Thanks for your answer!

About ICMP: it sometime works and other times it doesn't; usually it works the first time I try, but doesn't work after that.

I've attached a log from the firewall; please, tell me if you can understand the problem from it and from my configuration.

(i have changed the vpn pool too, to test from .120/129 to .13/139)

Hi,

I suggest you change your VPN Pool first and then try again.

The changes you would need are the following

What we do is

• Remove the current VPN Pool from the VPN configurations
• Remove the current VPN Pool from the ASA
• Create a new VPN Pool on the ASA
• Attach this new VPN Pool to the VPN configurations
• Create a NAT0 ACL rule for the new VPN Pool
• Remove the old NAT0 ACL rule

tunnel-group DefaultRAGroup general-attributes

no address-pool VPN_pool

no ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0

ip local pool VPN_pool 192.168.190.120-192.168.190.129 mask 255.255.255.0

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_pool

access-list LAN_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 192.168.190.0 255.255.255.0

no access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0

The above changes are in the order they should be entered.

I think the problem is simply due to the fact that your VPN Pool and LAN network overlap.

- Jouni

I too had thought it was conflicting ip adresses, and had tried changing the pool. However, I tried your instructions step by step, but it still doesn't work: I could ping none of my servers from remote.

Still, thank you very much for your answers.

ASA Version 8.2(5)

!

hostname FIREWALLP01

domain-name MYDOMAIN.local

enable password **** encrypted

passwd **** encrypted

names

name 192.168.90.2 SERVERP02

name 192.168.90.3 SERVERP03

name 192.168.92.4 SERVERP04

name XXX.YYY.ZZZ.91 Pubblica_HTTP

name XXX.YYY.ZZZ.88 Pubblica_SIADSL-network

name XXX.YYY.ZZZ.92 Pubblica_VOIP

name XXX.YYY.ZZZ.89 ROUTERP01

name XXX.YYY.ZZZ.90 Pubblica_FTP

name XXX.YYY.ZZZ.235 SRVPIN1

!

interface Ethernet0/0

nameif Pubblica_SIADSL

security-level 0

ip address XXX.YYY.ZZZ.94 255.255.255.248

!

interface Ethernet0/1

nameif LAN

security-level 100

ip address 192.168.90.254 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 98

ip address 192.168.92.254 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup Pubblica_SIADSL

dns domain-lookup LAN

dns domain-lookup DMZ

dns domain-lookup management

dns server-group DefaultDNS

name-server SERVERP02

domain-name MYDOMAIN.local

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service rtp udp

port-object range 9000 9049

port-object eq 10000

access-list LAN_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 192.168.190.0 255.255.255.0

access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq ssh

access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp

access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip

access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq www

access-list Pubblica_SIADSL_access_in extended permit tcp host SRVPIN1 host Pubblica_FTP eq ftp inactive

pager lines 24

logging enable

logging asdm informational

mtu Pubblica_SIADSL 1500

mtu LAN 1500

mtu DMZ 1500

mtu management 1500

ip local pool VPN_pool 192.168.190.120-192.168.190.129 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (Pubblica_SIADSL) 1 interface

global (DMZ) 1 interface

nat (LAN) 1 0.0.0.0 0.0.0.0

static (LAN,Pubblica_SIADSL) tcp Pubblica_FTP ftp SERVERP02 ftp netmask 255.255.255.255

static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255

static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255

access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL

route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  url-list value Link

aaa-server SERVERP02 protocol ldap

aaa-server SERVERP02 (LAN) host SERVERP02

ldap-base-dn DC=MYDOMAIN,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=Administrator,CN=Users,DC=MYDOMAIN,DC=local

server-type microsoft

http server enable

http 192.168.1.0 255.255.255.0 management

http authentication-certificate management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA

crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL

crypto isakmp enable Pubblica_SIADSL

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access management

dhcpd address 192.168.1.2-192.168.1.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 193.204.114.232 source Pubblica_SIADSL prefer

ntp server 193.204.114.233 source Pubblica_SIADSL

webvpn

enable Pubblica_SIADSL

enable LAN

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.90.2

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value MYDOMAIN.local

username test password P4ttSyrm33SV8TYp encrypted

username test attributes

service-type remote-access

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_pool_new

address-pool VPN_pool

authentication-server-group SERVERP02

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

no authentication chap

no authentication ms-chap-v1

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group SERVERP02

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:1d8ead766bba4efea3d40468ee47741e

Hi,

It seems you have removed your LANs NAT0 configuration

You need to add this back and test again

nat (LAN) 0 access-list LAN_nat0_outbound

I guess you must have removed the existing NAT0 ACL first rather than add the new one. That would explain the above command from dissapearing

- Jouni

Also,

Can you tell us if ALL the hosts that you are trying to reach through the VPN Client connection are behind the interface "LAN"?

If there are some hosts behind the "DMZ" for example then you would need a NAT0 configuration for that interface too for connections to work.

- Jouni

i'm adding the nat rule, and try!

the pc that i try to connect (or ping) are all behind the LAN interface!

unfortunately it not works!

Hi,

I guess you manage the ASA locally?

If so then could you remove this setting

no management-access management

And add

management-access LAN

You could also add

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

And then try to ping the "LAN" interface IP address of 192.168.90.254 through the VPN connection.

- Jouni

ok, from remote VPN PC or VPN MOBILE PHONE i can ping the ip of firewall, 192.168.90.254 but i cant use any service of server (rdp, vopi, ping) on 192.168.90.2 or 192.168.90.3

i ping also the ip phone on office .40 and .41

if i try to ping the switch .253 it not works.

if i try to ping vm-ware server .1 it not works.

i have restored the vpn pool on 90.120-90.129, See the config.

ASA Version 8.2(5)

!

hostname FIREWALLP01

domain-name MYDOMAIN.local

enable password **** encrypted

passwd **** encrypted

names

name 192.168.90.2 SERVERP02

name 192.168.90.3 SERVERP03

name 192.168.92.4 SERVERP04

name XXX.YYY.ZZZ.91 Pubblica_HTTP

name XXX.YYY.ZZZ.88 Pubblica_SIADSL-network

name XXX.YYY.ZZZ.92 Pubblica_VOIP

name XXX.YYY.ZZZ.89 ROUTERP01

name XXX.YYY.ZZZ.90 Pubblica_FTP

name XXX.YYY.ZZZ.235 SRVPIN1

!

interface Ethernet0/0

nameif Pubblica_SIADSL

security-level 0

ip address XXX.YYY.ZZZ.94 255.255.255.248

!

interface Ethernet0/1

nameif LAN

security-level 100

ip address 192.168.90.254 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 98

ip address 192.168.92.254 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup Pubblica_SIADSL

dns domain-lookup LAN

dns domain-lookup DMZ

dns domain-lookup management

dns server-group DefaultDNS

name-server SERVERP02

domain-name MYDOMAIN.local

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service rtp udp

port-object range 9000 9049

port-object eq 10000

access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq ssh

access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp

access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip

access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq www

access-list Pubblica_SIADSL_access_in extended permit tcp host SRVPIN1 host Pubblica_FTP eq ftp inactive

access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Pubblica_SIADSL 1500

mtu LAN 1500

mtu DMZ 1500

mtu management 1500

ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (Pubblica_SIADSL) 1 interface

global (DMZ) 1 interface

nat (LAN) 0 access-list LAN_nat0_outbound

nat (LAN) 1 0.0.0.0 0.0.0.0

static (LAN,Pubblica_SIADSL) tcp Pubblica_FTP ftp SERVERP02 ftp netmask 255.255.255.255

static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255

static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255

access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL

route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  url-list value Link

aaa-server SERVERP02 protocol ldap

aaa-server SERVERP02 (LAN) host SERVERP02

ldap-base-dn DC=MYDOMAIN,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=Administrator,CN=Users,DC=MYDOMAIN,DC=local

server-type microsoft

http server enable

http 192.168.1.0 255.255.255.0 management

http authentication-certificate management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA

crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL

crypto isakmp enable Pubblica_SIADSL

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access LAN

dhcpd address 192.168.1.2-192.168.1.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 193.204.114.232 source Pubblica_SIADSL prefer

ntp server 193.204.114.233 source Pubblica_SIADSL

webvpn

enable Pubblica_SIADSL

enable LAN

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.90.2

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value MYDOMAIN.local

username test password P4ttSyrm33SV8TYp encrypted

username test attributes

service-type remote-access

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_pool

authentication-server-group SERVERP02

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

no authentication chap

no authentication ms-chap-v1

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group SERVERP02

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:32a96ad0d25ca834d043798a5aad7df2

Hi,

I wouldnt change the VPN pool to the old since it doesnt make sense. Its an overlapping network and even though the hosts are on the same network/subnet it doesnt mean that they are actually on the same L2 segment of the network.

Since your ICMP goes through the VPN Client connection to the ASA "LAN" interface IP address that means the traffic goes through the VPN and back through the VPN to the client. That raises a question if the actual servers are blocking the connection from this VPN Pool network.

Since you changed the VPN Pool we might be in the same starting situation again.

I would have next checked the logs to see what happens to the connection attempts.

The last time the logs hinted to a sitaution where the NAT configuration was the problem. It might have also meant that you were connecting to the server on their public IP address. Since we saw NAT reverse path failure it means the traffic matched one rule going in and another NAT rule for the other direction.

- Jouni

if i try to ping the ip phone on office .40 and .41 it works.

if i try to ping my printer on .50 it not works.

if i try to ping the switch .253 it not works.

if i try to ping vm-ware server .1 it not works.

on the other devices only first ping is successful

Hi,

What I meant with the overlap is that this is your LAN interface

interface Ethernet0/1

nameif LAN

security-level 100

ip address 192.168.90.254 255.255.255.0

This is your original VPN Pool

ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0

They are the exact same subnet.

From the VPN Clients perspective I guess it might even be that it sends the traffic to the other IP address on this subnet to the VPN connection since its a Full Tunnel VPN. Return traffic from the host on the LAN would probably result in the host sending an ARP request since it sees the traffic coming from the same subnet. If this works then I guess it means the firewall must be answering the ARP requests and forwarding the traffic to the VPN Client.

If you can ping some hosts on your LAN network then I dont see the firewall configurations being the problem.

I am not sure if you tested with the original VPN Pool or the new one but I would suggest checking the default gateway setting of both the Printer and the switch. I would also check that the local software firewall on the VMware is not blocking the connections.

You already sent the some logs that were taken from the ASDM. You can attempt a TCP connection to the server and show both the Build and Teardown messages for the TCP connection attempts so we can see what happens to the RDP connection attempt for example.

- Jouni