05-09-2014 07:02 AM
I also added screenshots from Packet Tracer,
and here is the configuration:
Can anyone please help me get the traffic to the other hosts?
But is there any other solution for this issue without one of these workarounds?
show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname asa
domain-name test.lab
enable password XejxZFfyt2wxqfff encrypted
passwd XejxZFfyt2wxqfff encrypted
names
dns-guard
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.230 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.10
domain-name planet-express.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Address-Pool
description VPN-Address-Pool
object network inside-network
subnet 192.168.1.0 255.255.255.0
description inside-network
object network VPN-Pool
subnet 10.10.10.0 255.255.255.0
object network AnyConnect-VPN-Pool
object network LAN
subnet 192.168.1.0 255.255.255.0
object network asa
host 192.168.1.230
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-Address-Pool 10.10.10.10-10.10.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
nat (any,inside) source dynamic VPN-Pool interface inactive
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server planet-express protocol nt
aaa-server planet-express (inside) host farnsworth.planet-express.internal
nt-auth-domain-controller 192.168.1.10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=test
keypair key-2048
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2ee76b53
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable inside
anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-3.1.05160-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-3.1.05160-k9.pkg 4
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.1.10
vpn-tunnel-protocol ikev2 ssl-client
default-domain value test.lab
webvpn
anyconnect profiles value AnyConnect_client_profile type user
group-policy Portal-Group-Policy internal
group-policy Portal-Group-Policy attributes
wins-server none
dns-server value 192.168.1.10
vpn-tunnel-protocol ssl-clientless
default-domain value test.lab
webvpn
url-list value Administrator
username admin password Cisco encrypted privilege 15
tunnel-group Portal type remote-access
tunnel-group Portal general-attributes
address-pool VPN-Address-Pool
default-group-policy Portal-Group-Policy
tunnel-group Portal webvpn-attributes
group-alias Portal enable
group-alias portal disable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN-Address-Pool
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect http
inspect icmp
inspect icmp error
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:
: end
05-13-2014 08:50 AM
Hi,
When you try to ping '192.168.1.10' or '192.168.1.40' from the remote client (10.10.10.14), the ASA will forward those ICMP packets directly to the destination after decryption, so it is impossible to observe them on the firewall. Those ICMP packets should reach their destination.
The ICMP reply will go to the default GW (192.168.1.254), as the two servers have no route entry to 10.10.10.14. The default GW finds that the next hop to '10.10.10.14' is 192.168.1.240, so it will discard those ICMP packets and send an ICMP redirect message (type 5) to the two servers, which means the ASA is closer to 10.10.10.14; however, the two servers ignore this redirect message, so you cannot ping the two servers.
Solution: enable the two servers to accept ICMP redirect messages.
Regards,
David
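The asymmetric return path David describes, modelled in Python as an added example (not part of the thread): a LAN server with only a connected route and a default route sends its reply for 10.10.10.14 to 192.168.1.254 instead of back to the ASA; honouring the ICMP redirect installs a host route via the ASA, and activating the posted `nat (any,inside) source dynamic VPN-Pool interface` rule (with `same-security-traffic permit intra-interface`) makes the request appear to come from 192.168.1.230 so the reply stays on the LAN. The addresses and the server routing table are assumptions taken from the config above, not captured from a device.

```python
import ipaddress

# Constructed model of the thread's topology (assumed values, not taken from a live device):
# remote AnyConnect client from the VPN pool, ASA inside interface, LAN default gateway.
ASA_INSIDE = ipaddress.ip_address("192.168.1.230")
DEFAULT_GW = ipaddress.ip_address("192.168.1.254")
VPN_CLIENT = ipaddress.ip_address("10.10.10.14")

# A LAN server's routing table as (prefix, next_hop); next_hop None = directly connected.
SERVER_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW),
]

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or dst itself when directly connected."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best[1] is None else best[1]

def request_source(hairpin_nat):
    """Source address the server sees in the echo request: the real pool address, or the
    ASA inside address once 'nat (any,inside) source dynamic VPN-Pool interface' is active."""
    return ASA_INSIDE if hairpin_nat else VPN_CLIENT

def reply_next_hop(routes, hairpin_nat=False):
    """Where the server sends its echo reply."""
    return lookup(routes, request_source(hairpin_nat))

def accept_redirect(routes, target, new_gw):
    """What honouring an ICMP redirect (type 5) does: install a host route for the target."""
    return routes + [(ipaddress.ip_network(f"{target}/32"), new_gw)]

def path_is_symmetric(routes, hairpin_nat=False):
    """True when the reply returns to the ASA, the device that decrypted the request."""
    return reply_next_hop(routes, hairpin_nat) == ASA_INSIDE

if __name__ == "__main__":
    print("no fix           :", reply_next_hop(SERVER_ROUTES))  # 192.168.1.254
    print("redirect honoured:", reply_next_hop(accept_redirect(SERVER_ROUTES, VPN_CLIENT, ASA_INSIDE)))
    print("hairpin NAT on   :", reply_next_hop(SERVER_ROUTES, hairpin_nat=True))
```

The same lookup shows why the ASA never sees the reply in the first case: nothing in the server's table points at 192.168.1.230, so the packet can only leave toward the default gateway.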