Solved: ssl vpn connected successfully but I can't ping inside hosts and vice versa

soaliou123 · ‎03-03-2014

I am configuring SSL vpn and I can connect and get an ip address from my vpn pool. However I can not ping the inside interface from the remote PC and vice versa. I can' t even ping the remote PC from the ASA firewall. This is a ASA 5505 version 9.0.3

ciscoasa# ping 192.168.200.13 (Local ip address)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.200.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping 172.18.2.10 ( VPN ip address)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.18.2.10, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# packet-tracer input inside icmp 172.18.2.10 8 0 192.168.200.13 (no problem, everything is allowed)

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

ciscoasa# packet-tracer input inside icmp 192.168.200.13 8 0 172.18.2.10 (no problem , everything is allowed)

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Am I missing something in my config? Please advice, thanks

Here is my config.

ASA Version 9.0(3)

!

hostname ciscoasa

domain-name cisco.com

enable password 8Ry2YjIyt7RRXU24 encrypted

names

ip local pool RA_VPN_Pool 172.18.2.10-172.18.2.200 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone EST -5

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name cisco.com

same-security-traffic permit intra-interface

object network LOCAL_NET

subnet 192.168.200.0 255.255.255.0

description my local network

object network NETWORK_OBJ_172.18.2.0_24

subnet 172.18.2.0 255.255.255.0

description VPN subnet

access-list splitacl standard permit 172.18.2.0 255.255.255.0

access-list NoNAT extended permit ip 192.168.200.0 255.255.255.0 172.18.2.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-712-102.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.18.2.0_24 NETWORK_OBJ_172.18.2.0_24 no-proxy-arp route-lookup

!

object network LOCAL_NET

nat (inside,outside) dynamic interface

object network NETWORK_OBJ_172.18.2.0_24

nat (outside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic LOCAL_NET interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.200.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 8.8.8.8

dhcpd auto_config outside

!

dhcpd address 192.168.200.10-192.168.200.41 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp authenticate

ntp server 128.9.176.30

ntp server 216.218.254.202

webvpn

enable inside

enable outside

anyconnect image disk0:/anyconnect-win-3.1.04063-k9.pkg 1

anyconnect profiles RA_VPN_Profille disk0:/RAVPN_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy RA_VPN internal

group-policy RA_VPN attributes

banner value VPN ACCESS FOR REMOTE USERS

dns-server value 4.2.2.2 8.8.8.8

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splitacl

default-domain value cisco.com

webvpn

url-list none

anyconnect keep-installer installed

anyconnect ssl rekey time 30

anyconnect ssl rekey method ssl

anyconnect profiles value RA_VPN_Profille type user

anyconnect ask none default anyconnect

username admin password UVFxq5NPrwI3zghU encrypted privilege 15

username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15

tunnel-group RA_VPN type remote-access

tunnel-group RA_VPN general-attributes

address-pool RA_VPN_Pool

default-group-policy RA_VPN

tunnel-group RA_VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group RA_VPN_OUT type remote-access

tunnel-group RA_VPN_OUT general-attributes

address-pool RA_VPN_Pool

default-group-policy RA_VPN

tunnel-group RA_VPN_OUT webvpn-attributes

group-alias sslgroup_users enable

!

class-map inspect_default

match default-inspection-traffic

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:532324ff4b43c586ce13016aa19ec002

: end

Julio Carvajal · ‎03-04-2014

Hello Man,

access-list splitacl standard permit 172.18.2.0 255.255.255.0

That's wrong

Change it to

access-list splitacl standard permit 192.168.200.0 255.255.255.0

Then let me know how it goes

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

jj27 · ‎03-04-2014

I'm going to go out on a limb here and guess you have Windows Firewall enabled which is blocking ICMP from the network to your PC.

View solution in original post

Julio Carvajal · ‎03-04-2014

Hello,

Glad to know it's almost working (Half-Way)

In this case I would ask you to check:

Disable Windows Firewall or any powerful Anti-Virus that could be stopping this and on the client and if it does not work then also do the following

cap capin interface inside match icmp host x.x.x.x (VPN client) x.x.x.x (Inside IP)

cap asp type asp-drop all circular-buffer

Try to ping and provide

show cap capin

show cap asp | include VPN_CLIENT_IP

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎03-04-2014

If everything is working now, Please mark question as answered and rate the posts,

Then we can help

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎03-04-2014

Hello Man,

access-list splitacl standard permit 172.18.2.0 255.255.255.0

That's wrong

Change it to

access-list splitacl standard permit 192.168.200.0 255.255.255.0

Then let me know how it goes

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

soaliou123 · ‎03-04-2014

Now I can ping (local network) 192.168.200.X from VPN PC ( VPN network) 172.18.2.X, but not the other way around.

Any suggestions? Thanks

jj27 · ‎03-04-2014

I'm going to go out on a limb here and guess you have Windows Firewall enabled which is blocking ICMP from the network to your PC.

Julio Carvajal · ‎03-04-2014

Hello,

Glad to know it's almost working (Half-Way)

In this case I would ask you to check:

Disable Windows Firewall or any powerful Anti-Virus that could be stopping this and on the client and if it does not work then also do the following

cap capin interface inside match icmp host x.x.x.x (VPN client) x.x.x.x (Inside IP)

cap asp type asp-drop all circular-buffer

Try to ping and provide

show cap capin

show cap asp | include VPN_CLIENT_IP

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

soaliou123 · ‎03-04-2014

Everything is works fine, But I can connect vpn and try to RDP to inside host (192.168.200.X) it fails.

Error says:" This computer can't connect to the remote computer"

Any idea. Thanks

Julio Carvajal · ‎03-04-2014

If everything is working now, Please mark question as answered and rate the posts,

Then we can help

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal · ‎03-04-2014

Hello,

Awesome, thanks for the rating

Can you do

cap capin interface inside match tcp host x.x.x.x (VPN client) x.x.x.x (Inside IP) eq 3389

cap asp type asp-drop all circular-buffer

Try to connect and share

show cap capin

show cap asp | include VPN_CLIENT_IP

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

soaliou123 · ‎03-04-2014

Nothing came up

Julio Carvajal · ‎03-04-2014

Nothing at all???? on both captures?

Does not make sense, can you share updated configuration....

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

soaliou123 · ‎03-05-2014

this is what I got

ciscoasa# show cap capin

12 packets captured

1: 18:51:15.213550 802.1Q vlan#1 P0 172.18.2.10.7208 > 192.168.200.10.3389: S 230826238:230826238(0) win 64512

2: 18:51:15.213917 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.7208: R 0:0(0) ack 230826239 win 0

3: 18:51:18.163535 802.1Q vlan#1 P0 172.18.2.10.7208 > 192.168.200.10.3389: S 3681248740:3681248740(0) win 64512

4: 18:51:18.163886 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.7208: R 0:0(0) ack 3681248741 win 0

5: 18:52:39.778005 802.1Q vlan#1 P0 172.18.2.10.9641 > 192.168.200.10.3389: S 1026845418:1026845418(0) win 64512

6: 18:52:39.778386 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.9641: R 0:0(0) ack 1026845419 win 0

7: 18:52:42.796284 802.1Q vlan#1 P0 172.18.2.10.9641 > 192.168.200.10.3389: S 1342445616:1342445616(0) win 64512

8: 18:52:42.796543 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.9641: R 0:0(0) ack 1342445617 win 0

9: 18:53:03.589233 802.1Q vlan#1 P0 172.18.2.10.10424 > 192.168.200.10.3389: S 669986592:669986592(0) win 64512

10: 18:53:03.589584 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.10424: R 0:0(0) ack 669986593 win 0

11: 18:53:04.509983 802.1Q vlan#1 P0 172.18.2.10.10424 > 192.168.200.10.3389: S 307456710:307456710(0) win 64512

12: 18:53:04.510349 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.10424: R 0:0(0) ack 307456711 win 0

12 packets shown

ciscoasa# show cap asp | include 172.18.2.10 (nothing came up)

ciscoasa#

I also added these commands but no success

access-list OUTSIDE remark Allow RDP

access-list OUTSIDE permit tcp any host 24.99.39.170 eq 3389

access-group OUTSIDE in interface outside

Julio Carvajal · ‎03-05-2014

Awesome...........

So

ciscoasa# show cap asp | include 172.18.2.10 (nothing came up) Means: ASA is not dropping any packets.

For the cap capin:

2: 18:51:15.213917 802.1Q vlan#1 P0 192.168.200.10.3389 > 172.18.2.10.7208: R 0:0(0) ack 230826239 win 0

All of the even lines have something in common: and that is the RESET packet.

This let us know the server is not allowing the connection.

Make sure your Antivirus/Firewall allows that connection and more important.MAKE sure you have configured ur PC to allow RDP connections for this:

Go to system/Properties/Remote Access Config/ and then allow RDP.

ASA is not the problem man

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

soaliou123 · ‎03-05-2014

I disabled all firewalls in this PC.

Julio Carvajal · ‎03-05-2014

Then you have not enabled the RDP service,

Follow the steps I provided and then get back to me

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

soaliou123 · ‎03-05-2014

RDP is enabled. That was the first I did before I try to connect to it