Couldn't ping the inside LAN network using VPN Client.

Lost & Found
Level 2

Hi,

I configured the VPN Client on the Cisco ASA and it's now connecting, but I encountered some issues.

1. I can't ping the inside LAN of our network (servers, hosts, etc.).

2. I can ping the inside interface of the ASA, 10.1.1.1.

Please see the attached file.

Thanks

Attachment: VPN.png

5 Replies

Rishabh Seth
Level 7

Hi,

>> Are you able to ping the server from the ASA?

command: ping <inside-interface-name> <server-IP>

>> Can you check if you have any ACL that might block the traffic?

>> Is there any NAT for this traffic? If yes, then ensure you have ICMP inspection enabled.

command: fixup protocol icmp

>> In case you still face the issue, try to check whether the traffic is actually leaving the ASA or not. Use captures to check this:

command:

cap capi interface <inside-interface-name> match icmp host <source-ip> <destination-ip>

To view:

show cap capi

To delete:

no cap capi

Share your findings.

Thanks,

R.Seth

Hi R. Seth,

1. Yes, from the ASA I can ping all the devices.
3. Already added fixup protocol icmp but it's still the same.
4. show cap capi:
69 packets captured

   1: 00:24:26.227130       10.34.49.1 > 10.34.48.122: icmp: echo request
   2: 00:24:31.249651       10.34.49.1 > 10.34.63.254: icmp: echo request
   3: 00:24:35.817355       10.34.49.1 > 10.34.63.254: icmp: echo request
   4: 00:24:36.715569       10.34.49.1 > 10.34.48.122: icmp: echo request
   5: 00:24:40.782231       10.34.49.1 > 10.34.63.254: icmp: echo request
   6: 00:24:41.288971       10.34.49.1 > 10.34.48.122: icmp: echo request
   7: 00:24:45.775640       10.34.49.1 > 10.34.63.254: icmp: echo request
   8: 00:24:50.820422       10.34.49.1 > 10.34.63.254: icmp: echo request
   9: 00:24:51.314528       10.34.49.1 > 10.34.48.122: icmp: echo request

Details
ip local pool vpnpool 10.34.49.1-10.34.49.252 mask 255.255.240.0

object network NETWORK_OBJ_10.34.49.0_24
subnet 10.34.49.0 255.255.255.0

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup

access-list outside extended permit ip any 10.34.48.0 255.255.240.0
access-list inside_access_in extended permit object-group TCPUDP 10.0.0.0 255.0.0.0 any
access-list inside_access_in extended permit icmp 10.0.0.0 255.0.0.0

route inside 0.0.0.0 0.0.0.0 10.34.63.254 tunneled

Still doesn't work.

Thanks

Hi,

From the captures we can see that the traffic is leaving the ASA and there are no replies from the 10.34.49.1 device.

Probably the device is not configured to reply to ping, or there is some firewall on the device which is blocking it.

Also check if there is any other device that might block the traffic.

From the ASA's perspective you are permitting all the traffic.

Share your findings.

Thanks,

R.Seth

 

Hi,

I have configured Firepower with the following commands.

access-list ACL_ANY extended permit ip any any
class-map SFR
 match access-list ACL_ANY
class-map inspection_default
 match default-inspection-traffic

 class SFR
  sfr fail-close

I've tried to remove the commands but it's still the same.

I think I already permit all addresses on the outside ACL.

access-list outside extended permit ip any 10.34.48.0 255.255.240.0

# sh run
ASA Version 9.2(2)4
!
hostname CBK-KAL-FW
domain-name test.com
enable password CPvrcBKnyVPXs2g6 encrypted
passwd SwuuYThZAkyq4HXA encrypted
names
ip local pool vpnpool 10.34.49.1-10.34.49.252 mask 255.255.240.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.34.63.252 255.255.240.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 122.X.X.X 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.34.63.239
 name-server 10.34.63.238
 domain-name test.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network lotusnotes
 host 10.34.63.221
object network cbk-wstation
 subnet 0.0.0.0 0.0.0.0
object network Host-10.34.48.26
 host 10.34.48.26
object network CITRIX
 host 10.34.63.223
object network SOFTRAK
 host 10.34.62.40
object network SAP
 host 10.34.61.1
object network NETWORK_OBJ_10.34.49.0_24
 subnet 10.34.49.0 255.255.255.0
object service citrix-1604
 service tcp destination eq 1604
object service sap-3200
 service tcp destination eq 3200
object service sap-3299
 service tcp destination eq 3299
object service sap-3300
 service tcp destination eq 3300
object service sap-3389
 service tcp destination eq 3389
object network Host-10.34.63.240
 host 10.34.63.240
object network Test-network
 subnet 10.230.230.0 255.255.255.0
object network NETWORK_OBJ_10.34.48.0_20
 subnet 10.34.48.0 255.255.240.0
object network 10.34.0.0
 subnet 10.34.0.0 255.255.0.0
object network Host-10.34.48.150
 host 10.34.48.150
object network Host-10.34.63.249
 host 10.34.63.249
 description CBK-FS1
object network Host-10.34.63.59
 host 10.34.63.59
object network Host-10.34.48.31
 host 10.34.48.31
 description Glen Ernas
object network Host-10.1.1.3
 host 10.1.1.3
object network Host-10.34.48.165
 host 10.34.48.165
 description Citrix
object network Host-10.34.63.57
 host 10.34.63.57
object network Site-A-Subnet
 subnet 10.34.48.0 255.255.240.0
 description Site A
object network Site-B-Subnet
 subnet 10.34.16.0 255.255.240.0
object network Host-10.34.61.12
 host 10.34.61.12
 description SAP PROD
object network Host-10.34.63.233
 host 10.34.63.233
 description New Server
object network Host-10.34.48.195
 host 10.34.48.195
 description PC-NPIE
object network Host-10.34.48.69
 host 10.34.48.69
object network Host-10.34.48.41
 host 10.34.48.41
 description Req-by mam Zink temp
object network Host-10.34.48.118
 host 10.34.48.118
 description TEMPORAR
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service LN_SERVICE
 service-object tcp destination eq https
 service-object tcp destination eq imap4
 service-object tcp destination eq lotusnotes
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
 service-object tcp destination eq www
object-group network Allowed_Host
 description 10.34.48.69
 network-object object CITRIX
 network-object object Host-10.34.112.70
 network-object object Host-10.34.48.126
 network-object object Host-10.34.48.145
 network-object object Host-10.34.48.173
 network-object object Host-10.34.48.177
 network-object object Host-10.34.48.180
 network-object object Host-10.34.48.183
 network-object object Host-10.34.48.200
 network-object object Host-10.34.48.235
 network-object object Host-10.34.48.236
 network-object object Host-10.34.48.238
 network-object object Host-10.34.48.243
 network-object object Host-10.34.48.249
 network-object object Host-10.34.48.250
 network-object object Host-10.34.48.252
 network-object object Host-10.34.48.26
 network-object object Host-10.34.48.79
 network-object object Host-10.34.48.92
 network-object object Host-10.34.50.103
 network-object object Host-10.34.50.204
 network-object object Host-10.34.63.210
 network-object object Host-10.34.63.211
 network-object object Host-10.34.63.220
 network-object object Host-10.34.63.222
 network-object object Host-10.34.63.224
 network-object object Host-10.34.63.225
 network-object object Host-10.34.63.237
 network-object object Host-10.34.63.238
 network-object object Host-10.34.63.239
 network-object object Host-10.34.64.10
 network-object object SAP
 network-object object SOFTRAK
 network-object object lotusnotes
 network-object object Host-10.34.63.240
 network-object object Host-10.34.48.150
 network-object object Host-10.34.48.115
 network-object object Host-10.34.63.249
 network-object object Host-10.34.48.62
 network-object object Host-10.34.63.59
 network-object object Host-10.34.48.251
 network-object object Host-10.34.48.31
 network-object object Host-10.34.48.165
 network-object object Host-10.34.63.57
 network-object object Host-10.34.61.12
 network-object object Host-10.34.63.233
 network-object object Host-10.34.48.195
 network-object object Host-10.34.48.69
 network-object object Host-10.34.48.41
 network-object object Host-10.34.48.122
 network-object object Host-10.34.48.118
object-group service CITRIX_SERVICE
 service-object object citrix-1604
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq www
object-group network DM_INLINE_NETWORK_1
 network-object object CITRIX
 network-object object SAP
 network-object object SOFTRAK
 network-object object lotusnotes
access-list outside_access_in_2 extended permit object-group LN_SERVICE any object lotusnotes
access-list outside extended permit object-group LN_SERVICE any object lotusnotes
access-list outside extended permit object-group SAP_SERVICE any object SAP
access-list outside extended permit object-group CITRIX_SERVICE any object CITRIX
access-list outside extended permit object-group Softrak_Service any object SOFTRAK
access-list outside extended deny ip any object-group DM_INLINE_NETWORK_1
access-list outside extended permit ip any 10.34.48.0 255.255.240.0
access-list inside_access_in extended permit object-group TCPUDP 10.0.0.0 255.0.0.0 any
access-list inside_access_in extended permit icmp 10.0.0.0 255.0.0.0 any
access-list inside_access_in_1 extended permit ip object lotusnotes any
access-list inside_access_in_1 extended permit ip object CITRIX any
access-list inside_access_in_1 extended permit ip object SAP any
access-list inside_access_in_1 extended permit ip object SOFTRAK any
access-list inside_access_in_1 extended permit ip object-group Allowed_Host any
access-list inside_access_in_1 extended deny ip 10.34.48.0 255.255.240.0 any
access-list ACL_ANY extended permit ip any any
access-list outside2_access_in extended permit ip any 10.34.48.0 255.255.240.0 inactive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outside2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic Allowed_Host interface dns
access-group inside_access_in_1 in interface inside
access-group outside in interface outside
!
prefix-list anyconnect description VPNConnection
!
!
route-map anyconnect permit 11
!
route outside 0.0.0.0 0.0.0.0 122.X.X.X 1
route inside 0.0.0.0 0.0.0.0 10.34.63.254 tunneled
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.34.48.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect profiles anyconnect_client_profile disk0:/anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value test.com
 webvpn
  url-list none
  anyconnect ask enable default webvpn timeout 20
  customization value DfltCustomization
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.34.63.239 10.34.63.238
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value testpower.com
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
 wins-server none
 dns-server value 10.34.63.239 10.34.63.238
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value test.com
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
  customization value DfltCustomization
username robert password s2AH/eaJdUkt6QnP encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool vpnpool
 authentication-server-group RADIUSSERVERS LOCAL
 default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
 group-alias CBK-KAL-VPN enable
 group-alias anyconnect disable
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool vpnpool
 authentication-server-group RADIUSSERVERS LOCAL
 default-group-policy SSL-VPN
!
class-map SFR
 match access-list ACL_ANY
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class SFR
  sfr fail-close
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2e5b98f4ad7e8236305e711c7b5aef88
: end
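One check a practitioner would want to run against the sh run above, as an added example that is not from the thread and not something either poster concluded: whether the VPN address pool falls inside the connected subnet of the inside interface. The pool line, the inside interface address and the "sysopt noproxyarp inside" line are taken from the posted configuration; the function names and the verdict wording are mine. The check matters because an inside host whose reply is addressed to an on-link address resolves it with ARP on the LAN instead of forwarding it to a gateway, so when the pool overlaps the LAN the ASA has to answer those ARPs for the replies to reach it at all.

```python
import ipaddress

# Values copied from the "sh run" posted above; everything else here is constructed.
#   ip local pool vpnpool 10.34.49.1-10.34.49.252 mask 255.255.240.0
#   interface GigabitEthernet0/0 / nameif inside / ip address 10.34.63.252 255.255.240.0
#   sysopt noproxyarp inside
VPN_POOL = ("10.34.49.1", "10.34.49.252")
INSIDE_IF = ("10.34.63.252", "255.255.240.0")
INSIDE_PROXY_ARP_DISABLED = True


def pool_addresses(first, last):
    """Expand an 'ip local pool' first-last range into individual addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    if hi < lo:
        raise ValueError("pool range end precedes its start")
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def overlap_report(pool, interface, proxy_arp_disabled):
    """Compare a client pool against the connected subnet of an interface.

    Returns the interface network, the pool size, how many pool addresses
    sit inside that network, and a one-line verdict."""
    addr, mask = interface
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    addrs = pool_addresses(*pool)
    inside = [a for a in addrs if a in net]
    report = {
        "interface_network": str(net),
        "pool_size": len(addrs),
        "overlapping": len(inside),
    }
    if not inside:
        report["verdict"] = ("pool is outside the interface subnet; "
                             "hosts send replies to their gateway as normal")
    elif proxy_arp_disabled:
        report["verdict"] = ("pool overlaps the interface subnet and proxy ARP is disabled: "
                             "inside hosts ARP for client addresses on the LAN and nothing answers")
    else:
        report["verdict"] = ("pool overlaps the interface subnet; "
                             "the ASA must answer ARP for client addresses")
    return report


if __name__ == "__main__":
    for key, value in overlap_report(VPN_POOL, INSIDE_IF, INSIDE_PROXY_ARP_DISABLED).items():
        print(f"{key}: {value}")
```

Run as-is it evaluates the posted values; swap in another pool or interface pair to test a proposed change before applying it. The two ways out of the overlapping case are the usual ones: move the pool to a subnet that is not connected to any ASA interface, so inside hosts route replies to the ASA, or let the ASA proxy-ARP for the pool on the inside interface.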
