ASA 5580 remote access VPN problem

gasparmenendez
Level 6

Hi friends, I already configured a VPN connection between a PC (with a public IP address) and my ASA 5580 for testing purposes. The problem is that I need to ping a subnet (192.168.199.0/24) behind the ASA from the PC connected through the VPN, but I can't. I've been trying a lot of things, but it is nearly impossible. I really need all the help I can get in order to solve this issue. When I run a packet-tracer on the ASA I get:

ASA5580# packet-trace input outside icmp 192.168.239.2 8 0 192.168.199.33

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp
Additional Information:
NAT divert to egress interface INSIDE_Prueba
Untranslate 192.168.199.33/0 to 192.168.199.33/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE_Prueba
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Obviously, the PC connected to the LAN behind the ASA has IP address 192.168.199.33, and the other one with the public IP address gets 192.168.239.2 when the VPN comes up. Can anybody help me please???

Thanks in advance. BR.

16 Replies

From your last two posts, everything looks good between the server and the ASA. Try the following commands:

 

no nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp

nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25

Spooster IT Services Team

Tried that already without luck, my friend....
