Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6386
Views
0
Helpful
18
Replies

I cannot ping from anyconnect client but i can ping from inside network

jacobwminja90
Level 1
Level 1

‎02-20-2017 01:56 AM - edited ‎02-21-2020 09:10 PM

My Inside network: 10.10.30.0/24

My Outside network: 10.10.90.0/24

My VPN POOL: 192.168.0.0/24

I can ping one way ie from 10.10.30.195 to 192.168.0.1 but not from 192.168.0.1 to 10.10.30.195

Here below is my configurations


: Saved
:
ASA Version 9.1(2)
!
hostname XXXX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool SVCPOOL 192.168.0.1-192.168.0.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.10.90.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network INSIDE
subnet 10.10.30.0 255.255.255.0
object network OUTSIDE
subnet 10.10.90.0 255.255.255.0
object network PAT_10.10.90.1
subnet 10.10.30.0 255.255.255.0
object network PAT_OUTSIDE
subnet 10.10.30.0 255.255.255.0
object network NAT_EXMPT
range 192.168.0.1 192.168.0.254
object network ANYCONNECT_192.168.0.0
subnet 192.168.0.0 255.255.255.0
access-list SVCACL extended permit ip 10.10.30.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static INSIDE INSIDE destination static NAT_EXMPT NAT_EXMPT
!
object network PAT_OUTSIDE
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.90.99 1
route outside 192.168.0.0 255.255.255.0 10.10.90.99 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.30.0 255.255.255.0 inside
http 10.10.90.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.10.30.0 255.255.255.0 inside
ssh 10.10.90.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy WEBVPNPOLICY internal
group-policy WEBVPNPOLICY attributes
banner value WELCOME TO CLIENTLESS VPN
vpn-tunnel-protocol ssl-clientless
group-policy SVCPOLICY internal
group-policy SVCPOLICY attributes
wins-server none
dns-server none
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SVCACL
default-domain none
address-pools value SVCPOOL
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username admin attributes
vpn-group-policy WEBVPNPOLICY
group-lock value WEBVPNGROUP
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username cisco attributes
vpn-group-policy SVCPOLICY
group-lock value SVCGROUP
tunnel-group WEBVPNGROUP type remote-access
tunnel-group WEBVPNGROUP general-attributes
default-group-policy WEBVPNPOLICY
tunnel-group WEBVPNGROUP webvpn-attributes
group-alias WEBVPNUSERS enable
tunnel-group SVCGROUP type remote-access
tunnel-group SVCGROUP general-attributes
default-group-policy SVCPOLICY
tunnel-group SVCGROUP webvpn-attributes
group-alias SVCUSERS enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:d516f11792080d08006fd5bbf5eec2c6
: end

Labels:
0 Helpful
18 Replies 18

jacobwminja90
Level 1
Level 1
In response to Boris Uskov

‎02-20-2017 05:47 AM

Switch is configured with IP:10.10.30.9/24 and gateway ASA IP:10.10.30.1/24

0 Helpful

Boris Uskov
Level 4
Level 4
In response to jacobwminja90

‎02-20-2017 05:50 AM

Can you perform the test with packet capture, while pinging only the switch from 192.168.0.1?

0 Helpful

jacobwminja90
Level 1
Level 1
In response to Boris Uskov

‎02-20-2017 06:01 AM

Check below output

FROM SWITCH:

SR1SW1#ping 192.168.0.1       
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/9/17 ms

FROM ASA:

SR2FW3# capture CAPN interface inside match ip host 192.168.0.1 host 10.10.30.9
SR2FW3#
SR2FW3# show capture CAPN

2 packets captured

   1: 06:55:44.624570       192.168.0.1 > 10.10.30.9: icmp: echo request
   2: 06:55:49.625898       192.168.0.1 > 10.10.30.9: icmp: echo request
2 packets shown
SR2FW3#

0 Helpful

Boris Uskov
Level 4
Level 4
In response to jacobwminja90

‎02-20-2017 10:00 AM

Very strange. As you can see, there are no answers from Switch on ASA's interface.

Can you ping switch from ASA?

Can you check ARP-table of the switch? Does the switch have the correct ARP-record for ASA?

Is the switch Layer3 or Layer2? Can the switch perform routing? Are there any ACL configured on the switch?

Is the switch directly connected to ASA?

Also, please, post the output of from ASA:

show runn all sysopt

I'm interested in:

sysopt connection permit-vpn

One more idea. Try to change ip address pool for Anyconnect clients. For, example, try to use the completely different subnet - 172.16.x.x. If there are some conflicts inside the LAN, this may throw some light to our case.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents