cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
684
Views
0
Helpful
1
Replies

Remote VPN cannot ping any host on remote site

M09041985
Level 1
Level 1

Hello everyone!

I've tried to deploy remote vpn on my asa 5515-x. And my VPN client succesfully connected, but i can't ping any host in remote network.

Here is my configuration:

ASA Version 8.6(1)2

!

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 192.168.10.252 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface GigabitEthernet0/2

description DMZ

nameif dmz

security-level 50

ip address 192.168.20.252 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.40 255.255.255.0

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network inside-subnet

subnet 192.168.10.0 255.255.255.0

object network dmz-subnet

subnet 192.168.20.0 255.255.255.0

access-list split_tunnel remark LAN_VLAN_10

access-list split_tunnel standard permit 192.168.10.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

mtu dmz 1500

ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

!

object network inside-subnet

nat (inside,outside) dynamic interface

object network dmz-subnet

nat (dmz,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 93.174.55.181 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 management

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set firstset esp-des esp-md5-hmac

crypto dynamic-map dyn1 1 set ikev1 transform-set firstset

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption des

hash md5

group 2

lifetime 43200

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 management

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy testgroup internal

group-policy testgroup attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

username user1 password fvosA8L1anfyxTw3 encrypted

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

What's wrong?

TNX!

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I would change the current VPN Pool to something else that doesnt overlap with the LAN network.

You are also missing NAT0 for the VPN Client connection which is your problem most likely.

You could try these changes

ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

tunnel-group testgroup general-attributes

no address-pool testpool

address-pool VPN-POOL

no ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0

object network LAN

subnet 192.168.10.0 255.255.255.0

object network VPN-POOL

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

You might also want to change your encryption setting to something else than DES. You could use AES.

Hope this helps

Let us know if it helped.

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

View solution in original post

1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I would change the current VPN Pool to something else that doesnt overlap with the LAN network.

You are also missing NAT0 for the VPN Client connection which is your problem most likely.

You could try these changes

ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

tunnel-group testgroup general-attributes

no address-pool testpool

address-pool VPN-POOL

no ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0

object network LAN

subnet 192.168.10.0 255.255.255.0

object network VPN-POOL

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

You might also want to change your encryption setting to something else than DES. You could use AES.

Hope this helps

Let us know if it helped.

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni