cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2287
Views
0
Helpful
8
Replies

can't ping remote hosts

matrixitllc
Level 1
Level 1

Need help configuring ASA 5505 to be able to ping remote host.

Setup - We have a site-to-site (192.168.1.0/24 - 192.168.2.0/24) VPN setup with client VPN access (IP Pool, 172.16.50.0/24) on 192.168.1.0 ASA 5505.

Issue - Not able to ping host on 192.168.2.0 from VPN client 172.16.50.0 but  able to ping 192.168.1.0 host.

Thanks in advance for any input.

Matthew

8 Replies 8

As this traffic is entering and leaving the ASA on the same interface you need to allow hairpinning:

"same-security-traffic permit intra-interface"

Additionally the S2S-crypto-ACL must include the traffic from the Client-Pool to the remote-site.

Thanks for your feed back but can you explain in detail please.

Your traffic-flow looks like this:

1) RA-Client sends 172.16.50.x -> 192.168.2.y

2) ASA receives the traffic on the outside interface and wants to route the traffic to 192.168.2.y which is also reachable throug the outside interface. That is not allowed by default and is enabled with "same-security-traffic permit intra-interface".

3) When the ASA sends the packet to the remote-network, the ASA needs to now that this traffic has to be encrypted.

At the moment your crypto ACL (which you attach with crypto map NAME SEQ match ACL-NAME) probably only has the entry:

access-list ACL-NAME permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

This ACL has to include the traffic from the client to the remote site:

access-list ACL-NAME permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0

with these additions your VPN should work as expected.

I think I've done what you are saying but no luck. See below ACL. Thanks!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 VPN_IP_Pool 255.255.255.0

access-list NONAT extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

access-list 102 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list split standard permit 192.168.1.0 255.255.255.0

access-list split standard permit 192.168.2.0 255.255.255.0

access-list 103 extended permit tcp any host 64.115.97.123 eq 3389 inactive

access-list 103 extended permit tcp any host 64.115.97.124 eq 3389 inactive

access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 any

access-list 103 extended permit ip any any

access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

access-list 203 extended permit tcp any host 72.76.42.79 eq 3389

access-list 203 extended permit tcp any host 72.76.42.80 eq 3389

access-list 303 extended permit icmp any any

access-list outside_access_out extended permit ip any any

access-list outside_access_out extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

access-list Bkupisp_access_out extended permit ip any any

access-list Bkupisp_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit ip VPN_IP_Pool 255.255.255.0 192.168.1.0 255.255.255.0

access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit VPN_IP_Pool 255.255.255.0

access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 any

access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

without knowing where these ACLs are used it's not possible to know where the problem is. Please post your complete config.

Here you go. BTY, I appreciate your help very much!

Result of the command: "sh run"

: Saved

:

ASA Version 8.0(4)

!

hostname Spraytek-NJ

enable password OOoDSvttJA58UiK7 encrypted

passwd OOoDSvttJA58UiK7 encrypted

names

name 172.16.50.0 VPN_IP_Pool description VPN users IP pool

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.115.97.122 255.255.255.248

!

interface Vlan12

nameif backup-isp

security-level 1

ip address 108.35.117.139 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 12

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 VPN_IP_Pool 255.255.255.0

access-list NONAT extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

access-list 102 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list split standard permit 192.168.1.0 255.255.255.0

access-list split standard permit 192.168.2.0 255.255.255.0

access-list 103 extended permit tcp any host 64.115.97.123 eq 3389 inactive

access-list 103 extended permit tcp any host 64.115.97.124 eq 3389 inactive

access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 any

access-list 103 extended permit ip any any

access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

access-list 203 extended permit tcp any host 72.76.42.79 eq 3389

access-list 203 extended permit tcp any host 72.76.42.80 eq 3389

access-list 303 extended permit icmp any any

access-list outside_access_out extended permit ip any any

access-list outside_access_out extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

access-list Bkupisp_access_out extended permit ip any any

access-list Bkupisp_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit ip VPN_IP_Pool 255.255.255.0 192.168.1.0 255.255.255.0

access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit VPN_IP_Pool 255.255.255.0

access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 any

access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup-isp 1500

ip local pool Spray-Tek_VPN_IP_Pool 172.16.50.1-172.16.50.254 mask 255.255.255.0

ip local pool Spray-Tek_VPN_IP_Pool_BClass 192.168.1.170-192.168.1.180 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0_outbound

access-group inside_access_in in interface inside

access-group 103 in interface outside

access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 64.115.97.121 1 track 1

route backup-isp 0.0.0.0 0.0.0.0 108.35.117.1 254

route inside VPN_IP_Pool 255.255.255.0 192.168.1.1 255

route outside 192.168.2.0 255.255.255.0 192.168.1.1 1

route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 100

type echo protocol ipIcmpEcho 4.2.2.2 interface outside

timeout 3000

sla monitor schedule 100 life forever start-time now

crypto ipsec transform-set my-set esp-des esp-md5-hmac

crypto ipsec transform-set NORMAL esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 20 set pfs group1

crypto dynamic-map dynmap 20 set transform-set my-set

crypto dynamic-map dynmap 20 set security-association lifetime seconds 28800

crypto dynamic-map dynmap 20 set security-association lifetime kilobytes 4608000

crypto map MANAGED 10 match address 101

crypto map MANAGED 10 set peer 146.145.91.26

crypto map MANAGED 10 set transform-set NORMAL

crypto map MANAGED 10 set security-association lifetime seconds 28800

crypto map MANAGED 10 set security-association lifetime kilobytes 4608000

crypto map MANAGED 20 ipsec-isakmp dynamic dynmap

crypto map MANAGED interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption des

hash md5

group 2

lifetime 1000

crypto isakmp policy 40

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 100 reachability

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 146.145.0.0 255.255.0.0 outside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy Spray-Tek_VPN_Users internal

group-policy Spray-Tek_VPN_Users attributes

banner value All system access to Spray-Tek is for authorized users ONLY.

banner value If you are not an authorized user, please logout and disconnect IMMEDIATELY!!!

wins-server value 192.168.1.4 192.168.1.6

dns-server value 192.168.1.4 192.168.1.6

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Spray-Tek_VPN_Users_splitTunnelAcl

default-domain value spray-tek.mid

address-pools value Spray-Tek_VPN_IP_Pool

group-policy spraytech internal

group-policy spraytech attributes

vpn-tunnel-protocol webvpn

username bbullman password GwiT5qRPplm8Y1yM encrypted

username bbullman attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username edvr password 6aGmnrdggFUYLeaN encrypted

username edvr attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username dewandpc password N1eT7pkiwfZ5SXcu encrypted

username dewandpc attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username paulo password dxL0la/wakUYpJIb encrypted

username ashishg password Zbo2YZKvUHfcLCTN encrypted privilege 15

username ashishg attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-access-hours none

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username rambowski password Bhr0HmU4yWzfAaC7 encrypted

username rambowski attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username hkaswan password z6Cg93j5ZeeqAcse encrypted

username hkaswan attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username dpcinfo2 password ydjDfiftOZ4.yGja encrypted

username dpcinfo2 attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username michelleb password e/23OJYc2mI1qRLs encrypted

username michelleb attributes

vpn-group-policy Spray-Tek_VPN_Users

username dpcinfo1 password 0PJZOFw5BiV/.8BC encrypted

username dpcinfo1 attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username davidb password zGHKJsNnkJK03V8J encrypted

username davidb attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username daveb password OihwAsaXCIo0MUDs encrypted

username daveb attributes

vpn-group-policy Spray-Tek_VPN_Users

username johnm password E.e/Waknzi4K4MxL encrypted

username johnm attributes

vpn-group-policy Spray-Tek_VPN_Users

username administrator password rvq0wAiWaMfle6Yi encrypted privilege 15

username sunils password RVvZDEDOw8zX6QF5 encrypted privilege 15

username sunils attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username dbaadmin password mtxz5RXmRcGEUsFp encrypted

username dbaadmin attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username steve password z2mjHFq2ZNMzbGD1 encrypted

username steve attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username infotech password uIi7zsriJJjOAsP4 encrypted

username infotech attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username elgardo password tAqMQzyVQbS3IEnO encrypted

username elgardo attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username cisco password l1R8/I2gulShtAbs encrypted privilege 15

username cisco attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username neallu password q4oUMPOVJgWEg9G7 encrypted

username neallu attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-access-hours none

username matthewc password gzMv7mdkJPL1uqqv encrypted privilege 15

username matthewc attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username keiths password M3i5d4dyCafd0GQ9 encrypted

username keiths attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username jeitel password jzxCiuOgQ4cvSX16 encrypted

username jennifer password TD3l/SqRLAD074ja encrypted

username jennifer attributes

vpn-group-policy Spray-Tek_VPN_Users

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group 216.214.6.74 type ipsec-l2l

tunnel-group 216.214.6.74 ipsec-attributes

pre-shared-key *

tunnel-group 146.145.91.26 type ipsec-l2l

tunnel-group 146.145.91.26 ipsec-attributes

pre-shared-key *

tunnel-group spraytek type remote-access

tunnel-group spraytek general-attributes

default-group-policy spraytech

tunnel-group spraytek ipsec-attributes

pre-shared-key *

tunnel-group Spray-Tek_VPN_Users type remote-access

tunnel-group Spray-Tek_VPN_Users general-attributes

address-pool Spray-Tek_VPN_IP_Pool

default-group-policy Spray-Tek_VPN_Users

dhcp-server 192.168.1.4

dhcp-server 192.168.1.6

tunnel-group Spray-Tek_VPN_Users ipsec-attributes

pre-shared-key *

!

class-map sqlnet

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map sqlnet

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect xdmcp

  inspect sip 

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8f3db378fa46d51a6a378e34f225fe2f

: end

Do you have a local Cisco-Partner? The config is full of discrepancies and really should be completely revised.

For the VPN:

1) ACL 101 is used for the S2S-Tunnel:

> crypto map MANAGED 10 match address 101

> access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

here you nedd to add the traffic from the VPN-Pool to the remote-site:

access-list 101 extended permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0

2) For the VPN-Clients you use DES with MD-5. The security-margin to cleartext is not really big ...

> crypto ipsec transform-set my-set esp-des esp-md5-hmac

> crypto dynamic-map dynmap 20 set transform-set my-set

same for the isakmp-policy 20

3) If you want to ping to the other networks you should enable ICMP-Inspection:

policy-map global_policy

class inspection_default

  inspect icmp

4) you should get rid of the "nat-control" as that would make your NAT-config easier. With NAT-control you need to exempt the traffic from the remote-site to the VPN-Pool:

access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 VPN_IP_Pool 255.255.255.0

5) Your outgoing ACLs are not needed as they permit everything.

That's what I see what should be changed for your VPN-problem.

thanks for your help! This is beyond what I want to do so I will go look for a hire to do it right.

You can contact me directly if you have some ideas. matthew.chun@matrixitllc.com

Thanks!

Matthew