ASA VPN Cannot ping across split Tunnel

chris.bias
Level 1

Hello, I'm a little bit of a newbie when it comes to Cisco ASA and setting up the VPN. I have it configured but I am not able to ping anything internally. Please advise; if you need to see my config I will be happy to provide it.

51 Replies

Forgot to ask you: what is the default gateway of your machine 172.22.45.143?

Can you provide output here? 

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

@MHM Cisco World and @SinghRaminder yes, it is 172.22.45.1

I believe that's the issue. Correct me if I'm wrong, but if I remember correctly your inside interface IP on the firewall is 172.22.45.13. So what is 172.22.45.1?

If it's another layer 3 device, you need to add a route there like ip route 192.168.15.0 255.255.255.0 172.22.45.13

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

@SinghRaminder and @MHM Cisco World the 172.22.45.1 is the gateway of the 172.22.45.13 device.

SinghRaminder
Level 1

Something is not good here. Your ASA that terminates the VPN has an inside interface of 172.22.45.13, and your machine 172.22.45.143 has a default gateway of 172.22.45.1. So all the traffic from your machine goes to the .1 device, and now this .1 device needs to know where to send the traffic for the 192.168.15.0/24 subnet. Adding this statement on the 172.22.45.1 device, ip route 192.168.15.0 255.255.255.0 172.22.45.13, will fix this, but you are saying 172.22.45.1 is the default gateway for the 172.22.45.13 device as well. Your routing does not look good to me now.

When the packet on the firewall comes from outside, the firewall sends it to the directly connected inside interface, but the packet back from the machine goes to 172.22.45.1, and this device does not know where to send the packet.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

@SinghRaminder and @MHM Cisco World 172.22.45.13 is the actual ASA device, not the VPN IP, which is 12.190.110.211

Friend, from my first comment:
Did you configure a VPN pool?

ip local pool SSL-Pool x.x.x.x mask y.y.y.y <- I did not see this pool.

This is mandatory for AnyConnect; you configured the object but not the pool.

Configure the pool, then try packet-tracer with TCP.

@MHM Cisco World and @SinghRaminder I guess I am misunderstanding what you are asking when you say VPN pool, because I have a VPN_Pool_2 which is the 192.168.15.0 255.255.255.0 network.

@chris.bias @MHM Cisco World 

He has the VPN pool; I tested with him, and he successfully connected to the VPN with IP 192.168.15.10. And @chris.bias, for your question "172.22.45.13 is the actual ASA device not the VPN IP which is 12.190.110.211": you are referring to the outside IP and I am referring to the inside IP.

Your ASA has an inside IP of 172.22.45.13, is that correct? And the gateway on your Windows machine is 172.22.45.1?

Now you said your 172.22.45.1 is also the gateway of 172.22.45.13, which does not make sense to me.

Provide us the output of show run route from the ASA,

and also show route 172.22.45.113. You will see it says connected, so the traffic from the ASA to 172.22.45.143 does NOT go through 172.22.45.1, but the return traffic goes via 172.22.45.1.

Also provide us the output of show ip route 192.168.15.10 from the 172.22.45.1 device as well.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

@SinghRaminder  and @MHM Cisco World see the output from the following:

From ASA CLI:

vpn# sh run route
route outside 0.0.0.0 0.0.0.0 12.190.110.209 1 track 1
route isp2 0.0.0.0 0.0.0.0 75.145.220.86 254
route inside 10.45.15.0 255.255.255.0 172.22.45.11 1
route inside 10.255.255.0 255.255.255.0 172.22.45.1 1
route inside 172.22.43.0 255.255.255.0 172.22.45.1 1
route inside 192.168.200.0 255.255.255.0 172.22.45.254 1
vpn# sh route 172.22.45.143

Routing entry for 172.22.45.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1

vpn# sh route 172.22.45.113

Routing entry for 172.22.45.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1

vpn#

from 172.22.45.1:

shv_core_stack#sh ip route 192.168.15.10
% Network not in table
shv_core_stack#

@chris.bias 
Can I see
show vpn-sessiondb anyconnect

@MHM Cisco World and @SinghRaminder here is the output for a connected and a disconnected session:


vpn# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : cbias Index : 463
Assigned IP : 192.168.15.10 Public IP : 76.107.0.220
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 14594 Bytes Rx : 4548
Group Policy : GroupPolicy_LifeShareVPN
Tunnel Group : LifeShareVPN
Login Time : 11:09:12 CDT Thu May 19 2022
Duration : 0h:00m:17s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000001cf00062866ba8
Security Grp : none

vpn# show vpn-sessiondb anyconnect
INFO: There are presently no active sessions of the type specified

vpn#

@MHM Cisco World @chris.bias 

Please also check the output of show ip route from the 172.22.45.1 device.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

@SinghRaminder and @MHM Cisco World see output below:

shv_core_stack#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 172.22.45.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.22.45.254
10.0.0.0/8 is variably subnetted, 82 subnets, 7 masks
C 10.10.10.0/24 is directly connected, Vlan1010
L 10.10.10.1/32 is directly connected, Vlan1010
C 10.10.11.0/24 is directly connected, Vlan1011
L 10.10.11.1/32 is directly connected, Vlan1011
C 10.10.12.0/24 is directly connected, Vlan1012
L 10.10.12.1/32 is directly connected, Vlan1012
S 10.10.21.0/24 [1/0] via 172.22.45.254
S 10.10.22.0/24 [1/0] via 172.22.45.254
S 10.10.101.0/24 [1/0] via 172.22.45.13
S 10.11.1.0/24 [1/0] via 172.22.45.173
O E2 10.11.20.0/30 [110/20] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.21.0/30 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.23.0/30 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.24.0/30 [110/2] via 172.22.45.2, 05:03:10, Vlan45
O E2 10.11.25.0/30 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.11.26.0/30 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 10.11.29.0/30 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.11.50.0/29 [110/2] via 172.22.45.2, 3w3d, Vlan45
C 10.20.2.0/24 is directly connected, Vlan2
L 10.20.2.1/32 is directly connected, Vlan2
S 10.20.8.0/24 [1/0] via 172.22.45.11
O E2 10.21.1.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.21.2.0/24 [120/0] via 172.22.45.13
O E2 10.21.3.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.21.4.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.21.8.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.22.1.0/24 [120/0] via 172.22.45.13
S 10.22.2.0/24 [120/0] via 172.22.45.13
S 10.22.3.0/24 [120/0] via 172.22.45.13
S 10.22.4.0/24 [120/0] via 172.22.45.13
S 10.22.8.0/24 [120/0] via 172.22.45.13
O E2 10.23.1.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.23.2.0/24 [120/0] via 172.22.45.13
O E2 10.23.3.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.23.4.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.23.8.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.24.1.0/24 [110/2] via 172.22.45.2, 04:59:44, Vlan45
S 10.24.2.0/24 [120/0] via 172.22.45.13
O E2 10.24.3.0/24 [110/2] via 172.22.45.2, 04:59:14, Vlan45
O E2 10.24.4.0/24 [110/2] via 172.22.45.2, 04:59:14, Vlan45
O E2 10.24.8.0/24 [110/2] via 172.22.45.2, 04:59:14, Vlan45
O E2 10.25.1.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
S 10.25.2.0/24 [120/0] via 172.22.45.13
O E2 10.25.3.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.25.4.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.25.8.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 10.26.1.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
S 10.26.2.0/24 [120/0] via 172.22.45.13
O E2 10.26.3.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 10.26.4.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 10.26.8.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
S 10.27.0.0/16 [1/0] via 172.22.45.13
S 10.28.1.0/24 [1/0] via 172.22.45.13
S 10.28.4.0/24 [1/0] via 172.22.45.13
S 10.28.8.0/24 [1/0] via 172.22.45.13
O E2 10.29.1.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.3.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.4.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.7.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 10.29.8.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
S 10.45.15.0/24 [1/0] via 172.22.45.11
O E2 10.45.64.0/24 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 10.45.65.0/24 [110/20] via 172.22.45.13, 1d23h, Vlan45
S 10.45.240.0/24 [1/0] via 172.22.45.11
O E2 10.50.1.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.2.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.3.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.4.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.5.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.6.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.7.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
O E2 10.50.8.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
S 10.140.152.176/28 [1/0] via 172.22.45.13
S 10.146.57.64/27 [1/0] via 172.22.45.13
C 10.255.199.0/24 is directly connected, Vlan199
L 10.255.199.1/32 is directly connected, Vlan199
C 10.255.253.0/24 is directly connected, Vlan253
L 10.255.253.1/32 is directly connected, Vlan253
C 10.255.254.0/24 is directly connected, Vlan254
L 10.255.254.1/32 is directly connected, Vlan254
C 10.255.255.0/24 is directly connected, Vlan255
L 10.255.255.1/32 is directly connected, Vlan255
12.0.0.0/28 is subnetted, 4 subnets
O E2 12.253.89.176 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 12.253.93.32 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 12.253.93.64 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 12.253.93.96 [110/2] via 172.22.45.2, 7w0d, Vlan45
32.0.0.0/32 is subnetted, 1 subnets
S 32.244.139.42 [1/0] via 172.22.45.254
172.21.0.0/24 is subnetted, 6 subnets
O E2 172.21.45.0 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.21.48.0 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.21.145.0 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.21.148.0 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.21.245.0 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.21.248.0 [110/2] via 172.22.45.2, 7w0d, Vlan45
172.22.0.0/16 is variably subnetted, 17 subnets, 2 masks
C 172.22.10.0/24 is directly connected, Vlan10
L 172.22.10.1/32 is directly connected, Vlan10
S 172.22.42.0/24 [1/0] via 172.22.45.13
C 172.22.43.0/24 is directly connected, Vlan43
L 172.22.43.1/32 is directly connected, Vlan43
O E2 172.22.44.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
C 172.22.45.0/24 is directly connected, Vlan45
L 172.22.45.1/32 is directly connected, Vlan45
O E2 172.22.46.0/24 [110/2] via 172.22.45.2, 04:59:44, Vlan45
S 172.22.47.0/24 [1/0] via 172.22.45.13
O E2 172.22.48.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.22.49.0/24 [110/2] via 172.22.45.2, 6d11h, Vlan45
O E2 172.22.50.0/24 [110/2] via 172.22.45.2, 1w0d, Vlan45
O E2 172.22.51.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.22.244.0/24 [110/2] via 172.22.45.2, 7w0d, Vlan45
O E2 172.22.245.0/24 [110/20] via 172.22.45.13, 1d23h, Vlan45
O E2 172.22.246.0/24 [110/2] via 172.22.45.2, 04:59:44, Vlan45
172.23.0.0/24 is subnetted, 1 subnets
S 172.23.45.0 [1/0] via 172.22.45.13
O E2 192.168.1.0/24 [110/2] via 172.22.45.2, 3w3d, Vlan45
S 192.168.49.0/24 [120/0] via 172.22.45.13
S 192.168.52.0/24 [1/0] via 172.22.45.13
shv_core_stack#sh ip route 192.168.15.10
% Network not in table
shv_core_stack#

SinghRaminder
Level 1

So your 172.22.45.1 device sends all the traffic to 172.22.45.254, and we do not know what that device is.

Your routing does not look good here at all for the VPN subnet. See the picture below for understanding: the blue line is the incoming traffic and the green line is the return traffic.

You also said "the 172.22.45.1 is the gateway of the 172.22.45.13 device.", which is not the case from the output of show run route on the ASA.

[image.png: diagram of the incoming (blue) and return (green) traffic paths; image not reproduced]

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer
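The asymmetric path Raminder describes in the two posts above (the ASA delivers the inbound packet on its connected inside interface, while the host's reply goes to 172.22.45.1, which has no route for 192.168.15.0/24 and falls back to its default toward 172.22.45.254) can be reproduced with a longest-prefix-match walk over the posted route tables. This is an added example, not code from the thread or from Cisco; it parses a trimmed copy of the `sh ip route` and `sh run route` output posted above, and the addresses 172.22.45.13 (ASA inside), 172.22.45.1 (host gateway) and 192.168.15.10 (client) are the values the thread states. Administrative distance is ignored because no two entries in the sample overlap at the same prefix length.

```python
"""
Longest-prefix-match walk of the forward and return path between the
AnyConnect client 192.168.15.10 and the inside host 172.22.45.143.

Added example, not code from the thread. Route lines are copied from the
outputs posted in the thread and trimmed to the ones that matter.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trimmed from the core switch "sh ip route" posted in the thread.
CORE_SHOW_IP_ROUTE = """\
Gateway of last resort is 172.22.45.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.22.45.254
S 10.10.101.0/24 [1/0] via 172.22.45.13
O E2 10.11.20.0/30 [110/20] via 172.22.45.2, 7w0d, Vlan45
C 172.22.45.0/24 is directly connected, Vlan45
L 172.22.45.1/32 is directly connected, Vlan45
S 192.168.52.0/24 [1/0] via 172.22.45.13
"""
# Trimmed from the ASA "sh run route" posted in the thread.
ASA_SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 12.190.110.209 1 track 1
route inside 10.45.15.0 255.255.255.0 172.22.45.11 1
route inside 172.22.43.0 255.255.255.0 172.22.45.1 1
"""
ASA_CONNECTED = ["172.22.45.0/24"]  # inside interface network; ASA inside IP is 172.22.45.13
# The IOS table entry that "ip route 192.168.15.0 255.255.255.0 172.22.45.13" installs.
FIX_LINE = "S 192.168.15.0/24 [1/0] via 172.22.45.13"

HOST, HOST_GW = "172.22.45.143", "172.22.45.1"
CLIENT, ASA_INSIDE = "192.168.15.10", "172.22.45.13"


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a directly connected network
    source: str               # IOS code ("S", "S*", "O E2", ...) or ASA interface name


# IOS lines with an explicit /len; "subnetted" summaries and classful lines are skipped.
IOS_LINE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z]\d)?) (?P<prefix>\d+(?:\.\d+){3}/\d+) "
    r"(?:\[\d+/\d+\] via (?P<nh>\d+(?:\.\d+){3})|is directly connected, \S+)"
)
# ASA "route <iface> <net> <mask> <next-hop> ..." lines.
ASA_LINE = re.compile(
    r"^route (?P<iface>\S+) (?P<net>\d+(?:\.\d+){3}) (?P<mask>\d+(?:\.\d+){3}) "
    r"(?P<nh>\d+(?:\.\d+){3})"
)


def parse_ios(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = IOS_LINE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m["prefix"], strict=False)
            routes.append(Route(net, m["nh"], m["code"]))
    return routes


def parse_asa(text: str, connected: List[str]) -> List[Route]:
    routes = [Route(ipaddress.ip_network(n), None, "connected") for n in connected]
    for line in text.splitlines():
        m = ASA_LINE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append(Route(net, m["nh"], m["iface"]))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def forward_hop() -> str:
    """Where the ASA sends a decrypted VPN packet destined for the inside host."""
    r = lookup(parse_asa(ASA_SHOW_RUN_ROUTE, ASA_CONNECTED), HOST)
    return r.next_hop or "connected"


def return_hop(core_table: str) -> Tuple[Optional[str], int]:
    """Where the host's gateway (.1) sends the reply for the VPN client:
    (next hop, prefix length of the matching route)."""
    r = lookup(parse_ios(core_table), CLIENT)
    return r.next_hop, r.network.prefixlen


def path_is_symmetric(core_table: str) -> bool:
    """True when the reply is handed back to the ASA the request came from."""
    return return_hop(core_table)[0] == ASA_INSIDE


if __name__ == "__main__":
    print(f"ASA -> {HOST}: {forward_hop()} on inside")
    nh, plen = return_hop(CORE_SHOW_IP_ROUTE)
    print(f"{HOST} -> {HOST_GW} -> {CLIENT}: via {nh} (matched /{plen}), symmetric="
          f"{path_is_symmetric(CORE_SHOW_IP_ROUTE)}")
    fixed = CORE_SHOW_IP_ROUTE + FIX_LINE + "\n"
    nh, plen = return_hop(fixed)
    print(f"after static route: via {nh} (matched /{plen}), symmetric={path_is_symmetric(fixed)}")
```

Without the static route the only entry containing 192.168.15.10 is the /0 default, so the reply leaves toward 172.22.45.254 and never reaches the ASA that holds the VPN session; with the route added, the /24 wins the match and the reply returns to 172.22.45.13. The same check is worth repeating on every hop in the return path (here, whatever 172.22.45.254 is), since a single router without the route is enough to break the tunnel traffic.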