VPN CLIENT PROBLEM

saeedaraghi
Level 1

[Attachment: ATA.jpg]

Hi

I have a problem with ping in the VPN client.

In this scenario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A), but it could not.

The router is able to ping Z.Z.Z.0/24.

The Tunnel and VPN client are working.

-------------------------------------------------------------------------------------------

1. PC-1 can connect to ASA-1 and ping Network 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.

2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.

3. If the PC-3 gateway is 10.10.10.1, it can ping Z.Z.Z.2.

4. If the PC-3 gateway is 10.10.10.20, it cannot ping Z.Z.Z.2.

5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.

6. ASA-2 can ping ASA-1 and Z.Z.Z.2.

--------------------------------------------------------------------------------------------

This is my config on ASA-1 and ASA-2:

hostname ASA-1

interface G0/0
nameif Outside
security-level 0
ip address x.x.x.1 255.255.255.224
no shutdown

interface G0/3
nameif Inside
security-level 100
ip address 20.20.0.1 255.255.0.0
no shutdown

route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1

object-group network DM_INLINE_NETWORK_1
network-object 10.10.10.0 255.255.255.0
network-object 20.20.0.0 255.255.0.0
network-object z.z.z.0 255.255.255.0

ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0

access-list 100 extended permit icmp any any
access-group 100 in interface Outside

global (Outside) 1 interface

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp enable Outside

tunnel-group y.y.y.1 type ipsec-l2l
tunnel-group y.y.y.1 ipsec-attributes
pre-shared-key 1234

group-policy ATA internal
group-policy ATA attributes
vpn-tunnel-protocol IPSec

username TEST password TEST privilege 0
username TEST attributes
vpn-group-policy ATA

tunnel-group ATA type remote-access
tunnel-group ATA general-attributes
address-pool ATA
default-group-policy ATA
tunnel-group ATA ipsec-attributes
pre-shared-key 1234

access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer y.y.y.200
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000

crypto map Outside_map interface Outside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0

policy-map global_policy
class inspection_default
  inspect icmp

same-security-traffic permit intra-interface

management-access Inside

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

hostname ASA-2

interface E0/0
nameif Outside
security-level 0
ip address y.y.y.1 255.255.255.192
no shutdown

interface E0/3
nameif Inside
security-level 100
ip address 10.10.10.20 255.255.255.0
no shutdown

route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
route Inside z.z.z.0 255.255.255.0 10.10.10.1 1

access-list 100 extended permit icmp any any
access-group 100 in interface Outside

global (Outside) 1 interface

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

crypto isakmp enable Outside

tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 ipsec-attributes
pre-shared-key 1234

access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer x.x.x.1
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000

crypto map Outside_map interface Outside

access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0

policy-map global_policy
class inspection_default
  inspect icmp

same-security-traffic permit intra-interface

management-access Inside

-------------------------------------------------------------------------------------------------------------------------------------------------------

Regards
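An added consistency check over the ASA-1 config posted above (example code, not from the original post or from Cisco): it parses the crypto-map ACL, the NAT-exempt ACL and the client address pool, expands the object-group, and reports any interesting-traffic pair that has no NAT-exempt counterpart plus whether the whole client pool sits inside the encryption domain. The sample config is embedded inline, with the post's z.z.z.0/24 placeholder replaced by 192.0.2.0/24 (an assumption) so the addresses parse.

```python
import ipaddress
# Constructed sample: the ASA-1 lines posted above; z.z.z.0/24 is replaced by 192.0.2.0/24 (an assumption).
ASA1_CONFIG = """
object-group network DM_INLINE_NETWORK_1
 network-object 10.10.10.0 255.255.255.0
 network-object 20.20.0.0 255.255.0.0
 network-object 192.0.2.0 255.255.255.0
ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
"""
def _addr(tok, i, groups):  # one ACE address spec at tok[i]: any | object-group NAME | NET MASK
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2

def parse_config(text):
    """Return {'acls': {name: [(src, dst), ...]} with object-groups expanded, 'pool': (first, last)}."""
    groups, acls, pool, grp = {}, {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[:2] == ["object-group", "network"]:
            grp, groups[tok[2]] = tok[2], []
        elif tok[0] == "network-object":
            groups[grp].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 2  # skip the protocol keyword
            srcs, i = _addr(tok, i, groups)
            dsts, _ = _addr(tok, i, groups)
            acls.setdefault(tok[1], []).extend((s, d) for s in srcs for d in dsts)
    return {"acls": acls, "pool": pool}

def missing_nat_exempt(cfg, crypto="Outside_1_Cryptomap", nat0="Inside_nat0_Outside"):
    """Crypto-ACL pairs that no nat0 pair covers: that traffic would be PATed before encryption."""
    exempt = cfg["acls"].get(nat0, [])
    return [(s, d) for s, d in cfg["acls"].get(crypto, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

def pool_in_domain(cfg, crypto="Outside_1_Cryptomap"):  # whole client pool inside a crypto-ACL source?
    lo, hi = cfg["pool"]
    return any(lo in s and hi in s for s, _ in cfg["acls"].get(crypto, []))
```

For the posted config both checks pass, so the NAT-exempt/crypto-ACL pairing on ASA-1 is not where the mismatch is; the same functions can be run over the ASA-2 lines once its z.z.z.0 placeholder is substituted.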


JORGE RODRIGUEZ
Level 10

Hi,

My suggestion for your puzzle is to either load your ASDM real-time log and observe the logs while one host tries to ping the other, taking notes on the log; this should provide you with information and some clues on what the issue could be. You may also try a packet capture on ASA-2. Either way, I would start with the easiest one, which is the real-time log in ASDM.

Could you provide the following:

1 - Post the output of c:\ipconfig /all from PC-4 (z.z.z.2/24)

2 - Post the output of show ip route from the router that the PC-4 subnet is routed from

Regards

Jorge Rodriguez