03-18-2013 09:52 PM - edited 03-11-2019 06:16 PM
Dear Experts,
I have created a VPN connection on an ASA 5512-X by using the wizards, and nothing seems to be wrong with the wizard's config.
I am able to connect to the network by using the VPN but unable to ping internal network.
Below is my config for your reference:
Result of the command: "sh run"
: Saved
:
ASA Version 8.6(1)2
!
hostname FAA-ASA-1
enable password crzcsirI44h2BHoz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 211.25.191.2 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.2.5 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
name-server 203.121.16.85
name-server 203.121.16.120
object network FAA-PubIP
range 211.25.191.3 211.25.191.31
description FAA Pub IP Pool
object network FAA-Net
subnet 172.16.0.0 255.255.0.0
object network obj_211.25.191.3
host 211.25.191.3
object network NETWORK_OBJ_172.16.48.0_24
subnet 172.16.48.0 255.255.255.0
object network IP_Management
subnet 172.16.2.0 255.255.255.0
object network Private
subnet 172.16.11.0 255.255.255.0
object network Private_Wifi
subnet 172.16.14.0 255.255.255.0
object network Public
subnet 172.16.120.0 255.255.254.0
object network Server
subnet 172.16.0.128 255.255.255.128
object network obj_211.25.191.4
host 211.25.191.4
object network obj_211.25.191.5
host 211.25.191.5
object network obj_211.25.191.6
host 211.25.191.6
object network obj_211.25.191.7
host 211.25.191.7
object network FAA-PrivateITvLAN
subnet 172.16.16.0 255.255.255.248
description FAA IT VLAN Only
object network obj_211.25.191.10
host 211.25.191.10
object network VPN
subnet 172.16.48.0 255.255.255.0
object network CoreSwitch
host 172.16.2.1
object-group network FAA_PubIP
network-object object FAA-PubIP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list FAA_Split_Tunnelling_ACL standard permit any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging from-address kahlil@faa.org.my
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip local pool vpn-pool 172.16.48.11-172.16.48.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any FAA-PubIP inactive
nat (outside,inside) source dynamic any FAA-PubIP inactive
nat (inside,outside) source static Server obj_211.25.191.3
nat (inside,outside) source static Private_Wifi obj_211.25.191.5
nat (inside,outside) source static Private obj_211.25.191.4
nat (inside,outside) source static Private_Wifi obj_211.25.191.6
nat (inside,outside) source static Public obj_211.25.191.7
nat (inside,outside) source static FAA-PrivateITvLAN obj_211.25.191.10
nat (inside,outside) source static FAA-Net obj_211.25.191.3 inactive
nat (inside,any) source static any any destination static VPN VPN
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 211.25.191.1 1
route inside 172.16.0.0 255.255.0.0 172.16.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 mgmt
http 0.0.0.0 0.0.0.0 inside
http 202.162.24.10 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=FAA-ASA-1
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 60e03f51
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 mgmt
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 mgmt
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles FAA-AnyConnect_client_profile disk0:/FAA-AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_FAA-AnyConnect internal
group-policy GroupPolicy_FAA-AnyConnect attributes
wins-server none
dns-server value 203.121.16.85 203.121.16.120
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain none
webvpn
anyconnect profiles value FAA-AnyConnect_client_profile type user
group-policy FAAVPN internal
group-policy FAAVPN attributes
dns-server value 203.121.16.85 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value FAA_Split_Tunnelling_ACL
username yong password 5lDHv1QBqVr1DU7m encrypted privilege 15
username agsyam password Vz/ocluCtc1UndgH encrypted privilege 15
username vads password zqWp7lnL1f7zIDTf encrypted privilege 15
username kahlil password BREaPysFcjSqRAhf encrypted privilege 15
tunnel-group FAAVPN type remote-access
tunnel-group FAAVPN general-attributes
address-pool vpn-pool
default-group-policy FAAVPN
tunnel-group FAAVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group FAA-AnyConnect type remote-access
tunnel-group FAA-AnyConnect general-attributes
address-pool vpn-pool
default-group-policy GroupPolicy_FAA-AnyConnect
tunnel-group FAA-AnyConnect webvpn-attributes
group-alias FAA-AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 9
subscribe-to-alert-group configuration periodic monthly 9
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aaa1d49992d2e5d24713863a882e09e2
: end
Thank you in advance for your help.
Regards,
Zul
03-18-2013 10:08 PM
When connecting using AnyConnect, can you provide the output of the "show vpn-sessiondb svc" command?
03-19-2013 07:52 PM
Dear jocamare,
I am not using AnyConnect for now. I am using the VPN client instead.
Below is the output when I enter show vpn-sessiondb ra-ikev1-ipsec:
Session Type: IKEv1 IPsec
Username : vads Index : 68
Assigned IP : 172.16.48.11 Public IP : 202.162.24.10
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : AES256 AES128 Hashing : SHA1
Bytes Tx : 500 Bytes Rx : 0
Group Policy : FAAVPN Tunnel Group : FAAVPN
Login Time : 10:47:58 MYT Wed Mar 20 2013
Duration : 0h:02m:49s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Do you think there is anything wrong with the result?
Regards,
Zul
03-19-2013 08:10 PM
Nothing wrong with the result/output.
Try this:
"packet-tracer in outside icmp 172.16.48.11 8 0 172.16.2.123"
03-19-2013 01:24 PM
Hi,
try to change the line "nat (inside,any) source static any any destination static VPN VPN"
into "nat (inside,OUTSIDE) source static any any destination static VPN VPN"
Hope this helps.
Regards,
Sent from Cisco Technical Support iPad App
03-19-2013 07:54 PM
Thank you Alessandro,
I have tried what you suggested, but to no avail.
03-19-2013 10:08 PM
Hello Noor,
Please go ahead and try the following suggestion:
object network NETWORK_OBJ_172.16.48.0_24
subnet 172.16.48.0 255.255.255.0
object network IP_Management
subnet 172.16.2.0 255.255.255.0
nat (inside,outside) 1 source static IP_Management IP_Management destination static NETWORK_OBJ_172.16.48.0_24 NETWORK_OBJ_172.16.48.0_24
All on a single line, of course.
Then let me know
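To show why the sequence number 1 in the suggestion above matters, here is an added Python model (not from this thread or from Cisco) of how ASA manual NAT is evaluated top-down, first match wins, for an inside host answering a VPN client; it goes a step beyond the thread by also checking whether the exemption object covers every internal subnet the clients need. The helper names and the 0.0.0.0/0 stand-in for `any` are my own assumptions, and only the inside-to-outside direction is modelled.

```python
import ipaddress

# Constructed model of ASA manual (twice) NAT: rules are evaluated in order and
# the first active match wins. A rule without a destination object matches any
# destination; the interface keyword 'any' matches every interface.
ANY = ipaddress.ip_network("0.0.0.0/0")  # stand-in for the ASA keyword 'any'


def rule(real_if, mapped_if, src_real, src_mapped, dst=None, inactive=False):
    """Hypothetical helper building one manual NAT rule (not ASA syntax)."""
    net = lambda x: ANY if x == "any" else ipaddress.ip_network(x)
    return {"real_if": real_if, "mapped_if": mapped_if, "src_real": net(src_real),
            "src_mapped": src_mapped, "dst": net(dst) if dst else None,
            "inactive": inactive}


def first_match(rules, ingress_if, egress_if, src_ip, dst_ip):
    """Return (index, rule) of the first active rule matching this flow, or (None, None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r["inactive"]:
            continue
        if r["real_if"] not in (ingress_if, "any") or r["mapped_if"] not in (egress_if, "any"):
            continue
        if src in r["src_real"] and (r["dst"] is None or dst in r["dst"]):
            return i, r
    return None, None


def translated_source(rules, src_ip, dst_ip):
    """Mapped source an inside host gets when replying towards a VPN client; None = untranslated."""
    _, r = first_match(rules, "inside", "outside", src_ip, dst_ip)
    return None if r is None or r["src_mapped"] == "identity" else r["src_mapped"]


# Subnets taken from the posted config; only the rules relevant here are modelled.
PRIVATE, VPN_POOL, IP_MGMT, FAA_NET = "172.16.11.0/24", "172.16.48.0/24", "172.16.2.0/24", "172.16.0.0/16"

AS_POSTED = [
    rule("inside", "outside", "any", "FAA-PubIP", inactive=True),     # dynamic PAT, inactive
    rule("inside", "outside", PRIVATE, "obj_211.25.191.4"),           # static NAT of Private
    rule("inside", "any", "any", "identity", dst=VPN_POOL),           # exemption, but evaluated last
]
# The suggested rule at sequence 1, i.e. inserted before the static rules.
WITH_FIX = [rule("inside", "outside", IP_MGMT, "identity", dst=VPN_POOL)] + AS_POSTED
# Generalisation: the exemption must cover every subnet VPN clients should reach.
WIDENED = [rule("inside", "outside", FAA_NET, "identity", dst=VPN_POOL)] + AS_POSTED

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("with fix", WITH_FIX), ("widened", WIDENED)):
        for host in ("172.16.2.123", "172.16.11.5"):
            print(name, host, "->", translated_source(rules, host, "172.16.48.11"))
```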