cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1019
Views
0
Helpful
4
Replies

ASA5520 ver 9.1- Remote VPN client can login but cannot ping to internal network

Craigxxxxx
Level 1
Level 1

Hi Experts,

 

I am having some issue with ASA5520 after upgrading the version to 9.1.

I am able to log in to ASA device using remote vpn client but I cannot ping to internal network.

I did not have any issue with ASA version 8.0 with same configuration last time.

Could you please assist to review below configuration and advise what I missed out in the configuration?

Thanks in advance.

 

Best Regards,

Craig

 

ASA Version 9.1(4)
!
hostname ASA5520
domain-name test.com
enable password S3tnQLXTAbsdcawi encrypted
names
ip local pool VPNPOOL 10.215.197.129-10.215.197.254 mask 255.255.255.128
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.215.197.3 255.255.255.128
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 112.222.x.x 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
<--- More --->
              
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
  ip address 192.168.1.1 255.255.255.0  
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
object network obj-local
 subnet 10.0.0.0 255.0.0.0
object network obj-vpnpool
 subnet 10.215.197.128 255.255.255.128
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any
pager lines 24
<--- More --->
              
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 112.222.x.x 1
route inside 10.0.0.0 255.0.0.0 10.215.197.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
<--- More --->
              
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
<--- More --->
              
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value 10.215.2.17 10.215.19.1
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ssl-clientless
 default-domain value test.com
username admin password VmGyz44NawnM/MGj encrypted privilege 15
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool VPNPOOL
 default-group-policy vpnpolicy
tunnel-group vpnclient ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
<--- More --->
              
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
<--- More --->
              
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6c09423a7758bc9f54a1f8fb1a25f53e
: end

 

4 Replies 4

Vishnu Sharma
Level 1
Level 1

Hi Craig,

Assuming that this is the scenario (attached file), then I see that the internal interface ip address and external ip address (assigned ip) are of the same range. Ideally this should work because of subnetting however it is always recommended to use a different range of ip's in the vpn pool so as to identify local subnet and remote subnet.

 

Another thing that you can try is that you can check if you are able to ping inside interface of the ASA. If you are not able to ping inside interface then run this command on the ASA "show run man" and it will show you whether management access is enabled on inside interface or not. If it is not enabled then enable it by running command "man inside" and then try to ping it again. If you are getting some error while enabling management access on inside interface then try to disable management access from any other interface because on ASA we can have management access enabled on one interface only.

 

Please give it a shot and let me know. If this does not work then I will need output of these two commands so as to fix this issue:

show run all group-policy vpnpolicy

show run nat

show crypto ipsec sa (capture this output once you are connected to the ASA using VPN)

 

Thanks,

Vishnu Sharma

 

Hi Vishnu,

 

Thanks for your advise.

I have changed the vpnpool to different range and also enable the management access.

But I am still not able to ping to inside interface and internal network.

Could you please find the below output and let me know your further advice.

Thanks again.

 

Best Regards,

Craig

 

 

sh run all group-policy vpnpolicy

group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value 10.215.2.17 10.215.19.1
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ssl-clientless
 default-domain value test.com

sh run nat

nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool

sh crypto ipsec sa

interface: outside
    Crypto map tag: DYN_MAP, seq num: 10, local addr: 112.222.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.215.208.130/255.255.255.255/0/0)
      current_peer: 202.166.74.41, username: user
      dynamic allocated peer ip: 10.215.208.130
      dynamic allocated peer ip(ipv6): 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 112.222.x.x/4500, remote crypto endpt.: 202.166.74.41/1605
      path mtu 1500, ipsec overhead 66(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 4678FE40
      current inbound spi : 0696C619

    inbound esp sas:
      spi: 0x0696C619 (110544409)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 49152, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 28449
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x4678FE40 (1182334528)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 49152, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 28449
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

Hi Craig,

 

Instead of this command:

nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool

 

Use this command:

nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy route-lookup

 

Let me know if this helps.

 

Thanks,

Vishnu Sharma

 

Hi Vishnu,

 

After adding 'no-proxy route-lookup', I am able to ping to inside interface and internal network.

I really appreciate for your advice and help.

 

Best Regards,

Craig