VPN Cannot ping internal network

giasone777 (Level 1)

I have the connection working with my ASA 5505 but cannot ping the internal network. (Note: the external interface gets its IP via DHCP.)

Please help. Thank you.

ASA Version 8.2(5)
!
hostname JasonFirewall
domain-name Jason.local
enable password 60XMoEi4PKKHiqxX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description physical connection to Cogeco CableModem
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 15
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
description to outside interface (DHCP Modem)
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
description to inside VLAN
nameif inside
security-level 100
ip address 192.168.241.1 255.255.255.0
!
interface Vlan15
description to outside interface DHCP to Servers
no nameif
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone EST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name Jason.local
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list acl-outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit tcp any interface outside eq https
access-list acl_outside extended permit tcp any interface outside eq www
access-list acl_outside extended permit tcp any interface outside eq smtp
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.241.0 255.255.255.0 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.241.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.11.12.1-10.11.12.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.241.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.241.50 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.241.50 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.241.50 56789 netmask 255.255.255.255
access-group acl_outside in interface outside
route inside 10.0.0.0 255.255.255.0 192.168.241.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.241.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map ScoobyDoo 65535 ipsec-isakmp dynamic dynmap
crypto map ScoobyDoo interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.241.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 24.226.10.193 24.226.10.194
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain Jason.local
!
dhcpd address 192.168.241.100-192.168.241.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ScoobyDoo internal
group-policy ScoobyDoo attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username admin password KsqUgrhmZhkLHfTx encrypted privilege 15
username jratter password 0fzma7xnAA3b4Iag encrypted privilege 15
username jason password ZzwBgpZVaeKSQD18 encrypted privilege 15
tunnel-group ScoobyDoo-VPN type remote-access
tunnel-group ScoobyDoo-VPN general-attributes
address-pool vpnpool
default-group-policy ScoobyDoo
tunnel-group ScoobyDoo-VPN ipsec-attributes
pre-shared-key *****
!
!
!
policy-map global-policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1409e9d642fa3fe41c79dd7b6fae9e
: end

4 Replies

Is it really only pings that don't work? For that I don't see a reason in your config. But the following command in your config can cause general trouble for out-to-in communication (which is what VPNs are) and should be removed:

nat (outside) 1 0.0.0.0 0.0.0.0


Sent from Cisco Technical Support iPad App

Is nat (outside) 1 0.0.0.0 0.0.0.0 like a default route command (gateway of last resort, as on routers)?

Thank you for your response.

Jason.

Actually, I checked the assigned IPs and I am able to ping them; what I can't ping, though, is the router itself for some reason, and so I also cannot SSH into it. The router's address is 192.168.241.1.

Thanks again.

Never mind, I got it; it was

management-access inside

Thanks again.

Jason.
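As an added example, not part of the original post or any of the replies, here is a small Python lint that runs the three checks this thread turns on against a constructed excerpt of the posted config: the catch-all nat (outside) rule the first reply objects to, the missing management-access inside that turned out to be the answer, and whether every split-tunnel network has a NAT-exempt entry towards the whole VPN pool (10.0.0.0/24 above has none). It also flags the 3DES/MD5/DH group 2 IKE policy, which is outside what was asked but is the first thing a reviewer of this config would raise. The excerpt keeps ASA's one-space indentation for sub-commands (the pasted config above lost it), the regexes are written for the 8.2 nat/global syntax only, and the finding ids and fix strings are my own, not anything the ASA emits.

```python
"""Lint an ASA 8.2-style running-config for the remote-access VPN
reachability problems discussed in this thread, plus weak IKE settings."""
import ipaddress
import re

# Constructed excerpt of the config posted above: only the lines the checks
# below read, with ASA's one-space indentation for sub-commands.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.241.0 255.255.255.0 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.241.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.0.0.0 255.255.255.0
ip local pool vpnpool 10.11.12.1-10.11.12.255
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.241.0 255.255.255.0
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
group-policy ScoobyDoo attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
"""

# The same excerpt with the two changes the thread arrives at applied.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("nat (outside) 1 0.0.0.0 0.0.0.0\n", "")
                + "management-access inside\n")

WEAK_IKE = ("encryption des", "encryption 3des", "hash md5", "group 1", "group 2")


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_pool(config):
    """First and last address of the 'ip local pool' line, or None."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m:
        return None
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def pool_supernet(first, last):
    """Smallest prefix that contains the whole pool range (used in ACL fixes)."""
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def nat_exempt_rules(config):
    """ACL name and (source, destination) pairs bound by 'nat (inside) 0'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        return None, []
    acl = m.group(1)
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit ip "
                     r"(\S+) (\S+) (\S+) (\S+)", re.M)
    return acl, [(_net(a, b), _net(c, d)) for a, b, c, d in pat.findall(config)]


def split_tunnel_networks(config):
    """Networks listed in the ACL named by split-tunnel-network-list."""
    m = re.search(r"^ split-tunnel-network-list value (\S+)", config, re.M)
    if not m:
        return []
    pat = re.compile(rf"^access-list {re.escape(m.group(1))} standard permit "
                     r"(\S+) (\S+)", re.M)
    return [_net(a, b) for a, b in pat.findall(config)]


def lint(config):
    """Return a list of findings, each a dict with id, where and fix."""
    findings = []

    # 1. Catch-all dynamic NAT on outside. VPN client packets arrive on the
    #    outside interface, so this rule can translate them (first reply).
    for line in config.splitlines():
        if re.match(r"^nat \(outside\) \d+ 0\.0\.0\.0 0\.0\.0\.0", line):
            findings.append(dict(id="outside-nat", where=line, fix=f"no {line}"))

    # 2. Without management-access, the inside interface IP does not answer
    #    ICMP or SSH from the far end of the tunnel (the thread's resolution).
    if not re.search(r"^management-access \S+", config, re.M):
        findings.append(dict(id="no-management-access", where="(absent)",
                             fix="management-access inside"))

    # 3. Every split-tunnel network should have a NAT-exempt entry towards the
    #    whole pool, so its tunnel traffic is never handed to dynamic NAT.
    pool = parse_pool(config)
    acl, pairs = nat_exempt_rules(config)
    if pool and acl:
        first, last = pool
        pnet = pool_supernet(first, last)
        for net in split_tunnel_networks(config):
            if not any(net.subnet_of(src) and first in dst and last in dst
                       for src, dst in pairs):
                findings.append(dict(
                    id="split-net-not-exempt", where=str(net),
                    fix=f"access-list {acl} extended permit ip {net.network_address} "
                        f"{net.netmask} {pnet.network_address} {pnet.netmask}"))

    # 4. Phase-1 policy built on DES/3DES, MD5 or DH groups 1-2.
    for m in re.finditer(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", config, re.M):
        weak = [w for w in WEAK_IKE if f" {w}\n" in m.group(2)]
        if weak:
            findings.append(dict(
                id="weak-ike-policy", where=f"crypto isakmp policy {m.group(1)}",
                fix="replace " + ", ".join(weak)
                    + " with AES, SHA and the strongest DH group the release supports"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("after fixes", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint(cfg):
            print(f"{f['id']:22} {f['where']:40} fix: {f['fix']}")
```

Running it prints the findings for the posted excerpt and again after the two changes from the thread; in the second run only the split-tunnel and IKE findings remain. The fix strings are suggestions to paste into the ASA, not commands the script applies, and the split-tunnel check is a consistency check on the nonat ACL rather than proof that traffic is actually being translated.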