Solved: ASA 5505 VPN Ping Problems

GrahamB_SEMC · ‎09-09-2013

Hello everyone,

First off, I apologize if this is something that I can google. My knowledge of network administration is all self-taught so if there is a guide to follow that I've missed please point me in the right direction, its often hard to Google terms for troubleshooting when your jargon isn't up to snuff.

The chief issue is that when pinging internal devices while connected to the results are very inconsistent.

Pinging 192.168.15.102 with 32 bytes of data:

Reply from 192.168.15.102: bytes=32 time=112ms TTL=128

Request timed out.

We've set up a IPSec VPN connection to a remote Cisco ASA 5505. There are no issues connecting, connection seems constant, packets good etc. At this point I can only assume I have configuration issues but I've been looking at this for so long, and coupled with my inexperience configuring these settings I have no clue where to start. My initial thoughts are that the LAN devices I am pinging are not sending their response back or the ASA doesn't know how to route packets back?

Here's a dump of the configuration:

Result of the command: "show config"

: Saved

: Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013

!

ASA Version 8.2(5)

!

hostname VPN_Test

enable password D37rIydCZ/bnf1uj encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.15.0 internal-network

ddns update method DDNS_Update

ddns both

interval maximum 0 4 0 0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

description VLAN to inside hosts

nameif inside

security-level 100

ddns update hostname 0.0.0.0

ddns update DDNS_Update

dhcp client update dns server both

ip address 192.168.15.1 255.255.255.0

!

interface Vlan2

description External VLAN to internet

nameif outside

security-level 0

ip address xx.xx.xx.xx 255.255.255.248

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

name-server 216.221.96.37

name-server 8.8.8.8

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended deny icmp interface outside interface inside

access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any

access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192

access-list inside_access_in remark Block Internet Traffic

access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any

access-list inside_access_in remark Block Internet Traffic

access-list inside_access_in extended permit ip interface inside interface inside

access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192

access-list inside_access_in remark Block Internet Traffic

access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0

ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo-reply outside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 192.168.15.192 255.255.255.192

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group inside_access_ipv6_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http internal-network 255.255.255.0 inside

http yy.yy.yy.yy 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection timewait

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.15.200-192.168.15.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.15.101 source inside

ntp server 192.168.15.100 source inside prefer

webvpn

group-policy Remote internal

group-policy Remote attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Remote_splitTunnelAcl

username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0

username StockUser attributes

vpn-group-policy Remote

tunnel-group Remote type remote-access

tunnel-group Remote general-attributes

address-pool VPN_IP_Pool

default-group-policy Remote

tunnel-group Remote ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

Jeet Kumar · ‎09-09-2013

Hi Graham,

My first question is do you have a site to site VPN or Remote access client VPN.

After checking your configuration i see that you do not have any Site to SIte VPN configuration so i am assuming that you ara facing issue with the VPN client.

And if i understood correctly you are able to connect the VPN client but you not able to access the internal resources properly.

I would recommend you to tey and make teh following changes.

Remove the following configuration first:

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 192.168.15.192 255.255.255.192

You do not need the 1st one and i do not understand the reason of the second one

Second one is your pool IP subnet (192.168.15.200-192.168.15.250) and i am not sure why you have added this NAT.

If possible change your Pool subnet all together because we do not recommend to use th POOL ip which is simlar to your local LAN.

Try the above changes and let me know in case if you have any issue.

Thanks

Jeet Kumar

View solution in original post

Jeet Kumar · ‎09-09-2013

Hi Graham,

My first question is do you have a site to site VPN or Remote access client VPN.

After checking your configuration i see that you do not have any Site to SIte VPN configuration so i am assuming that you ara facing issue with the VPN client.

And if i understood correctly you are able to connect the VPN client but you not able to access the internal resources properly.

I would recommend you to tey and make teh following changes.

Remove the following configuration first:

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 192.168.15.192 255.255.255.192

You do not need the 1st one and i do not understand the reason of the second one

Second one is your pool IP subnet (192.168.15.200-192.168.15.250) and i am not sure why you have added this NAT.

If possible change your Pool subnet all together because we do not recommend to use th POOL ip which is simlar to your local LAN.

Try the above changes and let me know in case if you have any issue.

Thanks

Jeet Kumar

GrahamB_SEMC · ‎09-09-2013

Hi Jeet, thanks for the reply

I looked into the nat rules you mentioned and had to play around with them but got some positive results. This is what I have remaining on my configuration:

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

Everything seems well. However, if you don't mind can you answer these questions just to help my overall understanding of the ASA and NAT excemption overall?

By default the ASA has no network address translations.

By adding a dynamic rule to translate any inside packets destined for the outside interface I told the ASA to rewrite the IP address to use the outside interface's address?

This leads to requiring a excemption such that packets destined for my VPN pool were being incorrectly translated?

I'm doing my best to get my mind wrapped around the Cisco ASDM interface but there are a ton of options to take in. At times its overwhelming to understand these things so if you have any personal resource recommendations I'd be happy to hear them.

Thanks again!