VPN Clients Can't Ping Hosts

dc5chris209 (Level 1)

I will include a post of my config. I have the clients connecting through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the primary network for the office.

I can connect to the VPN and I do receive the correct address assignment. I believe tunneling may be set up correctly, in the sense that I can still connect to the internet while on the VPN, but I cannot ping any hosts on the 192.168.1.0 network. In the debug log from the ASDM I can see pings reaching the ASA, but no response is received on the client.

Severity | Date | Time | Source | Src port | Destination | Dst port | Description
6 | Feb 21 2013 | 21:54:26 | 180.0.0.1 | 53508 | 192.168.1.1 | 0 | Built inbound ICMP connection for faddr 180.0.0.1/53508 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (christopher)

Any help would be greatly appreciated. I am currently pursuing my CCNP, so I would like to get a deeper understanding of how to solve these issues.

-Chris

hostname RegencyRE-ASA
domain-name regencyrealestate.info
enable password 2/VA7dRFkv6fjd1X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 180.0.0.0 Regency
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description link to REGENCYSERVER
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 description link to RegencyRE-AP
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.120 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.220.220
 name-server 208.67.222.222
 domain-name regencyrealestate.info
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Regency 255.255.255.224
access-list RegencyRE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Regency 180.0.0.1-180.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm location Regency 255.255.255.0 inside
asdm location 192.168.0.0 255.255.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable 8443
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh version 2
console timeout 0
dhcprelay server 192.168.1.102 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 69.25.96.13 source outside prefer
ntp server 216.171.124.36 source outside prefer
webvpn
group-policy RegencyRE internal
group-policy RegencyRE attributes
 dns-server value 208.67.220.220 208.67.222.222
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RegencyRE_splitTunnelAcl
username adriana password  encrypted privilege 0
username christopher password  encrypted privilege 15
username irene password  encrypted privilege 0
tunnel-group RegencyRE type remote-access
tunnel-group RegencyRE general-attributes
 address-pool Regency
 default-group-policy RegencyRE
tunnel-group RegencyRE ipsec-attributes
 pre-shared-key R3&eNcY1.
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
: end


5 Replies

dc5chris209 (Level 1)

Looking at a previous ASA 5520 I configured, when I ping hosts I see the following in the logs. I know there is something obvious I am missing.

Severity | Date | Time | Syslog ID | Source | Src port | Destination | Dst port | Description
6 | Feb 21 2013 | 22:01:49 | 302020 | 170.0.0.1 | 13317 | 172.16.0.253 | 0 | Built inbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0 (cxv1)
6 | Feb 21 2013 | 22:01:49 | 302020 | 172.16.0.253 | 0 | 170.0.0.1 | 13317 | Built outbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0
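The difference between the two ASAs is visible in the logs alone: the working 5520 builds an inbound ICMP connection for the echo request and an outbound one when the LAN host replies, while the 5505 in the original post only ever builds the inbound half. The script below is an added example, not code from the thread or from Cisco; it parses ASA 302020 "Built ... ICMP connection" messages (the sample log is constructed from the lines posted in this thread) and flags flows that got a request but never a reply, which points at the return path on the LAN side rather than at the ASA's inbound policy. It assumes, as the 5520 log shows, that the reply appears as a separate outbound 302020 message.

```python
import re
from collections import defaultdict

# Constructed sample: the 302020 messages quoted in this thread, one per line.
SAMPLE_LOG = """\
Feb 21 2013 21:54:26 302020 Built inbound ICMP connection for faddr 180.0.0.1/53508 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (christopher)
Feb 21 2013 22:01:49 302020 Built inbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0 (cxv1)
Feb 21 2013 22:01:49 302020 Built outbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0
"""

# faddr carries the ICMP identifier after the slash; gaddr/laddr carry 0 for ICMP.
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<icmp_id>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def parse_icmp_conns(log_text):
    """Map (faddr, laddr, icmp_id) -> set of directions the ASA built for that flow."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            key = (m["faddr"], m["laddr"], int(m["icmp_id"]))
            seen[key].add(m["direction"])
    return seen


def unanswered_pings(log_text):
    """Flows where only the inbound half exists: the echo request reached the
    firewall, but no echo reply ever came back from the LAN host. In this thread
    that turned out to be a routing problem on the inside, not an ASA ACL issue."""
    return sorted(
        key for key, dirs in parse_icmp_conns(log_text).items()
        if dirs == {"inbound"}
    )


if __name__ == "__main__":
    for faddr, laddr, icmp_id in unanswered_pings(SAMPLE_LOG):
        print(f"no reply: {faddr} -> {laddr} (icmp id {icmp_id}); check the return route on {laddr}")
```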

Check if a firewall is enabled on the host you're trying to ping in LAN 192.168.1.0 (so that the host doesn't respond to echo requests) and that the default GW on that host is set up to be the ASA's inside interface.

So I double checked and none of the internal hosts have any firewall active. Prior to enabling split tunneling I was able to ping all hosts. Below is the snippet from the VPN software.

malshbou (Level 1) - Accepted Solution

Hi

- Be sure that the destination host 192.168.1.x has a route to 180.0.0.0 through the ASA as gateway.

- Configure the following captures:

     capture capin interface inside match icmp host 192.168.1.x host 180.0.0.x

     capture asp type asp-drop all

then run a continuous ping and get "show cap capin" and "show cap asp".

- Check, while pinging, that the "encrypted" counter is incrementing in the VPN client statistics.

Let me know about that, hope this helps.

----

Mashal

------------------ Mashal Shboul

Thank you! You brought me to the correct area. It was a conflicting route, fixed that and now I am golden.
