03-17-2020 04:33 PM - edited 03-17-2020 06:18 PM
Hi All,
I am a beginner with Cisco configuration and I am currently using ASDM to configure our ASA 5515-X.
I am having an issue where I want users to log in over VPN from outside to the ASA VPN and then see the internal network (192.168.0.0/24).
I can log in with VPN but cannot see any machines on the 192.168.0.0/24 network.
Can you guys help?
See attached for config.
03-18-2020 12:17 AM
I don't see any NAT configuration at all. How are your inside hosts even able to reach anything outside without it?
03-18-2020 12:39 AM
Hi,
@Marvin Rhoads Users are NOT allowed to browse the Internet these days, it's not safe with the COVID-19 :)
If that is the full ASA config and the VPN session is established successfully but you still can't reach the 192.168.0.0/24 subnet from the VPN:
- Is there another layer 3 device behind your ASA? If so, that layer 3 device needs to have a route towards the ASA for your VPN pool range, 192.168.150.0/24.
- If there is no other layer 3 device behind the ASA, is the ASA the default gateway for your users?
- To confirm you have reachability through the VPN, configure "management-access inside" and, from the connected VPN tunnel, try to ping the inside IP of the ASA, 192.168.0.9; it should work.
Regards,
Cristian Matei.
03-18-2020 12:02 PM
Cristian,
We do not have a layer 3 switch behind the ASA. However, I applied 'management-access inside' and I was able to ping 192.168.0.9. What does that mean? Do I have to do a permit?
03-18-2020 12:35 PM
Hi,
If the users have the ASA as their default gateway, you should be able to ping them, as long as no firewall is running on the end host. As for pinging the ASA inside interface, 192.168.0.9, through a VPN tunnel: by the ASA's architecture you need to allow that via the "management-access" feature. For management purposes you can only reach the ASA via the interface closest to you; management traffic can't traverse the ASA, and this is for security reasons. For VPN purposes they made an exception with this feature, because you're coming in through the VPN tunnel on the outside interface (the one closest to you) and you want to manage it on the inside interface (via ping in your case).
Regards,
Cristian Matei.
03-19-2020 01:26 PM
You might want to try adding the following command:
policy-map global_policy
class inspection_default
inspect icmp
03-19-2020 01:35 PM
Hi,
@Marius Gunnerud MPF ICMP inspection is for data-plane/transit ICMP traffic, not for to-the-box/from-the-box traffic.
Regards,
Cristian Matei.
03-19-2020 03:08 PM
@Cristian Matei I know, technically the traffic is passing through the box even though the VPN is terminating on the box. Everything else looks fine.
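The pieces discussed in this thread (NAT exemption for the VPN pool, a return route on any downstream layer 3 device, "management-access inside" and ICMP inspection), collected into one ASA configuration as an added example; this is not the original poster's attached config nor anything posted above. It assumes ASA 8.3+ NAT syntax, interfaces named "inside" (192.168.0.9) and "outside", the LAN 192.168.0.0/24 and the VPN pool 192.168.150.0/24 from the thread, and made-up object names (OBJ-LAN, OBJ-VPN-POOL) and a made-up LAN host address for the packet-tracer check.

```cisco
! Added example, not from the thread. Assumed: ASA 8.3+ syntax, interfaces
! "inside" (192.168.0.9) and "outside", LAN 192.168.0.0/24, VPN pool
! 192.168.150.0/24. Object names are made up.

! 1. Identity (no-NAT) rule so LAN <-> VPN-pool traffic is never translated.
!    With no NAT on the box at all (as in the posted config) this changes
!    nothing; it matters as soon as a PAT rule for Internet access is added,
!    because a manual NAT rule placed here is evaluated before object NAT.
object network OBJ-LAN
 subnet 192.168.0.0 255.255.255.0
object network OBJ-VPN-POOL
 subnet 192.168.150.0 255.255.255.0
nat (inside,outside) source static OBJ-LAN OBJ-LAN destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp route-lookup

! 2. Let VPN users reach the ASA's own inside address (ping, SSH, ASDM)
!    across the tunnel; without this, to-the-box traffic arriving on the
!    outside interface but addressed to the inside interface is dropped.
management-access inside

! 3. Stateful ICMP for transit traffic (VPN client -> LAN host and back),
!    so echo replies are matched to the request instead of needing an ACL.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4. Only if a separate layer 3 switch/router sits behind the ASA: it needs
!    a route for the VPN pool pointing back at the ASA. Cisco IOS syntax,
!    entered on that device, not on the ASA:
!    ip route 192.168.150.0 255.255.255.0 192.168.0.9
!    (Hosts that use the ASA directly as default gateway need nothing.)

! 5. Verification from the ASA CLI once a client is connected
!    (192.168.150.10 and 192.168.0.50 are assumed addresses):
!    show vpn-sessiondb anyconnect
!    packet-tracer input outside icmp 192.168.150.10 8 0 192.168.0.50 detailed
!    The trace should end in ALLOW with no NAT phase rewriting the addresses.
```

If the end host still does not answer after these checks pass, the remaining suspect is the host firewall itself (Windows Defender Firewall blocks ICMP echo from non-local subnets by default), which is outside the ASA's control.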