11-03-2013 04:09 PM - edited 02-21-2020 07:17 PM
To give some background, this ASA was reloaded and upgraded from 8.2 to 9.1. I'm able to connect into the VPN but unable to reach anything on the inside, including the ASA. I sadly haven't had a lot of experience with 8.3+, but I thought I had the NAT properly done. Nothing else is currently configured for the ASA as it's just a test ASA currently, so I might have just missed something obvious.
ASA Version 9.1(3)
!
hostname testasa
enable password Ry5/Pmodu2QL1Xe3 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPNPool 192.168.3.1-192.168.3.200 mask 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.252 255.255.255.0
!
ftp mode passive
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network obj-inside
subnet 192.168.2.0 255.255.255.0
object network obj-vpn
subnet 192.168.3.0 255.255.255.0
access-list VPNGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns 208.67.222.222 198.153.192.40 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy VPNGroup internal
group-policy VPNGroup attributes
dns-server value 208.67.222.222 198.153.192.40
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGroup_splitTunnelAcl
split-tunnel-all-dns disable
msie-proxy method no-proxy
vlan none
nac-settings none
username test password I9znLlryc6yq.BN4 encrypted privilege 15
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
address-pool VPNPool
default-group-policy VPNGroup
tunnel-group VPNGroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
11-04-2013 11:54 AM
Hi,
To be honest, I can't see anything in the configuration that should be a problem.
Your NAT configuration seems to be correct.
You have the global setting "sysopt connection permit-vpn", which doesn't show up in this form in the CLI configuration. This configuration essentially means that the ASA would allow traffic coming from a VPN connection to bypass the interface ACL of the interface where the VPN connection terminates (outside).
Your split tunnel ACL is also correct.
Could you perhaps log in with the VPN client, run a continuous ICMP to some LAN host and provide us the output of the following command after the ICMP has run for a few seconds:
show crypto ipsec sa
This should show the VPN counters.
You could also try adding
management-access inside
This should enable you to ICMP the "inside" IP address of the ASA and also manage the ASA through the VPN connection using the "inside" IP address, provided you have allowed it. Though for this you might need to change the "nat" configuration to this:
nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn route-lookup
Hope this helps
- Jouni
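The checks in the answer above can be turned into a small config lint. The following is an added example, not code from the thread or from Cisco: it parses an ASA 8.3+/9.x configuration, finds the identity twice-NAT rule that must cover the VPN pool (without it, inside-to-client traffic falls through to the "after-auto" PAT rule and the return path breaks), flags the rule as needing "route-lookup" when "management-access" is configured (the fix that resolved this thread), notes that the default "sysopt connection permit-vpn" lets decrypted VPN traffic bypass the outside ACL unless a group-policy "vpn-filter" is set, and flags the weak IKEv1/IPsec/SSH choices visible in the posted config (DES/3DES, MD5, DH group 1 and 2). SAMPLE_CONFIG is a constructed excerpt modelled on the posted configuration; the finding texts and function names are this example's own.

```python
"""Lint an ASA 8.3+/9.x config for remote-access VPN NAT and policy issues."""
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the thread (not the full dump).
SAMPLE_CONFIG = """\
ip local pool VPNPool 192.168.3.1-192.168.3.200 mask 255.255.255.0
object network obj-inside
 subnet 192.168.2.0 255.255.255.0
object network obj-vpn
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn
nat (inside,outside) after-auto source dynamic any interface
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
ssh key-exchange group dh-group1-sha1
group-policy VPNGroup attributes
 vpn-tunnel-protocol ikev1
management-access inside
"""

# (regex, finding template); group 1 is substituted into the template.
WEAK = [
    (r"^\s*encryption (des|3des)$", "IKEv1 policy uses encryption {}"),
    (r"^\s*hash (md5)$", "IKEv1 policy uses hash {}"),
    (r"^\s*group ([12])$", "IKEv1 policy uses DH group {}"),
    (r"^crypto ipsec ikev1 transform-set (\S+) .*(?:esp-des|esp-3des|esp-md5-hmac)",
     "transform-set {} uses DES/3DES or MD5"),
    (r"^ssh key-exchange group (dh-group1-sha1)$", "SSH key exchange uses {}"),
]


def parse_network_objects(cfg):
    """Map each 'object network NAME' to the ipaddress network it defines."""
    objects, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"host (\S+)$", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    pat = r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)"
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(pat, cfg, re.M)}


def find_nat_exemptions(cfg, objects):
    """Identity twice-NAT rules as (real_src_net, real_dst_net, has_route_lookup)."""
    pat = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) "
                     r"destination static (\S+) (\S+)(.*)$", re.M)
    rules = []
    for m in pat.finditer(cfg):
        src, src_map, dst, dst_map, rest = m.groups()
        if src == src_map and dst == dst_map and src in objects and dst in objects:
            rules.append((objects[src], objects[dst], "route-lookup" in rest))
    return rules


def lint(cfg):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    objects = parse_network_objects(cfg)
    exemptions = find_nat_exemptions(cfg, objects)
    mgmt = re.search(r"^management-access (\S+)", cfg, re.M)
    for name, (lo, hi) in parse_pools(cfg).items():
        covering = [r for r in exemptions if lo in r[1] and hi in r[1]]
        if not covering:
            findings.append(f"pool {name}: no identity twice-NAT rule covers it; inside->VPN "
                            "traffic hits the after-auto PAT rule and return traffic breaks")
        elif mgmt and not any(r[2] for r in covering):
            findings.append(f"pool {name}: management-access {mgmt.group(1)} is set but the "
                            "identity NAT rule lacks route-lookup, so VPN clients cannot reach "
                            f"the {mgmt.group(1)} interface address")
    if (not re.search(r"^no sysopt connection permit-vpn", cfg, re.M)
            and not re.search(r"^\s*vpn-filter value", cfg, re.M)):
        findings.append("sysopt connection permit-vpn is at its default (enabled): decrypted "
                        "VPN traffic bypasses the outside ACL and no vpn-filter is configured")
    for pattern, template in WEAK:
        for m in re.finditer(pattern, cfg, re.M):
            findings.append(template.format(m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed excerpt it reports the missing "route-lookup" keyword, the permit-vpn/vpn-filter caveat and the weak DES, DH group 2, ESP-DES-MD5 and SSH group 1 settings; appending "route-lookup" to the identity rule clears the NAT finding. Feed it "show running-config" output from a real box, keeping in mind that the regexes only cover the twice-NAT and object forms used in this thread.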
11-04-2013 12:01 PM
Also,
As there is no real reason visible why the ASA/VPN wouldn't pass ICMP traffic, and given that you are running the latest software to my understanding, I wouldn't rule out the possibility of a bug.
You could then consider trying out software like
Just thinking as you mention that the ASA is used for test purposes.
- Jouni
11-04-2013 06:33 PM
After applying the NAT rule that you suggested I was able to ping and access the inside network without issue. Though I'm happy I wasn't that far off on how it should have been set up.
Thank you.