Re: Cannot ping remote site address pool from inside interface

jniravel · ‎09-20-2022

I have got below interface:

Machine01 (10.0.2.221)<-------> Inisde(10.0.2.0/24)<-------> ASA<-------> Outside(10.0.1.0/24) <------->(pool-192.168.100.0/24) Client (192.168.100.22)

I have got below route table for inside interface in AWS:

I am able to ping from VPN client to inside interface but not the other way around. Tried all sort of configuration but not able to fix this issue. The packet trace is ASDM show green but still the ping does not work. Appreciate any help!

More screenshots:
Access rules:

NAT Rule:

Rob Ingram · ‎09-20-2022

@jniravel the VPN client pool is on the outside interface.

Remove this nat rule:

nat (INSIDE,INSIDE) source static any any destination static Client-Range Client-Range unidirectional

Create a new NAT exemption rule as follows:

nat (INSIDE,OUTSIDE) source static SCCM_NW SCCM_NW destination static Client-Range Client-Range

SCCM_NW - represents your internal network
Client-Range - represents your VPN pool network.

jniravel · ‎09-20-2022

@Rob Ingram : Appreciate your quick response. I have updated the config but still not able to ping:

object network SCCM_NW
subnet 10.0.2.0 255.255.255.0
object network Client-Range
range 192.168.100.0 192.168.100.255
object network internal_int
host 10.0.2.56
object network internal-network
subnet 10.0.2.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group network Client-Pool
network-object object Client-Range
object-group service DM_INLINE_SERVICE_3

arp rate-limit 16384
nat (OUTSIDE,INSIDE) source dynamic any interface
nat (INSIDE,OUTSIDE) source static internal-network internal-network destination static Client-Range Client-Range
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.1.1 1
route INSIDE 192.168.100.0 255.255.255.0 10.0.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30

Rob Ingram · ‎09-20-2022

@jniravel the traffic could be hitting the other nat rule. Remove the other nat rule and replace

No nat (OUTSIDE,INSIDE) source dynamic any interface

Object network internal-network

Nat (inside,outside) dynamic interface

This should place this rule below the NAT exemption rule.

jniravel · ‎09-20-2022

I added the config. I am not able to connect to any of the machines in the internal interface now. Did I miss anything?

no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE,OUTSIDE) source static internal-network internal-network destination static Client-Range Client-Range
!
object network internal-network
nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.1.1 1
timeout xlate 3:00:00

Rob Ingram · ‎09-20-2022

@jniravel previously you had this static route - route INSIDE 192.168.100.0 255.255.255.0 10.0.2.1 1, this incorrect, remove it.

If that doesn't work, run packet tracer from the cli to simulate the traffic flow and provide the output for review.

jniravel · ‎09-20-2022

@Rob Ingram : Apologies for the delay. Currently the env is been used for testing, I will update as soon as I can and post here.

jniravel · ‎09-20-2022

@Rob Ingram : Removed the route but still the same issue. I am not even able to connect any machines from remote client.

Packet trace seems successful:
Inside interface

Outside:

Attached Logs for below packet trace:

packet-tracer input inside tcp 10.2.25.3 1025 209.165.202.158 80 detailed
packet-tracer input outside tcp 10.0.2.221 80 192.168.100.22 80 detailed
packet-tracer input inside tcp 10.0.2.221 80 192.168.100.22 80 detailed

Rob Ingram · ‎09-21-2022

@jniravel the syntax of this packet-tracer output "packet-tracer input inside tcp 10.0.2.221 80 192.168.100.22 80 detail" looks correct, the result is allow. Therefore the ASA configuration seems ok, traffic is matching the new NAT exemption rule. I suggest checking the local firewall on the devices you are pinging to ensure they can respond to the ping. Disable the local firewall for testing.

The other packet tracer tests you run, the syntax was incorrect - so you can ignore those results.

jniravel · ‎09-21-2022

@Rob Ingram

Firewall is already disabled in the both the machines ( my local pc & server in internal.)

I can connect from local pc to internal server if I use the initial NAT rule mentioned in the ticket description.

Am I missing any route or ACL rule?

Do you think I am missing any config from AWS network?

In the AWS I have added internet gateway in the outside subnet because I was not able to access Internet in any of the machines inside interface. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/

Also I have crested split tunneling in Cisco. Not sure if that something to look at.

Appreciate your help!

jniravel · ‎09-21-2022

@Rob Ingram : Do you think its an AWS issue or at cisco ASA config?

MHM Cisco World · ‎09-23-2022

please share the last ASA config,
I am for this mission.
also If you can draw topology.