ASA VPN Cannot ping across split Tunnel

chris.bias
Level 1

Hello, I am a little bit of a newbie when it comes to Cisco ASA and setting up the VPN, but I have it configured and am not able to ping anything internally. Please advise; if you need to see my config I will be happy to provide it.

51 Replies

Friend, you attached this config and I don't see the POOL?? Maybe I am wrong.

SinghRaminder
Level 1

A few things are missing here:

1. Your split tunnel does not appear to be correct because:

 a. Your AnyConnect pool is 192.168.15.0/24 and you are using the same subnet in the split tunnel. It actually should be the destination subnets that you need to access over VPN, for example: access-list Split-Tunnel standard permit 10.0.0.0 255.0.0.0

2. You do not have the NAT to allow the VPN pool subnet to access internal resources; for example, you need something like this:

nat (outside,inside) source static obj-AnyConnectPool obj-AnyConnectPool destination static internalSUBNETS internalSUBNETS no-proxy-arp route-lookup

3. I am not sure of your internal network topology, but if there are some networks behind another layer 3 device, you may need to add the route to your AnyConnect pool and redistribute it (this step depends on your topology, as you do have a default route), but I would check that too:

route outside 192.168.15.0 255.255.255.0 190.110.209 1 track 1

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

tunnel-group LifeShareVPN type remote-access
tunnel-group LifeShareVPN general-attributes
address-pool VPN_POOL_2
authentication-server-group ActiveDirectory
default-group-policy GroupPolicy_LifeShareVPN
tunnel-group LifeShareVPN webvpn-attributes
group-alias LifeShareVPN enable
group-policy GroupPolicy_LifeShareVPN internal
group-policy GroupPolicy_LifeShareVPN attributes
wins-server none
dns-server value 172.22.45.115 172.22.45.116
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
default-domain value lifeshare.int
webvpn
port 444
enable outside
http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
anyconnect image disk0:/anyconnect-win-4.10.04071-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
  disable
error-recovery disable

nat (inside,outside) 1 source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup

access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0   <- remove
access-list Split-Tunnel standard permit 172.22.45.0 255.255.255.0

 

There are two points:
one, push the NAT with the added number 1;
second, why did you not remove the OLD ACL?

Do this and then do packet-tracer and share the output here.
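The two replies above boil down to two checks on the posted config: the split-tunnel ACL must list the internal destination subnets and never the VPN pool itself, and an identity (NAT exemption) twice-NAT rule must pair the pool with the internal subnet. As an added example that is not code from the thread or from Cisco, the script below lints a config for exactly those two conditions with the standard library's ipaddress module. The access-list and nat lines are copied from the thread; the `ip local pool` and `object network` definitions were not shown in the thread and are assumed, and only the command forms that appear in the thread are parsed.

```python
# Added example (not from the thread or from Cisco): lint an ASA AnyConnect
# split-tunnel ACL and NAT exemption against the VPN pool. Only the command
# forms that appear in the thread are parsed.
import ipaddress
import re

# Constructed sample modelled on the posted config. The "ip local pool" and
# "object network" definitions were not shown in the thread and are assumed;
# the access-list and nat lines are copied from it.
CONFIG_AS_POSTED = """\
ip local pool VPN_POOL_2 192.168.15.10-192.168.15.250 mask 255.255.255.0
object network NETWORK_OBJ_192.168.15.0_24
 subnet 192.168.15.0 255.255.255.0
object network NETWORK_OBJ_172.22.45.0_24
 subnet 172.22.45.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0
access-list Split-Tunnel standard permit 172.22.45.0 255.255.255.0
nat (inside,outside) 1 source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
"""

# The same config with the pool subnet dropped from the split-tunnel list,
# which is the change the replies above ask for.
CONFIG_FIXED = CONFIG_AS_POSTED.replace(
    "access-list Split-Tunnel standard permit 192.168.15.0 255.255.255.0\n", "")

OBJ_RE = re.compile(r"^object network (\S+)\n\s+subnet (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\)(?: \d+)? source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)", re.M)


def parse_objects(config):
    """Map 'object network' names to their subnets."""
    return {name: ipaddress.ip_network(f"{net}/{mask}")
            for name, net, mask in OBJ_RE.findall(config)}


def parse_pool(config, pool_name):
    """Return the subnet that covers the named address pool."""
    for name, first, _last, mask in POOL_RE.findall(config):
        if name == pool_name:
            return ipaddress.ip_network(f"{first}/{mask}", strict=False)
    raise KeyError(f"pool {pool_name} not found")


def parse_split_acl(config, acl_name):
    """Networks listed in the standard ACL used as the split-tunnel list."""
    return [ipaddress.ip_network(f"{net}/{mask}")
            for name, net, mask in ACL_RE.findall(config) if name == acl_name]


def parse_nat_exemptions(config, objects):
    """Identity twice-NAT rules (X->X, Y->Y), i.e. NAT exemptions."""
    rules = []
    for ing, egr, real_src, map_src, real_dst, map_dst in NAT_RE.findall(config):
        if real_src == map_src and real_dst == map_dst \
                and real_src in objects and real_dst in objects:
            rules.append(((ing, egr), objects[real_src], objects[real_dst]))
    return rules


def has_nat_exemption(pool, internal, rules):
    """True if some identity rule pairs the internal subnet with the pool,
    written from either side (inside->outside or outside->inside)."""
    for _ifaces, src, dst in rules:
        if (src.overlaps(internal) and dst.overlaps(pool)) or \
                (src.overlaps(pool) and dst.overlaps(internal)):
            return True
    return False


def audit(config, pool_name, acl_name, internal):
    """Collect the checks the replies discuss into one report."""
    objects = parse_objects(config)
    pool = parse_pool(config, pool_name)
    split = parse_split_acl(config, acl_name)
    internal_net = ipaddress.ip_network(internal)
    return {
        "pool": pool,
        # Split-tunnel entries must name destination networks, never the pool.
        "bad_split_entries": [n for n in split if n.overlaps(pool)],
        "internal_in_split": any(n.overlaps(internal_net) for n in split),
        "nat_exempt": has_nat_exemption(pool, internal_net,
                                        parse_nat_exemptions(config, objects)),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(label, audit(cfg, "VPN_POOL_2", "Split-Tunnel", "172.22.45.0/24"))
```

Run against the posted config the report flags the 192.168.15.0/24 split-tunnel entry as overlapping the pool and confirms the identity NAT rule pairs 172.22.45.0/24 with the pool; against the fixed config only the flagged entry disappears. The NAT check accepts the rule in either interface order, since the reply's suggested `nat (outside,inside)` form and the posted `nat (inside,outside)` form both express the same exemption.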

@MHM Cisco World and @SinghRaminder I was able to determine, with some help from Singh, that this is boiling down to an ACL issue where I am missing an ACL.

So this issue is solved ? 

@MHM Cisco World and @SinghRaminder no, we are still looking at which ACLs I am missing.

@chris.bias I sent you a message, check it.

Thanks
Raminder

https://www.petenetlive.com/KB/Article/0001298

This link shows you how to do packet-tracer for AnyConnect.
Share the output here; we can find which ACL is dropping the traffic.
Please note that the AnyConnect must not be in use.

@MHM Cisco World and @SinghRaminder here is the output

vpn# packet-tracer input inside icmp 172.22.45.13 8 0 192.168.15.10

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 12.190.110.209 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.15.10/0 to 192.168.15.10/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055e35b571b00 flow (NA)/NA

vpn#

vpn# packet-tracer input outside icmp 192.168.15.10 8 0 172.22.45.13

@MHM Cisco World and @SinghRaminder see output:

vpn# packet-tracer input outside icmp 192.168.15.10 8 0 172.22.45.13

Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 4
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA

vpn#

192.168.15.10 <- this IP is already in use by one AnyConnect host; try another IP from the VPN pool that is NOT in USE

@MHM Cisco World  and @SinghRaminder   see output:

vpn# packet-tracer input outside icmp 192.168.15.20 8 0 172.22.45.13

Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 4
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA

vpn#

vpn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.13 80

ICMP is always a headache in ASA; try TCP.

@MHM Cisco World see the output below:

vpn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.13 80

Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 4
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA

vpn#
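The packet-tracer outputs posted in this thread all have the same shape: a series of "Phase: N" blocks, each with Type, Subtype and Result header fields followed by Config and Additional Information bodies, then a final "Result:" block whose Drop-reason carries a code in parentheses. As an added example that is not code from the thread or from Cisco, the script below parses that format and reports which phase dropped the flow and why, distinguishing the inside-to-outside trace (dropped in the ACCESS-LIST phase by the implicit rule) from the outside-to-inside traces (dropped with no-route before any ACCESS-LIST phase). Both embedded traces are copied from the thread and abbreviated; the body lines such as "PIX security check: user is not allowed..." contain colons, which is why the parser tracks which section it is in rather than splitting every line on ":".

```python
# Added example (not from the thread or from Cisco): parse ASA packet-tracer
# output into phases plus the final result and name the phase that dropped
# the flow. Both traces are copied from the thread, abbreviated.
import re

TRACE_ACL_DROP = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 12.190.110.209 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055e35b571b00 flow (NA)/NA
"""

TRACE_NO_ROUTE = """\
Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: outside
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055e35b57a40e flow (NA)/NA
"""

DROP_RE = re.compile(r"Drop-reason: \((?P<code>[^)]+)\) (?P<text>.*?)(?:, Drop-location:.*)?$")


def parse_block(lines):
    """Parse one 'Phase: N' or 'Result:' block. Header lines are 'Key: value';
    lines after 'Config:' / 'Additional Information:' are bodies that may
    themselves contain colons, so they are collected verbatim."""
    key0, _, val0 = lines[0].partition(":")
    block = {"kind": key0.lower(), "config": [], "info": []}
    if val0.strip():
        block["number"] = int(val0)
    section = None
    for line in lines[1:]:
        m = DROP_RE.match(line)
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:
            block[section].append(line)
        elif m:
            block["drop_code"], block["drop_text"] = m.group("code"), m.group("text")
        else:
            key, _, val = line.partition(":")
            block[key.strip().lower()] = val.strip()
    return block


def parse_trace(text):
    """Split on blank lines into blocks; return (phases, result)."""
    blocks = [parse_block(b.splitlines()) for b in re.split(r"\n\s*\n", text.strip())]
    phases = [b for b in blocks if b["kind"] == "phase"]
    result = next((b for b in blocks if b["kind"] == "result"), {})
    return phases, result


def diagnose(text):
    """Summarise where and why the trace dropped, in the terms the thread uses."""
    phases, result = parse_trace(text)
    dropped = next((p for p in phases if p.get("result") == "DROP"), None)
    code = result.get("drop_code")
    if result.get("action") != "drop":
        hint = "flow allowed"
    elif code == "acl-drop" and dropped is not None:
        rule = "the implicit deny" if "Implicit Rule" in dropped["config"] else "an explicit deny"
        hint = f"phase {dropped['number']} ({dropped['type']}) hit {rule}: no ACL entry permits this flow"
    elif code == "no-route":
        hint = "dropped before any ACCESS-LIST phase: no route to the destination from the input interface"
    else:
        hint = f"dropped with code {code}"
    return {"action": result.get("action"), "drop_code": code,
            "drop_phase": dropped["number"] if dropped else None, "hint": hint}
```

Calling `diagnose(TRACE_ACL_DROP)` reports drop phase 3 (ACCESS-LIST, implicit deny), which is the missing-ACL conclusion the thread reaches; `diagnose(TRACE_NO_ROUTE)` reports no dropping phase at all, because the no-route drop is recorded only in the final Result block, so there is no ACL to look for in that trace.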