
Cisco ASA issue

So I created another VPN to encapsulate all traffic. I need to be able to replace the VPN client WAN IP with my corporate IP. Also, when the VPN client is connected I can look up DNS but not ping the address.

Result of the command: "show run"

: Saved
:
ASA Version 9.0(2)
!
hostname DYMASYSFW01
domain-name Dymasys.local
enable password ClgZ1WxMoTMAnFTp encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ClgZ1WxMoTMAnFTp encrypted
names
name 192.168.27.1 SBS_Server
name 10.50.6.0 datacenter-network
ip local pool VPN_Users 10.10.1.10-10.10.1.40 mask 255.255.255.0
ip local pool VPNPUBMASK 10.11.1.10-10.11.1.40 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.27.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.190.171.150 255.255.255.224
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.27.5
 domain-name Dymasys.local
object network SBS_Server
 host 192.168.27.1
object network datacenter-network
 subnet 10.50.6.0 255.255.255.0
object network obj-192.168.27.0
 subnet 192.168.27.0 255.255.255.0
object network obj-64.190.171.154
 host 64.190.171.154
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.27.0_24
 subnet 192.168.27.0 255.255.255.0
object network NETWORK_OBJ_10.10.1.0
 subnet 10.10.1.0 255.255.255.0
object network Shark
 host 192.168.27.5
 description Shark Server
object network VPNRange
 range 10.10.1.10 10.10.1.40
 description VPNips
object network NETWORK_OBJ_10.10.1.0_26
 subnet 10.10.1.0 255.255.255.192
object network NETWORK_OBJ_10.11.1.0_26
 subnet 10.11.1.0 255.255.255.192
object network VPNSeccondRange
 range 10.11.1.10 10.11.1.40
object network NETWORK_OBJ_10.11.1.0
 subnet 10.11.1.0 255.255.255.0
object-group network obj_any
object-group service SBS
 description SBS Ports for Exchange
 service-object tcp-udp source eq 3389 destination eq 3389
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service GMAIL
 service-object tcp source eq 993
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.27.0 255.255.255.0
 network-object object datacenter-network
object-group network DM_INLINE_NETWORK_2
 network-object object NETWORK_OBJ_192.168.27.0_24
 network-object object datacenter-network
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.27.0 255.255.255.0
 network-object object datacenter-network
access-list inside_access_in extended permit ip any4 any4
access-list inside_access_in extended permit ip object datacenter-network interface inside
access-list inside_access_in extended permit ip object VPNSeccondRange any
access-list Dymasys_Users_splitTunnelAcl standard permit 192.168.27.0 255.255.255.0
access-list inside_nat0_outbound extended deny ip object datacenter-network 192.168.27.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.27.0 255.255.255.0 any4
access-list DYMASYS_USERS_splitTunnelAcl standard permit 192.168.27.0 255.255.255.0
access-list dynamic_vpn_users_splitTunnelAcl standard permit 192.168.27.0 255.255.255.0
access-list dynamic_vpn_users_splitTunnelAcl_1 standard permit 192.168.27.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.27.0 255.255.255.0 object datacenter-network
access-list outside_access_in remark Implicit rule
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list DMSIPKVPN_splitTunnelAcl standard permit 192.168.27.0 255.255.255.0
access-list DMSIPKVPN_splitTunnelAcl standard permit 10.50.6.0 255.255.255.0
access-list DMSIPKVPN_splitTunnelAcl_1 standard permit 192.168.27.0 255.255.255.0
access-list DMSIPKVPN_splitTunnelAcl_1 standard permit 10.50.6.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.27.0_24 NETWORK_OBJ_192.168.27.0_24 destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static SBS_Server obj-64.190.171.154
nat (inside,outside) source dynamic obj-192.168.27.0 interface
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.10.1.0 NETWORK_OBJ_10.10.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.1.0 NETWORK_OBJ_10.10.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.1.0 NETWORK_OBJ_10.10.1.0 destination static NETWORK_OBJ_192.168.27.0_24 NETWORK_OBJ_192.168.27.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.10.1.0 NETWORK_OBJ_10.10.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.1.0_26 NETWORK_OBJ_10.10.1.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.1.0 NETWORK_OBJ_10.10.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_10.11.1.0_26 NETWORK_OBJ_10.11.1.0_26 no-proxy-arp route-lookup
nat (any,any) source static VPNSeccondRange VPNSeccondRange destination static NETWORK_OBJ_192.168.27.0_24 NETWORK_OBJ_192.168.27.0_24
!
object network SBS_Server
 nat (inside,outside) static 64.190.171.154
object network obj_any-01
 nat (inside,outside) dynamic interface
object network NETWORK_OBJ_10.11.1.0
 nat (any,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.190.171.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SHARK protocol radius
aaa-server SHARK (inside) host 192.168.27.5
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.27.0 255.255.255.0 inside
http 75.77.227.82 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 209.198.197.212
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=DYMASYSFW01
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate af857a5b
    3082025c 308201c5 a0030201 020204af 857a5b30 0d06092a 864886f7 0d010105
    05003040 31143012 06035504 03130b44 594d4153 59534657 30313128 30260609
    2a864886 f70d0109 02161944 594d4153 59534657 30312e44 796d6173 79732e6c
    6f63616c 301e170d 31383038 32323032 33363239 5a170d32 38303831 39303233
    3632395a 30403114 30120603 55040313 0b44594d 41535953 46573031 31283026
    06092a86 4886f70d 01090216 1944594d 41535953 46573031 2e44796d 61737973
    2e6c6f63 616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
    818100b0 b10207d7 ade74d0c 941b2ddb dab36e78 4bd87f2e 5c89811a d99bca1c
    34bca0c6 ef6e9ef4 d604bba4 41011aa5 c61f573f 0c2d31d6 d3d88f05 8c400d9b
    9254d512 298da797 7484336d b0849dbd ab6b6cc4 22a9c9af 6a0808ad f899f75e
    6cead952 84d1f81c 08899749 d31eb142 f4611c21 7354db0f 37b0f331 d3efade4
    ff2c5102 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06
    03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 8014de92 97162cd6
    1e2311b4 963b1edc dcc43669 0ae1301d 0603551d 0e041604 14de9297 162cd61e
    2311b496 3b1edcdc c436690a e1300d06 092a8648 86f70d01 01050500 03818100
    ad990339 2744e8a0 3065722e 7d6154ac 017f1016 acfbe60b b9e2bc97 557159d0
    e4752f65 6e06852a 94ca1a64 77d2ae39 eb847dab 6e2982a3 5e1fa3e9 25729b1e
    0d668b9a 2b838a7c f2f9a730 494025cd dc3716d5 4b2a326b 6230932d 0ef1f56a
    1e3c83a7 c9097c1e 2c79782e e6bed9f1 0fea502b 38058ad6 e4d30966 8aa2441f
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.27.0 255.255.255.0 inside
ssh 75.77.227.82 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect profiles DMSAnyConnect_client_profile disk0:/DMSAnyConnect_client_profile.xml
 anyconnect profiles DMS_client_profile disk0:/DMS_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy test internal
group-policy test attributes
 dns-server value 192.168.27.5
 vpn-tunnel-protocol ikev1
 password-storage disable
 default-domain value Dymasys.local
 split-tunnel-all-dns enable
 nem enable
 webvpn
  anyconnect firewall-rule client-interface public value inside_nat0_outbound
  anyconnect firewall-rule client-interface private value inside_access_in
group-policy GroupPolicy_209.198.197.212 internal
group-policy GroupPolicy_209.198.197.212 attributes
 vpn-tunnel-protocol ikev1
group-policy DMSIPKVPN internal
group-policy DMSIPKVPN attributes
 dns-server value 192.168.27.5
 vpn-tunnel-protocol ikev1 ikev2
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DMSIPKVPN_splitTunnelAcl
 default-domain value Dymasys.local
group-policy Dymasys_Users internal
group-policy Dymasys_Users attributes
 dns-server value 192.168.27.1
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Dymasys_Users_splitTunnelAcl
 default-domain value printstream.local
username vsadmin password .i4/9rBX/rQ/Gdr6 encrypted privilege 15
tunnel-group DMSIPKVPN type remote-access
tunnel-group DMSIPKVPN general-attributes
 address-pool VPN_Users
 authentication-server-group SHARK
 default-group-policy DMSIPKVPN
tunnel-group DMSIPKVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 209.198.197.212 type ipsec-l2l
tunnel-group 209.198.197.212 general-attributes
 default-group-policy GroupPolicy_209.198.197.212
tunnel-group 209.198.197.212 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VPNPUBMASK
 authentication-server-group SHARK
 default-group-policy test
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b4a150b5025dbb5bd0825d486a0d9be3
: end

Dennis Mink
VIP Alumni

Can you share your config and mention what IP addresses have the issue, and where you are pinging from?

Please remember to rate useful posts, by clicking on the stars below.

DNS resolves from the Cisco VPN client connected machine, but it does not ping via the internet. I can ping google.com; the name resolves, then it does not ping.

I posted the config under my original post.


@Dennis Mink wrote:

Can you share your config and mention what IP addresses have the issue, and where you are pinging from?



10.11.1.0/24 to the Gateway. 0.0.0.0 or server 192.168.27.5
