VPN connects but cannot ping or access resources

pmattson00
Level 1

I am hoping this is an easy fix and it is something I am missing.  I have been looking at this for several hours.

Scenario:

I have AnyConnect Essentials, so I am using the SSL connection.

I have changed my external IP and domain name in my configuration I am posting.

My VPN connection appears to be working fine.  I actually was able to connect from 3 different locations with 3 different external IP addresses.

From location 1 I receive an IP address of 192.168.30.10, like it should.  I can ping 192.168.1.1, but not 192.168.1.6, which is my temporary resource; the firewall is disabled on 192.168.1.6.

From location 2 I receive an IP address of 192.168.30.11, like it should.  I was able to ping 192.168.30.10, could not try 192.168.1.1 because the place closed.

Any help would be appreciated; it is starting to get late, so I hope I gave enough detail.  I feel so close but yet so far.

ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 22.22.22.246 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWPING
 icmp-object echo
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object source-quench
 icmp-object unreachable
access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 22.22.22.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl 10
 webvpn
  svc ask none default svc
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value mydomain.com
 address-pools value SSLClientPoolNew
 webvpn
  svc keep-installer installed
  svc rekey time 180
  svc rekey method ssl
  svc modules value vpngina
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
username test password xxxxxxxxxxxxxx encrypted privilege 15
username ljb1 password xxxxxxxxxxxxxx encrypted
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592
: end

Accepted Solution

raga.fusionet
Level 4

Patrick,

You are missing the NAT exemption. Please add the following and try again:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0

nat (inside) 0 access-list nonat

Let us know if you're still having problems after that.

Raga
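Why the exemption fixes it, and a check you can script (added here as an example; it is not part of the thread or Cisco's tooling): in the pre-8.3 NAT syntax used by this 8.2(1) box, `nat (inside) 1 192.168.1.0 255.255.255.0` paired with `global (outside) 1 interface` applies dynamic PAT to inside-sourced traffic that leaves through the outside interface. AnyConnect clients are reached through that same outside interface, so traffic between 192.168.1.0/24 and the 192.168.30.x pool is caught by the dynamic NAT policy instead of passing untranslated; `nat (inside) 0 access-list nonat` exempts exactly that pair of networks. Pinging 192.168.1.1 still worked because the ASA answers that address itself (`management-access inside`). The Python script below parses the NAT-relevant lines of such a config, reports every VPN pool that an inside dynamic-NAT rule would translate without a covering exemption, and emits the two remediation lines plus a `packet-tracer` command to confirm on the box that the NAT phase now hits the exemption. The embedded config strings are trimmed from the posted `show run` (constructed sample); the ACL name `nonat` and the probe host 192.168.1.6 come from the thread; the names `Finding`, `parse_config` and `lint` are my own.

```python
"""Check an ASA 8.2-style config for VPN-pool traffic caught by dynamic NAT.

Added example for this thread, not code from the original post or from Cisco.
Assumptions: pre-8.3 NAT syntax (nat/global) and an exemption written as
``nat (<ifc>) 0 access-list <acl>``; Finding, parse_config and lint are my own names.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample: the NAT-relevant subset of the posted config, before the fix.
BEFORE_FIX = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 22.22.22.246 255.255.255.252
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
"""

# The same config with the accepted answer's two lines appended.
AFTER_FIX = BEFORE_FIX + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


@dataclass
class Finding:
    interface: str          # interface the dynamic NAT rule is attached to
    nat_id: str             # NAT id shared with the matching "global" rule
    inside_net: str         # network the rule translates
    pool: str               # VPN pool whose clients are affected
    remediation: List[str]  # config lines to add, then a packet-tracer check


def _addr(tokens, i):
    """Parse one ACE address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect VPN pools, dynamic NAT rules, exemption ACL names and permit-ip ACEs."""
    pools, dyn_nat, exempt, aces = {}, [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 7:
            start, end = t[4].split("-")
            pool_net = ipaddress.ip_network(f"{start}/{t[6]}", strict=False)
            pools[t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end), pool_net)
        elif t[:1] == ["nat"] and len(t) >= 5:
            ifc = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":      # NAT exemption
                exempt.setdefault(ifc, []).append(t[4])
            elif t[2] != "0":                                # dynamic NAT/PAT
                dyn_nat.append((ifc, t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[:1] == ["access-list"] and len(t) >= 4:
            body = t[3:] if t[2] == "extended" else t[2:]
            if body[:2] == ["permit", "ip"]:
                src, i = _addr(body, 2)
                dst, _ = _addr(body, i)
                aces.setdefault(t[1], []).append((src, dst))
    return pools, dyn_nat, exempt, aces


def lint(text, probe_host="192.168.1.6"):
    """Return one Finding per (dynamic NAT rule, pool) pair that no exemption ACE covers."""
    pools, dyn_nat, exempt, aces = parse_config(text)
    findings = []
    for ifc, nat_id, inside_net in dyn_nat:
        for name, (start, end, pool_net) in pools.items():
            covered = any(
                src.overlaps(inside_net) and start in dst and end in dst
                for acl in exempt.get(ifc, [])
                for src, dst in aces.get(acl, [])
            )
            if covered:
                continue
            findings.append(Finding(
                interface=ifc, nat_id=nat_id, inside_net=str(inside_net), pool=name,
                remediation=[
                    f"access-list nonat permit ip {inside_net.network_address} "
                    f"{inside_net.netmask} {pool_net.network_address} {pool_net.netmask}",
                    f"nat ({ifc}) 0 access-list nonat",
                    # Simulates an inside host sending an ICMP echo (type 8, code 0) to the
                    # first pool address; the NAT phase of the output shows which rule matched.
                    f"packet-tracer input {ifc} icmp {probe_host} 8 0 {start}",
                ],
            ))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        found = lint(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  nat ({f.interface}) {f.nat_id} translates {f.inside_net} toward pool {f.pool}")
            for line in f.remediation:
                print("    " + line)
```

Run it as-is and the "before fix" config yields one finding with the two lines from the accepted answer and the packet-tracer check; the "after fix" config yields none. The check is deliberately per interface: an exemption attached to a different interface than the dynamic NAT rule does not count, which is the mistake to watch for when the same ACL is reused on a multi-interface box.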


Replies


Raga,

Thanks, that worked. I guess I had been looking at it for so long that I forgot about all of my access-lists.

I knew I was missing something simple.

Regards,

Patrick

Hey Patrick,

Good to hear that it worked!

Have a good one.

Raga