Can't ping anything from a VPN client - ASA 5510

kevin.woodhouse
Level 1

Hi All,

I’ve seen similar posts to this problem and I still haven’t managed to crack it, so I thought I’d try my own post. I have a VPN client running on a laptop connected to a DSL circuit. The VPN client is configured correctly for an external address on another firewall; this external firewall passes through ISAKMP / IPSEC to an ASA where it terminates. The client authenticates and gets an address from the client pool (VPNCLIENTS – 10.2.16.x / 24) and the tunnel completes with no problems. From the internal ASA I can ping any internal network behind the 10.0.3.240 interface (INSIDE) and I have a route on the inside network to get to the 10.2.16/0 clients that points to this address (10.0.3.240). All good so far.

Now the problems begin. I can't ping anything from the VPN clients (10.2.16.0) network to anywhere; I can't ping any interface on the ASA or any internal network. I also can't ping the client from the ASA and therefore not from the internal network either. This configuration is a bare bones configuration, so I don’t even have the NAT exception rules added. Looking for advice to get this to work. Network diagram attached too.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.40.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 0
 ip address 10.0.3.240 255.255.254.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.2.16.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNCLIENTS 10.2.16.5-10.2.16.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-525.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
no threat-detection statistics tcp-intercept
route outside 0.0.0.0 0.0.0.0 192.168.40.100 1
route inside 10.0.0.0 255.0.0.0 10.0.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy testvpn internal
group-policy testvpn attributes
 dns-server value 10.31.2.189
 vpn-tunnel-protocol IPSec
 default-domain value xxxxxxxxxxx
username testvpnuser password xxxxxxxxxxx encrypted privilege 0
username testvpnuser attributes
 vpn-group-policy testvpn
username admin password GeamAtCaplZpZvZJ encrypted
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
 address-pool VPNCLIENTS
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map global_default
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7487f1fbd0ca1d6fec057ef8ae2600f
:

3 Replies

acomiskey
Level 10

Kevin,

My first recommendation would be to use another network for your vpn clients. You don't want it to overlap with your inside networks. Use something outside of 10.0.0.0/8 since you have a route in the ASA for this which points inside.
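As an added illustration of the overlap acomiskey describes (this is not code from the thread or from Cisco): a small Python check that parses the `ip local pool` and static `route` lines of an ASA config and flags any client pool whose longest-matching static route exits an interface other than the one the VPN terminates on. The config excerpt is constructed from the lines Kevin posted; the `outside` interface is assumed to be the one carrying the crypto map.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread (only the lines this check needs).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
ip local pool VPNCLIENTS 10.2.16.5-10.2.16.250 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.40.100 1
route inside 10.0.0.0 255.0.0.0 10.0.2.1 1
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_config(config):
    """Return (pools, routes): pools as [(name, network)], routes as [(iface, network, next_hop)]."""
    pools, routes = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            name, first, _last, mask = m.groups()
            # The pool's mask defines the network the clients will appear to come from.
            pools.append((name, ipaddress.ip_network(f"{first}/{mask}", strict=False)))
        elif m := ROUTE_RE.match(line):
            iface, dest, mask, next_hop = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{dest}/{mask}", strict=False), next_hop))
    return pools, routes


def find_pool_route_overlaps(config, vpn_iface="outside"):
    """Flag each pool whose longest-matching static route exits an interface other than
    the one the VPN terminates on (here the 10.2.16.0/24 pool sits under the 10/8 route to inside)."""
    pools, routes = parse_config(config)
    findings = []
    for name, pool in pools:
        covering = [r for r in routes if pool.subnet_of(r[1])]
        if not covering:
            continue
        best = max(covering, key=lambda r: r[1].prefixlen)  # longest prefix wins
        if best[0] != vpn_iface:
            findings.append((name, str(pool), best[0], str(best[1]), best[2]))
    return findings


if __name__ == "__main__":
    for name, pool, iface, net, nh in find_pool_route_overlaps(ASA_CONFIG):
        print(f"pool {name} ({pool}) is covered by route {net} via {nh} on interface {iface}")
```

Running it against the posted config reports the VPNCLIENTS pool as covered by the 10.0.0.0/8 route to inside; moving the pool out of 10.0.0.0/8, or adding a more specific route for it out the VPN interface, clears the finding.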

Thanks for the response.

Upon further investigation it seems echo requests destined to internal hosts are getting there; however, the replies are not getting back to the client. Could this be a simple case of traffic not originating from an inside to outside interface? I'm still not sure where VPN client traffic originates. The client pool is from the ASA; however, is traffic from this subnet originating from the client or from the ASA itself when the VPN is connected?

Good point about the client subnet and I will change it. There is a more specific route to this subnet, though, and that seems to be working fine; I do need to change it though.

UPDATE:

I can see ICMP traffic from an internal host hitting the ASA; however, no traffic is seen at the other end of the tunnel on the client. Can anyone suggest why traffic destined for the client is not being pushed down the tunnel?