
Unable to ping from anyconnect client web-vpn to anywhere inside but tcp port-test on telnet works

Sandeep Rai
Level 1

Hi Guys,

It would be greatly appreciated if anyone can help me solve this problem.

I have a new ASA configured with a simple outside and inside, and I configured a new AnyConnect connection profile, which works. I have successfully connected using the RADIUS-authenticated domain user and can access the inside resources by web browser and telnet, i.e. basically all TCP connections are working.

But I need to get ICMP working for AnyConnect.

I have spent 6 hours trying different things like NAT, inspect-policy-map, logging etc but I did not succeed yet. What is up with my attached config?

Any help by you experts will be much appreciated.

Kind Regards,

Sun

P.S.: I am feeling a bit blunt on the inspect policy-map side of things, which I suspect.

7 Replies

Jouni Forss
VIP Alumni

Hi,

Can you add this configuration first and try again?

fixup protocol icmp

Or

policy-map global-policy
 class global-class
  inspect icmp

Both do the same, so only one of them is needed.

- Jouni

Hi Jouni,

Thanks for helping. However, I tried both of them one at a time and neither got the pings through.

I will keep trying.

-Sun

Hi,

Have you been able to use the ASDM to monitor connections while attempting the ICMP? Does anything get blocked?

Is there a particular reason you are using the "tunneled" route configuration?

If you want to check if there is any ICMP Echo Reply reaching the ASA firewall, you can configure the following capture:

access-list ICMP-CAPTURE permit icmp 10.0.0.0 255.255.255.224 any
access-list ICMP-CAPTURE permit icmp any 10.0.0.0 255.255.255.224
capture ICMP-CAPTURE type raw-data access-list ICMP-CAPTURE interface inside buffer 1000000 circular-buffer

After this you can use the commands

show capture

and

show capture ICMP-CAPTURE

to view information about what is captured. The more interesting one is "show capture ICMP-CAPTURE". It should tell us, after an ICMP test from the VPN Client, if any internal hosts are replying to the ICMP Echo messages sent from the VPN Client.

You can even copy the capture file to some TFTP server and open the file with Wireshark:

copy /pcap capture:ICMP-CAPTURE tftp://x.x.x.x/ICMP-CAPTURE.pcap

- Jouni
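The check Jouni describes (pull the capture off the ASA and look for echo replies) can be done offline on the exported libpcap file. The script below is an added example, not from this thread or from Cisco: it matches ICMP echo requests to replies by (src, dst, id, seq) and lists the requests that never got a reply, so the "requests only, no replies" pattern stands out without scrolling through Wireshark. The pcap bytes, the addresses (VPN client 10.0.0.5, LAN host 172.17.0.28) and the function names are constructed for the example.

```python
import struct
# Constructed sample data: the kind of libpcap file the ASA writes when you run
# "copy /pcap capture:ICMP-CAPTURE tftp://.../ICMP-CAPTURE.pcap". Addresses
# (VPN client 10.0.0.5, LAN host 172.17.0.28) are hypothetical.
def _ipv4(src, dst, payload):
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                       addr(src), addr(dst)) + payload

def _frame(src, dst, icmp_type, ident, seq):
    eth = b"\x00" * 12 + b"\x08\x00"                      # Ethernet II, EtherType IPv4
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"echo"
    return eth + _ipv4(src, dst, icmp)

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "172.17.0.28", 8, 1, 1),   # echo request, seq 1
    _frame("10.0.0.5", "172.17.0.28", 8, 1, 2),   # echo request, seq 2
    _frame("172.17.0.28", "10.0.0.5", 0, 1, 2),   # echo reply for seq 2 only
    _frame("10.0.0.5", "172.17.0.28", 8, 1, 3),   # echo request, seq 3
])

def echo_summary(pcap_bytes):
    """Match ICMP echo requests to replies by (src, dst, id, seq); list the unanswered ones."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, requests, replies = 24, set(), set()          # 24 = global header length
    while pos + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        pkt = pcap_bytes[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if pkt[12:14] != b"\x08\x00":                      # not IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 1:                                     # not ICMP
            continue
        src, dst = (".".join(str(o) for o in ip[i:i + 4]) for i in (12, 16))
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        if icmp_type == 8:
            requests.add((src, dst, ident, seq))
        elif icmp_type == 0:
            replies.add((dst, src, ident, seq))            # key by the request it answers
    return {"requests": len(requests), "replies": len(replies),
            "unanswered": sorted(requests - replies)}
```

On a real export, an empty "unanswered" list means the replies did reach the ASA's inside interface and the problem lies on the ASA itself; a full list means the LAN host or something between it and the ASA is not returning them.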

Also,

You could try to ping the ASA "inside" interface IP address from the VPN Client.

If this doesn't work, I would imagine the reason for that might be the "tunneled" route.

The configuration command "management-access inside" should allow the above described ICMP from VPN Client to ASA "inside" interface.

- Jouni

Hi Jouni,

Again, thanks for this.

I was under the impression that tunnelled traffic needs it to reach inside. However, after removing it too, I can still telnet. From Google, I found that it may be used to send to any interface other than inside.

Your suggestion to capture was great. I can see on ASA (attached) that there are only echo-requests, no echo-replies.

On inside host I did a packet-capture, there are echo-requests and replies too. (also attached)

Could it be nat or inspection?

-Sun

Hi,

Strange situation.

To my understanding the ASA should be able to capture the ICMP Echo Reply before any rule on it would drop it. So it should probably be visible if it ever reached the ASA or so I understand it.

Furthermore, the fact that TCP connections are working makes the situation even more confusing. This should mean that the routing between the VPN Client and the LAN host is fine.

So that would seem to point to a possible problem with "inspect icmp", but you already had ACLs allowing ICMP in both directions.

Here are the default inspect configurations I have on my ASA:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  no protocol-enforcement
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect icmp error
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rtsp
  inspect icmp
service-policy global_policy global

What happens btw if you start an ICMP Echo from a LAN host towards VPN Pool IP address (even though none might be connected)? Can you see that ICMP on the ASA?

Is there anything else in the network that could interfere with the ICMP?

With regards to NAT for the VPN Client, I usually configure it in the following way:

object network VPN-POOL
 subnet 10.0.0.0 255.255.255.224
object-group network LAN-NETWORKS
 network-object 10.10.0.0 255.255.252.0
 network-object 172.17.0.0 255.255.0.0
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL

Instead of the current configuration:

nat (inside,outside) source static any any destination static RA-VPN RA-VPN

This does seem strange. I guess if you have made changes you can post/attach the configuration again.

- Jouni

Hello Jouni,

After a nice sleep, back up in the morning here in UK.

I did the following after reading your most recent reply.

I reset the old capture, created a new capture by the same name and then pinged from the inside host (172.17.0.28) to the VPN host. Guess what? I can ping and RDP too.

Then I reset the NAT as per your recommendation, but using the object group RA-VPN, and deleted my inspect config and put in the default as suggested by you.

In 9.0, I noticed that there is (or at least was) no default service policy when I started.

However, after the tunnel is reset, I still can't get ICMP/ping working from the VPN client to inside. Not that it is the end of the world, but it would be good to get it working before I start assigning this to the users, in case the Network team needs to actually troubleshoot from home to anywhere inside.

On my inside, I don't think there is any block on ICMP or anything else blocking ICMP.

As requested, here is my updated attached config.

I honestly appreciate all your comments.

Kind Regards,
Sun