VPN cant ping inside network

Steve Chapman
Level 1

I'm missing something simple, I'm sure. I have a basic VPN setup: ISP to 5520 ASA to Cisco switch. Outside is DHCP with setroute and allows the VPN connection (192.168.20.xx). I can RDP to an inside (192.168.10.xx) workstation; however, I can't ping anything inside and can't map any drives on my inside network.
ASA Version 9.1(7)32
!
hostname xxxxxxx
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxx encrypted
names
ip local pool VPNusers 192.168.20.50-192.168.20.150 mask 255.255.255.0
ip local pool VPNUsersInside 192.168.30.50-192.168.30.150 mask 255.255.255.0
ip local pool test 192.168.10.200-192.168.10.250 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
subnet 192.168.30.0 255.255.255.0
access-list from_outside extended permit icmp any4 any4 echo
access-list TunnelNetwork extended permit ip 192.168.10.0 255.255.255.0 any
access-list Split_tunnel_list standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,inside) source static any any destination static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=xxxxxxxxx
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
xxxxxxxxxxxxxxxx
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.50-192.168.10.150 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.6.03049-webdeploy-k9.pkg 2
anyconnect profiles VPNInside_client_profile disk0:/VPNInside_client_profile.xml
anyconnect profiles VPNinside_client_profile disk0:/VPNinside_client_profile.xml
anyconnect profiles VPNusers_client_profile disk0:/VPNusers_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy GroupPolicy_VPNinside internal
group-policy GroupPolicy_VPNinside attributes
wins-server none
dns-server value xxxxxxxxxxxxxxxxxxxxx
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value VPNInside_client_profile type user
group-policy GroupPolicy_test internal
group-policy GroupPolicy_test attributes
wins-server none
dns-server value 24.xxx.xxx.xxx 24.xxx.xxx.xxxx
vpn-tunnel-protocol ssl-client
default-domain none
group-policy GroupPolicy_VPNusers internal
group-policy GroupPolicy_VPNusers attributes
wins-server none
dns-server value 71.xxx.xxx.x 71.xx.xxx.xxxx
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_list
default-domain none
webvpn
anyconnect profiles value VPNusers_client_profile type user
username xxxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxx
username xxxx attributes
vpn-simultaneous-logins 15
vpn-idle-timeout none
password-storage disable
tunnel-group VPNusers type remote-access
tunnel-group VPNusers general-attributes
address-pool VPNusers
default-group-policy GroupPolicy_VPNusers
tunnel-group VPNusers webvpn-attributes
group-alias VPNusers enable
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool VPNusers
default-group-policy GroupPolicy_test
tunnel-group test webvpn-attributes
group-alias test enable
tunnel-group VPNinside type remote-access
tunnel-group VPNinside general-attributes
address-pool test
default-group-policy GroupPolicy_VPNinside
tunnel-group VPNinside webvpn-attributes
group-alias VPNinside enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
xxxxxx

5 Replies

Try to enable 'inspect icmp error' in your default inspection policy.

Enabled and still no luck.

Why are you using local pools in the same subnet as your inside interface? Use something else and try to test.
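A small lint that mechanically applies the check above (a VPN pool landing inside an interface subnet) and also verifies that each pool is covered by one of the identity-NAT exemptions seen in the posted config. This is an added example, not code from the original thread; the sample config is a constructed excerpt mirroring the posted one, and the `lint_vpn_pools` name is my own.

```python
import ipaddress
import re

# Constructed excerpt mirroring the posted config: pools, inside interface, NAT exemptions.
SAMPLE_CONFIG = """\
ip local pool VPNusers 192.168.20.50-192.168.20.150 mask 255.255.255.0
ip local pool VPNUsersInside 192.168.30.50-192.168.30.150 mask 255.255.255.0
ip local pool test 192.168.10.200-192.168.10.250 mask 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
 subnet 192.168.30.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 no-proxy-arp route-lookup
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
POOL_RE = re.compile(rf"^ip local pool (\S+) ({IP})-({IP}) mask ({IP})")
ADDR_RE = re.compile(rf"^\s*ip address ({IP}) ({IP})")  # 'ip address dhcp ...' is skipped
OBJ_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(rf"^\s*subnet ({IP}) ({IP})")
# Identity NAT: the same object is named as real and mapped destination.
NAT_RE = re.compile(r"^nat \([^)]+\) source static \S+ \S+ destination static (\S+) \1(?:\s|$)")

def lint_vpn_pools(config: str) -> dict[str, list[str]]:
    # Returns {pool name: [findings]}; an empty list means both checks passed.
    pools, ifaces, objects, exempt, obj = {}, [], {}, set(), None
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ADDR_RE.match(line):
            ifaces.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := OBJ_RE.match(line):
            obj = m[1]
        elif (m := SUBNET_RE.match(line)) and obj:
            objects[obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := NAT_RE.match(line):
            exempt.add(m[1])
    exempt_nets = [objects[o] for o in exempt if o in objects]
    report = {}
    for name, (first, last) in pools.items():
        findings = [f"overlaps interface subnet {net}" for net in ifaces
                    if first in net or last in net]
        if not any(first in net and last in net for net in exempt_nets):
            findings.append("no identity NAT exemption covers pool")
        report[name] = findings
    return report
```

Run against the posted config, only the `test` pool is flagged: it sits inside 192.168.10.0/24 and no NAT exemption object covers it, while the 192.168.20.x and 192.168.30.x pools pass both checks.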

The local pool was a test. I'm actually using 192.168.20.xx, a separate network.

Figured it out. I knew it was going to be stupid :) Forgot to enable a routing protocol.