ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

Sander Zuijdam
Level 1

Hi there, please forgive me if I have missed any forum protocols, as this is my first post.

I am trying to configure AnyConnect SSL VPN. I am able to connect to the VPN on a laptop, which is able to download the AnyConnect client from the ASA. I am unable to ping any of my IPs that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on AnyConnect SSL VPN creation and I am following it to the T, but still no ping. Any help would be very much appreciated.

Inside        192.168.1.254/24
Outside       dhcp
VPN Pool      192.168.250.1-50/24
Inside LAN    192.168.1.0/24

---------------------------------------------------------------

: Saved
:
ASA Version 8.4(4)1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 99
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 99
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
 subnet 192.168.1.0 255.255.255.0
object network management-network-object
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
 subnet 192.168.250.0 255.255.255.128
object-group network AllInside-networks
 network-object object inside-network-object
 network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4433
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split_tunnel
 default-domain value dock.local
username test password JAasdf434ey521ZCT encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool vpn_pool
 default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
 group-alias anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:24bcba3c4124ab371297d52260135924
: end

15 Replies

Hi,

Could you add the command management-access inside and then see if you can ping the inside interface of the ASA when connected to the VPN.

If you are able to, then it is most likely the windows firewall blocking the ICMP packets (or whichever firewall is installed on the PC).

If you are not able to ping the inside interface, try changing the NAT rule to be more specific:

no nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25

nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25  NETWORK_OBJ_192.168.250.0_25

Also try running the packet-tracer.  It can help in identifying where the drop is.  Run it twice in a row, as the first time you run it will most certainly show a drop.  The second will show the accurate trace.

packet-tracer input inside tcp 192.168.1.10 4444 192.168.250.10 80 detail

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for your response.

I tried the things you suggested, but still no ping over the AnyConnect VPN connection. These are the results from the packet-tracer:

ciscoasa# packet-tracer input inside tcp 192.168.1.10 4444 192.168.250.10 80 d$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x736fd4e8, priority=1, domain=permit, deny=false
        hits=10, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x736b9ef8, priority=13, domain=permit, deny=false
        hits=4, user_data=0x6f6ed580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x736fe188, priority=0, domain=inspect-ip-options, deny=true
        hits=100, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic AllInside-networks interface
Additional Information:
Dynamic translate 192.168.1.10/4444 to 62.45.21.113/4444
Forward Flow based lookup yields rule:
in  id=0x733289c0, priority=6, domain=nat, deny=false
        hits=5, user_data=0x73843478, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x736f3f60, priority=0, domain=inspect-ip-options, deny=true
        hits=1359, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1781, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Doesn't look like your NAT Exempt statement is being matched.

Could you confirm the IP address that is assigned to the VPN client?

Could you confirm the group policy which is assigned to the VPN client (this can be easily done using the ASDM Monitoring tab)?

Also, your object group and VPN pool do not match up. Though it should not have much to say in this situation, it is best to have everything uniform.

object network NETWORK_OBJ_192.168.250.0_25

subnet 192.168.250.0 255.255.255.128

ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0

change the local pool to the following:

ip local pool vpn_pool 192.168.250.1-192.168.250.126 mask 255.255.255.128

--
Please remember to select a correct answer and rate helpful posts

I changed the subnet of object network NETWORK_OBJ_192.168.250.0_25 to 255.255.255.0.

The IP address of the AnyConnect VPN client is 192.168.250.1, with gateway 192.168.250.2.

The group policy which is assigned: GroupPolicy_anyconnect

Could you post a current config please.

--
Please remember to select a correct answer and rate helpful posts

: Saved
:
ASA Version 8.4(4)1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 99
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 99
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
 subnet 192.168.1.0 255.255.255.0
object network management-network-object
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
 subnet 192.168.250.0 255.255.255.0
object-group network AllInside-networks
 network-object object inside-network-object
 network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.2 255.255.255.255 management
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Anyconnect_VPN internal
group-policy GroupPolicy_Anyconnect_VPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split_tunnel
 default-domain value dock.local
username sander password f/J.5nLef/EqyPfy encrypted
username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
tunnel-group Anyconnect_VPN type remote-access
tunnel-group Anyconnect_VPN general-attributes
 address-pool Anyconnect-pool
 default-group-policy GroupPolicy_Anyconnect_VPN
tunnel-group Anyconnect_VPN webvpn-attributes
 group-alias Anyconnect_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
: end

It should be enabled by default, but you can try to add the command sysopt connection permit-vpn to ensure that the VPN traffic bypasses interface ACLs.

--
Please remember to select a correct answer and rate helpful posts

Done that, still not able to ping management interface/inside interface.

You will not be able to ping the inside interface unless you add the command management-access inside, as I mentioned in my first post.

--
Please remember to select a correct answer and rate helpful posts

I have done that command; it's in the config I posted earlier today.

Sorry, I overlooked it.

I suggest rearranging your NAT statements so that the NAT Exempt appears above the dynamic NAT.

nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
nat (inside,outside) source dynamic AllInside-networks interface

--
Please remember to select a correct answer and rate helpful posts
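As an added illustration (not from this thread, nor Cisco's code), the following Python script models the first-match behaviour of ASA 8.3+ manual NAT (section 1) that the reordering advice above relies on, and also performs the pool-versus-object check raised earlier in the thread. The objects and the two rule orderings are taken from the posted configs; the outside address 203.0.113.1 is a constructed placeholder for the DHCP-assigned one, only the forward (real to mapped) lookup is modelled, and section 2/3 rules are ignored.

```python
"""Toy model of ASA 8.3+ manual ("twice") NAT, section 1: rules are walked
top-down and the first match wins. A dynamic PAT rule without a destination
clause that sits above the VPN exemption therefore captures inside-to-VPN-pool
traffic, which is what packet-tracer phase 5 in this thread shows."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network objects as posted (NETWORK_OBJ is the original /25 version).
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "inside-network-object": ipaddress.ip_network("192.168.1.0/24"),
    "management-network-object": ipaddress.ip_network("192.168.100.0/24"),
    "NETWORK_OBJ_192.168.250.0_25": ipaddress.ip_network("192.168.250.0/25"),
}
GROUPS = {"AllInside-networks": ["inside-network-object", "management-network-object"]}
OUTSIDE_IF_IP = "203.0.113.1"  # constructed placeholder; the real box gets this via DHCP


@dataclass(frozen=True)
class NatRule:
    src_if: str   # real interface, e.g. "inside"
    dst_if: str   # mapped interface, or "any" when not constrained
    src_obj: str  # object or object-group the real source must fall in
    dst_obj: str  # object the destination must fall in ("any" = no destination clause)
    kind: str     # "static" = identity/exempt, "dynamic" = PAT to the mapped interface


def _contains(name: str, ip: str) -> bool:
    """True if ip falls inside the named object or any member of the named group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in OBJECTS[m] for m in GROUPS.get(name, [name]))


def translate(rules: List[NatRule], in_if: str, out_if: str,
              src: str, dst: str) -> Tuple[Optional[int], str]:
    """Forward-direction first-match walk; returns (index of matching rule, mapped source)."""
    for idx, r in enumerate(rules):
        if r.src_if != in_if or r.dst_if not in ("any", out_if):
            continue
        if not (_contains(r.src_obj, src) and _contains(r.dst_obj, dst)):
            continue
        if r.kind == "static":
            return idx, src           # identity translation: the source is left untouched
        return idx, OUTSIDE_IF_IP     # dynamic PAT hides the source behind the interface
    return None, src                  # no section-1 rule applies


# Ordering from the first posted config: dynamic PAT above the exemption.
ORIGINAL_ORDER = [
    NatRule("inside", "outside", "AllInside-networks", "any", "dynamic"),
    NatRule("inside", "any", "any", "NETWORK_OBJ_192.168.250.0_25", "static"),
]
# Ordering suggested in the thread: exemptions first, PAT last.
SUGGESTED_ORDER = [
    NatRule("inside", "outside", "inside-network-object", "NETWORK_OBJ_192.168.250.0_25", "static"),
    NatRule("inside", "outside", "management-network-object", "NETWORK_OBJ_192.168.250.0_25", "static"),
    NatRule("inside", "outside", "AllInside-networks", "any", "dynamic"),
]


def pool_matches_object(first: str, last: str, mask: str, obj_name: str) -> Tuple[bool, bool]:
    """Return (all pool addresses lie inside the exempt object, pool mask equals object mask)."""
    net = OBJECTS[obj_name]
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    covered = lo in net and hi in net
    same_mask = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen == net.prefixlen
    return covered, same_mask


if __name__ == "__main__":
    flow = ("inside", "outside", "192.168.1.10", "192.168.250.10")
    print("original order :", translate(ORIGINAL_ORDER, *flow))   # PAT'd, like packet-tracer phase 5
    print("suggested order:", translate(SUGGESTED_ORDER, *flow))  # identity, exemption matched
    print("pool /24 vs /25:", pool_matches_object("192.168.250.1", "192.168.250.100",
                                                   "255.255.255.0", "NETWORK_OBJ_192.168.250.0_25"))
    print("pool /25 vs /25:", pool_matches_object("192.168.250.1", "192.168.250.126",
                                                   "255.255.255.128", "NETWORK_OBJ_192.168.250.0_25"))
```

The second check shows why the /24 pool against the /25 object is a consistency problem rather than a cause of drops: the addresses .1 to .100 all sit inside the /25, so nothing is excluded, but a pool later extended past .127 would silently fall outside the exemption. The real device should be verified with `show nat` and `packet-tracer` rather than with this model.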

Executed the commands you suggested, still not able to ping to management interface.

Did you remove the NAT statements before you issued the commands? It is easier doing this in the ASDM, but it will cause existing connections to be terminated, and those connections would need to be re-established.

--
Please remember to select a correct answer and rate helpful posts

Yes, I removed all NAT statements first, then I executed the ones you suggested. NAT looks like the following in ASDM:

#  Src Intf  Dst Intf  Source              Destination       Service  Translated Src  Translated Dst  Translated Svc
1  inside    outside   192.168.1.0/24      192.168.250.0/24  any      -- Original --  -- Original --  -- Original --
1  outside   inside    192.168.250.0/24    192.168.1.0/24    any      -- Original --  -- Original --  -- Original --
2  inside    outside   192.168.100.0/24    192.168.250.0/24  any      -- Original --  -- Original --  -- Original --
2  outside   inside    192.168.250.0/24    192.168.100.0/24  any      -- Original --  -- Original --  -- Original --
3  inside    outside   AllInside-networks  any               any      a_u$c@1b2df369  -- Original --  -- Original --
