06-25-2012 06:01 AM
Need help configuring ASA 5505 to be able to ping remote host.
Setup - We have a site-to-site (192.168.1.0/24 - 192.168.2.0/24) VPN setup with client VPN access (IP Pool, 172.16.50.0/24) on 192.168.1.0 ASA 5505.
Issue - Not able to ping host on 192.168.2.0 from VPN client 172.16.50.0 but able to ping 192.168.1.0 host.
Thanks in advance for any input.
Matthew
06-25-2012 06:11 AM
As this traffic is entering and leaving the ASA on the same interface you need to allow hairpinning:
"same-security-traffic permit intra-interface"
Additionally the S2S-crypto-ACL must include the traffic from the Client-Pool to the remote-site.
06-25-2012 06:19 AM
Thanks for your feedback, but can you explain in detail please?
06-25-2012 06:36 AM
Your traffic-flow looks like this:
1) RA-Client sends 172.16.50.x -> 192.168.2.y
2) ASA receives the traffic on the outside interface and wants to route the traffic to 192.168.2.y which is also reachable through the outside interface. That is not allowed by default and is enabled with "same-security-traffic permit intra-interface".
3) When the ASA sends the packet to the remote-network, the ASA needs to know that this traffic has to be encrypted.
At the moment your crypto ACL (which you attach with crypto map NAME SEQ match ACL-NAME) probably only has the entry:
access-list ACL-NAME permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
This ACL has to include the traffic from the client to the remote site:
access-list ACL-NAME permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0
With these additions your VPN should work as expected.
06-25-2012 07:22 AM
I think I've done what you are saying but no luck. See below ACL. Thanks!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 VPN_IP_Pool 255.255.255.0
access-list NONAT extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list 103 extended permit tcp any host 64.115.97.123 eq 3389 inactive
access-list 103 extended permit tcp any host 64.115.97.124 eq 3389 inactive
access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 any
access-list 103 extended permit ip any any
access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
access-list 203 extended permit tcp any host 72.76.42.79 eq 3389
access-list 203 extended permit tcp any host 72.76.42.80 eq 3389
access-list 303 extended permit icmp any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
access-list Bkupisp_access_out extended permit ip any any
access-list Bkupisp_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip VPN_IP_Pool 255.255.255.0 192.168.1.0 255.255.255.0
access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit VPN_IP_Pool 255.255.255.0
access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
06-25-2012 08:00 AM
Without knowing where these ACLs are used it's not possible to know where the problem is. Please post your complete config.
06-25-2012 08:03 AM
Here you go. BTW, I appreciate your help very much!
Result of the command: "sh run"
: Saved
:
ASA Version 8.0(4)
!
hostname Spraytek-NJ
enable password OOoDSvttJA58UiK7 encrypted
passwd OOoDSvttJA58UiK7 encrypted
names
name 172.16.50.0 VPN_IP_Pool description VPN users IP pool
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.115.97.122 255.255.255.248
!
interface Vlan12
nameif backup-isp
security-level 1
ip address 108.35.117.139 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 VPN_IP_Pool 255.255.255.0
access-list NONAT extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list 103 extended permit tcp any host 64.115.97.123 eq 3389 inactive
access-list 103 extended permit tcp any host 64.115.97.124 eq 3389 inactive
access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 any
access-list 103 extended permit ip any any
access-list 103 extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
access-list 203 extended permit tcp any host 72.76.42.79 eq 3389
access-list 203 extended permit tcp any host 72.76.42.80 eq 3389
access-list 303 extended permit icmp any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
access-list Bkupisp_access_out extended permit ip any any
access-list Bkupisp_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip VPN_IP_Pool 255.255.255.0 192.168.1.0 255.255.255.0
access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Spray-Tek_VPN_Users_splitTunnelAcl standard permit VPN_IP_Pool 255.255.255.0
access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup-isp 1500
ip local pool Spray-Tek_VPN_IP_Pool 172.16.50.1-172.16.50.254 mask 255.255.255.0
ip local pool Spray-Tek_VPN_IP_Pool_BClass 192.168.1.170-192.168.1.180 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
access-group inside_access_in in interface inside
access-group 103 in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 64.115.97.121 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 108.35.117.1 254
route inside VPN_IP_Pool 255.255.255.0 192.168.1.1 255
route outside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
timeout 3000
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec transform-set NORMAL esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set pfs group1
crypto dynamic-map dynmap 20 set transform-set my-set
crypto dynamic-map dynmap 20 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 20 set security-association lifetime kilobytes 4608000
crypto map MANAGED 10 match address 101
crypto map MANAGED 10 set peer 146.145.91.26
crypto map MANAGED 10 set transform-set NORMAL
crypto map MANAGED 10 set security-association lifetime seconds 28800
crypto map MANAGED 10 set security-association lifetime kilobytes 4608000
crypto map MANAGED 20 ipsec-isakmp dynamic dynmap
crypto map MANAGED interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 100 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 146.145.0.0 255.255.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Spray-Tek_VPN_Users internal
group-policy Spray-Tek_VPN_Users attributes
banner value All system access to Spray-Tek is for authorized users ONLY.
banner value If you are not an authorized user, please logout and disconnect IMMEDIATELY!!!
wins-server value 192.168.1.4 192.168.1.6
dns-server value 192.168.1.4 192.168.1.6
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Spray-Tek_VPN_Users_splitTunnelAcl
default-domain value spray-tek.mid
address-pools value Spray-Tek_VPN_IP_Pool
group-policy spraytech internal
group-policy spraytech attributes
vpn-tunnel-protocol webvpn
username bbullman password GwiT5qRPplm8Y1yM encrypted
username bbullman attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username edvr password 6aGmnrdggFUYLeaN encrypted
username edvr attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username dewandpc password N1eT7pkiwfZ5SXcu encrypted
username dewandpc attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username paulo password dxL0la/wakUYpJIb encrypted
username ashishg password Zbo2YZKvUHfcLCTN encrypted privilege 15
username ashishg attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-access-hours none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username rambowski password Bhr0HmU4yWzfAaC7 encrypted
username rambowski attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username hkaswan password z6Cg93j5ZeeqAcse encrypted
username hkaswan attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username dpcinfo2 password ydjDfiftOZ4.yGja encrypted
username dpcinfo2 attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username michelleb password e/23OJYc2mI1qRLs encrypted
username michelleb attributes
vpn-group-policy Spray-Tek_VPN_Users
username dpcinfo1 password 0PJZOFw5BiV/.8BC encrypted
username dpcinfo1 attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username davidb password zGHKJsNnkJK03V8J encrypted
username davidb attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username daveb password OihwAsaXCIo0MUDs encrypted
username daveb attributes
vpn-group-policy Spray-Tek_VPN_Users
username johnm password E.e/Waknzi4K4MxL encrypted
username johnm attributes
vpn-group-policy Spray-Tek_VPN_Users
username administrator password rvq0wAiWaMfle6Yi encrypted privilege 15
username sunils password RVvZDEDOw8zX6QF5 encrypted privilege 15
username sunils attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username dbaadmin password mtxz5RXmRcGEUsFp encrypted
username dbaadmin attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username steve password z2mjHFq2ZNMzbGD1 encrypted
username steve attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username infotech password uIi7zsriJJjOAsP4 encrypted
username infotech attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username elgardo password tAqMQzyVQbS3IEnO encrypted
username elgardo attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username cisco password l1R8/I2gulShtAbs encrypted privilege 15
username cisco attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username neallu password q4oUMPOVJgWEg9G7 encrypted
username neallu attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-access-hours none
username matthewc password gzMv7mdkJPL1uqqv encrypted privilege 15
username matthewc attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username keiths password M3i5d4dyCafd0GQ9 encrypted
username keiths attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username jeitel password jzxCiuOgQ4cvSX16 encrypted
username jennifer password TD3l/SqRLAD074ja encrypted
username jennifer attributes
vpn-group-policy Spray-Tek_VPN_Users
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 216.214.6.74 type ipsec-l2l
tunnel-group 216.214.6.74 ipsec-attributes
pre-shared-key *
tunnel-group 146.145.91.26 type ipsec-l2l
tunnel-group 146.145.91.26 ipsec-attributes
pre-shared-key *
tunnel-group spraytek type remote-access
tunnel-group spraytek general-attributes
default-group-policy spraytech
tunnel-group spraytek ipsec-attributes
pre-shared-key *
tunnel-group Spray-Tek_VPN_Users type remote-access
tunnel-group Spray-Tek_VPN_Users general-attributes
address-pool Spray-Tek_VPN_IP_Pool
default-group-policy Spray-Tek_VPN_Users
dhcp-server 192.168.1.4
dhcp-server 192.168.1.6
tunnel-group Spray-Tek_VPN_Users ipsec-attributes
pre-shared-key *
!
class-map sqlnet
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map sqlnet
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect xdmcp
inspect sip
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f3db378fa46d51a6a378e34f225fe2f
: end
06-25-2012 09:01 AM
Do you have a local Cisco-Partner? The config is full of discrepancies and really should be completely revised.
For the VPN:
1) ACL 101 is used for the S2S-Tunnel:
> crypto map MANAGED 10 match address 101
> access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Here you need to add the traffic from the VPN-Pool to the remote-site:
access-list 101 extended permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0
2) For the VPN-Clients you use DES with MD-5. The security-margin to cleartext is not really big ...
> crypto ipsec transform-set my-set esp-des esp-md5-hmac
> crypto dynamic-map dynmap 20 set transform-set my-set
same for the isakmp-policy 20
3) If you want to ping to the other networks you should enable ICMP-Inspection:
policy-map global_policy
class inspection_default
inspect icmp
4) You should get rid of the "nat-control" as that would make your NAT-config easier. With nat-control you need to exempt the traffic from the remote-site to the VPN-Pool:
access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 VPN_IP_Pool 255.255.255.0
5) Your outgoing ACLs are not needed as they permit everything.
That's what I see that should be changed for your VPN-problem.
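The checks from the 06:36 AM walkthrough (hairpinning plus crypto-ACL coverage) and the five points listed above can be run mechanically against a saved "sh run". The Python script below is an added example written for this page; it is not code from any of the posts or from Cisco. It parses the ASA 8.0 syntax visible in the thread (name objects, extended ACLs, crypto maps and dynamic maps, nat 0 exemptions, ISAKMP policies) and reports which conditions are unmet. SAMPLE_CONFIG is a constructed excerpt of the posted config with the indentation stripped exactly as in the post; FIXES holds the lines the replies suggest; the finding codes and the WEAK_TRANSFORMS set are this script's own choices, not ASA terminology.

```python
"""Audit a Cisco ASA 8.x 'sh run' for the remote-access -> remote-site VPN conditions raised
in this thread. Added example, not code from the posts; SAMPLE_CONFIG is a constructed excerpt."""
import ipaddress
import re

SAMPLE_CONFIG = """\
name 172.16.50.0 VPN_IP_Pool description VPN users IP pool
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 extended permit tcp any host 64.115.97.123 eq 3389 inactive
access-list outside_nat0_outbound extended permit ip VPN_IP_Pool 255.255.255.0 any
nat (outside) 0 access-list outside_nat0_outbound
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec transform-set NORMAL esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set my-set
crypto map MANAGED 10 match address 101
crypto map MANAGED 10 set transform-set NORMAL
crypto map MANAGED 20 ipsec-isakmp dynamic dynmap
crypto isakmp policy 20
encryption des
hash md5
"""
# Lines the replies propose (hypothetical "after" state; 'inspect icmp' belongs under
# class inspection_default in global_policy, which this flattened line check does not verify).
FIXES = """\
access-list 101 extended permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 VPN_IP_Pool 255.255.255.0
inspect icmp
"""
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}  # DES / MD5, as called out above


def _endpoint(tokens, names):
    """Pop one ACE endpoint ('any', 'host X' or 'X MASK'), resolving 'name' objects."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse_config(text):
    """Return (lines, acls): stripped non-empty lines, and ACL name -> active extended ACEs."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    names = {n: a for a, n in re.findall(r"^name (\S+) (\S+)", "\n".join(lines), re.M)}
    acls = {}
    ace_re = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)")
    for m in filter(None, map(ace_re.match, lines)):
        tokens = m.group(4).split()
        if "inactive" not in tokens:  # the ASA ignores inactive ACEs, so the audit does too
            src, dst = _endpoint(tokens, names), _endpoint(tokens, names)
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), src, dst))
    return lines, acls


def covers(aces, src, dst):
    """True if some active 'permit ip' ACE fully contains src -> dst."""
    return any(act == "permit" and proto == "ip" and src.subnet_of(s) and dst.subnet_of(d)
               for act, proto, s, d in aces)


def audit(config_text, pool="172.16.50.0/24", remote="192.168.2.0/24"):
    """Return [(code, message), ...]; an empty list means every check passed."""
    lines, acls = parse_config(config_text)
    text = "\n".join(lines)
    pool_net, remote_net = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    findings = []
    # 1) Client -> remote-site traffic enters and leaves on 'outside': needs hairpinning.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append(("hairpin", "missing: same-security-traffic permit intra-interface"))
    # 2) A static crypto-map ACL must select pool -> remote, or the ASA will not encrypt it.
    match_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", text, re.M)
    if not any(covers(acls.get(a, []), pool_net, remote_net) for a in match_acls):
        findings.append(("crypto-acl", f"no crypto-map ACL permits ip {pool_net} -> {remote_net}"))
    # 3) Under nat-control, both directions arriving on 'outside' need a nat 0 exemption.
    nat0 = re.findall(r"^nat \(outside\) 0 access-list (\S+)$", text, re.M)
    for s, d in ((pool_net, remote_net), (remote_net, pool_net)):
        if not any(covers(acls.get(a, []), s, d) for a in nat0):
            findings.append(("nat0", f"nat (outside) 0 ACL lacks ip {s} -> {d}"))
    # 4) Without ICMP inspection the echo-reply is not matched back to its request.
    if "inspect icmp" not in lines:
        findings.append(("icmp", "missing: inspect icmp under class inspection_default"))
    # 5) DES / MD5 in a transform-set used by a (dynamic) crypto map, or in an ISAKMP policy.
    transforms = {n: set(t.split()) for n, t in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M)}
    policy = None
    for line in lines:
        m = re.match(r"crypto (?:dynamic-)?map (\S+ \d+) set transform-set (.+)", line)
        if m:
            for ts in m.group(2).split():
                weak = transforms.get(ts, set()) & WEAK_TRANSFORMS
                if weak:
                    findings.append(("weak-ipsec", f"{m.group(1)} uses {ts}: {' '.join(sorted(weak))}"))
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)  # the encryption/hash lines that follow belong to this policy
        elif policy and line in ("encryption des", "hash md5"):
            findings.append(("weak-isakmp", f"isakmp policy {policy}: {line}"))
    return findings
```

Calling audit(SAMPLE_CONFIG) reproduces the thread's diagnosis: ACL 101 does not select the pool, the outside nat 0 ACL lacks the 192.168.2.0/24 to pool entry, ICMP inspection is absent, and DES/MD5 appear in both the dynamic map's transform-set and ISAKMP policy 20. Appending FIXES clears the first three; the algorithm findings need new transform-set and ISAKMP choices rather than ACL changes. One caveat the script cannot check: the peer at the other end of the L2L tunnel must mirror the new crypto-ACL entry (192.168.2.0/24 to 172.16.50.0/24) or phase 2 for that traffic will not negotiate.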
06-25-2012 11:08 AM
Thanks for your help! This is beyond what I want to do so I will go look for a hire to do it right.
You can contact me directly if you have some ideas. matthew.chun@matrixitllc.com
Thanks!
Matthew