03-10-2018 06:14 AM - edited 03-12-2019 05:06 AM
We had a power outage onsite and our original ASA5505 died. We have received 2 replacements from Cisco in the last 2 weeks. Cisco helped us get the first new ASA5505 up and running; it died 1.5 days later. We received another at the start of this week and even with Cisco's help have not been able to get it totally up and running. I can connect over the VPN client from a remote location, can telnet into the ASA and can also run ASDM from the ASA5505. I can ping the ASA address but cannot ping any address on the inside network from the VPN-connected client. I can ping inside addresses from the ASA5505. I have pasted in my config. It has to be some kind of routing issue but I cannot seem to find it. The config was from the first replacement ASA5505 we had, which worked for 1.5 days before the ASA died.
ASA Version 8.4(1)
!
hostname mciiasa5505
domain-name xxxx.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.10 midcon description Server
name 24.249.1.65 outside description outside address
ddns update method companyx.xxxx.local
ddns both
interval maximum 0 1 0 0
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.xx 255.255.255.0
!
interface Vlan2
description Test
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server companyx
domain-name xxxx.local
same-security-traffic permit intra-interface
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network xxxx
host 192.168.1.10
description Created during name migration
object network outside
host 24.249.1.65
description Created during name migration
access-list inside_nat0_outbound extended permit ip any object midcon
access-list Local_Lan_Access remark VPN Local Lan Access
access-list Local_Lan_Access standard permit host 0.0.0.0
access-list inside_authentication extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list tac extended permit ip host 98.137.149.56 object outside
access-list tac extended permit ip object outside host 98.137.149.56
access-list outside_crptomap_dyn_20 remark outside_crytomap_dyn_20
access-list outside_crptomap_dyn_20 extended permit ip 192.168.1.0 255.255.255.0 any
access-list nonat extended permit ip any 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list split standard permit 192.168.1.0 255.255.255.0
access-list tac1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tac1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list cap extended permit ip host 192.168.1.40 host 192.168.2.200
access-list cap extended permit ip host 192.168.2.200 host 192.168.1.40
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool TestPool 192.168.2.200-192.168.2.210
ip local pool test2 192.168.1.200-192.168.1.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source static any any destination static obj-192.168.1.0 obj-192.168.1.0
!
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 174.79.102.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
file-browsing enable
file-entry enable
url-entry enable
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa proxy-limit disable
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=xxxxasa5505
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate d554794d
308201f1 3082015a a0030201 020204d5 54794d30 0d06092a 864886f7 0d010104
0500303d 31143012 06035504 03130b6d 63696961 73613535 30353125 30230609
2a864886 f70d0109 0216166d 63696961 73613535 30352e6d 6369692e 6c6f6361
6c301e17 0d313130 33313032 32343634 355a170d 32313033 30373232 34363435
5a303d31 14301206 03550403 130b6d63 69696173 61353530 35312530 2306092a
864886f7 0d010902 16166d63 69696173 61353530 352e6d63 69692e6c 6f63616c
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00860567
47915fc4 1914260b 3ff4ddd7 8ae70721 40741dd7 f47f58b9 5c46d0e7 f350b0e7
b24f574e 026b5c75 c3737403 f9d98483 e72fe84b 292acb0a 36c88e25 2e23b686
4bfacf39 da60c468 ec3ad60d d54046c2 38a5f0b4 e045e817 53546b70 95927540
15cc9e96 c47ab85e fe770437 74039928 02c3accc 0ec816d1 d6be4f9c 19020301
0001300d 06092a86 4886f70d 01010405 00038181 00017e25 26f8f7e9 d67beeea
fbfabeb1 0fc5e0aa c01bf8b5 f506b1e2 baccf186 69202512 2fae3041 43122330
7cd881d2 978bd206 edbff48f db5bbec8 e28782bb bee69798 32bb98d3 d855511a
56caefa5 117ff9f0 c0dc04b0 f5f609d9 218d005e 9e0aa435 ba4665d4 6f091958
5348ed93 6469790b 6b3c0af2 208fbbe4 38addf1b f4
quit
crypto isakmp nat-traversal 33
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 5
dhcp-client broadcast-flag
dhcp-client client-id interface outside
dhcp-client update dns server both
dhcpd dns 68.105.28.16 68.105.29.16
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.10
vpn-tunnel-protocol ikev1 ssl-client
group-policy firsttunnelgroup internal
group-policy firsttunnelgroup attributes
dns-server value 192.168.1.10
vpn-session-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxx.local
tunnel-group DefaultRAGroup general-attributes
address-pool TestPool
authorization-server-group LOCAL
default-group-policy firsttunnelgroup
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
ikev1 user-authentication (inside) none
tunnel-group firsttunnelgroup type remote-access
tunnel-group firsttunnelgroup general-attributes
address-pool test2
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy firsttunnelgroup
tunnel-group firsttunnelgroup webvpn-attributes
group-alias AnyConnect enable
tunnel-group firsttunnelgroup ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9fe30d3ec24f08fc8686c2eeee33e3ea
03-10-2018 07:46 AM
I am confused. You describe several times when you have had to replace your ASA and the current ASA is having some problems. Then you tell us that the config that you are posting is from the ASA that did work - until it stopped working. Seeing a config that probably worked does not give us any insight into what is not working in the current config.
HTH
Rick
03-10-2018 07:54 AM
What I pasted in is the running-config. I can connect to the ASA thru the VPN client from my remote location. I can bring up ASDM and look at the device. I cannot ping to any inside address from the connected client. Not to the inside Windows server, not to an IP connected printer, nothing on the inside network. I can ping from the ASA to these internal devices. Cannot ping from the ASA to the connected VPN client machine either. 192.168.2.200 as an example. Hope that clarifies things a bit.
03-10-2018 09:34 AM
Hi,
The only static route you have on the ASA is the default route to the internet "route outside 0.0.0.0 0.0.0.0 174.79.102.129 1". The inside interface is on the 192.168.1.0/24 network and you are attempting to access 192.168.2.200. You have no static route to the 192.168.2.0/24 network.
You need something like this:
route inside 192.168.2.0 255.255.255.0 192.168.1.x
HTH
03-10-2018 09:49 AM
Added the route statement as you described, not sure what the .x was supposed to be but I tried both the ASA inside address 192.168.1.33 and the state 192.168.1.0, and checked to make sure the statement was in the running config.
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 174.79.102.129 1
route inside 192.168.2.0 255.255.255.0 192.168.1.0 1
Still cannot ping to anything on the inside network, even the ip attached printer in that office which has no firewall capability. I can only ping the inside ASA interface 192.168.1.33
03-10-2018 10:08 AM
The ASA is connected from the cox cable internet router to the 0 port on the ASA then from the ASA port 7 to a passive non-managed ethernet switch.
03-10-2018 11:21 AM
There has been discussion about a route for network 192.168.2.0. That network is used in one of the address pools configured on the ASA.
ip local pool TestPool 192.168.2.200-192.168.2.210
As such, there is no need for any route statement for this network.
HTH
Rick
03-10-2018 11:14 AM
Perhaps you can clarify something for us. I see two address pools are defined and am not clear which one is actually being used. I see a pool defined for DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool TestPool
and I see a pool defined for firsttunnelgroup
tunnel-group firsttunnelgroup general-attributes
address-pool test2
Which of these pools is supplying the address for your AnyConnect session?
HTH
Rick
03-10-2018 11:30 AM
Not using an AnyConnect client. Using a Cisco Systems VPN Client Version 5.0.06.0160. Have been using this client for the last 6.5 years till the original ASA died 2 weeks ago. Have used it since as well, just not able to route inside at present. This is IPsec (IKEv1).
03-10-2018 02:32 PM
Thanks for the clarification. I saw config for AnyConnect and assumed that is what you were using. Will now look in terms of IKEv1 traditional client. Can you tell us what IP address you get when you establish the client VPN session?
HTH
Rick
03-10-2018 03:17 PM
Rather than the following 2 NAT statements :
nat (inside,outside) source static any any destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source static any any destination static obj-192.168.1.0 obj-192.168.1.0
It should have been just 1 NAT statement as follows :
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
Changing those 2 to that 1 did the trick. Thanks for all the input !
03-11-2018 06:18 AM
Glad to know that you got the problem solved. Thanks for sharing the solution with us.
HTH
Rick