Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

Hi,

I have an ASA 5510 with the configuration below. I have configured the ASA as a remote access VPN server with the Cisco VPN Client; my problem now is that I can connect but I can't ping.

Config

ciscoasa# sh run

: Saved

:

ASA Version 8.0(3)

!

hostname ciscoasa

enable password 5QB4svsHoIHxXpF/ encrypted

names

name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP

name xxx.xxx.xxx.xxx ISA_Server_second_external_IP

name xxx.xxx.xxx.xxx Mail_Server

name xxx.xxx.xxx.xxx IncomingIP

name xxx.xxx.xxx.xxx SAP

name xxx.xxx.xxx.xxx WebServer

name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold

name 192.168.2.2 isa_server_outside

!

interface Ethernet0/0

nameif outside

security-level 0

ip address IncomingIP 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.253 255.255.255.0

management-only

!

passwd 123

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

object-group service TCP_8081 tcp

port-object eq 8081

object-group service DM_INLINE_TCP_1 tcp

port-object eq 3389

port-object eq ftp

port-object eq www

port-object eq https

port-object eq smtp

port-object eq pop3

port-object eq 3200

port-object eq 3300

port-object eq 3600

port-object eq 3299

port-object eq 3390

port-object eq 50000

port-object eq 3396

port-object eq 3397

port-object eq 3398

port-object eq imap4

port-object eq 587

port-object eq 993

port-object eq 8000

port-object eq 8443

port-object eq telnet

port-object eq 3901

group-object TCP_8081

port-object eq 1433

port-object eq 3391

port-object eq 3399

port-object eq 8080

port-object eq 3128

port-object eq 3900

port-object eq 3902

port-object eq 7777

port-object eq 3392

port-object eq 3393

port-object eq 3394

port-object eq 3395

port-object eq 92

port-object eq 91

port-object eq 3206

port-object eq 8001

port-object eq 8181

port-object eq 7778

port-object eq 8180

port-object eq 22222

port-object eq 11001

port-object eq 11002

port-object eq 1555

port-object eq 2223

port-object eq 2224

object-group service RDP tcp

port-object eq 3389

object-group service 3901 tcp

description 3901

port-object eq 3901

object-group service 50000 tcp

description 50000

port-object eq 50000

object-group service Enable_Transparent_Tunneling_UDP udp

port-object eq 4500

access-list inside_access_in remark connection to SAP

access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP

access-list inside_access_in remark VPN Outgoing - PPTP

access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp

access-list inside_access_in remark VPN Outgoing - GRE

access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any

access-list inside_access_in remark VPN - GRE

access-list inside_access_in extended permit gre any any

access-list inside_access_in remark VPN Outgoing - IKE Client

access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp

access-list inside_access_in remark VPN Outgoing - IPSecNAT - T

access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500

access-list inside_access_in remark DNS Outgoing

access-list inside_access_in extended permit udp any any eq domain

access-list inside_access_in remark DNS Outgoing

access-list inside_access_in extended permit tcp any any eq domain

access-list inside_access_in remark Outoing Ports

access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any any eq pptp

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit gre any host Mail_Server

access-list outside_access_in extended permit tcp any host Mail_Server eq pptp

access-list outside_access_in extended permit esp any any

access-list outside_access_in extended permit ah any any

access-list outside_access_in extended permit udp any any eq isakmp

access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP

access-list VPN standard permit 192.168.2.0 255.255.255.0

access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 2 Mail_Server netmask 255.0.0.0

global (outside) 1 interface

global (inside) 2 interface

nat (inside) 0 access-list corp_vpn

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255

static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255

static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255

static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255

static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255

static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255

static (inside,outside) 192.168.2.0  access-list corp_vpn

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set transet esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10 set pfs

crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA

crypto map cryptomap 10 ipsec-isakmp dynamic dynmap

crypto map cryptomap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 192.168.2.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

dhcpd domain domain.local interface inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

tftp-server management 192.168.1.123 /

group-policy mypolicy internal

group-policy mypolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN

username vpdn password 123

username vpdn attributes

vpn-group-policy mypolicy

service-type remote-access

tunnel-group mypolicy type remote-access

tunnel-group mypolicy general-attributes

address-pool POOL

default-group-policy mypolicy

tunnel-group mypolicy ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

: end

Thank you very much.

Jan Rolny

Hi CHARALAMPOS,

please tell us what IP you cannot reach from VPN?

Regards,

Jan

Thank you very much for your reply.

My ASA setup is:

Interface eth0/0 - Public IP

Interface eth0/1 - 192.168.2.1/24

Interface management - 192.168.1.253/24

I can send packets through the Cisco VPN Client, but I can't receive from the 192.168.2.0/24 network.

Hi,

You probably need

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Your Split Tunnel and NAT0 configurations seem fine.

- Jouni

Hi,

I've put in the commands you told me, but it still doesn't work... Nevertheless, the RDP protocol works fine; I didn't check it before!

Thank you.

Hi,

I don't see anything else in the ASA configuration that could/should stop ICMP from going through both ways.

  • Split Tunnel is configured correctly so ICMP should reach from VPN Client user to LAN
  • NAT0 is configured between LAN and VPN Client Pool
  • ICMP Inspection is now configured correctly

There is always the possibility that the actual host is blocking the ICMP. So try to ping multiple hosts.

Also you should be able to try this command out

management-access inside

This will enable ICMP to the "inside" interface IP address and even management connections to the ASA "inside" interface IP address through the VPN Client connection. Naturally for the management to work you have to allow it otherwise also.

With that command enabled you could try to ping the ASA "inside" interface IP address through the VPN Client.

Hope this helps

- Jouni

Hi,

Thank you very much for your reply. I've already checked some other hosts, but still the same problem. Also I can't see the SMB Windows shares etc. I've checked the Windows firewall and it's disabled.

I've put this command, management-access inside, into the configuration, but I can't access the ASA through it.

Hi,

You seem to have 2 NAT configurations related to the VPN

The NAT0 configuration and a Static Policy NAT

static (inside,outside) 192.168.2.0  access-list corp_vpn

Though in this case the NAT0 configurations should override this NAT.

Have you confirmed that the traffic from the VPN client user comes through the VPN all the way to the ASA? I just can't see anything wrong with the configurations.

Sometimes it's possible that if the computer is connected to both wired and wireless networks, the traffic won't get forwarded correctly from the VPN Client.

I guess you could try this on the ASA if you can while you are connected with VPN Client.

First check the IP address allocated for your VPN Client. Then use the "packet-tracer" command and see if it gives any useful information (you can copy/paste it here).

packet-tracer input outside icmp 8 0

Though, as you have yourself stated, RDP already works through the VPN Client connection, so the VPN should already be working. I am not sure what the problem with ICMP is.

You are talking about file shares also? If this is based on broadcast traffic for the devices to locate each other, then this won't work through a VPN Client connection. I would imagine you should be able to map drives though.

Your ASA doesn't currently have any rule that should block traffic coming through the VPN. Actually you have the global setting active which allows all traffic from the VPN connection through the "outside" interface ACL.

- Jouni

Hi,

Thank you very much for your reply. Yes, I've tested, and the traffic for RDP works well; also, the VPN Client statistics show the VPN packets.

I've checked from my laptop with the Cisco VPN Client over Wi-Fi but also over wire (one connection each time).

Yes, I've also got a problem with shares, but I am trying to access the shares through the IP address, not via NetBIOS.

I am going to try this command, "packet-tracer input outside icmp 8 0", and I will post the output if there is any.

Thanks a lot.

Here is the output:

ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0  access-list corp_vpn
nat-control
  match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
    static translation to 192.168.2.0
    translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0  access-list corp_vpn
nat-control
  match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
    static translation to 192.168.2.0
    translate_hits = 0, untranslate_hits = 140
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
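As an added illustration (not from the thread and not a Cisco tool), a small Python parser for packet-tracer output of the shape posted above: it splits the phases, finds the first DROP phase and lists the NAT rules the flow matched on its way there, which is the correlation the replies draw by eye. The sample output below is a constructed excerpt of the posted trace.

```python
import re
# Constructed sample, modelled on the packet-tracer output posted above (last two phases only).
SAMPLE = """\
Phase: 10
Type: NAT
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0  access-list corp_vpn
nat-control
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

HEADER = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final Result dict."""
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":", 1)[1]), "config": []}
            in_config = False  # are we inside the multi-line Config: section?
            for line in lines[1:]:
                m = HEADER.match(line)
                if m and m.group(1) == "Config":
                    in_config = True
                elif m:
                    in_config = False
                    if m.group(1) != "Additional Information":
                        phase[m.group(1).lower()] = m.group(2).strip()
                elif in_config:
                    phase["config"].append(line.strip())
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                result[key.strip()] = value.strip()
    return phases, result

def triage(text):
    """Report the first DROP phase and every NAT rule the flow matched before reaching it."""
    phases, result = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    nat_rules = [c for p in phases if p.get("type") in ("NAT", "UN-NAT")
                 for c in p["config"] if c.startswith(("static ", "nat "))]
    return {"action": result.get("Action"), "drop_reason": result.get("Drop-reason"),
            "phase": drop["phase"] if drop else None, "type": drop.get("type") if drop else None,
            "config": drop["config"] if drop else [], "nat_rules_hit": nat_rules}
```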

Hi,

For some reason it gives an ACL DROP Phase. I imagine this is in no way related to any actual ACL but something else is blocking the traffic.

I guess we could try to remove the unusual NAT configuration and leave the NAT0 configuration and try again.

no static (inside,outside) 192.168.2.0  access-list corp_vpn

The above NAT configuration should not be needed as you already have this

access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list corp_vpn

Try to remove the "static" configuration and testing again

- Jouni
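An added check (not part of the thread or of any Cisco tool) that finds the root cause discussed above in an ASA 8.0-style configuration: it parses the address pool, the nat 0 exemption and static policy NAT lines, and reports a static that reuses the NAT-exemption ACL, as well as a VPN pool that no nat 0 ACL covers. The configuration excerpt is constructed from the lines posted above.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the posted configuration: only the lines that decide how
# traffic between the LAN and the VPN client pool is translated.
CONFIG = """\
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.2.0  access-list corp_vpn
"""

NAT0 = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
STATIC_POLICY = re.compile(r"^static \((\w+),(\w+)\) (\S+)\s+access-list (\S+)")
ACL_IP = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)")

def audit_vpn_nat(config):
    """Return findings about how the VPN client pool is (or is not) exempted from NAT."""
    nat0, statics, acls, pools = {}, [], {}, []
    for line in config.splitlines():
        if m := NAT0.match(line):
            nat0[m.group(2)] = m.group(1)            # ACL name -> interface
        elif m := STATIC_POLICY.match(line):
            statics.append(m.groups())              # (in_if, out_if, mapped, ACL)
        elif m := ACL_IP.match(line):
            pair = (ip_network(f"{m.group(2)}/{m.group(3)}"),
                    ip_network(f"{m.group(4)}/{m.group(5)}"))
            acls.setdefault(m.group(1), []).append(pair)
        elif m := POOL.match(line):
            pools.append((m.group(1), ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)))
    findings = []
    # 1. Every VPN pool should be the destination of some NAT-exemption ("nat 0") ACE.
    for name, net in pools:
        covered = any(net.subnet_of(dst) for acl in nat0 for _, dst in acls.get(acl, []))
        if not covered:
            findings.append(f"pool {name} ({net}) is not exempted from NAT by any nat 0 ACL")
    # 2. A static policy NAT reusing the nat 0 ACL is redundant with the exemption; in the
    #    thread above it was the rule packet-tracer showed before the implicit acl-drop.
    for in_if, out_if, mapped, acl in statics:
        if acl in nat0:
            findings.append(f"static ({in_if},{out_if}) {mapped} access-list {acl} overlaps "
                            f"nat ({nat0[acl]}) 0 access-list {acl}; remove the static")
    return findings
```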

Hi,

Thank you very much for your reply. This fixed the problem..!

no static (inside,outside) 192.168.2.0 access-list corp_vpn

Thank you very much all for your help..!

Hi,

Glad that it's working now.

The best way to thank here on the CSC is to mark the replies that answered your question as the correct answer and rate helpful answers. You can do so by using the button that is at the bottom of the reply.

It might also help someone else find the solution in the long run

Please take the time to do that

- Jouni

Done! Thanks again!

No problem

Thanks for rating, much appreciated.

- Jouni