09-04-2010 03:45 AM
Hi,
I have configured the SSL VPN client on the ASA. I am able to establish the SSL VPN with the ASA and get an IP address from the defined subnet (CorporateVPN 172.16.0.100-172.16.0.110). But when I try to ping inside IP addresses, i.e. 172.16.0.1 and other machines in the LAN range, I get packet loss from the remote machine.
What could be the problem?
Please find below the configuration of ASA.
ASA Version 7.2(1)
!
hostname Cisco-ASA
domain-name test.com
enable password password
names
dns-guard
!
interface Ethernet0/0
description Connected to ISP
nameif outside
security-level 0
ip address "Public IP"
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
description Connected To LAN
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone GMT 3 30
dns domain-lookup management
dns server-group DefaultDNS
name-server 203.123.165.75
domain-name test.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool CorporateVPN 172.16.0.100-172.16.0.110 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
webvpn
svc enable
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
group-policy Netadmin internal
group-policy Netadmin attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
webvpn
svc required
svc keep-installer installed
svc rekey time 30
svc rekey method new-tunnel
svc dpd-interval client 500
svc dpd-interval gateway 500
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
username cisco attributes
vpn-group-policy Netadmin
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool CorporateVPN
tunnel-group NetForceGroup type webvpn
tunnel-group NetForceGroup general-attributes
address-pool (inside) CorporateVPN
address-pool CorporateVPN
default-group-policy Netadmin
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
svc image disk0:/crypto_archive/sslclient-win-1.1.1.164 2
svc enable
prompt hostname context
Cryptochecksum:13f5616c7345efb239d7996741ffa7b3
: end
09-04-2010 04:33 AM
The VPN pool needs to be in a different subnet than the inside subnet. Please change the VPN pool subnet to a unique subnet.
Example:
ip local pool CorporateVPN 172.16.100.100-172.16.100.110 mask 255.255.255.0
Then you would also need to configure NAT exemption to allow traffic through:
access-list nonat permit ip 172.16.0.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat
And if you are testing by ping, then enable icmp inspection:
policy-map global_policy
class inspection_default
inspect icmp
Hope that helps.
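As an added illustration (not code from the thread or from Cisco), the following Python script performs the check the answer above describes: it parses the "nameif" / "ip address" lines and the "ip local pool" line from an ASA config excerpt, reports any pool that falls inside an interface subnet, and emits the NAT exemption ACL for a non-overlapping pool. The config excerpt is constructed from the lines in this thread.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread: only the
# inside interface and the VPN address pool, which is all the check needs.
ASA_CONFIG = """\
interface Ethernet0/2
 nameif inside
 ip address 172.16.0.1 255.255.255.0
ip local pool CorporateVPN 172.16.0.100-172.16.0.110 mask 255.255.255.0
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface with an address."""
    ifaces, name, net = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):      # new interface block
            name, net = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            net = ipaddress.IPv4Interface(f"{addr}/{mask}")
        if name and net:
            ifaces[name] = net
    return ifaces

def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip, mask)} from 'ip local pool' lines."""
    pat = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
    pools = {}
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)), m.group(4))
    return pools

def overlapping_pools(config):
    """(pool, interface) pairs where the pool range lands in an interface subnet."""
    ifaces, pools = parse_interfaces(config), parse_pools(config)
    return [(p, i) for p, (first, last, _) in pools.items()
            for i, iface in ifaces.items()
            if first in iface.network or last in iface.network]

def nat_exemption_acl(inside_iface, pool_first, pool_mask, acl="nonat"):
    """Build the 'nat 0' exemption lines for inside <-> VPN pool traffic."""
    inside = inside_iface.network
    pool = ipaddress.IPv4Network(f"{pool_first}/{pool_mask}", strict=False)
    return [f"access-list {acl} permit ip {inside.network_address} {inside.netmask} "
            f"{pool.network_address} {pool.netmask}",
            f"nat (inside) 0 access-list {acl}"]
```

Running overlapping_pools on the posted config flags CorporateVPN against "inside"; after moving the pool to 172.16.100.x it returns nothing.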
09-04-2010 05:53 AM
I tried your solution, and it's working. But when I ping the inside interface IP (172.16.0.1) from the remote machine I am getting a reply from the public IP address,
i.e. 202.174.148.35:
ping -t 172.16.0.1
reply from "public IP"
How to overcome this?
Regards,
Nilesh
09-04-2010 06:21 AM
Configure the following command:
management-access inside
09-04-2010 07:03 AM
Hi,
Thanks for the reply.
Without using "management-access inside", are remote users able to access the PCs/servers inside the LAN, i.e. the "inside" interface network (172.16.0.0/24)?
Regards,
Nilesh
09-04-2010 07:57 AM
Yes, "management-access inside" is only to manage/ping the ASA inside interface. Without that command, they would still be able to access the internal network. That command is only used to manage the ASA inside interface itself.
09-06-2010 05:00 AM
I am facing one more issue.
Users who are on the Windows Vista and Windows 7 platforms are not able to establish the SSL VPN. It gives an error like "contact your IT Administrator".
Does the Cisco ASA not support the Windows Vista and Windows 7 platforms?
Any solution for this?
Regards,
Nilesh
09-06-2010 05:12 AM
Windows 7 is only supported from AnyConnect version 2.4, and it requires ASA version 8.0.3(1) and above, however, I would suggest that you upgrade to 8.0.5 at the minimum, or 8.2.3.
Here are the AnyConnect release notes for your reference:
Please also be advised that from version 8.x onwards, you would need to purchase SSL license to run more than 2 SSL VPN connections.