VPN user cannot ping other VPN user

Experts, to my rescue again:

We have a working VPN Tunnel in place here that we've been using for years without issue.  Users who are on our internal network exist in the 192.168.1.X subnet, while VPN users are given 172.16.223.X addresses.  

What I've just today found is when I am internal I can ping any of my VPN users with no problem.  Also, when I'm VPN'd in, I can ping internal resources with no problem.  However, if I'm VPN'd in, I can't ping other VPN'd in users.

I've tried the cursory addition of ACL's all over the place with no luck.  Packet trace reports that it should work fine (but it doesn't).  This is crucially important to our softphone deployment, as the phones work fine over VPN until an individual tries to call another VPN user (at which point, no audio is transmitted).

Here's the scrubbed running config (sorry about the length, lot of cooks in the kitchen):

: Saved
:
ASA Version 8.0(3)
!

!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.224 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif Dev
 security-level 50
 ip address 192.168.30.1 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif Secure
 security-level 100
 ip address 192.168.60.1 255.255.255.0
 ospf cost 10
!

boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone Central -6
dns server-group DefaultDNS
 domain-name we-mail.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TeleworkerTCP tcp
 port-object eq ssh
 port-object range 6800 6802
 port-object range 3998 3999
 port-object eq 6880
 port-object eq www
object-group service TeleworkerUDP udp
 port-object eq domain
 port-object range 1024 65535
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service BackupExec tcp
 port-object range 25100 25110
object-group service Cuda tcp
 port-object eq 8000
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit tcp any host XX.XXX.XXX.90 eq domain
access-list inbound extended permit udp any host XX.XXX.XXX.90 eq domain
access-list inbound extended permit tcp any host XX.XXX.XXX.72 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.75 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.80 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.80 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.81 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.81 eq ftp
access-list inbound extended permit tcp any host XX.XXX.XXX.81 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.82 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.82 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.83 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.83 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq ftp
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 990
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3000
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3001
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3002
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3003
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq ssh
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq https
access-list inbound extended permit ip any host XX.XXX.XXX.93
access-list inbound extended permit tcp any host XX.XXX.XXX.84 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.84 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.85 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.85 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.75 eq smtp
access-list inbound extended permit tcp any host XX.XXX.XXX.86 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.87 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.87 eq www
access-list inbound extended permit udp any host XX.XXX.XXX.75 eq ntp
access-list inbound extended permit tcp any host XX.XXX.XXX.86 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.91 eq www
access-list inbound extended permit icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list dmz extended permit ip host 192.168.10.200 any
access-list dmz extended permit icmp any any unreachable
access-list dmz extended permit icmp any any echo-reply
access-list dmz extended permit icmp any any time-exceeded
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp host 192.168.10.50 host 192.168.1.17 eq smtp inactive
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.17 eq smtp inactive
access-list dmz extended permit tcp host 192.168.10.50 host 192.168.1.4 eq 8100
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.3 eq 1433
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list dmz extended permit tcp host 192.168.10.100 host 192.168.1.17 eq smtp inactive
access-list dmz extended permit tcp host 192.168.10.32 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq ssh inactive
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.14 eq www inactive
access-list dmz extended permit tcp host 192.168.10.33 host 192.168.1.14 eq www inactive
access-list dmz extended permit tcp host 192.168.10.17 host 192.168.1.11 eq smtp
access-list dmz extended permit tcp host 192.168.10.17 host 192.168.1.6 eq ldap
access-list dmz extended permit tcp host 192.168.10.17 host 192.168.1.252 eq ldap
access-list dmz extended permit tcp host 192.168.10.17 any eq smtp
access-list dmz extended permit tcp host 192.168.10.90 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp host 192.168.10.80 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp host 192.168.10.80 host 192.168.1.11 eq 993
access-list dmz extended permit udp host 192.168.10.17 host 192.168.1.19 eq syslog
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp host 192.168.10.80 host 192.168.1.11 eq smtp
access-list dmz extended permit tcp host 192.168.10.31 object-group BackupExec host 192.168.1.22
access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any eq ntp
access-list dmz extended permit tcp host 192.168.10.2 any eq ssh
access-list dmz extended permit tcp host 192.168.10.2 any object-group Cuda
access-list dmz extended deny tcp Allegheny 255.255.255.0 host 192.168.10.100 eq https inactive
access-list dmz extended permit tcp any any eq ssh inactive
access-list outbound extended permit ip 192.168.50.0 255.255.255.0 any
access-list outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outbound extended permit udp any any object-group TeleworkerUDP
access-list outbound extended permit object-group DM_INLINE_PROTOCOL_2 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.10.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.50.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list REMOTE extended permit udp 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0 object-group TeleworkerUDP
access-list REMOTE extended permit ip 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit ip 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit ip 192.168.10.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit ip 192.168.50.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit udp 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0 object-group TeleworkerUDP
access-list VPN_SPLIT_TUNNEL extended permit ip 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list global_mpc extended permit tcp any any
access-list Dev_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Dev_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq www
access-list Dev_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq domain
access-list Dev_access_in extended permit udp 192.168.30.0 255.255.255.0 any eq domain
access-list Dev_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq https
access-list Dev_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Dev_access_in extended permit udp 192.168.30.0 255.255.255.0 any eq ntp
access-list Dev_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list Dev_access_in extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list Secure_access_in extended permit ip any any
access-list Secure_access_in extended permit icmp any any echo-reply
access-list Secure_access_in extended permit icmp any any unreachable
access-list Secure_access_in extended permit icmp any any time-exceeded
access-list Secure_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq www
access-list Secure_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq domain
access-list Secure_access_in extended permit udp 192.168.30.0 255.255.255.0 any eq domain
pager lines 20
logging enable
logging timestamp
logging buffer-size 12000
logging trap notifications
logging history notifications
logging asdm informational
logging facility 23
logging host inside 192.168.1.19
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Dev 1500
mtu Secure 1500
ip local pool VPN-IP2 172.16.223.10-172.16.223.70
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
global (Dev) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list REMOTE
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (Dev) 0 access-list Dev_nat0_outbound outside
nat (Dev) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XXX.XXX.80 https 192.168.1.5 https netmask 255.255.255.255 tcp 500 500
static (inside,outside) tcp XX.XXX.XXX.80 www 192.168.1.5 www netmask 255.255.255.255 tcp 500 500
static (inside,outside) tcp XX.XXX.XXX.82 https 192.168.1.11 https netmask 255.255.255.255 tcp 500 500
static (inside,outside) tcp XX.XXX.XXX.82 www 192.168.1.11 www netmask 255.255.255.255 tcp 500 500
static (dmz,outside) tcp XX.XXX.XXX.81 ftp 192.168.10.35 ftp netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.81 www 192.168.10.31 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.81 https 192.168.10.31 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.84 www 192.168.10.32 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.84 https 192.168.10.32 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.85 www 192.168.10.33 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.85 https 192.168.10.33 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.75 smtp 192.168.10.17 smtp netmask 255.255.255.255 tcp 500 500
static (dmz,outside) tcp XX.XXX.XXX.87 www 192.168.10.36 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.87 https 192.168.10.36 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.86 www 192.168.10.80 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.86 https 192.168.10.80 https netmask 255.255.255.255
static (dmz,outside) XX.XXX.XXX.72 192.168.10.20 netmask 255.255.255.255 tcp 500 500
static (dmz,outside) XX.XXX.XXX.90 192.168.10.10 netmask 255.255.255.255 tcp 1500 1500
static (dmz,outside) XX.XXX.XXX.83 192.168.10.50 netmask 255.255.255.255 tcp 500 500
static (dmz,outside) XX.XXX.XXX.94 192.168.10.200 netmask 255.255.255.255 tcp 500 500
static (dmz,outside) XX.XXX.XXX.92 192.168.10.100 netmask 255.255.255.255
static (inside,dmz) 192.168.10.10 192.168.10.10 netmask 255.255.255.255
static (inside,dmz) 192.168.10.31 192.168.10.31 netmask 255.255.255.255
static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255 tcp 500 500
static (inside,dmz) 192.168.1.86 192.168.1.86 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.252 192.168.1.252 netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
static (inside,outside) XX.XXX.XXX.91 192.168.1.164 netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
access-group dmz in interface dmz
access-group Dev_access_in in interface Dev
access-group Secure_access_in in interface Secure
!
router ospf 2003
 network 0.0.0.0 0.0.0.0 area 0
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server partnerauth protocol radius
aaa-server partnerauth host 192.168.1.6
 key RSM.McGl@dr3y
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.1.19 community ncc1700
no snmp-server location
no snmp-server contact
snmp-server community ncc1700
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
ssl encryption aes256-sha1 aes128-sha1 rc4-sha1 3des-sha1
group-policy PFCremotePolicy internal
group-policy PFCremotePolicy attributes
 wins-server value 192.168.1.6 192.168.1.252
 dns-server value 192.168.1.6 192.168.1.252
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 default-domain value we-mail.com

tunnel-group PFCremote type remote-access
tunnel-group PFCremote general-attributes
 address-pool VPN-IP2
 authentication-server-group partnerauth LOCAL
 default-group-policy PFCremotePolicy
tunnel-group PFCremote ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map type regex match-any DomainBlockList
 match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
 match request uri regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
  inspect sip  
 class global-class
  ips inline fail-open
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
policy-map type inspect sip Test
 parameters
  max-forwards-validation action drop log
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:f2ba651cbf0c16936cc69b8829034fa1
: end
asdm image disk0:/asdm-613.bin
asdm location Allegheny 255.255.255.0 inside
no asdm history enable

Thanks in advance,
Matt
mhentrichAsked:
Who is Participating?
 
Svet PaperovConnect With a Mentor IT ManagerCommented:
Sorry, don’t have too much time to pass over the whole config file.

You could try one of the following:
1. Modify the line inspect ipsec-pass-thru to
inspect ipsec-pass-thru IPSEC_Pass_Thru

Open in new window

in order to enable the policy map you have created. May be you will want to set some timeouts for AH and ESP in the policy-map as in :
hostname(config)# policy-map type inspect ipsec-pass-thru IPSEC_Pass_Thru
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 32 timeout 00:06:00 
hostname(config-pmap-p)# ah per-client-max 16 timeout 00:05:00

Open in new window

or:
2. Use the following example from http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml :
hostname(config)#access-list test-udp-acl extended permit udp any any eq 500
hostname(config)#class-map test-udp-class
hostname(config-cmap)#match access-list test-udp-acl
hostname(config)#policy-map test-udp-policy
hostname(config-pmap)#class test-udp-class
hostname(config-pmap-c)#inspect ipsec-pass-thru
hostname(config)#service-policy test-udp-policy interface outside

Open in new window

to enable ipsec-pass-thru inspection on the outside interface only.

The answer of your question is inspect ipsec-pass-thru. However, it can be configured on different places. You can always consult the guides and references on cisco.com, they are pretty good. You don’t need to have an account in order to access them.
0
 
Svet PaperovIT ManagerCommented:
You need to enable IPSec Pass Thru inspection. From the Cisco ASA Command reference guide:
The inspect ipsec-pass-thru command enables or disables application inspection. IPSec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and/or AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list configuration to permit ESP and AH traffic and also provides security using timeout and max connections.
You need to alter the following lines:
policy-map global_policy
 class inspection_default
   inspect ipsec-pass-thru

Open in new window

0
 
mhentrichAuthor Commented:
Spaperov,

Thank you much for your input.  I've tried it out (I believe I did it right) and no luck.  I've attached my new running config here.

Any other ideas?  Thanks!
Matt RunningConfig.txt
0
 
mhentrichAuthor Commented:
All,

I haven't had the time to try and implement this fully, but I'm guessing Spaperov is right (makes sense, anyways) :P

Thanks,
Matt
0
All Courses

From novice to tech pro — start learning today.