05-16-2022 01:50 PM
Hello, a little bit of a newbie when it comes to Cisco ASA and setting up the VPN, but I have it configured and am not able to ping anything internally. Please advise; if you need to see my config I will be happy to provide it.
05-19-2022 07:37 AM
Forgot to ask you what is the default gateway of your machine 172.22.45.143
Can you provide output here?
05-19-2022 07:43 AM
@MHM Cisco World and @SinghRaminder yes it is 172.22.45.1
05-19-2022 07:48 AM
I believe that's the issue. Correct me if I'm wrong, but if I remember correctly your inside interface IP on the firewall is 172.22.45.13. So what is 172.22.45.1?
If it's another layer 3 device, you need to add a route there like ip route 192.168.15.0 255.255.255.0 172.22.45.13
05-19-2022 07:50 AM
@SinghRaminder and @MHM Cisco World the 172.22.45.1 is the gateway of the 172.22.45.13 device.
05-19-2022 07:59 AM - edited 05-19-2022 08:00 AM
Something is not good here. Your ASA that terminates the VPN has an inside interface of 172.22.45.13, and your machine 172.22.45.143 has a default gateway of 172.22.45.1. So all the traffic from your machine goes to the .1 device; now this .1 device needs to know where to send the traffic for the 192.168.15.0/24 subnet. Adding this statement on the 172.22.45.1 device, ip route 192.168.15.0 255.255.255.0 172.22.45.13, will fix this, but you are saying 172.22.45.1 is the default gateway for the 172.22.45.13 device as well. Your routing does not look good to me now.
When the packet on the firewall comes from outside, the firewall sends it to the directly connected inside interface, but the packet back from the machine goes to 172.22.45.1, and this device does not know where to send the packet.
05-19-2022 08:07 AM
@SinghRaminder and @MHM Cisco World 172.22.45.13 is the actual ASA device, not the VPN IP, which is 12.190.110.211
05-19-2022 08:08 AM
Friend, from my first comment:
Do you configure a VPN pool?
ip local pool SSL-Pool x.x.x.x mask y.y.y.y <- I did not see this pool.
This is mandatory for AnyConnect; you configured the object but not the pool.
Configure the pool, then try packet-tracer TCP.
05-19-2022 08:13 AM
@MHM Cisco World and @SinghRaminder I guess I am misunderstanding what you are asking when you say VPN pool, because I have a VPN_Pool_2, which is the 192.168.15.0 255.255.255.0 network.
05-19-2022 08:31 AM
He has the VPN pool; I tested with him, and he is successfully connected to the VPN with IP 192.168.15.10. And @chris.bias, for your question "172.22.45.13 is the actual ASA device not the VPN IP which is 12.190.110.211": you are referring to the outside IP and I am referring to the inside IP.
Your ASA has an inside IP of 172.22.45.13, is that correct? And your gateway on your Windows machine is 172.22.45.1?
Now you said your 172.22.45.1 is also the gateway of 172.22.45.13, which does not make sense to me.
Provide us the output of show run route from the ASA
and also show route 172.22.45.113; you will see it says connected, so the traffic from the ASA to 172.22.45.143 does NOT go through 172.22.45.1 but the return traffic goes via 172.22.45.1
Also provide us the output of show ip route 192.168.15.10 from the 172.22.45.1 device as well
05-19-2022 08:41 AM
@SinghRaminder and @MHM Cisco World see the output from the following:
From ASA CLI:
vpn# sh run route
route outside 0.0.0.0 0.0.0.0 12.190.110.209 1 track 1
route isp2 0.0.0.0 0.0.0.0 75.145.220.86 254
route inside 10.45.15.0 255.255.255.0 172.22.45.11 1
route inside 10.255.255.0 255.255.255.0 172.22.45.1 1
route inside 172.22.43.0 255.255.255.0 172.22.45.1 1
route inside 192.168.200.0 255.255.255.0 172.22.45.254 1
vpn# sh route 172.22.45.143
Routing entry for 172.22.45.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1
vpn# sh route 172.22.45.113
Routing entry for 172.22.45.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1
vpn#
from 172.22.45.1:
shv_core_stack#sh ip route 192.168.15.10
% Network not in table
shv_core_stack#
05-19-2022 08:53 AM - edited 05-19-2022 08:54 AM
@chris.bias
Can I see
show vpn-sessiondb anyconnect
05-19-2022 09:11 AM
@MHM Cisco World and @SinghRaminder here is the output for a connected and a disconnected session:
vpn# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : cbias Index : 463
Assigned IP : 192.168.15.10 Public IP : 76.107.0.220
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 14594 Bytes Rx : 4548
Group Policy : GroupPolicy_LifeShareVPN
Tunnel Group : LifeShareVPN
Login Time : 11:09:12 CDT Thu May 19 2022
Duration : 0h:00m:17s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000001cf00062866ba8
Security Grp : none
vpn# show vpn-sessiondb anyconnect
INFO: There are presently no active sessions of the type specified
vpn#
05-19-2022 09:11 AM
Please also check the output of show ip route from 172.22.45.1 device
05-19-2022 09:19 AM
@SinghRaminder and @MHM Cisco World see output below:
shv_core_stack#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 172.22.45.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.22.45.254
10.0.0.0/8 is variably subnetted, 82 subnets, 7 masks
C 10.10.10.0/24 is directly connected, Vlan1010
L 10.10.10.1/32 is directly connected, Vlan1010
C 10.10.11.0/24 is directly connected, Vlan1011
L 10.10.11.1/32 is directly connected, Vlan1011
C 10.10.12.0/24 is directly connected, Vlan1012
L 10.10.12.1/32 is directly connected, Vlan1012
S 10.10.21.0/24 [1/0] via 172.22.45.254
S 10.10.22.0/24 [1/0] via 172.22.45.254
S 10.10.101.0/24 [1/0] via 172.22.45.13
S 10.11.1.0/24 [1/0] via 172.22.45.173
O E2 10.11.20.0/30 [110/20] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.21.0/30 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.23.0/30 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.24.0/30 [110/2] via 172.22.45.2, 05:03:10, Vlan45
O E2 10.11.25.0/30 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.11.26.0/30 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 10.11.29.0/30 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.50.0/29 [110/2] via 172.22.45.2, 3w3d, Vlan45
C 10.20.2.0/24 is directly connected, Vlan2
L 10.20.2.1/32 is directly connected, Vlan2
S 10.20.8.0/24 [1/0] via 172.22.45.11
O E2 10.21.1.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.21.2.0/24 [120/0] via 172.22.45.13
O E2 10.21.3.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.21.4.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.21.8.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.22.1.0/24 [120/0] via 172.22.45.13
S 10.22.2.0/24 [120/0] via 172.22.45.13
S 10.22.3.0/24 [120/0] via 172.22.45.13
S 10.22.4.0/24 [120/0] via 172.22.45.13
S 10.22.8.0/24 [120/0] via 172.22.45.13
O E2 10.23.1.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.23.2.0/24 [120/0] via 172.22.45.13
O E2 10.23.3.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.23.4.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.23.8.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.24.1.0/24 [110/2] via 172.22.45.2, 04:59:44, Vlan45
S 10.24.2.0/24 [120/0] via 172.22.45.13
O E2 10.24.3.0/24 [110/2] via 172.22.45.2, 04:59:14, Vlan45
O E2 10.24.4.0/24 [110/2] via 172.22.45.2, 04:59:14, Vlan45
O E2 10.24.8.0/24 [110/2] via 172.22.45.2, 04:59:14, Vlan45
O E2 10.25.1.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
S 10.25.2.0/24 [120/0] via 172.22.45.13
O E2 10.25.3.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.25.4.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.25.8.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.26.1.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
S 10.26.2.0/24 [120/0] via 172.22.45.13
O E2 10.26.3.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 10.26.4.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 10.26.8.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
S 10.27.0.0/16 [1/0] via 172.22.45.13
S 10.28.1.0/24 [1/0] via 172.22.45.13
S 10.28.4.0/24 [1/0] via 172.22.45.13
S 10.28.8.0/24 [1/0] via 172.22.45.13
O E2 10.29.1.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.3.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.4.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.7.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.8.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.45.15.0/24 [1/0] via 172.22.45.11
O E2 10.45.64.0/24 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 10.45.65.0/24 [110/20] via 172.22.45.13, 1d23h, Vlan45
S 10.45.240.0/24 [1/0] via 172.22.45.11
O E2 10.50.1.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.2.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.3.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.4.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.5.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.6.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.7.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.8.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
S 10.140.152.176/28 [1/0] via 172.22.45.13
S 10.146.57.64/27 [1/0] via 172.22.45.13
C 10.255.199.0/24 is directly connected, Vlan199
L 10.255.199.1/32 is directly connected, Vlan199
C 10.255.253.0/24 is directly connected, Vlan253
L 10.255.253.1/32 is directly connected, Vlan253
C 10.255.254.0/24 is directly connected, Vlan254
L 10.255.254.1/32 is directly connected, Vlan254
C 10.255.255.0/24 is directly connected, Vlan255
L 10.255.255.1/32 is directly connected, Vlan255
12.0.0.0/28 is subnetted, 4 subnets
O E2 12.253.89.176 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 12.253.93.32 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 12.253.93.64 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 12.253.93.96 [110/2] via 172.22.45.2, 7w0d, Vlan45
32.0.0.0/32 is subnetted, 1 subnets
S 32.244.139.42 [1/0] via 172.22.45.254
172.21.0.0/24 is subnetted, 6 subnets
O E2 172.21.45.0 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.21.48.0 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.21.145.0 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.21.148.0 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.21.245.0 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.21.248.0 [110/2] via 172.22.45.2, 7w0d, Vlan45
172.22.0.0/16 is variably subnetted, 17 subnets, 2 masks
C 172.22.10.0/24 is directly connected, Vlan10
L 172.22.10.1/32 is directly connected, Vlan10
S 172.22.42.0/24 [1/0] via 172.22.45.13
C 172.22.43.0/24 is directly connected, Vlan43
L 172.22.43.1/32 is directly connected, Vlan43
O E2 172.22.44.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
C 172.22.45.0/24 is directly connected, Vlan45
L 172.22.45.1/32 is directly connected, Vlan45
O E2 172.22.46.0/24 [110/2] via 172.22.45.2, 04:59:44, Vlan45
S 172.22.47.0/24 [1/0] via 172.22.45.13
O E2 172.22.48.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.22.49.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 172.22.50.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 172.22.51.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.22.244.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.22.245.0/24 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.22.246.0/24 [110/2] via 172.22.45.2, 04:59:44, Vlan45
172.23.0.0/24 is subnetted, 1 subnets
S 172.23.45.0 [1/0] via 172.22.45.13
O E2 192.168.1.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
S 192.168.49.0/24 [120/0] via 172.22.45.13
S 192.168.52.0/24 [1/0] via 172.22.45.13
shv_core_stack#sh ip route 192.168.15.10
% Network not in table
shv_core_stack#
05-19-2022 09:28 AM
So your 172.22.45.1 device sends all the traffic to 172.22.45.254, and we do not know what that is.
Your routing does not look good here at all for the VPN subnet; see the picture below for understanding: the blue line is for the incoming traffic and the green is for the return traffic.
You also said "the 172.22.45.1 is the gateway of the 172.22.45.13 device", which is not the case from the output of show run route on the ASA.
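To make the asymmetric path described in the replies above concrete, here is an added Python model (not from the thread and not Cisco code) that does longest-prefix lookups over the routing entries posted in this thread and traces a reply from 172.22.45.143 to the VPN client 192.168.15.10, before and after the suggested ip route statement on the core stack. The ASA's tunnel route for the pool is an assumption, since it does not appear in sh run route.

```python
import ipaddress

# Tables reconstructed from the thread's "sh run route" (ASA) and "sh ip route"
# (core stack); only the entries that matter for the VPN client path are kept.
ASA_ROUTES = [
    ("0.0.0.0/0", "outside", "12.190.110.209"),
    ("172.22.45.0/24", "inside", "connected"),
    ("192.168.15.0/24", "tunnel", "connected"),   # AnyConnect pool (assumed tunnel route)
]
CORE_ROUTES = [
    ("0.0.0.0/0", "Vlan45", "172.22.45.254"),     # S* gateway of last resort
    ("172.22.45.0/24", "Vlan45", "connected"),
    ("10.21.2.0/24", "Vlan45", "172.22.45.13"),
]
ASA_INSIDE = "172.22.45.13"
HOST, HOST_GW, VPN_CLIENT = "172.22.45.143", "172.22.45.1", "192.168.15.10"

def parse_ios_static(cmd):
    """Turn 'ip route NET MASK NEXTHOP' into a table entry (interface assumed Vlan45)."""
    _, _, net, mask, nh = cmd.split()
    return (str(ipaddress.ip_network(f"{net}/{mask}")), "Vlan45", nh)

def next_hop(table, dst):
    """Longest-prefix match: returns the next hop, 'connected', or None (no route)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, _iface, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def return_path(core_table):
    """Hops a reply from the LAN host takes toward the VPN client.
    The host only knows its default gateway, so the core stack decides the rest."""
    hops = [HOST, HOST_GW]
    nh = next_hop(core_table, VPN_CLIENT)
    if nh == "connected":
        hops.append(VPN_CLIENT)
    elif nh:
        hops.append(nh)
    return hops

def reply_reaches_asa(core_table):
    """True only if the reply lands on the ASA inside interface that owns the tunnel."""
    return return_path(core_table)[-1] == ASA_INSIDE

if __name__ == "__main__":
    print("ASA -> host:", next_hop(ASA_ROUTES, HOST))      # connected: delivered directly
    print("reply before fix:", return_path(CORE_ROUTES))   # ends at 172.22.45.254
    fixed = CORE_ROUTES + [parse_ios_static("ip route 192.168.15.0 255.255.255.0 172.22.45.13")]
    print("reply after fix:", return_path(fixed))          # ends at the ASA
```

The core stack already learns O E2 prefixes from 172.22.45.13, so advertising the pool subnet from the ASA would work as well as the static route; either way the return hop must be the ASA inside address.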