Hi,
The user can log in with their valid AD account. The remote laptop receives a correct IP address from the ASA IP DHCP pool (192.168.210.231-192.168.210.250). However, the remote laptop CANNOT communicate with other internal networks (e.g. ping). The remote laptop CAN ping the VPN interface (outside) of the ASA. A VPN remote connection (IKEv1) is established when logging into the ASA (see config below).
Note: The ASA configuration is attached (most of it was configured with ASDM). I would really appreciate it if anyone could have a look at it and let me know what I am doing wrong.
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 200.190.70.66 255.255.255.248
!
object network NETWORK_OBJ_192.168.210.224_27
subnet 192.168.210.224 255.255.255.224
access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
route outside 192.168.210.224 255.255.255.224 200.190.70.65 1
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ASA-VPN-SITE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.16.5.31 172.16.5.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value zzzzzz
username user1 password zzzzzz encrypted
username user1 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
address-pool remote-vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
Thanks & Regards
Rohit.
04-15-2014 01:47 AM
Hi, is ping the only thing that is not working? If you can, post/attach the whole config here.
If it's only ping that is not working then couple things to check are:
- if you have enabled inspect icmp command
- if you have configured management-access inside command
04-15-2014 07:45 PM
Hi Rudy,
Thanks for your reply, but I already have these commands in my ASA and it is still the same. I cannot ping the inside interface of the ASA 5525 while connected to the VPN, and cannot ping from the inside network to the connected VPN client. Any suggestion would be really appreciated.
Thanks & Regards
Rohit.
04-16-2014 12:26 AM
Hi, so is ping the only thing that is not working? Do other protocols work fine? Try checking the ACL; make sure that the VPN pool IP addresses are allowed to access the inside network. If you can, post/attach the whole config here.
04-16-2014 12:52 AM
Hi Rudy,
Thanks for your reply. I cannot access the internal network at all. Please see the attached config below.
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 200.190.70.66 255.255.255.248
!
object network NETWORK_OBJ_192.168.210.224_27
subnet 192.168.210.224 255.255.255.224
access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
route outside 192.168.210.224 255.255.255.224 200.190.70.65 1
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ASA-VPN-SITE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.16.5.31 172.16.5.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value zzzzzz
username user1 password zzzzzz encrypted
username user1 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
address-pool remote-vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
Thanks & Regards
Rohit
04-16-2014 01:30 AM
What's your LAN network address? Is it one of these: 172.16.0.0 255.255.0.0 / 192.168.1.0 255.255.255.0? If it is not one of those, you will need to modify your split tunnel ACL.
04-16-2014 01:38 AM
Hi Rudy,
The LAN network Address is 172.16.0.0 255.255.0.0
192.168.1.0 / 24 -- DMZ
192.168.210.224 /27 -- VPN client address
Thanks & Regards
Rohit
04-16-2014 01:47 AM
Post your config.
04-16-2014 02:37 AM
Hi Rudy,
Please see the complete configuration of ASA.
ASA Version 8.6(1)2
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 200.190.70.66 255.255.255.248
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 172.16.3.254 255.255.255.0
!
interface GigabitEthernet0/2
speed 1000
duplex full
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 10.1.95.11 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name zzzzzz
object network obj-172.16.0.0-nonat
subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-nonat
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.0.0-nonat
subnet 192.168.0.0 255.255.0.0
object network obj-192.168.1.0-nonatdmz
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.201.0-nonatdmz
subnet 192.168.1.0 255.255.255.0
object network obj-172.16.0.0-nonatdmz
subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-dmz-vpn_private
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.210.224_27
subnet 192.168.210.224 255.255.255.224
object network internal-radius
host 172.16.5.67
object-group network inside-subnet-source
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.252
network-object 172.16.3.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
network-object 172.16.13.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.21.0 255.255.255.0
network-object 172.16.23.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.31.0 255.255.255.0
network-object 172.16.35.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 172.16.109.0 255.255.255.0
network-object 172.16.118.0 255.255.255.0
network-object 172.16.128.0 255.255.255.0
network-object 172.16.129.0 255.255.255.0
network-object 172.16.130.0 255.255.255.0
network-object 172.16.131.0 255.255.255.0
network-object 172.16.132.0 255.255.255.0
network-object 172.16.192.0 255.255.255.0
network-object 172.16.193.0 255.255.255.0
network-object 172.16.194.0 255.255.255.0
network-object 172.16.195.0 255.255.255.0
network-object 172.16.196.0 255.255.255.0
object-group network dmz-subnet-source
network-object 192.168.1.0 255.255.255.0
access-list o_inside extended permit ah any any
access-list o_inside extended permit esp any any
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit tcp any any eq imap4
access-list o_inside extended permit udp any any eq 143
***access-list o_inside extended permit tcp/udp SPECIFIC inside network/pc device to access host in DMZ network (none related to VPN)
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any
***access-list outside extended permit tcp/udp SPECIFIC from outside network/pc device to access host in DMZ/inside network (none related to VPN)
access-list o_dmz extended permit icmp any any echo-reply
***access-list o_dmz extended permit tcp/udp SPECIFIC from dmz network/pc device to access host in inside network (none related to VPN)
access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool remote-vpn-pool 192.168.210.231-192.168.210.250 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any vpn_private
icmp permit any vpn_public
icmp permit any optusapn_temp
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (dmz,any) source static obj-192.168.1.0-nonatdmz obj-192.168.1.0-nonatdmz destination static obj-172.16.0.0-nonatdmz obj-172.16.0.0-nonatdmz no-proxy-arp
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic inside-subnet-source outside-host-global
nat (inside,dmz) after-auto source dynamic inside-subnet-source dmz-host-global
nat (dmz,outside) after-auto source dynamic dmz-subnet-source outside-host-global
access-group outside in interface outside
access-group o_inside in interface inside
access-group o_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 200.190.70.65 1
route inside 172.16.0.0 255.255.0.0 172.16.3.1 1
route inside 172.20.1.0 255.255.255.0 172.16.3.1 1
route inside 172.30.1.0 255.255.255.0 172.16.3.1 1
route inside 192.168.0.0 255.255.0.0 172.16.3.1 1
route outside 192.168.210.0 255.255.255.224 200.190.70.65 1
route outside 192.168.210.32 255.255.255.224 200.190.70.65 1
route outside 192.168.210.64 255.255.255.224 200.190.70.65 1
route outside 192.168.210.96 255.255.255.224 200.190.70.65 1
route outside 192.168.210.128 255.255.255.224 200.190.70.65 1
route outside 192.168.210.224 255.255.255.224 200.190.70.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server internal-radius protocol radius
aaa-server internal-radius (inside) host 172.16.5.67
key zzzzzz
radius-common-pw zzzzzz
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ASA-VPN-SITE interface outside
crypto ikev2 policy 10
encryption aes-256 aes-192 aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet 172.16.3.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.0.0 management
telnet timeout 20
ssh 172.16.0.0 255.255.0.0 inside
ssh 172.16.3.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 2
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.3.1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.16.5.31 172.16.5.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value ZZZZZZ
username user1 password zzzzzz encrypted
username user1 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
address-pool remote-vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key ZZZZZZ
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect h323 h225
inspect h323 ras
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 7
subscribe-to-alert-group configuration periodic monthly 7
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a225df4d313cd95bb3662bd3d70733fe
: end
Thanks & Regards
Rohit.
04-16-2014 03:09 AM
Your NAT statements overlap with each other.
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
Change "any" on your NAT statements to a more specific interface, in this case it should be outside, and add route-lookup to it. Then remove the bottom NAT statement, as you don't need it because the top NAT statement is doing the same thing.
Please post the output of the show run nat, show nat, show access-list and show ipsec sa commands if the above steps haven't solved your issue.
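The NAT change suggested in the reply above, written out as an added example (this is not a configuration from the thread and has not been tested on this ASA): the identity NAT rule that carried (inside,any) and a destination of 192.168.0.0/16 (which also covers the VPN pool 192.168.210.224/27) is re-entered with outside as the mapped interface and route-lookup, the pool-specific rule it shadows is removed, and a packet-tracer run shows which NAT rule an inside-to-pool packet actually hits. The test endpoints are assumptions: 172.16.5.31 (the DNS server from the group policy) as the inside source and 192.168.210.231 (first address of the pool) as the VPN client.

```text
! Added example, not from the thread: apply the NAT change above and verify it.
!
! 1. Remove the (inside,any) identity rule whose destination 192.168.0.0/16
!    also matches the VPN pool. Manual NAT is first-match in order, so this
!    rule was catching inside->pool traffic before the pool-specific rule.
no nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
!
! 2. Re-add it with outside as the mapped interface and route-lookup, so the
!    egress interface comes from the routing table rather than the NAT rule.
!    Re-adding appends to the end of section 1; give a line number
!    (nat (inside,outside) <line> source static ...) if it must sit earlier.
nat (inside,outside) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp route-lookup
!
! 3. The pool-specific exemption is now redundant with the rule above.
no nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
!
! 4. Checks: rule order and hit counts, then trace an ICMP echo (type 8,
!    code 0) from an assumed inside host to an assumed pool address and read
!    the NAT, ACL and VPN phases of the output for the DROP reason, if any.
show run nat
show nat
packet-tracer input inside icmp 172.16.5.31 8 0 192.168.210.231 detailed
!
! 5. With a client connected, confirm traffic is actually entering the tunnel:
!    #pkts encaps / #pkts decaps should both increase while pinging.
show ipsec sa
show access-list
```

packet-tracer only models the clear-text side of the flow (inside to the pool address); a VPN client's inbound packets arrive encrypted on outside and cannot be traced the same way, so the decaps counter in show ipsec sa is the check for that direction.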