Hosts can ping ASA interfaces but not each other

abdou.bekk1
Level 1

Hi,

I'm facing a problem I've never faced before with our ASA5505. After putting it in place as a firewall, everything worked pretty well. I have an Outside interface, an Inside one and a third one which is a VoIP interface.

The only thing I'm stuck on is that my inside hosts can't ping or see hosts that are on the VoIP interface, or even hosts on the same interface. I checked NAT and ACLs, and even when I do a Packet Trace on the ASA in ASDM there is no problem with ping or other protocols, but in reality I can't ping any machine from the VoIP network to Inside and vice versa, nor machines on the same interface between themselves.

Here is a simplified schema:

[Image: Network schema]


I'm attaching my running config here, in case it helps:

: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_company at 15:30:49.331 CEDT Thu Jun 2 2016
!
ASA Version 9.2(4)
!
hostname VEFW001-0
domain-name company.local
enable password Egk0d0h6qjOElLit encrypted
names
ip local pool VPN-Admins 192.168.65-192.168.67 mask 255.255.255.240
ip local pool VPN-Users 192.168.68-192.168.70 mask 255.255.255.240
ip local pool VPN-Managers 192.168.71-192.168.78 mask 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 130
!
interface Ethernet0/5
switchport access vlan 999
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.245 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 212.2xx.x.x 255.255.255.240
!
interface Vlan130
nameif voip
security-level 100
ip address 192.168.13.6 255.255.255.128
!
interface Vlan999
description LAN Failover Interface
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.252
domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VESR003
host 192.168.253
object service CTRL_995
service tcp source eq 995 destination eq 995
object network VEVOIP001_HOTLINE
host 192.168.13.5
object service VPN_1194_UDP
service udp source eq 1194 destination eq 1194
object network Video_ company
host 192.168.242
object service Video
service tcp destination eq 16847
object network Brother_HL3040-CN
host 192.168.36
object service 9100_impression
service tcp source eq 9100 destination eq 9100
object network VESR002
host 192.168.252
object network Poste_Ross_(VEPO004)
host 192.168.96
object service TSE
service tcp source eq 3389 destination eq 3389
object service 444
service tcp source eq 444 destination eq https
object network VENAS001
host 192.168.248
object network VEVM001_VOODOO
host 192.168.210
object network VEVM002_FR
host 192.168.211
object network VEVM005_LACOSTE
host 192.168.212
object network VEVM004_Uniqlo
host 192.168.216
object network VEVM006_ZAPA
host 192.168.217
object network VEVM008_GANT
host 192.168.218
object network NETWORK_ADM_VPN
range 192.168.65 192.168.67
description VPN Admins IP Rang
object network VEVM_MOA
host 192.168.125
object network VM_GHOST
host 192.168.250
object network NETWORK_COLL_VPN
range 192.168.68 192.168.70
object network NETWORK_MNG_VPN
range 192.168.71 192.168.78
object network VEVM007
host 192.168.251
object network VENAS002
host 192.168.249
object network Internet
subnet 0.0.0.0 0.0.0.0
object service SIP
service udp destination eq sip
object network VESR003NAT
subnet 212.234.15.0 255.255.255.240
object network Outside
host 212.234.15.1
object network NETWORK_OBJ_192.168.68_30
subnet 192.168.68 255.255.255.252
object-group network DM_INLINE_NETWORK_63
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq ntp
service-object udp destination eq www
service-object tcp destination eq 31615
object-group service DM_INLINE_SERVICE_3
service-object udp destination eq 5004
service-object tcp-udp destination eq sip
object-group network DM_INLINE_NETWORK_1
network-object object Poste_Ross_(VEPO004)
network-object object VEVOIP001_HOTLINE
network-object object VESR003
network-object object VESR002
network-object object Video_ company
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object tcp destination eq 3389
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_5
service-object tcp destination eq sip
service-object udp destination eq 3478
service-object udp destination eq 3479
service-object udp destination eq 5004
service-object udp destination eq sip
service-object icmp
service-object tcp destination eq 9001
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination range 10000 20000
service-object udp destination eq 6970
object-group network DM_INLINE_NETWORK_2
network-object object VESR002
network-object object VEVM001_VOODOO
network-object object VEVM002_FR
network-object object VEVM004_Uniqlo
network-object object VEVM005_LACOSTE
network-object object VEVM006_ZAPA
network-object object VEVM008_GANT
network-object object VEVM_MOA
network-object object VM_GHOST
object-group service DM_INLINE_SERVICE_7
service-object tcp destination eq sip
service-object udp destination eq sip
object-group network DM_INLINE_NETWORK_10
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_4
network-object object VESR002
network-object object VEVM001_VOODOO
network-object object VEVM002_FR
network-object object VEVM004_Uniqlo
network-object object VEVM005_LACOSTE
network-object object VEVM006_ZAPA
network-object object VEVM008_GANT
network-object object VEVM_MOA
network-object object VM_GHOST
object-group service DM_INLINE_TCP_2 tcp
port-object eq 444
port-object eq https
object-group network DM_INLINE_NETWORK_25
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_6
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
network-object object NETWORK_ADM_VPN
object-group network DM_INLINE_NETWORK_5
network-object 192.168.13.0 255.255.255.128
network-object 212.234.15.0 255.255.255.240
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object tcp destination eq 9001
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq sip
service-object udp destination range 10000 20000
service-object udp destination eq 3478
service-object udp destination eq 3479
service-object udp destination eq 5004
service-object udp destination eq 6970
service-object udp destination eq sip
object-group service DM_INLINE_SERVICE_11
service-object icmp
service-object tcp destination eq 3389
object-group network DM_INLINE_NETWORK_7
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
network-object object NETWORK_ADM_VPN
object-group network DM_INLINE_NETWORK_8
network-object object VENAS001
network-object object VENAS002
object-group service DM_INLINE_SERVICE_10
service-object tcp destination eq 445
service-object udp destination range netbios-ns 139
service-object icmp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 5000
service-object tcp destination eq 5001
service-object tcp-udp destination eq domain
object-group network DM_INLINE_NETWORK_9
network-object 192.168.13.0 255.255.255.128
network-object object Internet
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object icmp
object-group network DM_INLINE_NETWORK_11
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_13
network-object 192.168.13.0 255.255.255.128
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_53
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group service DM_INLINE_SERVICE_12
service-object icmp
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_13
service-object icmp
service-object tcp-udp destination eq domain
service-object tcp destination eq 445
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_12
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
network-object object NETWORK_ADM_VPN
object-group network DM_INLINE_NETWORK_21
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
network-object 192.168.0 255.255.255.128
network-object object NETWORK_ADM_VPN
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_14
network-object 192.168.13.0 255.255.255.128
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group service DM_INLINE_SERVICE_14
service-object tcp destination eq 5900
service-object tcp destination eq ftp
service-object udp destination eq 5800
object-group service DM_INLINE_UDP_1 udp
port-object eq 1194
port-object eq 1701
port-object eq 4500
port-object eq isakmp
object-group network DM_INLINE_NETWORK_16
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_17
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_18
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_19
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_20
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_22
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_23
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_24
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_26
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_27
network-object object Brother_HL3040-CN
network-object object Poste_Ross_(VEPO004)
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group service DM_INLINE_SERVICE_16
service-object tcp destination eq pcanywhere-data
service-object udp destination eq pcanywhere-status
object-group service DM_INLINE_SERVICE_17
service-object object TSE
service-object tcp destination eq 9100
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group network DM_INLINE_NETWORK_29
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
network-object object NETWORK_ADM_VPN
object-group network DM_INLINE_NETWORK_31
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_47
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_48
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_55
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_56
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_57
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_58
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group network DM_INLINE_NETWORK_59
network-object 212.234.15.0 255.255.255.240
network-object object Internet
object-group service DM_INLINE_SERVICE_6
service-object tcp destination eq sip
service-object udp destination eq sip
service-object icmp
object-group service DM_INLINE_SERVICE_9
service-object icmp
service-object tcp destination eq ssh
object-group network DM_INLINE_NETWORK_38
network-object 212.234.15.0 255.255.255.240
network-object 0.0.0.0 0.0.0.0
network-object 192.168.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_43
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group network DM_INLINE_NETWORK_61
network-object 212.234.15.0 255.255.255.240
network-object object Internet
network-object 192.168.13.0 255.255.255.128
network-object 192.168.128 255.255.255.128
object-group service DM_INLINE_SERVICE_15
service-object icmp
service-object tcp destination eq netbios-ssn
object-group network DM_INLINE_NETWORK_30
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_62
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
network-object object NETWORK_ADM_VPN
object-group network DM_INLINE_NETWORK_64
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_65
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_66
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_67
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_68
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_69
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_70
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_71
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_72
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_36
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_60
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_73
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_74
network-object object NETWORK_ADM_VPN
network-object object NETWORK_COLL_VPN
network-object object NETWORK_MNG_VPN
object-group network DM_INLINE_NETWORK_75
network-object 192.168.128 255.255.255.128
network-object object Internet
access-list company_192.168.0_IN extended permit ip object VESR003 192.168.13.0 255.255.255.128
access-list company_192.168.0_IN extended permit object-group DM_INLINE_SERVICE_2 192.168.128 255.255.255.128 object Internet
access-list company_192.168.0_IN extended permit tcp object VESR003 object Internet eq 587
access-list company_192.168.0_IN extended permit udp 192.168.128 255.255.255.128 object Internet object-group DM_INLINE_UDP_1
access-list company_192.168.0_IN extended permit object-group DM_INLINE_SERVICE_16 192.168.128 255.255.255.128 object Internet
access-list company_192.168.0_IN extended permit object-group DM_INLINE_SERVICE_17 192.168.128 255.255.255.128 object Internet
access-list company_192.168.0_IN extended permit object-group DM_INLINE_SERVICE_14 192.168.128 255.255.255.128 object Internet
access-list company_192.168.0_IN extended permit ip 192.168.128 255.255.255.128 192.168.13.0 255.255.255.128
access-list company_192.168.0_IN extended permit ip 192.168.128 255.255.255.128 192.168.128 255.255.255.128
access-list company_192.168.0_IN remark Monitoring ACL
access-list company_192.168.0_IN remark Monitoring ACL
access-list company_192.168.0_IN remark Monitoring ACL
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_48 eq 1701
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_47 eq 123
access-list VPN_ADMINS_RULES extended permit icmp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_10
access-list VPN_ADMINS_RULES extended permit object-group TCPUDP object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_53 eq domain
access-list VPN_ADMINS_RULES extended permit object-group DM_INLINE_SERVICE_3 object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_11
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_56 eq ssh
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_55 eq telnet
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_59 eq ftp
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_31 eq www
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_57 eq https
access-list VPN_ADMINS_RULES extended permit icmp object NETWORK_ADM_VPN object-group DM_INLINE_NETWORK_58
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 3389
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 445
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 444
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 500
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 587
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 5800
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 5001
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 5000
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 8080
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 5900
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq https
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq www
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq netbios-ssn
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq ftp
access-list VPN_ADMINS_RULES extended permit udp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 range 3478 3479
access-list VPN_ADMINS_RULES extended permit udp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 range netbios-ns 139
access-list VPN_ADMINS_RULES extended permit tcp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq pop3
access-list VPN_ADMINS_RULES extended permit udp object NETWORK_ADM_VPN 192.168.128 255.255.255.128 eq 1194
access-list voip_access_in extended permit ip 192.168.13.0 255.255.255.128 object Internet
access-list voip_access_in extended permit ip 192.168.13.0 255.255.255.128 192.168.13.0 255.255.255.128
access-list voip_access_in extended permit ip 192.168.13.0 255.255.255.128 object VESR003
access-list voip_access_in extended permit ip object VEVOIP001_HOTLINE object Internet
access-list VPN_COLLABORATORS_Rules extended permit object-group DM_INLINE_SERVICE_6 object NETWORK_COLL_VPN object VEVOIP001_HOTLINE
access-list VPN_COLLABORATORS_Rules extended permit object-group DM_INLINE_SERVICE_11 object NETWORK_COLL_VPN object-group DM_INLINE_NETWORK_4
access-list VPN_COLLABORATORS_Rules extended permit object-group DM_INLINE_SERVICE_10 object NETWORK_COLL_VPN object-group DM_INLINE_NETWORK_8
access-list VPN_COLLABORATORS_Rules extended permit object-group DM_INLINE_SERVICE_12 object NETWORK_COLL_VPN object Internet
access-list VPN_NOMATCH_RULE extended deny ip any any
access-list VPN_MANAGERS_Rules extended permit object-group DM_INLINE_SERVICE_15 object NETWORK_MNG_VPN object-group DM_INLINE_NETWORK_43
access-list VPN_MANAGERS_Rules extended permit object-group DM_INLINE_SERVICE_7 object NETWORK_MNG_VPN object VEVOIP001_HOTLINE
access-list VPN_MANAGERS_Rules extended permit object-group DM_INLINE_SERVICE_4 object NETWORK_MNG_VPN object-group DM_INLINE_NETWORK_2
access-list VPN_MANAGERS_Rules extended permit object-group DM_INLINE_SERVICE_9 object NETWORK_MNG_VPN object VEVM007
access-list VPN_MANAGERS_Rules extended permit object-group DM_INLINE_SERVICE_13 object NETWORK_MNG_VPN object Internet
access-list VPN_MANAGERS_Rules extended permit tcp object NETWORK_COLL_VPN object VESR003 eq ssh
access-list ORANGE_212.234.15.0_IN extended permit tcp any object Video_ company eq 16847
access-list ORANGE_212.234.15.0_IN extended permit tcp any object VESR003 object-group DM_INLINE_TCP_2
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging console notifications
logging monitor informational
logging buffered debugging
logging trap informational
logging history debugging
logging asdm informational
logging facility 21
logging debug-trace
logging class webvpn trap informational
no logging message 106023
no logging message 111010
logging message 106101 level informational
mtu inside 1500
mtu outside 1500
mtu voip 1500
failover
failover lan unit primary
failover lan interface failover Vlan999
failover key ve09je05$
failover mac address Vlan1 e25e.18e3.2912 e25e.18e3.2913
failover mac address Vlan130 803b.c02f.291e 803b.c02f.291f
failover interface ip failover 192.168.12.1 255.255.255.128 standby 192.168.12.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,voip) source static any any description NAT & Routing of traffic between VOIP <-> Inside
nat (outside,voip) source static any any destination static VEVOIP001_HOTLINE VEVOIP001_HOTLINE service VPN_1194_UDP VPN_1194_UDP unidirectional inactive description 1194 to 1194 UDP
nat (outside,inside) source static any any destination static Poste_Ross_(VEPO004) Poste_Ross_(VEPO004) service TSE TSE unidirectional inactive
nat (outside,inside) source static any any destination static VESR002 VESR002 service CTRL_995 CTRL_995 unidirectional inactive
nat (outside,voip) source static DM_INLINE_NETWORK_30 interface destination static VEVOIP001_HOTLINE VEVOIP001_HOTLINE service SIP SIP unidirectional description NAT VPN Traffic for Telephony
nat (outside,voip) source static DM_INLINE_NETWORK_73 interface unidirectional description Hairpin VPN Traffic for 192.168.13
nat (outside,inside) source static DM_INLINE_NETWORK_30 interface unidirectional description Hairpin VPN Traffic for 192.168.15
nat (outside,inside) source static DM_INLINE_NETWORK_60 DM_INLINE_NETWORK_60 unidirectional description Internet for VPN Traffic
nat (outside,inside) source static any any destination static interface VESR003 service 444 444 unidirectional
nat (outside,inside) source static any any destination static interface Video_ company service Video Video unidirectional
nat (any,outside) source dynamic any interface description Internet
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.68_30 NETWORK_OBJ_192.168.68_30 no-proxy-arp route-lookup
access-group company_192.168.0_IN in interface inside
access-group ORANGE_212.234.15.0_IN in interface outside
access-group voip_access_in in interface voip
route outside 0.0.0.0 0.0.0.0 212.234.15.14 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPN_ADMINS,CN=Users,DC= company,DC=local VPN_ADMINS
map-value memberOf CN=VPN_MANAGERS,CN=Users,DC=company,DC=local VPN_MANAGERS
map-value memberOf CN=VPN_USERS,CN=Users,DC= company,DC=local VPN_USERS
dynamic-access-policy-record DfltAccessPolicy
description "No matching rules"
user-message "You don't match any company' security rules"
network-acl VPN_NOMATCH_RULE
action terminate
webvpn
url-list none
dynamic-access-policy-record VPN_COLLABORATORS_ANDROID
description "Dynamic Access Policy for Collaborators MOBILE"
user-message "**** WELCOME TO COLLABORATORS VPN NETWORK ****"
network-acl VPN_COLLABORATORS_Rules
dynamic-access-policy-record VPN_ADMINS_ANDROID
description "Dynamic Access Policy for Admins MOBILE"
user-message "**** WELCOME TO ADMINS VPN NETWORK ****"
network-acl VPN_ADMINS_RULES
priority 10
dynamic-access-policy-record VPN_MANAGERS_ANDROID
description "Dynamic Access Policy for Managers DESKTOP"
user-message "**** WELCOME TO MANAGERS VPN NETWORK ****"
network-acl VPN_MANAGERS_Rules
priority 10
dynamic-access-policy-record VPN_MANAGERS
description "Dynamic Access Policy for Managers MOBILE"
network-acl VPN_MANAGERS_Rules
dynamic-access-policy-record VPN_COLLABORATORS
description "Dynamic Access Policy for Collaborators DESKTOP"
user-message "**** WELCOME TO COLLABORATORS VPN NETWORK ****"
network-acl VPN_COLLABORATORS_Rules
priority 10
dynamic-access-policy-record VPN_ADMINS_IOS
dynamic-access-policy-record VPN_COLLABORATORS_IOS
dynamic-access-policy-record VPN_MANAGERS_IOS
dynamic-access-policy-record VPN_ADMINS_DESKTOP
description "Dynamic Access Policy for Admins DESKTOP"
user-message "**** WELCOME TO ADMINS VPN NETWORK ****"
network-acl VPN_ADMINS_RULES
priority 10
webvpn
url-list none
svc ask none default svc
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.168.252
server-port 389
ldap-base-dn OU=Utilisateurs company,DC= company,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ve09je05$
ldap-login-dn CN=Cisco VPN/Firewall,OU=Utilisateurs company,DC= company,DC=local
server-type auto-detect
ldap-attribute-map CISCOMAP
aaa-server AD_RADIUS protocol radius
aaa-server AD_RADIUS (inside) host 192.168.252
key ve09je05$
no user-identity enable
user-identity default-domain LOCAL
user-identity ad-agent event-timestamp-check
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=VESR001
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=VEFW001-0
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
subject-name CN=VEFW001-0,OU=IT,O= company,C=FR
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
subject-name CN=VEFW001-0,OU=IT,O= company,C=FR,L=TOULOUSE
serial-number
ip-address 192.168.254
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
crypto ca certificate chain ASDM_TrustPoint3
crypto ikev2 remote-access trustpoint ASDM_TrustPoint3
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.128 255.255.255.128 inside
telnet timeout 60
no ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1

dhcpd auto_config outside vpnclient-wins-override
!
dhcprelay server 192.168.252 inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 145.238.203.10 source outside prefer
ntp server 145.238.203.14 source outside prefer
ssl server-version tlsv1-only
ssl encryption dhe-aes256-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1
ssl trust-point ASDM_TrustPoint1 voip vpnlb-ip
ssl trust-point ASDM_TrustPoint1 voip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint3 outside
webvpn
port 1563
enable inside
enable outside
dtls port 1563
no anyconnect-essentials
csd image disk0:/csd_3.6.4021-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-4.2.04018-k9.pkg 1
anyconnect enable
tunnel-group-list enable
keepout "Service not available."
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPN_ADMINS internal
group-policy VPN_ADMINS attributes
wins-server none
dns-server value 192.168.252
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value VPN_ADMINS
default-domain value company.local
client-bypass-protocol disable
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl compression none
anyconnect dtls compression lzs
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
group-policy VPN_USERS internal
group-policy VPN_USERS attributes
wins-server none
dns-server value 192.168.252
vpn-tunnel-protocol ssl-client ssl-clientless
password-storage disable
group-lock value VPN_USERS
default-domain value company.local
client-bypass-protocol disable
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl compression none
anyconnect dtls compression lzs
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
group-policy VPN_MANAGERS internal
group-policy VPN_MANAGERS attributes
wins-server none
dns-server value 192.168.252
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value company.local
username enable password amY2xFi6mHQzuSvI encrypted privilege 15
tunnel-group VPN_ADMINS type remote-access
tunnel-group VPN_ADMINS general-attributes
address-pool VPN-Admins
authentication-server-group AD_RADIUS
authentication-server-group (inside) AD_LDAP
authorization-server-group AD_LDAP
authorization-server-group (inside) AD_LDAP
default-group-policy VPN_ADMINS
tunnel-group VPN_ADMINS webvpn-attributes
group-url https://url_to_vpn/a05 enable
without-csd
tunnel-group VPN_USERS type remote-access
tunnel-group VPN_USERS general-attributes
address-pool VPN-Users
authentication-server-group AD_RADIUS
authentication-server-group (inside) AD_LDAP
authorization-server-group AD_LDAP
authorization-server-group (inside) AD_LDAP
default-group-policy VPN_USERS
tunnel-group VPN_USERS webvpn-attributes
group-url https://url_to_vpn/EM0 enable
without-csd
tunnel-group VPN_USERS ipsec-attributes
ikev1 trust-point VEFW001-0
tunnel-group VPN_USERS ppp-attributes
authentication ms-chap-v2
tunnel-group VPN_MANAGERS type remote-access
tunnel-group VPN_MANAGERS general-attributes
address-pool VPN-Managers
authentication-server-group AD_RADIUS
default-group-policy VPN_MANAGERS
tunnel-group VPN_MANAGERS webvpn-attributes
group-url https://url_to_vpn/Am8 enable
without-csd
tunnel-group-map default-group VPN_USERS
!
class-map type regex match-any DomainLogList
match regex matchall
class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList
class-map type inspect http match-all asdm_medium_security_methods
match not request method post
match not request method get
match not request method head
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method get
match not request method head
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class LogDomainsClass
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp strict
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end



Thank you very much



Philip D'Ath
VIP Alumni

If you can't see hosts that are on the same interface then it is not likely to be anything to do with the ASA.

Double check the IP configuration being given to the hosts, in particular, the subnet mask.

Hi Philip,

Thanks for your reply.

It was the first thing I checked; then I set static IPs on the hosts to be sure, and it didn't work.

To confirm - you have two hosts in the same subnet that can not ping each other?  Any local firewalls on them?

Yes, hosts in the same subnet can't ping each other, and beyond that, when they aren't in the same subnet they also can't ping each other.

The default Windows firewall is activated, and when I allowed all connections the ping was UP, but it's not a solution, because before I deactivated the Windows Firewall I was able to ping the ASA's interface. I don't understand what's happening here.

Are you using a Cisco switch?  If so, can you show the configuration of the ports that the two workstations are plugged into please.

Hi Philip,

It was indeed plugged into the wrong switch port. I trusted a manager on some ports and their VLAN assignments, but he was wrong, so that was the problem.

Thank you very much.

So Vlan1 is used for IP-address on Eth0/1.

Based on your configuration it's like this:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.245 255.255.255.128

How are you able to ping the ASA on this subnet from an inside host without routing in between? Is the switch an L3 device?
