Can't ping LAN

SteveNode03
Level 1

I am having a tough time trying to ping anything inside the LAN. I can ping the ASA but that is about it. I have the ACL in the policy. I am static routing back to the LAN from the ASA as you can see from the config. What else could be preventing the SSL tunnel from being successful going back and forth between the LAN and the SSL connection? I can successfully authenticate through the Radius, but after that it's a no go.

ASA Version 9.8(2)28
!
hostname CiscoVPN
domain-name Contoso.com

ip local pool SSL-Pool 172.16.46.1-172.16.46.51 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1/2
description LAN
nameif Inside
security-level 100
ip address 10.10.99.46 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name Contoso.com
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.16.27.0_26
subnet 172.16.27.0 255.255.255.192
object network NETWORK_OBJ_10.10.99.0_24
subnet 10.10.99.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj-10.10.251.0
subnet 10.10.251.0 255.255.255.0
object network NETWORK_OBJ_172.16.46.0_26
subnet 172.16.46.0 255.255.255.192
access-list Split-ACL standard permit 10.10.0.0 255.255.0.0
access-list Split-ACL standard permit 10.20.0.0 255.255.0.0
access-list Split-ACL standard permit 10.30.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.16.27.0_26 NETWORK_OBJ_172.16.27.0_26 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.16.46.0_26 NETWORK_OBJ_172.16.46.0_26 no-proxy-arp route-lookup
nat (Inside,any) source static NETWORK_OBJ_172.16.46.0_26 NETWORK_OBJ_172.16.46.0_26 destination static obj-10.0.0.0 obj-10.0.0.0
!
object network obj_any
nat (Inside,Outside) dynamic interface
object network NETWORK_OBJ_172.16.46.0_26
nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 2.2.2 1
route Inside 10.0.0.0 255.0.0.0 10.10.99.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server NETmgmt protocol radius
aaa-server NETmgmt (Inside) host 10.10.90.92
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint SelfSignedCert
enrollment self
subject-name CN=CiscoVPN
keypair sslcert
crl configure
crypto ca trustpool policy
crypto ca certificate chain SelfSignedCert
certificate 3bb3c752
3082030c 308201f4 a0030201 0202043b b3c75230 0d06092a 864886f7 0d01010b
05003048 311f301d 06035504 03131643 6973636f 56504e2e 61696962 65617574
792e636f 6d312530 2306092a 864886f7 0d010902 16164369 73636f56 504e2e61
69696265 61757479 2e636f6d 301e170d 31343031 30343037 32343336 5a170d32
34303130 32303732 3433365a 3048311f 301d0603 55040313 16436973 636f5650
4e2e6169 69626561 7574792e 636f6d31 25302306 092a8648 86f70d01 09021616
43697363 6f56504e 2e616969 62656175 74792e63 6f6d3082 0122300d 06092a86
4886f70d 01010105 00038201 0f003082 010a0282 010100a5 cca273f9 310dfeb4
837ef1ba 9a9d857e 885164b0 581a6cf5 cdbcafc0 9a0f5f51 d55fd8de e5ebc528
3f38f9a0 40821060 9159e321 2128895f b2090fdc 5dddabda 15e0f6fd 5f8ee65e
d4864e68 5006c4f6 3649da29 9d1a930d a7f345bd e1d263e6 ae6ad499 218e02c6
4feb5263 cb85c833 7d5603e2 3870c479 5c3f9b1a 9a495d80 96f2314b 404c7503
c0bd481b 8d909c35 b5e01f60 d1389996 5c05655d 2b8f3c57 9efb83b4 fb7a9c66
b83823e6 a5730460 ad4a3cac 7cd30a8c e11baf47 2f461151 731dd48c ee350c1e
ccd7a23d a839d309 e5f75111 c16eebe7 77b6a619 69ff2592 b0ac4fe2 e65911ca
3f8f1319 76a97171 1ba92bf6 7596223e cfa1646b fee06102 03010001 300d0609
2a864886 f70d0101 0b050003 82010100 87a76e36 6f4f853a 273c9643 34fb8ede
8d559c4b b7371e4f 542b93b3 ab43238e a42a3cc1 350a675f e39b2019 6a240e44
e520f629 553d21f0 137afce8 a3f3388c 20a1162d 4ae80b4a 0cd743ad 528a067e
3558fe02 7b69fc07 1478c6fe bce2f9c2 6bbe1f78 fd07aab0 ef9cf8cf c743ecb1
67ed03f1 4a0c05ba e6177baa 22dedc0b 33f57aff cb716d96 9302bd46 d60b2c73
0b3d6fa7 cb87833b 80fb8ac2 75770ae2 2de039f6 ebb71c02 41b668fd 2731a15e
cf92fb39 afb98224 b457f0e7 bc4ce608 eeff5688 b5967a66 a45768c1 56cb51bc
ede3ded2 475a6f7c bc6b9b3c ad78a782 75eb7d9f 8a5af5e9 a18d8ed5 ea747c72
33c786bc 21d66526 12bd01ab 03b212a1
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 Inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point SelfSignedCert Outside
ssl trust-point SelfSignedCert Inside
webvpn
enable Outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_CiscoASA_VPN internal
group-policy GroupPolicy_CiscoASA_VPN attributes
wins-server none
dns-server value 10.10.90.4
vpn-tunnel-protocol ssl-client
default-domain value Contoso.com
group-policy GroupPolicy_Cisco_SSL internal
group-policy GroupPolicy_Cisco_SSL attributes
wins-server none
dns-server value 10.10.90.4
vpn-tunnel-protocol ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-ACL
default-domain value Contoso.com
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Cisco_SSL type remote-access
tunnel-group Cisco_SSL general-attributes
address-pool SSL-Pool
authentication-server-group NETmgmt LOCAL
default-group-policy GroupPolicy_Cisco_SSL
tunnel-group Cisco_SSL webvpn-attributes
group-alias Cisco_SSL enable
tunnel-group CiscoASA_VPN type remote-access
tunnel-group CiscoASA_VPN general-attributes
address-pool SSL-Pool
authentication-server-group NETmgmt LOCAL
default-group-policy GroupPolicy_CiscoASA_VPN
tunnel-group CiscoASA_VPN webvpn-attributes
group-alias CiscoASA_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
: end

Accepted Solution

SteveNode03
Level 1

Never mind. The configuration I have in the ASA is fine. I had to add a static route on the Core-SW to point back to the ASA for the VPN subnet. Duh. :-)

After poking around, a dynamic light bulb sprang up in my mind to add the route.

ip route [VPN Subnet] [Mask] [Cisco ASA inside address]

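The fix above is a return-path problem: the ASA knows how to reach 10.0.0.0/8 via 10.10.99.254, but nothing on the LAN side knew that 172.16.46.0/24 (the SSL-Pool) lives behind 10.10.99.46. The script below is an added example, not Cisco code and not part of the post. It parses an excerpt of the configuration quoted above (re-indented the way `show running-config` prints sub-commands), fills in the `ip route` template from the accepted answer with the pool network and the ASA's Inside address, and checks that an identity (twice) NAT on Inside actually covers the whole pool, since a pool that is not NAT-exempt would also fail to reach the LAN. The function names are mine; the assumption that the core switch is the 10.10.99.254 next hop named in `route Inside` is an inference from the config, and the derived route only helps if no more-specific route for the pool exists elsewhere on the LAN.

```python
"""Work out the LAN-side return route for an ASA AnyConnect address pool.

Added example (not Cisco code and not from the post): parses an excerpt of
the ASA configuration quoted above, derives the IOS static route the core
switch needs so that replies to VPN clients are sent back to the ASA's
inside interface, and checks that an identity NAT on Inside covers the pool.
"""
import ipaddress
import re

# Excerpt of the configuration from the post, re-indented the way
# 'show running-config' prints it (sub-commands indented one space).
ASA_CONFIG = """\
ip local pool SSL-Pool 172.16.46.1-172.16.46.51 mask 255.255.255.0
interface GigabitEthernet1/1
 nameif Outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
interface GigabitEthernet1/2
 description LAN
 nameif Inside
 security-level 100
 ip address 10.10.99.46 255.255.255.0
object network NETWORK_OBJ_172.16.46.0_26
 subnet 172.16.46.0 255.255.255.192
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.16.46.0_26 NETWORK_OBJ_172.16.46.0_26 no-proxy-arp route-lookup
nat (Inside,any) source static NETWORK_OBJ_172.16.46.0_26 NETWORK_OBJ_172.16.46.0_26 destination static obj-10.0.0.0 obj-10.0.0.0
route Inside 10.0.0.0 255.0.0.0 10.10.99.254 1
"""


def parse_pools(cfg):
    """Map pool name -> (first address, last address, dotted mask)."""
    pools = {}
    pat = r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)"
    for m in re.finditer(pat, cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)),
                             m.group(4))
    return pools


def parse_interfaces(cfg):
    """Map nameif -> ip_interface for every interface stanza with an address."""
    result, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = {}
        elif current is not None and line.startswith(" nameif "):
            current["nameif"] = line.split()[1]
        elif current is not None and line.startswith(" ip address "):
            _, _, ip, mask = line.split()
            current["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
        if current and "nameif" in current and "addr" in current:
            result[current["nameif"]] = current["addr"]
            current = None
    return result


def parse_objects(cfg):
    """Map 'object network' name -> ip_network for subnet objects."""
    pat = r"^object network (\S+)\n subnet (\S+) (\S+)"
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            for m in re.finditer(pat, cfg, re.M)}


def pool_network(pool):
    """Network (per the pool's own mask) that contains the whole pool."""
    first, last, mask = pool
    net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    if last not in net:
        raise ValueError("pool range crosses its own mask boundary")
    return net


def return_route(cfg, pool_name="SSL-Pool", inside="Inside"):
    """IOS 'ip route' the LAN core needs for the VPN pool, via the ASA inside IP."""
    net = pool_network(parse_pools(cfg)[pool_name])
    asa_inside = parse_interfaces(cfg)[inside].ip
    return f"ip route {net.network_address} {net.netmask} {asa_inside}"


def nat_exempt_covers_pool(cfg, pool_name="SSL-Pool"):
    """True if a twice NAT on Inside maps some object containing the pool to itself."""
    first, last, _ = parse_pools(cfg)[pool_name]
    objs = parse_objects(cfg)
    pat = r"^nat \(Inside,\S+\) source static (\S+) \1 destination static (\S+) \2"
    for m in re.finditer(pat, cfg, re.M):
        for name in (m.group(1), m.group(2)):
            net = objs.get(name)
            if net is not None and first in net and last in net:
                return True
    return False


if __name__ == "__main__":
    print("core switch needs:", return_route(ASA_CONFIG))
    print("identity NAT covers pool:", nat_exempt_covers_pool(ASA_CONFIG))
```

Running it prints `ip route 172.16.46.0 255.255.255.0 10.10.99.46`, which is the accepted answer's template with this config's values filled in; the same derivation applies to any other pool or inside interface you feed it. After adding the route on the core switch, `show ip route 172.16.46.1` on the switch and `show route` on the ASA should show the pool and the LAN pointing at each other.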