Beginner

Client VPN gets connected but can't ping LAN servers

Cisco ASA 5520-K9

ASA Version 8.4(4)1
!
hostname LExfielawASA5520
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name lexfieldlaw.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network
 subnet 192.168.0.0 255.255.0.0
! NOTE: these two objects are 172.18.x, but the address pools further down are
! 172.16.30.0/24 and 172.16.31.0/24; object-group "vpn" is what the NAT-exempt rule matches on
object network vpn1-address
 subnet 172.18.30.0 255.255.255.0
object network vpn2-address
 subnet 172.18.31.0 255.255.255.0
object-group network vpn
 network-object object vpn1-address
 network-object object vpn2-address
access-list 50 standard permit any
! NOTE: ACL 60 is applied inbound on outside; "permit ip any any" admits everything,
! so the icmp/tcp/udp lines are redundant
access-list 60 extended permit icmp any any
access-list 60 extended permit ip any any
access-list 60 extended permit tcp any any
access-list 60 extended permit udp any any
! NOTE: the destination here is the 172.16.31.0/24 pool, not the 172.18.x objects above
access-list split-tunnel extended permit ip 192.168.0.0 255.255.128.0 172.16.31.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 172.16.30.2-172.16.30.250 mask 255.255.255.0
ip local pool vpn-pool-yuangong 172.16.31.5-172.16.31.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! NOTE: manual NAT is evaluated top down, first match. The identity (NAT-exempt) rule only
! matches destinations in object-group "vpn" (172.18.x); LAN replies towards the
! 172.16.30.x/172.16.31.x clients therefore fall through to the interface PAT rule
nat (inside,outside) source static inside-network inside-network destination static vpn vpn
nat (inside,outside) source dynamic inside-network interface
access-group 60 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.0.0 255.255.128.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set test esp-aes esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set test
crypto dynamic-map dyn1 10 set reverse-route
crypto map crymap 10 ipsec-isakmp dynamic dyn1
crypto map crymap interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp reload-wait
crypto ikev1 enable outside
! NOTE: 3DES, MD5 and DH group 2 are weak by current standards
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
console timeout 0
dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! NOTE: single DES for SSL is weak
ssl encryption des-sha1
webvpn
group-policy clientvpn1 internal
group-policy clientvpn1 attributes
 dns-server value 192.168.0.12
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username aaa password iEykhCQ1TmA9FWQG encrypted
! NOTE: this tunnel-group hands out vpn-pool-yuangong (172.16.31.x); vpn-pool is not referenced
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool vpn-pool-yuangong
 default-group-policy clientvpn1
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f8ee1379f1feeeb1228207b52ad521f5
: end

Cisco VPN Client 5.007.0440-k9 + Windows 7 x64

The client can connect to the ASA and gets an IP address (172.168.31.X), but it can't ping the ASA inside interface IP address or the other servers in the LAN.

Could you do me a favor and help fix this issue? Please tell me what's wrong. Thanks!

2 REPLIES

Mentor

Hi,

Can you try the following changes to your configuration and try again?

Make a new Split Tunnel ACL

access-list split-tunnel-acl standard permit 192.168.0.0 255.255.128.0

Remove the old Split Tunnel ACL and add the new one under the "group-policy"

group-policy clientvpn1 attributes

no split-tunnel-network-list value split-tunnel

split-tunnel-network-list value split-tunnel-acl

Add ICMP Inspection on the ASA

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni

Beginner

Hi,my friend,

I tried it and it still doesn't work. I think the new ACL is the same as the old one.

Who can help me fix it?

Tom
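The thread ends unresolved, and the split-tunnel change above made no difference, which is what you would expect if the problem is in NAT rather than in the split list: in the posted config the NAT-exempt rule matches destinations in object-group vpn (172.18.30.0/24 and 172.18.31.0/24), but the address pools actually handed to clients are 172.16.30.0/24 and 172.16.31.0/24. Because ASA 8.3+ manual NAT is first-match top down, a LAN host's reply to 172.16.31.x misses the identity rule and is PAT'd to the outside interface by the second rule, so it never comes back through the tunnel. The checker below is an added example, not code from the thread or from Cisco: it parses just the statements involved (copied from the posted config), simulates the NAT lookup for a LAN host's reply to each pool, and generates the ASA commands that add the missing pool subnets to the exemption group. The LAN host 192.168.0.12 is taken from the config's dns-server value as a representative inside address, and the generated object names (`<pool>-net`) are an assumption; correcting the two existing vpn1-address/vpn2-address objects to 172.16.30.0/24 and 172.16.31.0/24 in place is an equivalent fix.

```python
"""Cross-check ASA address pools against the NAT-exempt (identity) rule.

Added example; the parser is hand-written for exactly the statement forms that
appear in the posted config and understands nothing else.
"""
import ipaddress
import re

# Statements copied from the posted running-config (only the ones the check needs).
POSTED_CONFIG = """\
object network inside-network
 subnet 192.168.0.0 255.255.0.0
object network vpn1-address
 subnet 172.18.30.0 255.255.255.0
object network vpn2-address
 subnet 172.18.31.0 255.255.255.0
object-group network vpn
 network-object object vpn1-address
 network-object object vpn2-address
ip local pool vpn-pool 172.16.30.2-172.16.30.250 mask 255.255.255.0
ip local pool vpn-pool-yuangong 172.16.31.5-172.16.31.200 mask 255.255.255.0
nat (inside,outside) source static inside-network inside-network destination static vpn vpn
nat (inside,outside) source dynamic inside-network interface
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")


def parse(config):
    """Return (objects, groups, pools, nats) from the ASA syntax subset used here."""
    objects, groups, pools, nats = {}, {}, {}, []
    block = None                      # (kind, name) of the indented block being filled
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # any top-level statement closes the current block
            block = None
        if line.startswith("object network "):
            block = ("object", line.split()[2])
        elif line.startswith("object-group network "):
            block = ("group", line.split()[2])
            groups.setdefault(block[1], [])   # re-entering a group appends to it, as on the ASA
        elif block and block[0] == "object" and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[block[1]] = ipaddress.ip_network(f"{net}/{mask}")
        elif block and block[0] == "group" and line.startswith("network-object object "):
            groups[block[1]].append(line.split()[2])
        elif line.startswith("ip local pool "):
            name, first, last, mask = POOL_RE.match(line).groups()
            # The pool's "mask" keyword gives the subnet the pool lives in.
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last),
                           ipaddress.ip_network(f"{first}/{mask}", strict=False))
        elif line.startswith("nat ("):
            nats.append(NAT_RE.match(line).groups())
    return objects, groups, pools, nats


def resolve(name, objects, groups):
    """Expand an object or object-group name into the list of networks it covers."""
    if name in objects:
        return [objects[name]]
    return [n for member in groups.get(name, []) for n in resolve(member, objects, groups)]


def nat_action(src, dst, objects, groups, nats):
    """First-match evaluation of the manual (section 1) NAT rules for a packet
    entering on inside. Returns 'identity', 'pat-to-interface', 'translated' or 'untranslated'."""
    for _in, _out, kind, real_src, mapped_src, real_dst, _mapped_dst in nats:
        if not any(src in n for n in resolve(real_src, objects, groups)):
            continue
        if real_dst and not any(dst in n for n in resolve(real_dst, objects, groups)):
            continue
        if kind == "static" and real_src == mapped_src:
            return "identity"
        if kind == "dynamic" and mapped_src == "interface":
            return "pat-to-interface"
        return "translated"
    return "untranslated"


def check_pools(config, lan_host="192.168.0.12"):
    """Simulate the LAN host's reply to the first address of every pool and report
    the NAT action per pool; anything other than 'identity' breaks the VPN."""
    objects, groups, pools, nats = parse(config)
    lan = ipaddress.ip_address(lan_host)
    return {name: nat_action(lan, first, objects, groups, nats)
            for name, (first, _last, _net) in pools.items()}


def fix_commands(config, group="vpn"):
    """Return the ASA commands that add each pool subnet not yet covered by the
    exemption object-group. Object names '<pool>-net' are an assumption."""
    objects, groups, pools, _nats = parse(config)
    covered = resolve(group, objects, groups)
    cmds = []
    for name, (_first, _last, net) in pools.items():
        if any(net.subnet_of(c) for c in covered):
            continue
        obj = f"{name}-net"
        cmds += [f"object network {obj}",
                 f" subnet {net.network_address} {net.netmask}",
                 f"object-group network {group}",
                 f" network-object object {obj}"]
    return cmds


if __name__ == "__main__":
    print("posted config:", check_pools(POSTED_CONFIG))
    fix = fix_commands(POSTED_CONFIG)
    print("\n".join(fix))
    print("after fix:", check_pools(POSTED_CONFIG + "\n".join(fix) + "\n"))
```

On the box itself the same lookup can be confirmed with `packet-tracer input inside icmp 192.168.0.12 8 0 172.16.31.10`, whose NAT phase should show the identity rule rather than the dynamic PAT. Two further things the thread does not cover: pinging the ASA's own inside interface address through the tunnel additionally needs `management-access inside`, and the `permit ip any any` ACL on outside plus the 3DES/MD5 IKEv1 policy and DES SSL cipher in the posted config are separate hardening issues that do not affect reachability.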