1432 Views, 0 Helpful, 7 Replies

Cisco ASA 5515-X VPN internal issues

dlo00011 (Level 1)

Hi All,

I am a beginner with Cisco configuration and I am currently using ASDM to configure our ASA 5515-X.

I am having an issue where I want users to VPN in from outside to the ASA and then see the internal network (192.168.0.0/24).

I can log in with the VPN but cannot see any machines on the 192.168.0.0/24 network.

Can you guys help?

See attached for config.

7 Replies

Marvin Rhoads (Hall of Fame)

I don't see any NAT configuration at all. How are your inside hosts even able to reach anything outside without it?

Cristian Matei (VIP Alumni)

Hi,

@Marvin Rhoads Users are NOT allowed to browse the Internet these days, it's not safe with COVID-19 :)

If that is the full ASA config, the VPN session is established successfully, but still you can't reach the 192.168.0.0/24 subnet from the VPN:

- Is there another layer 3 device behind your ASA? Because if so, that layer 3 device needs to have a route towards the ASA for your VPN pool range, 192.168.150.0/24.

- If there is no other layer 3 device behind the ASA, is the ASA the default gateway for your users?

- To confirm you have reachability through the VPN, configure "management-access inside", and from the connected VPN tunnel try to ping the inside IP of the ASA, 192.168.0.9; it should work.

Regards,

Cristian Matei.

Cristian,

We do not have a layer 3 switch behind the ASA. However, I applied 'management-access inside' and I was able to ping 192.168.0.9. What does that mean? Do I have to do a permit?

Hi,

If the users have the ASA as their default gateway, you should be able to ping them, as long as no firewall is running on the end host. As for pinging the ASA inside interface of 192.168.0.9 through a VPN tunnel, by the ASA's architecture you need to allow that via the "management-access" feature. For management purposes on the ASA, you can only reach it via the interface closest to you; management traffic can't traverse the ASA, and this is for security reasons. For VPN purposes they made an exception with this feature, because you're coming in with the VPN tunnel on the outside interface, the one closest to you, and you want to manage it on the inside interface (via ping in your case).

Regards,

Cristian Matei.
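A worked configuration and verification sequence for the checks Cristian describes in his two replies above (return route for the pool, ASA as default gateway, management-access for pinging the inside interface). This is an example added here, not part of the thread or of the poster's attached config. It uses the addresses from the thread (192.168.0.9 for the ASA inside interface, 192.168.150.0/24 for the VPN pool); the host addresses 192.168.150.10 and 192.168.0.50, the object names INSIDE_NET and VPN_POOL, and the downstream IOS router are assumed for illustration.

```cisco
! --- ASA (192.168.0.9 and 192.168.150.0/24 are the addresses from the thread) ---
!
! Let to-the-box traffic (ping, SSH, ASDM) reach the INSIDE interface
! over a VPN tunnel that terminates on OUTSIDE.
management-access inside
!
! VPN traffic bypasses interface ACLs only while this default is in place;
! if it has been disabled, the outside ACL must permit the pool.
! (verify with: show running-config all sysopt)
sysopt connection permit-vpn
!
! Only relevant once NAT rules exist on this ASA (the thread's config has none):
! an identity rule so pool<->inside traffic is never PATed to the outside address.
! INSIDE_NET and VPN_POOL are example object names.
object network INSIDE_NET
 subnet 192.168.0.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.150.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! --- Verification from the ASA CLI ---
! 1. Is the user connected and holding a pool address?
show vpn-sessiondb anyconnect
! 2. Trace an example VPN-sourced ping (192.168.150.10 -> 192.168.0.50, both
!    illustrative hosts) through the ACL, NAT and routing phases; the first
!    phase reported as DROP is the one to fix.
packet-tracer input outside icmp 192.168.150.10 8 0 192.168.0.50 detailed
! 3. If the client reaches 192.168.0.9 but not hosts behind it, the problem
!    is past the ASA: a host firewall, or a host whose default gateway is
!    not the ASA and which therefore has no return path to 192.168.150.0/24.
!
! --- Only if a separate layer 3 device sits behind the ASA (IOS syntax) ---
! It must know the return path for the VPN pool; the ASA inside address is the next hop.
ip route 192.168.150.0 255.255.255.0 192.168.0.9
```

The order matters for troubleshooting: a successful ping to 192.168.0.9 after management-access inside proves the tunnel and the pool address are good, so any remaining failure is on the return path (host firewall, wrong default gateway, or a missing route on a downstream layer 3 device), exactly the split Cristian draws above.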

You might want to try adding the following command:

policy-map global_policy
 class inspection_default
  inspect icmp

--
Please remember to select a correct answer and rate helpful posts

Hi,

@Marius Gunnerud MPF ICMP inspection is for data-plane/transit ICMP traffic, not for to/from-the-box traffic.

Regards,

Cristian Matei.

@Cristian Matei I know; technically the traffic is passing through the box even though the VPN is terminating on the box. Everything else looks fine.
