Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1107
Views
0
Helpful
6
Replies

VPN Client is Connected but Unable to Ping Internal Network

noorzulfadli.mustafa
Level 1
Level 1

‎03-18-2013 09:52 PM - edited ‎03-11-2019 06:16 PM

Dear Experts,

I have created a VPN connection for ASA 5512-X by using the wizards and nothing seems to be wrong on the wizards's config.

I am able to connect to the network by using the VPN but unable to ping internal network.

Below is my config for your reference:

Result of the command: "sh run"

: Saved

:

ASA Version 8.6(1)2

!

hostname FAA-ASA-1

enable password crzcsirI44h2BHoz encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 211.25.191.2 255.255.255.224

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.16.2.5 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif mgmt

security-level 0

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone MYT 8

dns server-group DefaultDNS

name-server 203.121.16.85

name-server 203.121.16.120

object network FAA-PubIP

range 211.25.191.3 211.25.191.31

description FAA Pub IP Pool

object network FAA-Net

subnet 172.16.0.0 255.255.0.0

object network obj_211.25.191.3

host 211.25.191.3

object network NETWORK_OBJ_172.16.48.0_24

subnet 172.16.48.0 255.255.255.0

object network IP_Management

subnet 172.16.2.0 255.255.255.0

object network Private

subnet 172.16.11.0 255.255.255.0

object network Private_Wifi

subnet 172.16.14.0 255.255.255.0

object network Public

subnet 172.16.120.0 255.255.254.0

object network Server

subnet 172.16.0.128 255.255.255.128

object network obj_211.25.191.4

host 211.25.191.4

object network obj_211.25.191.5

host 211.25.191.5

object network obj_211.25.191.6

host 211.25.191.6

object network obj_211.25.191.7

host 211.25.191.7

object network FAA-PrivateITvLAN

subnet 172.16.16.0 255.255.255.248

description FAA IT VLAN Only

object network obj_211.25.191.10

host 211.25.191.10

object network VPN

subnet 172.16.48.0 255.255.255.0

object network CoreSwitch

host 172.16.2.1

object-group network FAA_PubIP

network-object object FAA-PubIP

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended deny ip any any

access-list FAA_Split_Tunnelling_ACL standard permit any

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

logging from-address kahlil@faa.org.my

mtu outside 1500

mtu inside 1500

mtu mgmt 1500

ip local pool vpn-pool 172.16.48.11-172.16.48.240 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any FAA-PubIP inactive

nat (outside,inside) source dynamic any FAA-PubIP inactive

nat (inside,outside) source static Server obj_211.25.191.3

nat (inside,outside) source static Private_Wifi obj_211.25.191.5

nat (inside,outside) source static Private obj_211.25.191.4

nat (inside,outside) source static Private_Wifi obj_211.25.191.6

nat (inside,outside) source static Public obj_211.25.191.7

nat (inside,outside) source static FAA-PrivateITvLAN obj_211.25.191.10

nat (inside,outside) source static FAA-Net obj_211.25.191.3 inactive

nat (inside,any) source static any any destination static VPN VPN

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 211.25.191.1 1

route inside 172.16.0.0 255.255.0.0 172.16.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 mgmt

http 0.0.0.0 0.0.0.0 inside

http 202.162.24.10 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=FAA-ASA-1

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 60e03f51

    30820238 308201a1 a0030201 02020460 e03f5130 0d06092a 864886f7 0d010105

    0500302e 31123010 06035504 03130946 41412d41 53412d31 31183016 06092a86

    4886f70d 01090216 09464141 2d415341 2d31301e 170d3133 30333133 30333132

    34385a17 0d323330 33313130 33313234 385a302e 31123010 06035504 03130946

    41412d41 53412d31 31183016 06092a86 4886f70d 01090216 09464141 2d415341

    2d313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c9

    cbae9ff3 b3cc0b5e a76a411f 982b34a5 63062e23 6ddf2ef0 d4011d18 7e84082f

    f15fb6f8 568afe00 5452fc77 0d22803e 3843d1af 878d244a 91f0d1ea d41fbc55

    c6fed62b c481377e 3dce53a0 0c77f873 c6c4e76f 8867064c 950226c0 eb08df7e

    5a60b738 03967015 87435303 e2277291 9536d8d0 d45cda8d b7b2c23b 8f425502

    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f

    0101ff04 04030201 86301f06 03551d23 04183016 80149a5c 09ceab0a 88a82cf9

    c291ad35 4384506d 7db5301d 0603551d 0e041604 149a5c09 ceab0a88 a82cf9c2

    91ad3543 84506d7d b5300d06 092a8648 86f70d01 01050500 03818100 5c49077a

    a716220a c8f31861 57befa9c 3f63897e 372b80df 143861e6 a67c89f1 0031e41e

    3add5559 fca8540b 3d1cf136 724a3b0f 20533cda e41bc588 5407b3e0 5f7ed639

    ac7491ba d42a0729 06741c38 d6a83547 276366c9 e16be281 16689f5e 7bed3d47

    b28c6522 f294422a 69fbfd53 1bd030e4 564be3c3 4b3aa993 7a45f1a9

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 mgmt

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 mgmt

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles FAA-AnyConnect_client_profile disk0:/FAA-AnyConnect_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_FAA-AnyConnect internal

group-policy GroupPolicy_FAA-AnyConnect attributes

wins-server none

dns-server value 203.121.16.85 203.121.16.120

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

default-domain none

webvpn

  anyconnect profiles value FAA-AnyConnect_client_profile type user

group-policy FAAVPN internal

group-policy FAAVPN attributes

dns-server value 203.121.16.85 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value FAA_Split_Tunnelling_ACL

username yong password 5lDHv1QBqVr1DU7m encrypted privilege 15

username agsyam password Vz/ocluCtc1UndgH encrypted privilege 15

username vads password zqWp7lnL1f7zIDTf encrypted privilege 15

username kahlil password BREaPysFcjSqRAhf encrypted privilege 15

tunnel-group FAAVPN type remote-access

tunnel-group FAAVPN general-attributes

address-pool vpn-pool

default-group-policy FAAVPN

tunnel-group FAAVPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group FAA-AnyConnect type remote-access

tunnel-group FAA-AnyConnect general-attributes

address-pool vpn-pool

default-group-policy GroupPolicy_FAA-AnyConnect

tunnel-group FAA-AnyConnect webvpn-attributes

group-alias FAA-AnyConnect enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 9

  subscribe-to-alert-group configuration periodic monthly 9

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:aaa1d49992d2e5d24713863a882e09e2

: end

Thank you in advance for your help.

Regards,

Zul

Labels:
0 Helpful
6 Replies 6

jocamare
Level 4
Level 4

‎03-18-2013 10:08 PM

When connecting using Anyconnect, can you provide the output of the "show vpn-sessionsdb svc" command?

0 Helpful

noorzulfadli.mustafa
Level 1
Level 1
In response to jocamare

‎03-19-2013 07:52 PM

Dear jocamare,

I am not using anyconnect for now. I am using vpn client instead.

Below is the output when enter show vpn-sessiondb ra-ikev1-ipsec:

Session Type: IKEv1 IPsec

Username     : vads                   Index        : 68

Assigned IP  : 172.16.48.11           Public IP    : 202.162.24.10

Protocol     : IKEv1 IPsecOverNatT

License      : Other VPN

Encryption   : AES256 AES128          Hashing      : SHA1

Bytes Tx     : 500                    Bytes Rx     : 0

Group Policy : FAAVPN                 Tunnel Group : FAAVPN

Login Time   : 10:47:58 MYT Wed Mar 20 2013

Duration     : 0h:02m:49s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

Do you think anything wrong with the result?


Regards,

Zul

0 Helpful

jocamare
Level 4
Level 4
In response to noorzulfadli.mustafa

‎03-19-2013 08:10 PM

Nothing wrong with the result/output.

Try this:

"packet-tracer in outside icmp 172.16.48.11 8 0 172.16.2.123"

0 Helpful

alessandro.s
Level 1
Level 1

‎03-19-2013 01:24 PM

Hi,

try to change the line "nat (inside,any) source static any any destination static VPN VPN"
into "nat (inside,OUTSIDE) source static any any destination static VPN VPN"

Hope this helps.

regards

Sent from Cisco Technical Support iPad App

0 Helpful

noorzulfadli.mustafa
Level 1
Level 1
In response to alessandro.s

‎03-19-2013 07:54 PM

Thank you Alessandro,

I have tried as what you suggessted but to no avail.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to noorzulfadli.mustafa

‎03-19-2013 10:08 PM

Hello Noor,

Please go ahead and try the following suggestion:

object network NETWORK_OBJ_172.16.48.0_24

subnet 172.16.48.0 255.255.255.0

object network IP_Management

subnet 172.16.2.0 255.255.255.0

nat (inside,outside) 1 source static IP_management IP_management destination static NETWORK_OBJ_172.16.48.0_24 NETWORK_OBJ_172.16.48.0_24

All in a single line of course,

Then let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card