03-06-2013 03:31 AM
I am using 2 Cisco ASA 5505 routers. I have established a VPN between them but I can't ping the client's internal or outside interface; the client can ping my outside interface. The only configuration on the client is basic Easy VPN settings and interfaces. Here is the server part configuration on my side:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 10.1.2.0 255.255.255.0
object network outside
subnet 10.1.3.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit object-group DM_INLINE_PROTOCOL_2 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.1.3.0 255.255.255.0 echo-reply inside
icmp permit any inside
icmp permit any outside
icmp permit 10.1.3.0 255.255.255.0 echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static outside outside destination static inside inside no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface
access-group global_access global
route inside 0.0.0.0 0.0.0.0 10.1.3.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname *********
vpdn group iskon ppp authentication pap
vpdn username ***** password *****
dhcpd auto_config outside
!
dhcpd address 10.1.2.5-10.1.2.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
vpn-session-timeout none
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f2923b78a04ee8cfe9324e3e2733d78
03-06-2013 05:58 AM
If I understand you correctly, you've successfully established a tunnel between one 5505 acting as EzVPN server and the other 5505 acting as EzVPN client in network-extension mode.
Everything is fine with tunnel establishment, but you can't ping the outside IP of your client device. You mean the public outside IP?
Isn't that device behind NAT? What IP are you trying to ping? It's certainly reachable from the server device, otherwise the tunnel wouldn't establish. Only thing: maybe it's behind NAT.
About pinging the inside interface: probably you can use the command management-access inside. But I'm not sure it'll work on the client device, though it should.
03-06-2013 06:42 AM
The VPN is established but the 2 ASA devices can't ping each other, and a PC on the client side can't ping a PC on the server side and vice versa. I added management-access inside on the server and client side, but then only the client can ping the router gateway of the server, not the inside interface.
03-06-2013 07:19 AM
SOLVED!!! I just needed to configure NAT. Here is the configuration for anyone with the same problem:
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ladimirevci
subnet 10.1.2.0 255.255.255.0
object network lekenik
subnet 10.1.3.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 101 extended permit ip object lekenik object ladimirevci
access-list 101 extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object lekenik object ladimirevci
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object ladimirevci object lekenik
access-list inside_access_in extended permit ip object lekenik object ladimirevci
access-list inside_access_in extended permit ip any any
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip object lekenik object ladimirevci
access-list global_access extended permit ip object ladimirevci object lekenik
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static ladimirevci ladimirevci destination static lekenik lekenik
!
object network obj_any
nat (inside,outside) dynamic interface dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set pfs
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto dynamic-map DYN-MAP 5 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname vivaindo@iskon-dsl
vpdn group iskon ppp authentication pap
vpdn username vivaindo@iskon-dsl password *****
dhcpd auto_config outside
!
dhcpd address 10.1.2.5-10.1.2.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-clientless
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-lock value VPN-TUNNEL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ddac35422ebbf57095be7a1d33b0b67d
: end
asdm image disk0:/asdm-712.bin
no asdm history enable
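An added example (my own, not code from the thread or from Cisco): a small Python check that reads an ASA configuration like the solved one above and confirms that the subnet pairs in the split-tunnel ACL (101 here) are covered by a twice-NAT identity rule, so the per-interface dynamic PAT cannot rewrite tunnel traffic; it also flags "no sysopt connection permit-vpn", "permit ip any any" ACLs and management access opened to 0.0.0.0, all of which the solved config carries. The sample lines are constructed from the thread's config and the function names are mine.

```python
import re

# Constructed sample: the NAT, ACL and management lines from the solved ASA config above.
SAMPLE = """\
object network ladimirevci
 subnet 10.1.2.0 255.255.255.0
object network lekenik
 subnet 10.1.3.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list outside_access_in extended permit ip any any
nat (any,any) source static ladimirevci ladimirevci destination static lekenik lekenik
no sysopt connection permit-vpn
telnet 0.0.0.0 0.0.0.0 inside
"""

def parse_objects(cfg):
    """Map each 'object network NAME' to the 'net mask' of its indented subnet line."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif cur and (m := re.match(r"\s+subnet (\S+ \S+)", line)):
            objs[cur] = m.group(1)
    return objs

def identity_nat_pairs(cfg, objs):
    """Subnet pairs exempted by twice-NAT identity rules; static rules apply in both directions."""
    pat = r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    pairs = set()
    for a, b, c, d in re.findall(pat, cfg):
        if a == b and c == d and a in objs and c in objs:
            pairs.update({(objs[a], objs[c]), (objs[c], objs[a])})
    return pairs

def crypto_acl_pairs(cfg, acl):
    """Subnet pairs named by the interesting-traffic / split-tunnel ACL."""
    return set(re.findall(rf"access-list {acl} extended permit ip (\S+ \S+) (\S+ \S+)", cfg))

def audit(cfg, acl="101"):
    """Return findings: VPN traffic that dynamic PAT would rewrite, plus over-broad rules."""
    missing = crypto_acl_pairs(cfg, acl) - identity_nat_pairs(cfg, parse_objects(cfg))
    findings = [f"no identity NAT for {s} -> {d}; dynamic PAT will rewrite it" for s, d in sorted(missing)]
    if re.search(r"^no sysopt connection permit-vpn", cfg, re.M):
        findings.append("sysopt permit-vpn is off: interface ACLs must explicitly permit tunnelled traffic")
    for m in re.finditer(r"^access-list (\S+) extended permit ip any any", cfg, re.M):
        findings.append(f"ACL {m.group(1)} permits ip any any; scope it to the VPN subnets")
    for m in re.finditer(r"^(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        findings.append(f"{m.group(1)} management open to every host on {m.group(2)}")
    return findings
```

Run audit() over the full running config (pasted as a string) to see the same checks against every ACL and NAT rule it contains.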