Cisco VPN clients can't ping the inside interface of my ASA, nor can the ASA ping the users.

George-Sl
Level 1

Hello,

Cisco VPN clients can't ping the inside interface of my ASA, nor can the ASA ping the directly connected users like 192.168.10.1 (of course they are connected from the outside interface).

S*       0.0.0.0 0.0.0.0 [1/0] via 135.110.223.2, OUTSIDE
C        10.100.10.0 255.255.255.252 is directly connected, INSIDE
L        10.100.10.2 255.255.255.255 is directly connected, INSIDE
C        x.Valid.IP.0 255.255.255.128 is directly connected, OUTSIDE
L        x.Valid.IP.55 255.255.255.255 is directly connected, OUTSIDE
S        175.2.100.0 255.255.255.0 [1/0] via 10.200.200.1, INSIDE
S        175.3.100.0 255.255.255.0 [1/0] via 10.200.200.1, INSIDE
V        192.168.10.1 255.255.255.255 connected by VPN, OUTSIDE

I even added the inside interface's subnet of the ASA to the SPLIT_TUNNEL access list.

ASA Version 9.8(2)
!
hostname ciscoasa
enable password 
names
ip local pool VPN_POOL 192.168.10.1-192.168.10.254

!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.100.10.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address Valid-IP-Address.55 255.255.255.128
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 nameif MANAGEMENT
 security-level 100
 no ip address
!
ftp mode passive
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
object network LAN
 subnet 175.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 175.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 10.100.10.0 255.255.255.0
access-list INET-LIMIT extended permit ip 175.2.100.0 255.255.255.0 any
access-list INET-LIMIT extended permit ip 175.3.100.0 255.255.255.0 any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu MANAGEMENT 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL
access-group INET-LIMIT in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 Valid-ip-address.2 1
route INSIDE 175.2.100.0 255.255.255.0 10.200.200.1 1
route INSIDE 175.3.100.0 255.255.255.0 10.200.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 OUTSIDE
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 dns-server value 8.8.8.8
 vpn-idle-timeout 15
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
dynamic-access-policy-record DfltAccessPolicy
username xyz password $sha512$5000$PN90W8eJKWVmKmy275F2nA==$KhA/
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
tunnel-group MY_TUNNEL ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5e73c797094e4873aa56e71bf6a570d5
: end

1 Reply

Oleg Volkov
Spotlight

Try to add "management-access inside"


--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
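Added example, not code from either post: the checks and the fix that follow from the reply above, applied to the configuration pasted in the question. It assumes the poster's interface and object names (INSIDE, OUTSIDE, VPN_POOL), the INSIDE address 10.100.10.2 and the connected client 192.168.10.1 from the routing table; the client's public address is written as the placeholder CLIENT_PUBLIC_IP. The comments say what to look for; none of it is captured output from the poster's ASA.

```cisco
! ---- 1. Diagnose (from a console or SSH session, not from the VPN client) ----

! Is the client's tunnel up, and is the address being pinged really its assigned one?
show vpn-sessiondb ra-ikev1-ipsec
! CLIENT_PUBLIC_IP is a placeholder for the client's real public address.
show crypto ipsec sa peer CLIENT_PUBLIC_IP

! The question's routing table already has "V 192.168.10.1 ... connected by VPN, OUTSIDE",
! so routing towards the client is not the problem.  What is missing is to-the-box
! handling: the ASA only answers to the address of the interface a packet arrived on,
! unless management-access names another interface.  The pasted config has no such line:
show running-config management-access

! Trace the client's echo request as it would arrive on OUTSIDE and read the final
! "Action:" / "Drop-reason:" lines to see which phase drops it.
packet-tracer input OUTSIDE icmp 192.168.10.1 8 0 10.100.10.2 detailed

! ICMP to the interfaces themselves; empty output means the default (all allowed).
show running-config icmp

! ---- 2. Fix (the reply's suggestion; the name must match the nameif exactly) ----
! Only one interface can carry management-access.  INSIDE is the right one here:
! 10.100.10.0/24 is already in SPLIT_TUNNEL, so the client sends it through the tunnel.
configure terminal
management-access INSIDE
end

! ---- 3. Verify both directions ----
! From the ASA, source the ping from INSIDE so the client sees a split-tunnel address:
ping INSIDE 192.168.10.1
! From the client: ping 10.100.10.2 (the INSIDE address), then test SSH/ASDM to it.

! ---- 4. Optional hardening the thread's config makes possible ----
! ssh and http are currently open to 0.0.0.0/0 on OUTSIDE.  Once management works over
! the tunnel it can be limited to the VPN pool on INSIDE.  Apply this from the console,
! or from a session over the tunnel, so the change cannot lock you out.
configure terminal
ssh 192.168.10.0 255.255.255.0 INSIDE
http 192.168.10.0 255.255.255.0 INSIDE
no ssh 0.0.0.0 0.0.0.0 OUTSIDE
no http 0.0.0.0 0.0.0.0 OUTSIDE
end
write memory
```

Step 4 is a caveat rather than part of the fix: with management-access in place, the ASA's inside address is reachable through the tunnel, so the public-side management rules visible in the pasted config are no longer needed.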