
Remote access VPN on ASA5520 Ping Issues.

Hi, I hope someone might be able to help me. I have set up a remote access VPN on an ASA 5520. The VPN client connects OK, accepts my username and password, and then I am in. I get an allocated IP address of 172.16.1.1 from the local pool. The problem is that I cannot then ping the inside LAN, which is 192.168.1.1. I've got isakmp nat-traversal set to the default, which is 20. I've been looking at this all day and I think I've gone cross-eyed; a fresh pair of eyes is definitely required, so any help would be gratefully received. My config is:

: Saved

:

ASA Version 7.0(8)

!

hostname Hospira-firewall

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 213.212.66.52 255.255.255.248

!

interface GigabitEthernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown    

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit intra-interface

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list Split standard permit 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool mypool 172.16.1.1-172.16.1.253 mask 255.255.255.0

no failover

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 213.212.66.49 1

route outside 172.16.1.0 255.255.255.0 213.212.66.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy hospira internal

group-policy hospira attributes

vpn-simultaneous-logins 400

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split

webvpn

username user password 08S9WUsiSMr3RauN encrypted

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set hospira esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dmap 1 set transform-set hospira

crypto dynamic-map dmap 1 set security-association lifetime seconds 28800

crypto dynamic-map dmap 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map dmap 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dmap

crypto map mymap 2 match address NONAT

crypto map mymap 2 set security-association lifetime seconds 28800

crypto map mymap 2 set security-association lifetime kilobytes 4608000

crypto map mymap interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption 3des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

isakmp nat-traversal  20

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group hospira type ipsec-ra

tunnel-group hospira general-attributes

address-pool mypool

default-group-policy hospira

tunnel-group hospira ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

Cryptochecksum:98f85c39a5cbffe66b0f6585d5083c7c

: end

Many thanks

4 Replies

mvsheik123
Level 7

Did you try by enabling

same-security-traffic permit inter-interface ?

Thx

MS

Richard

I would suggest that you modify this line and make the sequence number for the dynamic map entry higher than any other sequence number in the crypto map:

crypto map mymap 1 ipsec-isakmp dynamic dmap

Give it a try and let us know if it helps.

HTH

Rick

Igor Mordiuk
Level 1

When you try to ping the ASA's interface, this kind of traffic belongs to the control plane. This traffic is not managed by access-lists. Try the command icmp permit any inside

Mohammad Alhyari
Cisco Employee

Hi Richard,

- We don't need an access-list with an RA connection; we have the dynamic map, which acts as a template. So, your crypto config:

crypto map mymap 1 ipsec-isakmp dynamic dmap

crypto map mymap 2 match address NONAT

crypto map mymap 2 set security-association lifetime seconds 28800

crypto map mymap 2 set security-association lifetime kilobytes 4608000

crypto map mymap interface outside

The map with seq 1 is bound to the dynamic map. Now, map 2 is using the NONAT access-list as the encryption trigger for this map, so this should not be there, as it encrypts traffic from the inside subnet to the pool.

Please remove the second entry, then test. If it is still not working, please provide a capture from the inside interface.

HTH

Mohammad.
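Worked example, added by the editor (not code from the original post, from Cisco, or from any of the repliers): a small Python lint that reads an ASA 7.x running-config excerpt and flags the crypto-map problems raised in Rick's and Mohammad's replies, plus one exposure visible in the posted config, and then shows the same excerpt with the fixes applied. The two config strings are trimmed from the post; the corrected version assumes that sequence 65535 for the dynamic entry and restricting the HTTP/ASDM server to the inside LAN (instead of http 0.0.0.0 0.0.0.0 outside, which accepts management connections from any Internet source) are acceptable in this environment. Two caveats a practitioner should keep in mind while testing: on the ASA, ICMP to an interface address is permitted by default until an icmp rule is configured on that interface, so icmp permit any inside only changes behaviour once other icmp rules exist; and the ping target in the question, 192.168.1.1, is the ASA's own inside interface, which a VPN client entering on outside can only reach when management-access inside is configured, so pinging a host behind the ASA is the cleaner data-path test.

```python
"""Lint an ASA 7.x running-config excerpt for the remote-access VPN
mistakes discussed in the thread.  Editor's example, not Cisco code."""
import re

# Constructed excerpt of the config posted in the thread (ASA 7.0(8) syntax).
ORIGINAL = """\
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
http 0.0.0.0 0.0.0.0 outside
crypto dynamic-map dmap 1 set transform-set hospira
crypto dynamic-map dmap 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dmap
crypto map mymap 2 match address NONAT
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap interface outside
"""

# The same excerpt with the replies applied (editor's rewrite, an assumption
# about what is acceptable here): static entry 2 removed, the dynamic entry
# given the highest sequence number, and HTTP/ASDM limited to the inside LAN.
CORRECTED = """\
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
http 192.168.1.0 255.255.255.0 inside
crypto dynamic-map dmap 1 set transform-set hospira
crypto dynamic-map dmap 1 set reverse-route
crypto map mymap 65535 ipsec-isakmp dynamic dmap
crypto map mymap interface outside
"""

DYNAMIC_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
MATCH_ADDRESS = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NAT_EXEMPT = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
HTTP_ANY = re.compile(r"^http 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")


def lint(config):
    """Return a list of (code, message) findings for the config text."""
    dynamic = {}      # crypto map name -> list of (seq, dynamic-map name)
    static = {}       # crypto map name -> {seq: match-address ACL}
    exempt_acls = set()
    findings = []

    for raw in config.splitlines():
        line = raw.strip()
        m = DYNAMIC_ENTRY.match(line)
        if m:
            dynamic.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
            continue
        m = MATCH_ADDRESS.match(line)
        if m:
            static.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
            continue
        m = NAT_EXEMPT.match(line)
        if m:
            exempt_acls.add(m.group(1))
            continue
        m = HTTP_ANY.match(line)
        if m:
            findings.append(("HTTP_ANY_SOURCE",
                             f"http server on {m.group(1)} accepts any source address"))

    # Mohammad's point: the NAT-exemption ACL must not double as a static
    # crypto map trigger; the dynamic entry already handles remote-access peers.
    for name, entries in static.items():
        for seq, acl in sorted(entries.items()):
            if acl in exempt_acls:
                findings.append(("STATIC_USES_NAT_EXEMPT_ACL",
                                 f"crypto map {name} {seq} matches NAT-exemption ACL {acl}; "
                                 "it would try to encrypt LAN-to-pool traffic itself"))

    # Rick's point: entries are evaluated in sequence order, so the dynamic
    # (catch-all) entry should carry the highest sequence number in its map.
    for name, dyn_entries in dynamic.items():
        highest_static = max(static.get(name, {0: None}))
        for seq, dmap in dyn_entries:
            if seq < highest_static:
                findings.append(("DYNAMIC_NOT_LAST",
                                 f"crypto map {name} {seq} (dynamic {dmap}) is evaluated "
                                 f"before static entry {highest_static}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"{label}: {len(lint(cfg))} finding(s)")
        for code, msg in lint(cfg):
            print(f"  {code}: {msg}")
```

Running the block prints three findings for the posted excerpt and none for the corrected one. After applying the change on the ASA, show crypto ipsec sa with the client connected should show the pool address as the remote identity and the encaps/decaps counters moving when a host behind the inside interface is pinged.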