Can't ping and access internal network using VPN.

Lost & Found
Level 2

Hi,

I'm connected using AnyConnect, but the problem is I can't ping or access the internal network.

TEST# sh run
ASA Version 9.2(2)4
!
hostname TEST
domain-name test.com
names
ip local pool vpnpool 10.34.17.1-10.34.17.252 mask 255.255.240.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 124.X.X.X 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.34.33.254 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone PHST 8
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.34.31.236
 name-server 10.34.63.239
 domain-name test.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-10.34.33.253
 host 10.34.33.253
object service TCP_3389
 service tcp destination eq 3389
object network obj-10.34.31.221
 host 10.34.31.221
 description Domino Server
object service UDP_18001
 service udp destination eq 18001
object network obj-translate
 host 10.34.31.221
object network NETWORK_OBJ_10.34.18.0_26
 subnet 10.34.18.0 255.255.255.192
object network Test-Network
 subnet 10.230.230.0 255.255.255.0
object network NETWORK_OBJ_10.34.33.0_24
 subnet 10.34.33.0 255.255.255.0
object network Site-A-Subnet
 subnet 10.34.48.0 255.255.240.0
object network Site-B-Subnet
 subnet 10.34.16.0 255.255.240.0
object network obj-10.34.17.0
 subnet 10.34.17.0 255.255.255.0
object network NETWORK_OBJ_10.34.17.0_24
 subnet 10.34.17.0 255.255.255.0
object-group service tcp_lotusnotesgrp tcp
 port-object eq www
 port-object eq lotusnotes
 port-object eq smtp
 port-object eq imap4
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service citrix-ica2 tcp
 port-object eq 2898
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object icmp6
object-group network FrontbridgeServers
 network-object 94.245.120.64 255.255.255.192
 network-object 213.199.180.128 255.255.255.192
object-group service DM_INLINE_TCP_3 tcp
 group-object citrix
 group-object citrix-ica2
access-list IPS extended permit ip any any inactive
access-list inside_nat0_outbound extended permit ip 10.34.33.0 255.255.255.0 10.34.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.63.0 255.255.255.0 10.34.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.16.0 255.255.255.0 10.34.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.33.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.34.33.0 255.255.255.0 10.34.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.63.0 255.255.255.0 10.34.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.16.0 255.255.255.0 10.34.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.34.18.0 255.255.255.0
access-list outside_access_in_2 extended permit ip any 10.34.16.0 255.255.240.0
access-list outside_access_in_2 extended permit ip any 10.34.33.0 255.255.255.0
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_2 any object obj-10.34.31.221
access-list outside_access_in_2 extended permit tcp any object obj-10.34.63.223 object-group DM_INLINE_TCP_3
access-list outside_access_in_2 extended permit tcp any object obj-10.34.61.1 object-group SAP
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 any object obj-10.34.63.115
access-list outside_cryptomap extended permit ip 10.34.33.0 255.255.255.0 object Test-Network
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.17.0_24 NETWORK_OBJ_10.34.17.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static obj-10.34.17.0 obj-10.34.17.0 no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.18.0_26 NETWORK_OBJ_10.34.18.0_26 no-proxy-arp route-lookup inactive
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in_2 in interface outside
route outside 0.0.0.0 0.0.0.0 124.X.X.X 1
route inside 10.0.0.0 255.0.0.0 10.34.33.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.34.33.0 255.255.255.0 inside
http 10.34.31.236 255.255.255.255 inside
http 10.34.16.21 255.255.255.255 inside
http 10.34.0.0 255.255.0.0 inside
http 122.53.151.96 255.255.255.224 outside
http 10.34.48.195 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint self
 enrollment self
 fqdn asa-mkt.test.com
 subject-name CN=asa-mkt.test.com
 keypair sslvpnkey
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=cbkmktfw.test.com
 keypair asacbkmkt.key
 crl configure
crypto ca trustpool policy
crypto ca certificate chain self
 certificate 55b3b855
    30820304 308201ec a0030201 02020455 b3b85530 0d06092a 864886f7 0d010105
    05003044 311d301b 06035504 03131461 73612d6d 6b742e63 626b706f 7765722e
    636f6d31 23302106 092a8648 86f70d01 09021614 6173612d 6d6b742e 63626b70
    6f776572 2e636f6d 301e170d 31353037 33303039 32383239 5a170d32 35303732
    37303932 3832395a 3044311d 301b0603 55040313 14617361 2d6d6b74 2e63626b
    706f7765 722e636f 6d312330 2106092a 864886f7 0d010902 16146173 612d6d6b
    742e6362 6b706f77 65722e63 6f6d3082 0122300d 06092a86 4886f70d 01010105
    00038201 0f003082 010a0282 01010098 be55fe19 35624651 96ae90f2 4ca9e0de
    579efe8d 3449dabf 88290529 453677d9 ca0baa57 94d0773d b82d4978 ea8e713c
    d18d1c10 5816ff36 d948c077 1cce6529 10f9929d 20086a3f 3b100ecf 89e93a12
    f194a4f8 0e3c530c 7c4f6645 f53b3fa5 4c46bc83 c8d0f2c1 557bc17b 92acf3cf
    f38961ab 6649c851 c6a2c775 38596fd6 5560b5d7 01948e22 9d3dd722 bd67aa1f
    75a47cb6 412ec32f c9c3d429 f4a1cdf1 a1aa6e0c 5cf65ce9 e8c941ff 44c07ab8
    4821a473 fb4cf1b1 3be5d23a 38c2c9fc 710591d5 9db12b2a f534fe50 633b3974
    d2058589 4ea5fa4a 717f5c8f 40a8d2f5 f939475f e922cc73 d3c34b89 7269cd8b
    f4389d1e 4da5939f e512afd1 62a44302 03010001 300d0609 2a864886 f70d0101
    05050003 82010100 79e920c5 dbcff926 e3a8fd6b 04f09d4e d6b10cf1 c6afa1b7
    32df8909 1a6f5fc6 786c8f00 6eb4f55e 938823e3 69f1895e fd510ba7 c6c87ffd
    d07b7474 09682859 80ce82a6 d08a7a2c 5be61067 b6ca54e2 fa92cd81 8f9f2f40
    5d05d514 1285d71c 24ddc3a1 08b53f3e 92b221e2 ec9be3d6 e2178e38 7f1f1613
    0fec837e e0727660 59b22d6c a39c2cda be558315 25c2f275 6bb63b62 7eb83fc0
    e0fa502f 594e5708 f7c6a963 03cce0e6 5b6a7280 cda6bccf 3ab2730b b5473fce
    30109509 b0557488 0a28c284 b80a419e e4533aae e176adb8 ff6d2763 321984ee
    4f9f561d 4ee518e0 09d40254 0dbd5674 18c0aeb6 64cdb174 ea7fa665 8477e18b
    d3f1bf41 67a88b07
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint self
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 30
no ssh stricthostkeycheck
ssh 122.53.151.98 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point self inside
ssl trust-point self outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles asa-mkt_client_profile disk0:/asa-mkt_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy cbkciscovpnfw1 internal
group-policy cbkciscovpnfw1 attributes
 wins-server none
 dns-server value 10.34.31.236 10.34.63.239
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 default-domain value test.com
group-policy DfltGrpPolicy attributes
 dns-server value 10.34.31.237 10.34.63.238
 ip-comp enable
 default-domain value test.com
 vpn-group-policy DfltGrpPolicy
tunnel-group cbkciscovpnfw1 type remote-access
tunnel-group cbkciscovpnfw1 general-attributes
 address-pool vpnpool
 default-group-policy cbkciscovpnfw1
 password-management
tunnel-group cbkciscovpnfw1 webvpn-attributes
 group-alias CBK-MKT-VPN enable
tunnel-group cbkciscovpnfw1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 122.X.X.X type ipsec-l2l
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  user-statistics accounting
!
: end

thanks

VPN CLIENT
10.34.17.1 /20
10.34.16.1
------------------------------------------------------------------------------------------

debug ip icmp
ter monitor

Firewall – 10.34.33.254
ICMP echo request from outside:10.34.17.1 to inside:10.34.31.221 ID=1 seq=31424 len=32
ICMP echo request from outside:10.34.17.1 to outside:8.8.8.8 ID=1 seq=31426 len=32
ICMP echo request from outside:10.34.17.1 to inside:10.34.31.254 ID=1 seq=31427 len=32
ICMP echo request from outside:10.34.17.1 to inside:10.34.31.221 ID=1 seq=31428 len=32
ICMP echo request from outside:10.34.17.1 to outside:8.8.8.8 ID=1 seq=31429 len

Router – 10.34.31.254
Nov 3 11:54:49.404: ICMP: echo reply sent, src 10.34.31.254, dst 10.34.17.1, topology BASE, dscp 0 topoid 0
*Nov 3 11:54:53.000: ICMP: echo reply sent, src 10.34.31.254, dst 10.34.31.236, topology BASE, dscp 0 topoid 0
*Nov 3 11:54:53.000: ICMP: echo reply sent, src 10.34.31.254, dst 10.34.31.236, topology BASE, dscp 0 topoid 0
*Nov 3 11:54:54.396: ICMP: echo reply sent, src 10.34.31.254, dst 10.34.17.1,

Show Capture
1: 19:53:12.413323 10.34.17.1 > 10.34.31.254: icmp: echo request
2: 19:53:17.156898 10.34.17.1 > 10.34.31.254: icmp: echo request
3: 19:53:22.159797 10.34.17.1 > 10.34.31.254: icmp: echo request
4: 19:53:27.153602 10.34.17.1 > 10.34.31.254: icmp: echo request
5: 19:53:32.159629 10.34.17.1 > 10.34.31.254: icmp: echo request
6: 19:53:37.152381 10.34.17.1 > 10.34.31.254: icmp: echo request

From the firewall I can ping 10.34.17.1 (Success)
From the router I can't ping 10.34.17.1 (Not Successful)

Router#traceroute 10.34.17.1
1 * * *
Router#sh arp | in 10.34.17.1
Internet 10.34.17.1 0 Incomplete ARPA
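An added example, not code from the thread: a small Python check that reads the `ip local pool` line and the internal subnets out of the posted running config and reports where the pool overlaps them. On the lines quoted above, the pool 10.34.17.1-10.34.17.252 with mask 255.255.240.0 lies inside Site-B-Subnet 10.34.16.0/20, and that same /20 contains the router 10.34.31.254. A LAN device that believes 10.34.17.1 is on its own segment ARPs for it instead of forwarding to the ASA, which is consistent with the `Incomplete` ARP entry shown, though whether that is the cause here is for the thread to confirm. The outside interface address in the sample is a placeholder because the thread masks it as 124.X.X.X; the function names are this example's own.

```python
"""Flag a remote-access VPN address pool that overlaps the firewall's own
internal subnets (added example, not part of the thread).

Hosts treat any address inside their own prefix as on-link and ARP for it;
if the VPN pool sits inside such a prefix, replies to VPN clients never
reach the ASA.  The sample config is the relevant subset of the thread's
'sh run', indented the way the ASA prints it.
"""
import ipaddress
import re

# Constructed sample: lines copied from the thread's running config.  The
# outside address is a placeholder (TEST-NET) because the thread masks it.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.34.17.1-10.34.17.252 mask 255.255.240.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.34.33.254 255.255.255.0
object network Site-A-Subnet
 subnet 10.34.48.0 255.255.240.0
object network Site-B-Subnet
 subnet 10.34.16.0 255.255.240.0
object network NETWORK_OBJ_10.34.33.0_24
 subnet 10.34.33.0 255.255.255.0
object network obj-10.34.31.221
 host 10.34.31.221
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?$", re.M)
OBJ_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)$", re.M)
# interface block: nameif, then any sub-commands, then the ip address line
INTF_RE = re.compile(
    r"^interface \S+\n nameif (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)$", re.M)


def parse_pools(cfg):
    """Map pool name -> list of networks that exactly cover its address range."""
    pools = {}
    for name, first, last, _mask in POOL_RE.findall(cfg):
        rng = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        pools[name] = list(rng)
    return pools


def parse_internal_subnets(cfg):
    """Map a label -> network for every 'object network ... subnet' and for
    every interface's connected subnet (hosts-only objects are skipped)."""
    subnets = {}
    for name, net, mask in OBJ_RE.findall(cfg):
        subnets[name] = ipaddress.ip_network(f"{net}/{mask}")
    for nameif, addr, mask in INTF_RE.findall(cfg):
        subnets[f"interface {nameif}"] = ipaddress.ip_network(
            f"{addr}/{mask}", strict=False)
    return subnets


def find_pool_overlaps(cfg):
    """Return sorted (pool, subnet_label, subnet) triples for every internal
    subnet that overlaps a pool's address range."""
    hits = []
    subnets = parse_internal_subnets(cfg)
    for pool, nets in parse_pools(cfg).items():
        for label, subnet in subnets.items():
            if any(n.overlaps(subnet) for n in nets):
                hits.append((pool, label, str(subnet)))
    return sorted(hits)


def client_onlink_prefix(cfg, pool_name):
    """The prefix a client is told is on-link: first pool address + pool mask."""
    for name, first, _last, mask in POOL_RE.findall(cfg):
        if name == pool_name:
            return ipaddress.ip_network(
                f"{first}/{mask or '255.255.255.255'}", strict=False)
    raise KeyError(pool_name)


def shares_onlink_prefix(cfg, pool_name, host):
    """True if `host` (e.g. an inside router) sits in the same prefix the pool
    mask describes, i.e. it and the VPN clients look like LAN neighbours."""
    return ipaddress.ip_address(host) in client_onlink_prefix(cfg, pool_name)


if __name__ == "__main__":
    for pool, label, subnet in find_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {label} ({subnet})")
    print("router 10.34.31.254 in pool prefix:",
          shares_onlink_prefix(SAMPLE_CONFIG, "vpnpool", "10.34.31.254"))
```

Run as-is it reports the single overlap with Site-B-Subnet and confirms that 10.34.31.254 falls inside the /20 the pool mask describes; a pool carved from a prefix that no inside object or interface uses produces an empty report.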

rvarelac
Level 7

Hi,

An observation on the group-policy configured: it has split tunneling enabled, but it does not have the ACL to define the interesting traffic.

group-policy cbkciscovpnfw1 attributes

wins-server none

dns-server value 10.34.31.236 10.34.63.239

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ?????   (missing command)

I would fix that part of the configuration first and try again.

Hope it helps

-Randy-

Hi randy,

I already have the following commands:

#access-list splitvpn standard permit any

#group-policy cbkciscovpnfw1 attributes           

    #split-tunnel-network-list value splitvpn

Result was still the same.

thanks

Is the IP 10.34.31.254 part of the internal network? Maybe the device is just not replying to the pings. I would check whether the routing on the inside network is correct before continuing to troubleshoot the ASA.

Hope it helps

-Randy-
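An added example, not from the thread: pairing the ASA's `debug icmp trace` lines so that echo requests that left an interface without a matching reply stand out, which is the firewall-side answer to "is the device replying?". The request lines are the ones the original poster pasted; the single reply line is constructed in the same format to show what a completed exchange looks like. In the thread the router's own debug shows it sending replies toward 10.34.17.1, so a result like this one places the loss between the router and the ASA's inside interface rather than at the router itself. Function names are this example's own.

```python
"""Pair ICMP echo requests with replies in ASA 'debug icmp trace' output and
report the requests that never got an answer (added example, not from the
thread)."""
import re
from collections import OrderedDict

ICMP_RE = re.compile(
    r"ICMP echo (request|reply) from (\w+):([\d.]+) to (\w+):([\d.]+) "
    r"ID=(\d+) seq=(\d+)")

# Constructed sample: the four request lines are from the thread; the reply
# line is added here in the same format to show a matched exchange.
SAMPLE_DEBUG = """\
ICMP echo request from outside:10.34.17.1 to inside:10.34.31.221 ID=1 seq=31424 len=32
ICMP echo request from outside:10.34.17.1 to outside:8.8.8.8 ID=1 seq=31426 len=32
ICMP echo request from outside:10.34.17.1 to inside:10.34.31.254 ID=1 seq=31427 len=32
ICMP echo request from outside:10.34.17.1 to inside:10.34.31.221 ID=1 seq=31428 len=32
ICMP echo reply from outside:8.8.8.8 to outside:10.34.17.1 ID=1 seq=31426 len=32
"""


def pair_echoes(text):
    """Return (answered, unanswered).

    Keys are (request_src, request_dst, id, seq).  `answered` maps a key to
    the (in_interface, out_interface) of its reply; `unanswered` lists the
    request keys, in log order, that have no reply in the trace.
    """
    requests = OrderedDict()
    replies = {}
    for kind, sif, src, dif, dst, ident, seq in ICMP_RE.findall(text):
        if kind == "request":
            requests[(src, dst, int(ident), int(seq))] = (sif, dif)
        else:
            # a reply travels dst->src, so key it by the original request
            replies[(dst, src, int(ident), int(seq))] = (sif, dif)
    answered = {k: replies[k] for k in requests if k in replies}
    unanswered = [k for k in requests if k not in replies]
    return answered, unanswered


def unanswered_by_destination(text):
    """Count unanswered echo requests per destination host, so that a host
    that never answers through the firewall is easy to spot."""
    _, unanswered = pair_echoes(text)
    counts = {}
    for _src, dst, _ident, _seq in unanswered:
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    answered, unanswered = pair_echoes(SAMPLE_DEBUG)
    for key, (sif, dif) in answered.items():
        print(f"answered  {key} reply seen {sif} -> {dif}")
    for key in unanswered:
        print(f"no reply  {key}")
    print(unanswered_by_destination(SAMPLE_DEBUG))
```

With the sample trace the Internet ping is reported as answered while the three requests toward 10.34.31.221 and 10.34.31.254 are not, matching the capture on the thread that shows only outbound echo requests on the inside.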