tunnel enabled from my vpn client but not able to ping internal ips on asa5510

johnny alves
Level 1

Hi,

Can anyone help in identifying why, once my VPN client is enabled, I can't ping any of the internal IPs in the configuration, like 192.168.4.1 (interface DatabaseZone)? My VPN client is assigned 192.168.5.100, which is in the range of the Vpnclients object-group configuration.

Attached are the current running configs for your reference.

Also, "packet-tracer input outside icmp 192.168.5.100 8 0 192.168.4.1" allows all 12 phases without any problem.

Thanks in advance for your quick answer.

36 Replies

Aditya Ganjoo
Cisco Employee

Hi,

The config looks fine.

Can you turn on debug icmp trace and check if the pings reach the ASA from the VPN client?

Use undebug all to stop the debugs.

Regards,

Aditya

Thanks Aditya for your quick response,

I only have access to ASDM 6.3. Is it possible to "turn on debug icmp trace" using that interface? As I can see, it is not accepted by the CLI window, but "undebug all" passes through.

Hi Johnny,

In that case, please use the capture tool on ASDM on the DatabaseZone and check if you receive any packets from the VPN client.

Regards,

Aditya

Hi Aditya,

Attached is the screenshot showing how traffic passes from the VPN client to DatabaseZone.

Also, let me know if I can share my PC screen with you using TeamViewer. I am in a big urgency. I can even wait for your availability tomorrow.

Sorry Aditya, I sent you the wrong screenshot; here is the correct one.

Hi Johnny,

We can set up a packet capture using the packet capture tool on the ASA.

Go to Wizards and the packet capture option, and use the client IP and the DatabaseZone IP.

Initiate a ping and share the results.

If not, we can sync up tomorrow on this for sure.

Regards,

Aditya

Good day Aditya,

I tried several times to capture the packet through the wizard. It has options for ingress interface and egress interface, and I can't use the DatabaseZone interface for both. Also, every time I am getting an error about the netmask not matching the IPs specified for both source and destination network.

In the meantime, I am also sharing with you the TeamViewer ID: 822 011 672     Password: 1isj13 for sync.

Hi Johnny,

Do you have the CLI access for the ASA ?

Regards,

Aditya

Thanks for your quick response, Aditya,

Hmm, that is the issue with CLI access I told you about yesterday. I have credentials up to EXEC mode, not privileged mode, but I have access to ASDM. If there is a way to force a password reset of the en password, please advise.

Hi Johnny,

In that case you need to log in through an admin account.

Is it possible to create a new account with privilege 15 access?

Regards,

Aditya

I have an Admin account with privilege 15 access.

Hi Johnny,

Then you should be able to log in to the exec mode.

When you get the enable prompt use the keyword login and then enter the credentials.

Regards,

Aditya

Thanks Aditya,

From the above instruction I am able to have CLI access.

I am in privilege mode, ready to proceed.

Hi Johnny,

Please use the command:

cap cap interface datazone match icmp host <Datazone IP> host <Anyconnect IP>

Regards,

Aditya