Cannot Ping clients on sub interface through Anyconnect VPN

LogicalIT
Level 1

Hello,

I created a subinterface called OP (on gig 4) and a VPN connection to it called Lab VPN. We can connect to it fine and get internet, but cannot ping any of the clients on that network (.90.x), though we can ping on the actual internal network (.89.x). Is there something I did wrong or left out? Here is the config with IP addresses and passwords changed. We are also using AnyConnect. We can ping from other VPN policies, though.

: Saved

:
: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by admin at 20:11:46.180 UTC Mon Feb 24 2020
!
ASA Version 9.6(4)3
!
hostname ciscoasa
enable password *** encrypted
names
no mac-address auto
ip local pool net-10vpnclient 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool LabDHCP 192.168.90.5-192.168.90.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 123.456.789.01 255.255.255.248
!
interface GigabitEthernet1/2
nameif guest
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.98.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif Op
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup guest
dns server-group DefaultDNS
name-server 8.8.8.8
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object network obj_192.168.98.0
subnet 192.168.98.0 255.255.255.0
object network LabNetwork
subnet 192.168.90.0 255.255.255.0
object-group network OPnetwork
network-object 192.168.90.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object icmp
protocol-object icmp6
access-list split standard permit 192.168.98.0 255.255.255.0
access-list split standard permit 192.168.90.0 255.255.255.0
access-list out_to_in extended permit icmp any any
access-list Op_access_in extended permit ip any any
access-list Op_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list splittunnellab standard permit 10.0.1.0 255.255.255.0
access-list opping extended permit object-group DM_INLINE_PROTOCOL_1 any 192.168.90.0 255.255.255.0
access-list opping extended permit object-group DM_INLINE_PROTOCOL_2 192.168.90.0 255.255.255.0 any
access-list 110 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu Op 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static obj_192.168.98.0 obj_192.168.98.0 destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
nat (Op,outside) source static LabNetwork LabNetwork destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 unidirectional no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group 110 in interface outside
access-group Op_access_in in interface Op
route outside 0.0.0.0 0.0.0.0 96.93.205.118 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 guest
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Op_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Op_map interface Op
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair vpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable Op client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.90.2-192.168.90.100 Op
dhcpd dns 192.168.98.2 8.8.8.8 interface Op
dhcpd lease 86400 interface Op
dhcpd enable Op
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 guest
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 Op
webvpn
enable outside
enable inside
enable Op
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
anyconnect profiles Lab_VPN_client_profile disk0:/Lab_VPN_client_profile.xml
anyconnect profiles isotecvpn_client_profile disk0:/isotecvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_isotecvpn internal
group-policy GroupPolicy_isotecvpn attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
webvpn
anyconnect profiles value isotecvpn_client_profile type user
group-policy "GroupPolicy_Lab VPN" internal
group-policy "GroupPolicy_Lab VPN" attributes
wins-server none
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
webvpn
anyconnect profiles value Lab_VPN_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username *** password *** encrypted
username Lab attributes
vpn-group-policy "GroupPolicy_Lab VPN"
group-lock value Lab VPN
username labuser password qE2jXs/JkM.AUbzM encrypted
username labuser attributes
vpn-group-policy "GroupPolicy_Lab VPN"
tunnel-group isotecvpn type remote-access
tunnel-group isotecvpn general-attributes
address-pool net-10vpnclient
default-group-policy GroupPolicy_isotecvpn
tunnel-group isotecvpn webvpn-attributes
group-alias isotecvpn enable
tunnel-group "Lab VPN" type remote-access
tunnel-group "Lab VPN" general-attributes
address-pool LabDHCP
default-group-policy "GroupPolicy_Lab VPN"
tunnel-group "Lab VPN" webvpn-attributes
group-alias "Lab VPN" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

1 Accepted Solution

Hello,

try the NAT statement below:

nat (Op,outside) 2 source static any any destination static LabNetwork LabNetwork no-proxy-arp route-lookup

6 Replies

Francesco Molino
VIP Alumni
Hi

When you say you connect to VPN, are you talking about Lab VPN with an IP in the 192.168.90.0/24 subnet?
Are you building the VPN over the outside interface or the Op interface?
I believe you're missing a NAT, but I'll wait for your answers just to make sure.
Right now you have a NAT, but based on which VPN and interface it may not be the right one:
nat (Op,outside) source static LabNetwork LabNetwork destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 unidirectional no-proxy-arp

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

We are going to the 90.0. There is another VPN, but that is working and not having an issue. Basically, users who have access to the Lab VPN are getting an IP from the 90.0 network and should have access to all the devices connected to that port/sub interface. Should I remove my current NAT and add a new one, and which one should I add?

Should I also delete the current NAT for the Op VPN (Lab VPN)?

The current NAT for network 10 isn't necessary.
If you want this lab pool to reach out to VPN users from the other pool, then the NAT needs to be changed.
I understand people are getting an IP from the .90 subnet. What network should they access? The .90 on the Op interface only, or also the inside as well? If inside also, then duplicate the NAT statement given by @georg, change the Op interface to inside, and change the number 2 before "source" to 3.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
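Added example, not code from the thread, from Cisco or from either poster: a small offline Python lint over the relevant lines of the posted configuration. It covers both the accepted NAT statement above and Francesco's note about duplicating it for the inside interface. The script extracts the VPN address pools, the dhcpd range on Op, the network objects and the twice-NAT rules, then reports (1) VPN pools that overlap a local DHCP range, which the posted config has: LabDHCP hands out 192.168.90.5-100 while dhcpd on Op hands out 192.168.90.2-100, so a LAN host and a VPN client can be given the same address; and (2) for each pool and interface, whether an identity NAT rule (mapped objects equal to the real ones) on that interface has a destination covering the pool, so traffic towards the VPN clients is not caught by the catch-all "nat (any,outside) dynamic interface" rule. The original (Op,outside) rule covers only the 10.0.0.0/28 pool of the other VPN; the accepted answer adds coverage for LabDHCP on Op, and the INSIDE_FIX line, constructed here from Francesco's description, adds it on inside. The overlap and coverage checks are this example's own heuristics, not a statement of how the ASA evaluates its NAT table.

```python
"""Offline lint for the ASA config posted in this thread (added example,
not from the thread or from Cisco). CONFIG is an abridged copy of the posted
running config (pools, network objects, NAT and dhcpd lines only).
ACCEPTED_FIX is the NAT line from the accepted answer. INSIDE_FIX is a line
constructed here from Francesco's description (same rule on inside, number 3).
The checks below are this example's own heuristics, not documented ASA logic.
"""
import ipaddress
import re

CONFIG = """\
ip local pool net-10vpnclient 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool LabDHCP 192.168.90.5-192.168.90.100 mask 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_28
 subnet 10.0.0.0 255.255.255.240
object network obj_192.168.98.0
 subnet 192.168.98.0 255.255.255.0
object network LabNetwork
 subnet 192.168.90.0 255.255.255.0
nat (inside,outside) source static obj_192.168.98.0 obj_192.168.98.0 destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
nat (Op,outside) source static LabNetwork LabNetwork destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 unidirectional no-proxy-arp
object network obj_any
 nat (any,outside) dynamic interface
dhcpd address 192.168.90.2-192.168.90.100 Op
"""
ACCEPTED_FIX = ("nat (Op,outside) 2 source static any any destination static "
                "LabNetwork LabNetwork no-proxy-arp route-lookup\n")
# Constructed from Francesco's reply: same rule, inside interface, number 3.
INSIDE_FIX = ("nat (inside,outside) 3 source static any any destination static "
              "LabNetwork LabNetwork no-proxy-arp route-lookup\n")

# Twice NAT: nat (real_if,mapped_if) [n] source static R M destination static R M [options]
NAT_RE = re.compile(r"nat \((\S+),(\S+)\)(?: \d+)? source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)(.*)")


def parse_config(text):
    """Extract VPN pools, dhcpd ranges, network objects and twice-NAT rules."""
    pools, dhcp, nats = {}, {}, []
    objects = {"any": ipaddress.ip_network("0.0.0.0/0")}  # 'any' keyword in twice NAT
    cur_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line):
            dhcp[m[3]] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"object network (\S+)", line):
            cur_obj = m[1]
        elif cur_obj and (m := re.match(r"subnet (\S+) (\S+)", line)):
            objects[cur_obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := NAT_RE.match(line):
            nats.append({"src_if": m[1], "dst_if": m[2],
                         "real_src": m[3], "map_src": m[4],
                         "real_dst": m[5], "map_dst": m[6],
                         "unidirectional": "unidirectional" in m[7]})
    return {"pools": pools, "dhcp": dhcp, "objects": objects, "nats": nats}


def overlapping_pools(cfg):
    """VPN pool ranges that overlap a dhcpd range: (pool, interface, first, last)."""
    hits = []
    for pool, (p0, p1) in cfg["pools"].items():
        for iface, (d0, d1) in cfg["dhcp"].items():
            if p0 <= d1 and d0 <= p1:
                hits.append((pool, iface, str(max(p0, d0)), str(min(p1, d1))))
    return hits


def nat_exemption_for(cfg, pool, iface):
    """Identity NAT rules on `iface` whose destination object covers the whole pool."""
    p0, p1 = cfg["pools"][pool]
    found = []
    for r in cfg["nats"]:
        identity = r["real_src"] == r["map_src"] and r["real_dst"] == r["map_dst"]
        dst = cfg["objects"].get(r["real_dst"])
        if r["src_if"] == iface and identity and dst and p0 in dst and p1 in dst:
            found.append(r)
    return found


def lint(text, interfaces=("Op", "inside")):
    """Summarise overlaps and identity-NAT coverage per (pool, interface)."""
    cfg = parse_config(text)
    return {"overlaps": overlapping_pools(cfg),
            "exempt": {(pool, iface): len(nat_exemption_for(cfg, pool, iface))
                       for pool in cfg["pools"] for iface in interfaces}}


if __name__ == "__main__":
    for label, text in [("as posted", CONFIG),
                        ("with accepted fix", CONFIG + ACCEPTED_FIX),
                        ("plus inside rule", CONFIG + ACCEPTED_FIX + INSIDE_FIX)]:
        print(label, lint(text))
```

Running it shows the LabDHCP pool with no identity rule on either interface in the posted config, one on Op after the accepted answer's line, and one on inside only after the duplicated rule Francesco describes; the pool overlap with dhcpd on Op is reported in all three cases, since none of the NAT changes touch it.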

Thanks, this worked! I swear that I did this before and nothing worked, but you are the best!