IPsec VPN Client in ASA 9.02

derict
Level 1

Hi All,

I'm having problems configuring Client VPN on my ASA 5512 running ASA 9.02. I've tried multiple configurations but it is still not working, even using the VPN Wizard in ASDM.

Please advise if I missed out anything.

There is no response when I try connecting to it using VPN Client 5.0.07.0410.

ASA VERSION

Cisco Adaptive Security Appliance Software Version 9.0(2)

Device Manager Version 7.1(2)102

###############################################################################################################

Config 1

access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set VPNU
!
crypto map IPSec_map 1 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 authorization-server-group LOCAL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123
!

###############################################################################################################

Config 2

ip local pool vpnpool 192.168.200.1-192.168.200.254
!
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 10.10.100.0 255.255.255.192 192.168.200.0 255.255.255.0
!
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.100.0 255.255.255.192
!
nat (inside) 0 access-list nonat
!
group-policy IPSec_map internal
group-policy IPSec_map attributes
 vpn-idle-timeout 120
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group GETUVPN type ipsec-ra
tunnel-group GETUVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSec_map
!
tunnel-group GETUVPN ipsec-attributes
 pre-shared-key Cisco123
!

###############################################################################################################

Config 3

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 identity address
crypto ikev1 enable outside
crypto ikev1 policy 11
!
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN-Pool
!
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
crypto dynamic-map dyn1 1 set reverse-route
crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
crypto map IPSec_map interface outside
!


11 Replies

Jouni Forss
VIP Alumni

Hi,

The VPN wizard usually does all the configurations

Can you post your current configurations on the ASA?

At least in one of your examples you are using the OLD NAT configuration format. In software 9.0(2) (beginning from 8.3) the ASA uses a totally different NAT format for ALL NAT configurations. For example, they don't use any ACL anymore.

The wizard should at least get you to the point where you can connect with the VPN Client even if you can't access anything behind the ASA.

Is the VPN Client connection forming?

- Jouni

ciscoasa# sh run
: Saved
:
ASA Version 9.0(2)
!
hostname ciscoasa
enable password iD6GLB0Ojs0LBMC6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 175.136.235.163 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.100.2 255.255.255.192
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 175.136.235.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password K.6YwQlnpitiutiGz encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 12
  subscribe-to-alert-group configuration periodic monthly 12
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c734c82ec4392d319604e5cb878de822
: end
ciscoasa#

This is the configuration. I did not save any with the VPN setup, so I can put in any of the 3 configs above.

Hi,

Try the first config with a minor change (marked with red)

access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU
!
crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 authorization-server-group LOCAL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123

Also add a NAT0 configuration in the new NAT format

object network LAN
 subnet 10.10.100.0 255.255.255.192
object network VPN-POOL
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Hope this helps

- Jouni

Hi Jouni,

Thank you for your advice. Finally I managed to test it out. I am able to connect through the VPN client and I can see all the networks in SECURED ROUTES; however, I am still not able to ping anything in the network. When I did the following packet tracer, I got the following.

Hi,

Seems to me that you have changed your VPN Pool network? Or used different one compared to the one originally suggested.

Can you copy/paste your current ASA configuration in CLI format?

- Jouni

Hi Jouni,

I've sent you the current ASA configuration.

Hi,

Well, my first thought looking at the configuration is that even though one LAN interface and the VPN Pool have the same type of IP addresses, they are still on different subnets.

I would, however, consider changing the VPN Pool to a completely different network.

The "packet-tracer" is not very good at testing connections that are supposed to enter from a VPN connection. In the case of VPN Client connections, if you are going to use the "packet-tracer" command, then have the VPN client connected to the ASA while you use the command. Also, naturally, use the IP address the VPN client got as the source address of the "packet-tracer" command.

- Jouni

Hi Jouni,

Thank you for your feedback. So, other than the VPN pool, can you see any obvious configuration problem in the running config?

I will try to change the VPN POOL IP after I do another round of tests later.

Hi,

To my eye the basic configurations needed are there:

  • Split Tunnel configuration lists the LAN networks
  • Manual NAT / Twice NAT configurations handle the NAT between VPN Pool and LANs
  • ICMP Inspection is enabled
  • Your firewall should by default allow all connections coming from VPN connections to bypass the "outside" interface ACL.

One thing you could make sure of is that the link network that you have configured on the ASA "inside" interface has the same 255.255.255.192 mask on the Core side also.

If the core for example had 255.255.255.0 then ALL return traffic from the LAN to the VPN Pool would get lost between the Core and the ASA. This is because the Core would think the VPN pool hosts were directly connected (because of the larger mask on the core side) and would ARP for them and fail at that. But this is just a guess and might not be the problem.

- Jouni
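As an added example (not from the thread, and not Cisco's own tooling): a small Python lint that applies the checks raised in this reply and in Jouni's earlier suggested config to an ASA 8.3+ IKEv1 remote-access fragment. It verifies that every referenced address pool, transform-set and split-tunnel ACL is actually defined, that crypto ikev1 is enabled on an interface, that the NAT exemption uses the twice-NAT form rather than the pre-8.3 "nat (inside) 0 access-list" syntax, and that ICMP inspection is on. The sample config BROKEN and the finding codes are constructed here for illustration.

```python
import re

# Constructed sample (not pasted from the thread) with the kinds of defects
# seen in the poster's "Config 2" and "Config 3": dangling names and old NAT.
BROKEN = """
ip local pool vpnpool 192.168.200.1-192.168.200.254
access-list SPLIT standard permit 10.10.100.0 255.255.255.192
crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
crypto map IPSec_map interface outside
nat (inside) 0 access-list nonat
group-policy POL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
tunnel-group GETUVPN general-attributes
 address-pool VPN-Pool
"""

def names(lines, pattern):
    """Collect the first capture group of every line matching pattern."""
    return {m.group(1) for m in map(re.compile(pattern).match, lines) if m}

def lint_ra_vpn(config):
    """Return (code, message) findings for an ASA 8.3+ IKEv1 RA-VPN config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pools = names(lines, r"ip local pool (\S+)")
    tsets = names(lines, r"crypto ipsec ikev1 transform-set (\S+)")
    acls = names(lines, r"access-list (\S+)")
    refs = [  # every reference must resolve to a name defined in the config
        ("undefined-pool", r"address-pool (\S+)", pools),
        ("undefined-transform-set", r"crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)", tsets),
        ("undefined-split-acl", r"split-tunnel-network-list value (\S+)", acls),
    ]
    findings = []
    for line in lines:
        for code, pattern, known in refs:
            m = re.match(pattern, line)
            if m and m.group(1) not in known:
                findings.append((code, f"'{line}' references undefined name {m.group(1)}"))
        if re.match(r"nat \(\S+\) 0 access-list", line):  # pre-8.3 NAT exemption syntax
            findings.append(("legacy-nat", f"'{line}' is pre-8.3 syntax; use twice NAT"))
    if not any(line.startswith("crypto ikev1 enable ") for line in lines):
        findings.append(("ikev1-disabled", "crypto ikev1 is not enabled on any interface"))
    # Identity twice NAT: 'nat (in,out) source static X X destination static Y Y'.
    if not any(re.match(r"nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2", line) for line in lines):
        findings.append(("no-nat-exempt", "no NAT0 (identity twice NAT) between LAN and VPN pool"))
    if "inspect icmp" not in lines:
        findings.append(("no-icmp-inspect", "ICMP inspection is off; pings over the tunnel may fail"))
    return findings
```

Running lint_ra_vpn(BROKEN) reports all seven finding codes; a fragment built like the accepted suggestion (matching names, crypto ikev1 enabled, the object-based NAT0 line, and inspect icmp under global_policy) returns an empty list.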

Hi Jouni,

It's solved. Apparently it was due to my testing during office hours with Mobile Broadband. I had the same issue the other time at another Cisco ASA5510, which is why I asked if the configuration looks OK. There is some VPN client problem connecting using mobile broadband, which could be due to the setup or routing in the Service Provider's environment.

Anyway, thank you very much for your help on this.

Hi,

The old Cisco VPN Client software is known for having problems when you are using some other method than a Wired or WLAN network connection.

USB-connected 3G connections and separate cards have been a very common source of problems.

Though personally I have never run into any of the problems, so I have not been able to thoroughly troubleshoot the issues.

The new Cisco AnyConnect VPN Client or Cisco AnyConnect Secure Mobility Client (same software, different version number) are the VPN clients that should currently be used for VPN Client connectivity. The Cisco VPN Client is at its end currently, so eventually it will become unusable.

- Jouni