Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

conormcternan (Level 1)

I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.

Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.

I suspect it may be an issue with my firewall, but I am not really sure where to begin.

Here is a copy of my config; any pointers or tips are appreciated:

!
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
!
interface Ethernet0/0
switchport access vlan 400
!
interface Ethernet0/1
switchport access vlan 400
!
interface Ethernet0/2
switchport access vlan 420
!
interface Ethernet0/3
switchport access vlan 420
!
interface Ethernet0/4
switchport access vlan 450
!
interface Ethernet0/5
switchport access vlan 450
!
interface Ethernet0/6
switchport access vlan 500
!
interface Ethernet0/7
switchport access vlan 500
!
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
!
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address asa@unu-mc.org
logging recipient-address mcternan@unu.edu level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
!
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
!
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
!
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enable
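A quick configuration check for the symptom in this post (an added example, not code from the thread or from Cisco): it parses an excerpt of the posted config and reports two things a practitioner verifies first when a remote-access client connects but cannot reach LAN hosts: an address pool carved out of a directly connected subnet (which relies on the ASA answering ARP for pool addresses on that interface, something `sysopt noproxyarp inside` switches off) and pool addresses not covered by the `nat 0` exemption ACL. The `parse` and `check` helpers and the finding tuples are my own naming.

```python
import ipaddress
import re

# Excerpt of the configuration posted above (only the lines this check reads).
CONFIG = """\
interface Vlan500
 nameif inside
 ip address 192.168.0.1 255.255.255.0
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
sysopt noproxyarp inside
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect interface subnets, address pools, proxy-ARP state and nat 0 ACLs."""
    ifaces, pools, noproxy, acls, nat0, cur = {}, {}, set(), {}, {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"nameif (\S+)$", s):
            cur = m[1]                                   # interface name for the ip address that follows
        elif (m := re.match(r"ip address (\S+) (\S+)$", s)) and cur:
            ifaces[cur] = net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", s):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"sysopt noproxyarp (\S+)$", s):
            noproxy.add(m[1])
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", s):
            nat0[m[1]] = m[2]
        elif m := re.match(r"access-list (\S+) extended permit ip \S+( \S+)? (\S+) (\S+)$", s):
            acls.setdefault(m[1], []).append(net(m[3], m[4]))  # destination network of the ACE
    return ifaces, pools, noproxy, acls, nat0

def check(config):
    """Findings for 'client connects but cannot reach LAN hosts'; empty list means nothing flagged."""
    ifaces, pools, noproxy, acls, nat0 = parse(config)
    exempt = [n for name in nat0.values() for n in acls.get(name, [])]
    findings = []
    for pname, (lo, hi) in pools.items():
        for iname, subnet in ifaces.items():
            if lo in subnet and hi in subnet:
                # Pool inside a connected LAN: LAN hosts ARP for client addresses, so the
                # ASA must proxy-ARP on that interface; the last field says whether that is disabled.
                findings.append(("pool-in-lan", pname, iname, iname in noproxy))
        missing = [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)
                   if not any(ipaddress.ip_address(i) in n for n in exempt)]
        if missing:                                      # these client addresses would be NATed
            findings.append(("pool-not-nat-exempt", pname, missing))
    return findings

if __name__ == "__main__":
    for finding in check(CONFIG):
        print(finding)
```

On the excerpt both pools are flagged as lying inside the `inside` subnet with proxy ARP disabled there, while every pool address is covered by the exemption ACL.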

2 Replies

kthned (Level 3)

Hi Conor,

What is your local net? I see only one default route for the outside network. Don't you need a route inside for your local network?

Regards,

Umair

The local network would be "inside" and the "dmz" zones, so 192.168.0.X and 192.168.10.X respectively. 

Conor