09-28-2023 07:45 AM - last edited on 09-28-2023 10:11 AM by shazubai
I am having issues with my ASA not transferring traffic from VPN subnet to internal subnet. VPN is 10.1.1.0/24 subnet and internal is 172.16.10.0/24 subnet.
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)61
!
hostname ciscoasa
enable password xxx xxx
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d4178d35b9e92dae51bd1cbacee04e4
: end
09-28-2023 01:53 PM
That worked, but it still doesn't work from the client.
Also, for the internal web server at 172.16.10.10: since it can't get to the DNS server, could that be why the packet is being dropped? Do I need to do:
nat (inside,outside) source static 10.1.1.5 172.16.10.10 dns
!
policy-map global_policy
 class inspection_default
  inspect dns
09-28-2023 01:59 PM
Do you have any internal DNS server?
09-28-2023 05:10 PM
I don't have an internal DNS.
09-29-2023 12:07 AM
Can you access the HTTP server by IP, not by name?
09-29-2023 04:42 AM
No, I cannot access it.
09-29-2023 09:05 AM
What is the IP you use to access the HTTP server?
09-29-2023 09:07 AM
The IP for the web server is 172.16.10.10.
09-29-2023 10:27 AM
09-28-2023 12:03 PM
I found the pool config:
ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0
And from what you shared I see the AnyConnect client gets an IP from the pool; that's good.
The other thing I see is the dynamic policy:
dynamic-access-policy-record DfltAccessPolicy !!!
Why do you use it?
09-29-2023 05:40 AM
Is this a lab/home network or a production network? Is the issue that all traffic from AnyConnect through the ASA is not passing, or is it specific traffic?
I suggest breaking this up into two parts. First troubleshoot the issue with access to the internal server, and then troubleshoot access to the internet via tunnel all.
First off, for testing with ping we need to enable inspect icmp in the policy-map:
policy-map global_policy
 class inspection_default
  inspect icmp
First verify the server reachability by pinging 172.16.10.10 from the ASA CLI.
Set up a capture on the inside interface:
cap capin interface INSIDE-1 match ip 10.1.1.0 255.255.255.0 host 172.16.10.10
Now connect to the VPN. First check the Route Details in the AnyConnect client and make sure that Secured Routes shows 0.0.0.0/0.
Send some ping packets and then issue the command "show cap capin" and check if you are seeing traffic leaving the inside interface.
If you are seeing traffic leave the interface but get nothing in return, then there is an issue between the ASA and the 172.16.10.10 server.
If you do not have an internal DNS server that can resolve the URL or FQDN to an IP then you will need to access that server via IP.
Post the results from the tests here please.
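The two configuration items this post asks about (inspect icmp under the global policy-map, and whether the AnyConnect pool is covered by an identity NAT rule so that the dynamic PAT rules do not translate VPN-bound traffic) can be checked mechanically before anyone touches the box. The script below is an added example, not code from the thread or from Cisco: it audits a running-config text for both items. The two configs it runs against are constructed excerpts modelled on the one posted above; the object names VPN_POOL and INTERNAL_NET and the identity NAT line in the "fixed" version are assumptions for illustration. It also assumes the running-config's one-space-per-level indentation and only understands object-based twice-NAT rules with subnet or host objects.

```python
"""Audit an ASA running-config for 'inspect icmp' in the global policy-map and
for an identity (NAT-exempt) rule covering every 'ip local pool'.
Added example, not from the thread; the configs below are constructed."""
import ipaddress
import re

# Constructed: pool from the thread, dynamic PAT, no icmp inspection, no exemption.
BROKEN_CONFIG = """\
ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any1
 nat (inside_1,outside) dynamic interface
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# Constructed: same box with 'inspect icmp' and an assumed identity NAT rule
# (object names VPN_POOL / INTERNAL_NET are hypothetical).
FIXED_CONFIG = """\
ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0
object network VPN_POOL
 subnet 10.1.1.0 255.255.255.0
object network INTERNAL_NET
 subnet 172.16.10.0 255.255.255.0
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
nat (inside_1,outside) source static INTERNAL_NET INTERNAL_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
object network obj_any1
 nat (inside_1,outside) dynamic interface
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
OBJ_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
TWICE_NAT_RE = re.compile(
    r"^\s*nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
INSPECT_RE = re.compile(r"^\s+inspect (\S+)")


def parse_pools(config):
    """Map each 'ip local pool' name to the network implied by its start address and mask."""
    pools = {}
    for m in filter(None, map(POOL_RE.match, config.splitlines())):
        name, start, _end, mask = m.groups()
        pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def parse_objects(config):
    """Map 'object network' names to their subnet/host definition; other kinds are skipped."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif current and (m := SUBNET_RE.match(line)):
            objects[current] = ipaddress.ip_network("/".join(m.groups()), strict=False)
        elif current and (m := HOST_RE.match(line)):
            objects[current] = ipaddress.ip_network(m.group(1))
        elif not line.startswith(" "):
            current = None  # left the object block
    return objects


def identity_nat_objects(config):
    """Object names used on twice-NAT rules whose real and mapped sides are identical (NAT exemption)."""
    names = set()
    for m in filter(None, map(TWICE_NAT_RE.match, config.splitlines())):
        _in, _out, src_real, src_mapped, dst_real, dst_mapped = m.groups()
        if src_real == src_mapped and dst_real == dst_mapped:
            names.update((src_real, dst_real))
    return names


def global_policy_inspections(config):
    """Protocols inspected anywhere under 'policy-map global_policy'."""
    inspected, inside = set(), False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            inside = line.split()[1] == "global_policy"
        elif not line.startswith(" "):
            inside = False
        elif inside and (m := INSPECT_RE.match(line)):
            inspected.add(m.group(1))
    return inspected


def audit(config):
    """Return the two findings a VPN-to-inside troubleshooter checks first."""
    objects = parse_objects(config)
    exempt_nets = [objects[n] for n in identity_nat_objects(config) if n in objects]
    return {
        "icmp_inspected": "icmp" in global_policy_inspections(config),
        "pool_exempt": {
            name: any(net.subnet_of(ex) for ex in exempt_nets if ex.version == net.version)
            for name, net in parse_pools(config).items()
        },
    }


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Run it as-is to see the "broken" config flagged on both counts and the "fixed" one pass; to audit a real device, paste the output of `show running-config` into `audit()`. The check is deliberately conservative: a pool is reported as exempt only when an identity twice-NAT rule names an object that contains the whole pool, which is the form that reliably keeps the `dynamic interface` PAT rules from rewriting traffic between the inside network and VPN clients.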
09-29-2023 08:58 AM
This is a lab network without an internet connection.
The following is the requested output.
ciscoasa(config-pmap-c)# ping 172.16.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config-pmap-c)# cap capin interface INSIDE-1 match ip 10.1.1.0 255.25$
ciscoasa(config-pmap-c)# show cap capin
190 packets captured
1: 16:15:05.339505 10.1.1.5 > 172.16.10.10: icmp: echo request
2: 16:15:06.365169 10.1.1.5 > 172.16.10.10: icmp: echo request
3: 16:15:07.377437 10.1.1.5 > 172.16.10.10: icmp: echo request
4: 16:15:08.391001 10.1.1.5 > 172.16.10.10: icmp: echo request
5: 16:15:09.404779 10.1.1.5 > 172.16.10.10: icmp: echo request
6: 16:15:10.418771 10.1.1.5 > 172.16.10.10: icmp: echo request
7: 16:15:11.431938 10.1.1.5 > 172.16.10.10: icmp: echo request
8: 16:15:12.446052 10.1.1.5 > 172.16.10.10: icmp: echo request
9: 16:15:13.459540 10.1.1.5 > 172.16.10.10: icmp: echo request
10: 16:15:14.473409 10.1.1.5 > 172.16.10.10: icmp: echo request
11: 16:15:15.487172 10.1.1.5 > 172.16.10.10: icmp: echo request
12: 16:15:16.500889 10.1.1.5 > 172.16.10.10: icmp: echo request
13: 16:15:17.514438 10.1.1.5 > 172.16.10.10: icmp: echo request
14: 16:15:18.527911 10.1.1.5 > 172.16.10.10: icmp: echo request
15: 16:15:19.541475 10.1.1.5 > 172.16.10.10: icmp: echo request
16: 16:15:20.555253 10.1.1.5 > 172.16.10.10: icmp: echo request
17: 16:15:21.568726 10.1.1.5 > 172.16.10.10: icmp: echo request
18: 16:15:22.582886 10.1.1.5 > 172.16.10.10: icmp: echo request
19: 16:15:23.596023 10.1.1.5 > 172.16.10.10: icmp: echo request
20: 16:15:24.610075 10.1.1.5 > 172.16.10.10: icmp: echo request
21: 16:15:25.623624 10.1.1.5 > 172.16.10.10: icmp: echo request
22: 16:15:26.637097 10.1.1.5 > 172.16.10.10: icmp: echo request
23: 16:15:27.651104 10.1.1.5 > 172.16.10.10: icmp: echo request
24: 16:15:28.664684 10.1.1.5 > 172.16.10.10: icmp: echo request
25: 16:15:29.678416 10.1.1.5 > 172.16.10.10: icmp: echo request
26: 16:15:30.691339 10.1.1.5 > 172.16.10.10: icmp: echo request
27: 16:15:31.704995 10.1.1.5 > 172.16.10.10: icmp: echo request
28: 16:15:32.719201 10.1.1.5 > 172.16.10.10: icmp: echo request
29: 16:15:33.732811 10.1.1.5 > 172.16.10.10: icmp: echo request
30: 16:15:34.746497 10.1.1.5 > 172.16.10.10: icmp: echo request
31: 16:15:35.760153 10.1.1.5 > 172.16.10.10: icmp: echo request
32: 16:15:36.773748 10.1.1.5 > 172.16.10.10: icmp: echo request
33: 16:15:37.787389 10.1.1.5 > 172.16.10.10: icmp: echo request
34: 16:15:38.800831 10.1.1.5 > 172.16.10.10: icmp: echo request
35: 16:15:39.814548 10.1.1.5 > 172.16.10.10: icmp: echo request
36: 16:15:40.828341 10.1.1.5 > 172.16.10.10: icmp: echo request
37: 16:15:41.842195 10.1.1.5 > 172.16.10.10: icmp: echo request
38: 16:15:42.855866 10.1.1.5 > 172.16.10.10: icmp: echo request
39: 16:15:43.869721 10.1.1.5 > 172.16.10.10: icmp: echo request
40: 16:15:44.883041 10.1.1.5 > 172.16.10.10: icmp: echo request
41: 16:15:45.896941 10.1.1.5 > 172.16.10.10: icmp: echo request
42: 16:15:46.910643 10.1.1.5 > 172.16.10.10: icmp: echo request
43: 16:15:47.923856 10.1.1.5 > 172.16.10.10: icmp: echo request
44: 16:15:48.937771 10.1.1.5 > 172.16.10.10: icmp: echo request
45: 16:15:49.951336 10.1.1.5 > 172.16.10.10: icmp: echo request
46: 16:15:50.965053 10.1.1.5 > 172.16.10.10: icmp: echo request
47: 16:15:51.978876 10.1.1.5 > 172.16.10.10: icmp: echo request
48: 16:15:52.992578 10.1.1.5 > 172.16.10.10: icmp: echo request
49: 16:15:54.006332 10.1.1.5 > 172.16.10.10: icmp: echo request
50: 16:15:55.019865 10.1.1.5 > 172.16.10.10: icmp: echo request
51: 16:15:56.034238 10.1.1.5 > 172.16.10.10: icmp: echo request
52: 16:15:57.047208 10.1.1.5 > 172.16.10.10: icmp: echo request
53: 16:15:58.061306 10.1.1.5 > 172.16.10.10: icmp: echo request
54: 16:15:59.074520 10.1.1.5 > 172.16.10.10: icmp: echo request
55: 16:16:00.088084 10.1.1.5 > 172.16.10.10: icmp: echo request
56: 16:16:01.102396 10.1.1.5 > 172.16.10.10: icmp: echo request
57: 16:16:02.115548 10.1.1.5 > 172.16.10.10: icmp: echo request
58: 16:16:03.129250 10.1.1.5 > 172.16.10.10: icmp: echo request
59: 16:16:04.142921 10.1.1.5 > 172.16.10.10: icmp: echo request
60: 16:16:05.156180 10.1.1.5 > 172.16.10.10: icmp: echo request
61: 16:16:06.170645 10.1.1.5 > 172.16.10.10: icmp: echo request
62: 16:16:07.183904 10.1.1.5 > 172.16.10.10: icmp: echo request
63: 16:16:08.197819 10.1.1.5 > 172.16.10.10: icmp: echo request
64: 16:16:09.211430 10.1.1.5 > 172.16.10.10: icmp: echo request
65: 16:16:10.224735 10.1.1.5 > 172.16.10.10: icmp: echo request
66: 16:16:11.238513 10.1.1.5 > 172.16.10.10: icmp: echo request
67: 16:16:12.252809 10.1.1.5 > 172.16.10.10: icmp: echo request
68: 16:16:13.265946 10.1.1.5 > 172.16.10.10: icmp: echo request
69: 16:16:14.279633 10.1.1.5 > 172.16.10.10: icmp: echo request
70: 16:16:15.293228 10.1.1.5 > 172.16.10.10: icmp: echo request
71: 16:16:16.306868 10.1.1.5 > 172.16.10.10: icmp: echo request
72: 16:16:17.320860 10.1.1.5 > 172.16.10.10: icmp: echo request
73: 16:16:18.334043 10.1.1.5 > 172.16.10.10: icmp: echo request
74: 16:16:19.348218 10.1.1.5 > 172.16.10.10: icmp: echo request
75: 16:16:20.361843 10.1.1.5 > 172.16.10.10: icmp: echo request
76: 16:16:21.375194 10.1.1.5 > 172.16.10.10: icmp: echo request
77: 16:16:22.389216 10.1.1.5 > 172.16.10.10: icmp: echo request
78: 16:16:23.402612 10.1.1.5 > 172.16.10.10: icmp: echo request
79: 16:16:24.416741 10.1.1.5 > 172.16.10.10: icmp: echo request
80: 16:16:25.430077 10.1.1.5 > 172.16.10.10: icmp: echo request
81: 16:16:26.443870 10.1.1.5 > 172.16.10.10: icmp: echo request
82: 16:16:27.457434 10.1.1.5 > 172.16.10.10: icmp: echo request
83: 16:16:28.470404 10.1.1.5 > 172.16.10.10: icmp: echo request
84: 16:16:29.484517 10.1.1.5 > 172.16.10.10: icmp: echo request
85: 16:16:30.498341 10.1.1.5 > 172.16.10.10: icmp: echo request
86: 16:16:31.511753 10.1.1.5 > 172.16.10.10: icmp: echo request
87: 16:16:32.525744 10.1.1.5 > 172.16.10.10: icmp: echo request
88: 16:16:33.539187 10.1.1.5 > 172.16.10.10: icmp: echo request
89: 16:16:34.552873 10.1.1.5 > 172.16.10.10: icmp: echo request
90: 16:16:35.567170 10.1.1.5 > 172.16.10.10: icmp: echo request
91: 16:16:36.580154 10.1.1.5 > 172.16.10.10: icmp: echo request
92: 16:16:37.593597 10.1.1.5 > 172.16.10.10: icmp: echo request
93: 16:16:38.607436 10.1.1.5 > 172.16.10.10: icmp: echo request
94: 16:16:39.621122 10.1.1.5 > 172.16.10.10: icmp: echo request
95: 16:16:40.634732 10.1.1.5 > 172.16.10.10: icmp: echo request
96: 16:16:41.648556 10.1.1.5 > 172.16.10.10: icmp: echo request
97: 16:16:42.662227 10.1.1.5 > 172.16.10.10: icmp: echo request
98: 16:16:43.675914 10.1.1.5 > 172.16.10.10: icmp: echo request
99: 16:16:44.689524 10.1.1.5 > 172.16.10.10: icmp: echo request
100: 16:16:45.703668 10.1.1.5 > 172.16.10.10: icmp: echo request
101: 16:16:46.717217 10.1.1.5 > 172.16.10.10: icmp: echo request
102: 16:16:47.730293 10.1.1.5 > 172.16.10.10: icmp: echo request
103: 16:16:48.744315 10.1.1.5 > 172.16.10.10: icmp: echo request
104: 16:16:49.757300 10.1.1.5 > 172.16.10.10: icmp: echo request
105: 16:16:50.771505 10.1.1.5 > 172.16.10.10: icmp: echo request
106: 16:16:51.785008 10.1.1.5 > 172.16.10.10: icmp: echo request
107: 16:16:52.798802 10.1.1.5 > 172.16.10.10: icmp: echo request
108: 16:16:53.812229 10.1.1.5 > 172.16.10.10: icmp: echo request
109: 16:16:54.825656 10.1.1.5 > 172.16.10.10: icmp: echo request
110: 16:16:55.839708 10.1.1.5 > 172.16.10.10: icmp: echo request
111: 16:16:56.853456 10.1.1.5 > 172.16.10.10: icmp: echo request
112: 16:16:57.867402 10.1.1.5 > 172.16.10.10: icmp: echo request
113: 16:16:58.880813 10.1.1.5 > 172.16.10.10: icmp: echo request
114: 16:16:59.894530 10.1.1.5 > 172.16.10.10: icmp: echo request
115: 16:17:00.908095 10.1.1.5 > 172.16.10.10: icmp: echo request
116: 16:17:01.921186 10.1.1.5 > 172.16.10.10: icmp: echo request
117: 16:17:02.935559 10.1.1.5 > 172.16.10.10: icmp: echo request
118: 16:17:03.949001 10.1.1.5 > 172.16.10.10: icmp: echo request
119: 16:17:04.963298 10.1.1.5 > 172.16.10.10: icmp: echo request
120: 16:17:05.976161 10.1.1.5 > 172.16.10.10: icmp: echo request
121: 16:17:06.990244 10.1.1.5 > 172.16.10.10: icmp: echo request
122: 16:17:08.003692 10.1.1.5 > 172.16.10.10: icmp: echo request
123: 16:17:09.017195 10.1.1.5 > 172.16.10.10: icmp: echo request
124: 16:17:10.031553 10.1.1.5 > 172.16.10.10: icmp: echo request
125: 16:17:11.044660 10.1.1.5 > 172.16.10.10: icmp: echo request
126: 16:17:12.058605 10.1.1.5 > 172.16.10.10: icmp: echo request
127: 16:17:13.072536 10.1.1.5 > 172.16.10.10: icmp: echo request
128: 16:17:14.085536 10.1.1.5 > 172.16.10.10: icmp: echo request
129: 16:17:15.099726 10.1.1.5 > 172.16.10.10: icmp: echo request
130: 16:17:16.112970 10.1.1.5 > 172.16.10.10: icmp: echo request
131: 16:17:17.126763 10.1.1.5 > 172.16.10.10: icmp: echo request
132: 16:17:18.140007 10.1.1.5 > 172.16.10.10: icmp: echo request
133: 16:17:19.153968 10.1.1.5 > 172.16.10.10: icmp: echo request
134: 16:17:20.167654 10.1.1.5 > 172.16.10.10: icmp: echo request
135: 16:17:21.181738 10.1.1.5 > 172.16.10.10: icmp: echo request
136: 16:17:22.195073 10.1.1.5 > 172.16.10.10: icmp: echo request
137: 16:17:23.209065 10.1.1.5 > 172.16.10.10: icmp: echo request
138: 16:17:24.222110 10.1.1.5 > 172.16.10.10: icmp: echo request
139: 16:17:25.235949 10.1.1.5 > 172.16.10.10: icmp: echo request
140: 16:17:26.249941 10.1.1.5 > 172.16.10.10: icmp: echo request
141: 16:17:27.263490 10.1.1.5 > 172.16.10.10: icmp: echo request
142: 16:17:28.277237 10.1.1.5 > 172.16.10.10: icmp: echo request
143: 16:17:29.290909 10.1.1.5 > 172.16.10.10: icmp: echo request
144: 16:17:30.304946 10.1.1.5 > 172.16.10.10: icmp: echo request
145: 16:17:31.318114 10.1.1.5 > 172.16.10.10: icmp: echo request
146: 16:17:32.331876 10.1.1.5 > 172.16.10.10: icmp: echo request
147: 16:17:33.345364 10.1.1.5 > 172.16.10.10: icmp: echo request
148: 16:17:34.359051 10.1.1.5 > 172.16.10.10: icmp: echo request
149: 16:17:35.373195 10.1.1.5 > 172.16.10.10: icmp: echo request
150: 16:17:36.385981 10.1.1.5 > 172.16.10.10: icmp: echo request
151: 16:17:37.400049 10.1.1.5 > 172.16.10.10: icmp: echo request
152: 16:17:38.413415 10.1.1.5 > 172.16.10.10: icmp: echo request
153: 16:17:39.427071 10.1.1.5 > 172.16.10.10: icmp: echo request
154: 16:17:40.441185 10.1.1.5 > 172.16.10.10: icmp: echo request
155: 16:17:41.454779 10.1.1.5 > 172.16.10.10: icmp: echo request
156: 16:17:42.468298 10.1.1.5 > 172.16.10.10: icmp: echo request
157: 16:17:43.482137 10.1.1.5 > 172.16.10.10: icmp: echo request
158: 16:17:44.495946 10.1.1.5 > 172.16.10.10: icmp: echo request
159: 16:17:45.509601 10.1.1.5 > 172.16.10.10: icmp: echo request
160: 16:17:46.522922 10.1.1.5 > 172.16.10.10: icmp: echo request
161: 16:17:47.536639 10.1.1.5 > 172.16.10.10: icmp: echo request
162: 16:17:48.550478 10.1.1.5 > 172.16.10.10: icmp: echo request
163: 16:17:49.563950 10.1.1.5 > 172.16.10.10: icmp: echo request
164: 16:17:50.578262 10.1.1.5 > 172.16.10.10: icmp: echo request
165: 16:17:51.591415 10.1.1.5 > 172.16.10.10: icmp: echo request
166: 16:17:52.604994 10.1.1.5 > 172.16.10.10: icmp: echo request
167: 16:17:53.618772 10.1.1.5 > 172.16.10.10: icmp: echo request
168: 16:17:54.632840 10.1.1.5 > 172.16.10.10: icmp: echo request
169: 16:17:55.646008 10.1.1.5 > 172.16.10.10: icmp: echo request
170: 16:17:56.659725 10.1.1.5 > 172.16.10.10: icmp: echo request
171: 16:17:57.673396 10.1.1.5 > 172.16.10.10: icmp: echo request
172: 16:17:58.687159 10.1.1.5 > 172.16.10.10: icmp: echo request
173: 16:17:59.701105 10.1.1.5 > 172.16.10.10: icmp: echo request
174: 16:18:00.714608 10.1.1.5 > 172.16.10.10: icmp: echo request
175: 16:18:01.728081 10.1.1.5 > 172.16.10.10: icmp: echo request
176: 16:18:02.741843 10.1.1.5 > 172.16.10.10: icmp: echo request
177: 16:18:03.755942 10.1.1.5 > 172.16.10.10: icmp: echo request
178: 16:18:04.769277 10.1.1.5 > 172.16.10.10: icmp: echo request
179: 16:18:05.782689 10.1.1.5 > 172.16.10.10: icmp: echo request
180: 16:18:06.796864 10.1.1.5 > 172.16.10.10: icmp: echo request
181: 16:18:07.810215 10.1.1.5 > 172.16.10.10: icmp: echo request
182: 16:18:08.823413 10.1.1.5 > 172.16.10.10: icmp: echo request
183: 16:18:09.836916 10.1.1.5 > 172.16.10.10: icmp: echo request
184: 16:18:10.850786 10.1.1.5 > 172.16.10.10: icmp: echo request
185: 16:18:11.864579 10.1.1.5 > 172.16.10.10: icmp: echo request
186: 16:18:12.878296 10.1.1.5 > 172.16.10.10: icmp: echo request
187: 16:18:13.891921 10.1.1.5 > 172.16.10.10: icmp: echo request
188: 16:18:14.905684 10.1.1.5 > 172.16.10.10: icmp: echo request
189: 16:18:15.919782 10.1.1.5 > 172.16.10.10: icmp: echo request
190: 16:18:16.932996 10.1.1.5 > 172.16.10.10: icmp: echo request
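An ASA interface capture records both directions, so 190 echo requests with no echo reply on the inside interface means the reply never came back into that interface at all. The script below is an added example, not code from the thread: it tallies `show cap` output per host pair and lists the one-way flows, which is the quick way to turn a long capture like the one above into a single finding. The sample capture it runs on is constructed in the same format as the posted output (three unanswered pings to the web server plus one answered ping to the gateway); it only parses ICMP echo lines.

```python
"""Summarise ASA 'show cap' output: echo requests vs replies per host pair.
Added example, not from the thread; the capture text below is constructed."""
import re
from collections import defaultdict

# Constructed sample in the thread's 'show cap' format.
SAMPLE_CAPTURE = """\
5 packets captured
1: 16:15:05.339505 10.1.1.5 > 172.16.10.10: icmp: echo request
2: 16:15:06.365169 10.1.1.5 > 172.16.10.10: icmp: echo request
3: 16:15:07.377437 10.1.1.5 > 172.16.10.10: icmp: echo request
4: 16:15:08.391001 10.1.1.5 > 172.16.10.1: icmp: echo request
5: 16:15:08.391900 172.16.10.1 > 10.1.1.5: icmp: echo reply
5 packets shown
"""

# "<n>: <timestamp> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)")


def tally_icmp(capture_text):
    """Count echo requests and replies per (client, server) pair.
    A reply from B to A is credited to the A->B flow so both directions land on one key."""
    flows = defaultdict(lambda: {"requests": 0, "replies": 0})
    for m in filter(None, map(LINE_RE.match, capture_text.splitlines())):
        src, dst, kind = m.group("src", "dst", "kind")
        key = (src, dst) if kind == "request" else (dst, src)
        flows[key]["requests" if kind == "request" else "replies"] += 1
    return dict(flows)


def one_way_flows(capture_text):
    """Pairs that sent requests and never saw a reply on this interface."""
    return sorted(k for k, v in tally_icmp(capture_text).items()
                  if v["requests"] and not v["replies"])


def report(capture_text):
    """Human-readable summary, one line per flow, one-way flows marked."""
    lines = []
    for (client, server), counts in sorted(tally_icmp(capture_text).items()):
        flag = "  <-- no replies seen" if not counts["replies"] else ""
        lines.append(f"{client} -> {server}: {counts['requests']} requests, "
                     f"{counts['replies']} replies{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

Paste a real `show cap <name>` dump in place of the sample to get the same per-pair summary. A flow that shows up as request-only on the inside capture, while the same pair shows a reply on a capture taken on the server itself, narrows the problem to the host (firewall, default gateway) rather than the ASA.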
09-29-2023 10:12 AM
Did you add the inspect icmp command to the global policy-map?
Based on the capture output, the issue looks to be between the ASA and the server.
Have you verified the default gateway on the server? Is the server using the ASA as the default gateway, or is it using another device as the default gateway? If it is using another switch or router as a default gateway, is routing to the 10.1.1.0/24 network correctly configured on that device?
09-29-2023 10:16 AM
Yes, I added it to the global policy-map.
The server is directly connected to the ASA; there is no device between them. I am able to ping both 172.16.10.1 and 172.16.10.10. I am not able to ping the VPN client though:
ciscoasa(config)# ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa(config)# ping 172.16.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
09-29-2023 10:26 AM
If you want to ping the client from the ASA using the inside-1 interface, you would need to add "management-access inside-1" and then ping inside-1 10.1.1.5.
Is 172.16.10.10 a Windows machine? Is the Windows firewall disabled, or at the very least is ping allowed in the Windows firewall?