Client VPN can get connected but can't ping the LAN's server

mengxi zhang
Level 1

CISCO ASA 5520-K9

ASA Version 8.4(4)1
!
hostname LExfielawASA5520
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address a.b.c.d  255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name lexfieldlaw.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.0.0 255.255.0.0
object network vpn1-address
subnet 172.18.30.0 255.255.255.0
object network vpn2-address
subnet 172.18.31.0 255.255.255.0
object-group network vpn
network-object object vpn1-address
network-object object vpn2-address
access-list 50 standard permit any
access-list 60 extended permit icmp any any
access-list 60 extended permit ip any any
access-list 60 extended permit tcp any any
access-list 60 extended permit udp any any
access-list split-tunnel extended permit ip 192.168.0.0 255.255.128.0 172.16.31.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 172.16.30.2-172.16.30.250 mask 255.255.255.0
ip local pool vpn-pool-yuangong 172.16.31.5-172.16.31.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static vpn vpn
nat (inside,outside) source dynamic inside-network interface
access-group 60 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.0.0 255.255.128.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set test esp-aes esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set test
crypto dynamic-map dyn1 10 set reverse-route
crypto map crymap 10 ipsec-isakmp dynamic dyn1
crypto map crymap interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp reload-wait
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
console timeout 0
dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy clientvpn1 internal
group-policy clientvpn1 attributes
dns-server value 192.168.0.12
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
username aaa password iEykhCQ1TmA9FWQG encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool vpn-pool-yuangong
default-group-policy clientvpn1
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f8ee1379f1feeeb1228207b52ad521f5
: end

Cisco VPN Client 5.007.0440-k9 + Win7 x64

The client can connect to the ASA and gets an IP address (172.168.31.X), but it can't ping the ASA inside interface IP address or the other servers in the LAN.

Could you do me a favor and fix this issue? Please tell me what is wrong, thanks!
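The posted config already shows the mismatch worth checking first. The two address pools are 172.16.30.0/24 and 172.16.31.0/24, but the NAT-exempt rule ("nat (inside,outside) source static inside-network inside-network destination static vpn vpn") references object-group vpn, whose members vpn1-address and vpn2-address are 172.18.30.0/24 and 172.18.31.0/24. On ASA 8.3+ NAT, that identity rule never matches a VPN client address, so LAN-to-client traffic that is not already in the connection table (ICMP echo replies without icmp inspection, and anything the LAN side initiates) falls through to the dynamic PAT rule on the outside interface instead of returning through the tunnel untranslated. The script below is an added example, not part of the original thread and not a Cisco tool: it parses the relevant ASA 8.3+ lines (the embedded excerpt is copied from the config above, trimmed to the lines the check needs) and reports which "ip local pool" ranges are not fully covered by an identity-NAT destination object, together with the network an exemption object would have to cover. The function and variable names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted in this thread (only the lines
# the check needs; the real config is longer).
ASA_CONFIG = """\
object network inside-network
 subnet 192.168.0.0 255.255.0.0
object network vpn1-address
 subnet 172.18.30.0 255.255.255.0
object network vpn2-address
 subnet 172.18.31.0 255.255.255.0
object-group network vpn
 network-object object vpn1-address
 network-object object vpn2-address
ip local pool vpn-pool 172.16.30.2-172.16.30.250 mask 255.255.255.0
ip local pool vpn-pool-yuangong 172.16.31.5-172.16.31.200 mask 255.255.255.0
nat (inside,outside) source static inside-network inside-network destination static vpn vpn
nat (inside,outside) source dynamic inside-network interface
"""


def _net(addr, mask):
    # ipaddress accepts dotted netmasks as well as prefix lengths; strict=False
    # normalizes a host address such as 172.16.31.5/24 to its network.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect network objects, object-groups, ip local pools and the destination
    networks of identity ("NAT exempt") twice-NAT rules in ASA 8.3+ syntax."""
    objects, groups, pools, exempt = {}, {}, {}, []
    current = None  # (kind, name) of the object / object-group stanza being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate the blank lines forum extraction adds between config lines
        if m := re.match(r"object network (\S+)$", line):
            current = ("object", m.group(1))
            objects[m.group(1)] = []
        elif m := re.match(r"object-group network (\S+)$", line):
            current = ("group", m.group(1))
            groups[m.group(1)] = []
        elif current and current[0] == "object" and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[current[1]].append(_net(*m.groups()))
        elif current and current[0] == "object" and (m := re.match(r"host (\S+)$", line)):
            objects[current[1]].append(_net(m.group(1), 32))
        elif current and current[0] == "group" and (m := re.match(r"network-object object (\S+)$", line)):
            groups[current[1]].extend(objects.get(m.group(1), []))
        elif current and current[0] == "group" and (m := re.match(r"network-object (\S+) (\S+)$", line)):
            groups[current[1]].append(_net(*m.groups()))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            name, first, last, mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last), _net(first, mask))
            current = None
        elif m := re.match(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            src_real, src_mapped, dst_real, dst_mapped = m.groups()
            # Identity NAT on both source and destination is the 8.3+ form of NAT exemption.
            if src_real == src_mapped and dst_real == dst_mapped:
                exempt.extend(groups.get(dst_real) or objects.get(dst_real, []))
            current = None
        else:
            current = None  # any other line ends the current stanza
    return objects, groups, pools, exempt


def exempt_destinations(text):
    """Networks that identity-NAT rules exempt as destinations, as strings."""
    return sorted(str(n) for n in parse_config(text)[3])


def pool_exemption_report(text):
    """For each pool: is every assignable address covered by an exempt destination
    network, which address is the first uncovered one, and which network an
    exemption object would need to cover (the pool's own mask)."""
    _, _, pools, exempt = parse_config(text)
    report = {}
    for name, (first, last, pool_net) in pools.items():
        uncovered = [
            str(ipaddress.ip_address(i))
            for i in range(int(first), int(last) + 1)
            if not any(ipaddress.ip_address(i) in n for n in exempt)
        ]
        report[name] = {
            "covered": not uncovered,
            "first_uncovered": uncovered[0] if uncovered else None,
            "needs_exempt_object": str(pool_net),
        }
    return report


if __name__ == "__main__":
    for pool, info in pool_exemption_report(ASA_CONFIG).items():
        status = "OK" if info["covered"] else f"NOT exempt (e.g. {info['first_uncovered']})"
        print(f"{pool}: {status}; exemption object must cover {info['needs_exempt_object']}")
```

Run against the excerpt it reports both pools as not exempt and names 172.16.30.0/24 and 172.16.31.0/24 as the networks the vpn1-address and vpn2-address objects would need to cover; with those two objects changed to the 172.16.x subnets the same check passes. Two caveats when testing the fix: pinging the ASA's own inside interface from a VPN client additionally requires "management-access inside", which the posted config does not have, and without "inspect icmp" the ASA creates no connection entry for echo requests, so echo replies are evaluated as new inside-to-outside traffic. Unrelated to the ping problem but visible in the same config, access-list 60 admits any IP traffic inbound on outside and the IKEv1 policy is 3DES with MD5; both are worth tightening.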

2 Replies

Jouni Forss
VIP Alumni

Hi,

Can you try the following changes to your configuration and try again.

Make a new split tunnel ACL:

access-list split-tunnel-acl standard permit 192.168.0.0 255.255.128.0

Remove the old split tunnel ACL and add the new one under the "group-policy":

group-policy clientvpn1 attributes
no split-tunnel-network-list value split-tunnel
split-tunnel-network-list value split-tunnel-acl

Add ICMP inspection on the ASA:

policy-map global_policy
class inspection_default
  inspect icmp
  inspect icmp error

- Jouni

Hi, my friend,

I tried it and it still doesn't work. I think the new ACL is the same as the old one.

Who can help me fix it?

Tom
