07-12-2012 03:04 PM
I'm running a 5510 ASA and the VPN has been working great for a while. We recently changed our network provider, so I had to change the public IP and DNS on the firewall... Now I can still connect via the VPN and browse across my MPLS to other sites, but I can't really access anything on the native LAN that the firewall resides on?
07-13-2012 08:17 AM
09:36:26 | 106001 | 10.0.0.83 | 3389 | 10.0.40.101 | 1266 | Inbound TCP connection denied from 10.0.0.83/3389 to 10.0.40.101/1266 flags PSH ACK on interface asa5510 |
That's what I get when I try RDP to a system on the same LAN as the firewall.
Also, the only thing I can ping on the LAN is the firewall and the default gateway. Everything else gives me one ping, then dies.
07-13-2012 01:21 PM
Hi Chris,
You mentioned that browsing across MPLS is fine, does that include RDP sessions as well? Just want to make sure.
Thx
MS
07-13-2012 01:24 PM
Yeah, RDP and everything else works to the MPLS site, just not to the local site the VPN is at. Seems very odd that the VPN users can route to the other networks, just not the network its IP is on.
The firewall/VPN can communicate with everything on our network.
07-13-2012 01:34 PM
Very odd. As 'ping' does as well, start with a simple test by enabling 'debug icmp trace' on the inside interface and see if the 'reply' packets are reaching the ASA or not. Not sure, but the ASA may be dropping the packets. Also check the 'asp drop' counters as well (guess that gives some info).
Thx
MS
07-13-2012 01:42 PM
Dear Chris,
Let's follow this action plan to find your issue:
1- packet-tracer from the inside network to the VPN network.
2- packet-tracer from the outside (VPN network) to an internal machine. For this test you may need to allow the traffic on the outside access-group (the "sysopt connection permit-vpn" already takes care of this traffic, but for the purpose of the packet-tracer the access-group must allow it).
3- Packet capture on the inside interface:
capture capin interface inside match ip vpn_net netmask internal_net netmask
4- Logs at debugging level.
The first two will let us know how the FW is treating this traffic; the third one will isolate a possible routing issue.
Please keep me posted.
Thanks in advance.
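The same action plan filled in with the addresses from the 106001 log line earlier in the thread, as an added example that is not part of the thread: it assumes the VPN pool is 10.0.40.0/24, the LAN is 10.0.0.0/24 and the LAN nameif is "inside".

```text
! Added example, not from the thread. Assumed values: VPN pool 10.0.40.0/24,
! LAN 10.0.0.0/24, LAN nameif "inside", outside nameif "outside".
!
! 1- Inside to VPN: the packet the 106001 log shows being denied, i.e. the
!    RDP reply (PSH ACK) arriving on inside without a matching connection.
packet-tracer input inside tcp 10.0.0.83 3389 10.0.40.101 1266 detailed
!
! 2- VPN to inside: the SYN that should have created that connection.
!    Expect the "sysopt connection permit-vpn" behaviour noted above.
packet-tracer input outside tcp 10.0.40.101 1266 10.0.0.83 3389 detailed
!
! 3- Capture on the inside interface between the two networks, then read it.
!    If the SYN leaves inside but no SYN-ACK comes back, or the SYN-ACK comes
!    back without the SYN ever being seen, the reply path is asymmetric.
capture capin interface inside match ip 10.0.40.0 255.255.255.0 10.0.0.0 255.255.255.0
show capture capin
!
! Counters and trace suggested earlier in the thread.
show asp drop
debug icmp trace
!
! 4- Logging at debugging level, kept in the buffer and filtered for the denial.
logging enable
logging buffered debugging
show logging | include 106001
```

Clear the capture with "no capture capin" and stop the ICMP trace with "undebug all" once you have what you need.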
07-13-2012 08:03 PM
Guess I'm not sure how to work the packet-tracer. I do a trace from my firewall to the gateway and the internal implicit rule "any to any ip deny" is blocking it, even though there is an "any to any less secure networks ip permit" above it.
And if I do a ping from the firewall to the gateway, it works.
07-14-2012 01:31 PM
Hi Chris,
Please provide:
LAN IP network
VPN pool network / remote network
LAN interface nameif
I will show you how to run the packet-tracer.
Thanks.
07-16-2012 12:53 PM
Well, I might have gotten it fixed... I checked out the wiring and noticed someone hooked up a LAN line into our pre-firewall switch (very bad). So once I fixed that, the local access started to work.... but remote sites didn't. Gave up over the weekend and tried it again today, and everything is working now. Very strange.
07-16-2012 12:58 PM
Dear Chris,
I am glad to hear such good news.
I hope you have a nice day.
Please rate any post you find helpful