VPN users can't ping or see inside resources

I am setting up a Cisco ASA 5505 for VPN access, and while I can connect to the VPN fine, I cannot ping or see any of the inside resources (on the 192.168.5.x IP scheme), such as the intranet site. Can anybody tell me what's wrong? Here's the running config.

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XolaqzZOF0GNB2KQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.11 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list VPN extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.6.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool CFGC 192.168.6.50-192.168.6.100 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.0.0 255.255.0.0 192.168.5.1 1
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy CFGC internal
group-policy CFGC attributes
 vpn-tunnel-protocol IPSec
username hiran password TxwwacgGUcdSGFtB encrypted privilege 15
username hiran attributes
 vpn-group-policy CFGC
username jeff password M.BNdpNp46vb1.wF encrypted privilege 0
username jeff attributes
 vpn-group-policy CFGC
tunnel-group CFGC type ipsec-ra
tunnel-group CFGC general-attributes
 address-pool CFGC
 default-group-policy CFGC
tunnel-group CFGC ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:54656de98a8c07b66b24abb0a94670f4
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

cfgchiranAsked:

dpetr000Commented:
Is the Cisco VPN client able to authenticate and connect to the ASA?  If so, what client configuration does it get?  IP, subnet, default gateway, etc.
0
batry_boyCommented:
Add the following commands:

crypto isakmp nat-traversal
nat (inside) 0 access-list inside_nat0_outbound

You'll also need to remove your "route inside" statement and replace with one that is more granular:

no route inside 192.168.0.0 255.255.0.0 192.168.5.1

That route statement will cause traffic returning to the VPN client pool of addresses to be directed back inside since they fall under the 192.168.0.0/255.255.0.0 summarization of that route.  Just make a list of all of your internal 192.168.x.x networks and add "route inside" statements for them.  For example, if you have 192.168.1.0/24, 192.168.2.0/24 and 192.168.10.0/24 existing on your inside LAN, then you could put in these routes:

route inside 192.168.1.0 255.255.255.0 192.168.5.1
route inside 192.168.2.0 255.255.255.0 192.168.5.1
route inside 192.168.10.0 255.255.255.0 192.168.5.1
0
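To make the point about the 192.168.0.0/16 summary route concrete, here is an added example (my own code, not batry_boy's or the poster's) that does a longest-prefix-match lookup over the two route tables discussed in the answer above: the poster's original table, and the same table with the summary replaced by per-subnet routes. The 192.168.1.0/24, 192.168.2.0/24 and 192.168.10.0/24 subnets are batry_boy's illustrative examples, and "71.x.x.x" is the masked ISP gateway exactly as it appears in the posted config; both are used here only as labels.

```python
"""
Added example (not from the thread): longest-prefix-match route lookup showing
why a 192.168.0.0/16 summary route pointing inside swallows the VPN client pool.
"""
from ipaddress import ip_address, ip_network

# Route table rows: (egress interface, prefix, next hop), built from the
# poster's config. "71.x.x.x" is the masked ISP gateway as posted (label only).
ORIGINAL_ROUTES = [
    ("inside",  "192.168.5.0/24", "connected (Vlan1)"),
    ("inside",  "192.168.0.0/16", "192.168.5.1"),   # the summary batry_boy says to remove
    ("outside", "0.0.0.0/0",      "71.x.x.x"),
]

# Same table with the summary replaced by batry_boy's example per-subnet routes.
GRANULAR_ROUTES = [
    ("inside",  "192.168.5.0/24",  "connected (Vlan1)"),
    ("inside",  "192.168.1.0/24",  "192.168.5.1"),
    ("inside",  "192.168.2.0/24",  "192.168.5.1"),
    ("inside",  "192.168.10.0/24", "192.168.5.1"),
    ("outside", "0.0.0.0/0",       "71.x.x.x"),
]

# VPN client pool from the config: ip local pool CFGC 192.168.6.50-192.168.6.100
POOL_FIRST = ip_address("192.168.6.50")
POOL_LAST = ip_address("192.168.6.100")


def lookup(table, dst):
    """Return (interface, prefix, next_hop) of the most specific matching route."""
    addr = ip_address(str(dst))
    best = None
    for iface, prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[0], str(best[1]), best[2]


def misrouted_pool_addresses(table):
    """Pool addresses the table would send back inside instead of out to the tunnel."""
    bad = []
    addr = POOL_FIRST
    while addr <= POOL_LAST:
        if lookup(table, addr)[0] != "outside":
            bad.append(str(addr))
        addr += 1
    return bad


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL_ROUTES), ("granular", GRANULAR_ROUTES)):
        iface, prefix, nh = lookup(table, "192.168.6.50")
        print(f"{name:8} 192.168.6.50 -> {iface} via {nh} ({prefix}); "
              f"{len(misrouted_pool_addresses(table))} pool addresses misrouted")
```

With the original table every one of the 51 pool addresses resolves to the inside interface via 192.168.5.1, which is the symptom the answer describes; with the granular routes the pool falls through to the default route on the outside interface, where the crypto map lives.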

cfgchiranAuthor Commented:
Thanks for the responses. Yes, I can authenticate to the VPN and the client gets the following:

IP: 192.168.6.50
Subnet: 255.255.255.0
Gateway: 192.168.6.1 (Now I don't actually have a 6.1 device so not sure if that's an issue)

I had read elsewhere that I should not use the same IP scheme for my VPN as my inside scheme. However, I do have it that way on an ASA 5510 which works fine, though it has an older ASDM version so it's a different config.

That's all.

I have made the changes recommended by batry_boy but still cannot access the Intranet site, which is 192.168.5.5, nor can I ping a 5.x address or a 1.x address.

Here's the new running config. Any other suggestions?

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XolaqzZOF0GNB2KQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.11 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list VPN extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.6.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool CFGC 192.168.6.50-192.168.6.100 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy CFGC internal
group-policy CFGC attributes
 vpn-tunnel-protocol IPSec
username hiran password TxwwacgGUcdSGFtB encrypted privilege 15
username hiran attributes
 vpn-group-policy CFGC
username jeff password M.BNdpNp46vb1.wF encrypted privilege 0
username jeff attributes
 vpn-group-policy CFGC
tunnel-group CFGC type ipsec-ra
tunnel-group CFGC general-attributes
 address-pool CFGC
 default-group-policy CFGC
tunnel-group CFGC ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:eb6b2f39e6c6e788ff93727ef3debb58
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
0

batry_boyCommented:
While in a VPN session, right-click the yellow padlock in the system tray and click "Statistics".  What values do you see in the box that is shown in the attached screenshot?
vpnstats.png
0
cfgchiranAuthor Commented:
Includes bytes in Sent but not received.

Packets - include Encrypted, but none decrypted and all are either Discarded or Bypassed.
0
batry_boyCommented:
You have an internal router at 192.168.5.1.  What does its routing table look like?  Packets are going but not making it back to the VPN client.  I'm starting to wonder if packets are not being sent back to the ASA when destined for 192.168.6.0/25.

You could set up a capture to see if traffic is making its way back to the ASA from the inside hosts when trying to ping them from a VPN client.  Issue these commands to set up a capture:

access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.128
access-list vpntraffic permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.128
capture vpncap access-list vpntraffic interface inside

Then, perform some more ping tests from a VPN client.  To look at the results of the capture, issue the command:

sh capture vpncap

Does anything show up?
0
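Both the NAT-exemption ACL from batry_boy's first answer and the capture ACL from this one are ASA extended ACLs with a source and destination given as network plus subnet mask. As an added example (my own code, not from the thread or from Cisco), the following parses those lines exactly as they appear above and evaluates constructed flows against them with first-match-wins semantics and an implicit deny at the end, so you can check before typing the capture in whether a given inside host to VPN client flow would actually be captured, and whether the whole pool is covered by the exemption.

```python
"""
Added example (not from the thread): parse the ASA-style extended ACLs posted
above and evaluate constructed flows against them (first match wins, implicit deny).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Lines copied from the thread: the NAT-exemption ACL and the capture ACL.
ACL_LINES = """
access-list inside_nat0_outbound extended permit ip any 192.168.6.0 255.255.255.128
access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.128
access-list vpntraffic permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.128
""".strip().splitlines()


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # only "ip" appears in the thread
    src: IPv4Network
    dst: IPv4Network


def _take_address(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a real subnet mask here, not an IOS-style wildcard mask.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(lines):
    """Return {acl_name: [Ace, ...]} preserving line order (order decides matching)."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "extended":           # optional keyword on ASA
            i += 1
        action, proto = t[i], t[i + 1]
        src, i = _take_address(t, i + 2)
        dst, i = _take_address(t, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def permits(acl, src, dst):
    """First matching ACE decides; no match means the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def pool_fully_exempt(acl, first, last, inside_host="192.168.5.5"):
    """True if every address in the VPN pool is a permitted destination for the inside host."""
    a, z = ip_address(first), ip_address(last)
    return all(permits(acl, inside_host, str(a + k)) for k in range(int(z) - int(a) + 1))


ACLS = parse_acls(ACL_LINES)

if __name__ == "__main__":
    # Constructed flows: inside host (the intranet server) replying to a VPN client.
    for src, dst in (("192.168.5.5", "192.168.6.50"), ("192.168.5.5", "192.168.6.200"),
                     ("192.168.3.1", "192.168.6.50")):
        print(f"{src} -> {dst}: captured={permits(ACLS['vpntraffic'], src, dst)} "
              f"nat-exempt={permits(ACLS['inside_nat0_outbound'], src, dst)}")
    print("pool 192.168.6.50-100 fully NAT-exempt:",
          pool_fully_exempt(ACLS["inside_nat0_outbound"], "192.168.6.50", "192.168.6.100"))
```

Note that the capture ACL only lists 192.168.5.0/24 and 192.168.1.0/24 as sources, so replies from any other internal subnet (192.168.3.1 in the constructed flows) would never appear in the capture even if they reach the ASA; add a line per internal subnet, the same way the answer adds one route per subnet.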
cfgchiranAuthor Commented:
Batry_boy.

I appreciate your help. I did find a solution.

I reset the device to factory settings and started from scratch.

By changing my VPN scope of addresses to the same subnet as my Inside address and creating a NAT exempt rule for "Any source" to "Inside Network" (Outbound) (which I think is the same as what you said before) I am able to navigate just fine.

So it probably has something to do with my routing scheme on the router, which I will look into.

Here's the running config now - and it works. Let me know if you see anything that should not be there.

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XolaqzZOF0GNB2KQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.11 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool CFGC 192.168.5.112-192.168.5.122 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.0.0 255.255.0.0 192.168.5.1 1
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy CFGC internal
group-policy CFGC attributes
 wins-server value 192.168.5.9 192.168.5.215
 dns-server value 192.168.5.215 192.168.5.9
 vpn-tunnel-protocol IPSec
 default-domain value childguidance.org
username hiran password TxwwacgGUcdSGFtB encrypted privilege 15
username hiran attributes
 vpn-group-policy CFGC
username jeff password M.BNdpNp46vb1.wF encrypted privilege 15
username jeff attributes
 vpn-group-policy CFGC
tunnel-group CFGC type ipsec-ra
tunnel-group CFGC general-attributes
 address-pool CFGC
 default-group-policy CFGC
tunnel-group CFGC ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e3c13fb6a2485426bd43c805552e1645
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

0
cfgchiranAuthor Commented:
I have one other question. I would like to have L2TP/IPsec on this ASA as well for clients to connect using the Windows VPN client. Is it possible to have it at the same time as just IPSEC? Basically, to use both Cisco and Windows clients.
0
batry_boyCommented:
To tell you the truth, I've never tried that.  I wouldn't see why not, but I'll try it and get back with you.
0
cfgchiranAuthor Commented:
Thank you. I have another question open for the Windows issue, so if you can please answer that and that way you can get points for that too, since it's a different question.
0