ASA 5510 VPN net unable to access 'inside' net

Posted on 2011-10-18
Medium Priority
Last Modified: 2012-05-12
I have an ASA that I've been playing around with. I've successfully taught myself how to set it up, configure some of the ACL, NAT and AnyConnect. I do have one issue. My VPN subnet is: 192.168.54/24. I can ping the default route for (assigned to asa mgmt 0/0) but I'm unable to ping (assigned to ASA ether 0/1).

What's strange is that I can ping a switch in the remote network but I can't ping the ASA's .1. I tried pinging the ASA from the switch and it works. If I ping the ASA from a host that's connected to the switch (VLAN 30), it won't work. That might be a different issue though.

Any ideas since I've burnt myself out of thinking logically.

Here is my running config:

: Saved
ASA Version 8.4(2) 
hostname mine-fwcore-0
domain-name mine.pvt
enable password xxxxxxxx encrypted
passwd xxxxxxxx  encrypted
name 72.x.x.x outside-gateway
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 72.x.x.x 
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 duplex full
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name mine.pvt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network outside-gateway
object network vpn-network
object network inside-network
object network remote-network
object-group network management0
object-group network inside0
object-group service tcp-inbound-common
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group service udp-inbound-common
 service-object udp destination eq domain 
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip any 
access-list outside_access_in extended permit tcp object remote-network eq ssh 
access-list nat-zero extended permit ip object vpn-network 
access-list nat-zero extended permit ip object vpn-network 
access-list management_access_in extended permit ip any any 
access-list global_access extended permit ip any any 
access-list acl_split-tunnel standard permit 
access-list acl_split-tunnel standard permit 
access-list outside_mpc extended permit ip any any 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mine_vpn-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
nat (any,any) after-auto source static vpn-network vpn-network
access-group outside_access_in in interface outside
access-group management_access_in in interface management
access-group global_access global
route outside outside-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http management
http management
no snmp-server location
no snmp-server contact
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=mine-fwcore-0
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 3e1f8f4e
telnet timeout 5
ssh management
ssh management
ssh timeout 15
ssh version 2
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect profiles mineClientProfile disk0:/mineclientprofile.xml
 anyconnect enable
group-policy mineGrpPolicy internal
group-policy mineGrpPolicy attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split-tunnel
 default-domain value mine.pvt
 split-dns value
 split-tunnel-all-dns disable
 address-pools value mine_vpn-pool
 ipv6-address-pools none
  url-list none
  anyconnect firewall-rule client-interface public value outside_access_in
  anyconnect firewall-rule client-interface private value outside_access_in
  anyconnect ask enable default webvpn
username root password adsadasdadsadasdasdasdasdasdasd encrypted privilege 15
username mine password asdasdasdasdasdasdasdasdasdasdasd encrypted privilege 0
username mine attributes
 vpn-group-policy mineGrpPolicy
tunnel-group mine_vpn type remote-access
tunnel-group mine_vpn general-attributes
 address-pool (outside) mine_vpn-pool
 address-pool mine_vpn-pool
 default-group-policy mineGrpPolicy
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map outside-policy
 class outside-class
  ips inline fail-open sensor vs0
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context 
no call-home reporting anonymous
: end
asdm image disk0:/asdm-645-106.bin
no asdm history enable

Open in new window

Question by:wsani
  • 4
  • 2

Expert Comment

ID: 36990652
are you using cmd line or asdm, run a constant ping and look at the log and see why it is being blocked.

Author Comment

ID: 36991074
ASDM, and not much to go on using debug logging:  

Teardown ICMP connection for faddr gaddr laddr

I might need to explain a little more. is a VM guest on an ESXi host. The ESXi server is using the management interface of That is running on an IBM Bladecenter chassis. So here goes the layout.

VM Guest <- vswitch VLAN 30 -> ESXI <- BNT L2 INT1 VLAN 20 trunk -> DELL PowerConnect port5 VLAN20 trunk -> ASA mgmt 0/0

I have the same setup for the 'inside' network expect the vlan trunk is set to 30, with the 10.20.50 IP subnet. So the BNT switch that's connected on the backplane of the IBM chassis has Layer2 functionality.

I guess I'm confused why I'm able to ping from the L2 switch to the ASA. I can ping the L2 switch from the ESXi host but I can't ping the ASA.

Am I severely confused?

Expert Comment

ID: 36991665
By the design of the ASA you can not ping another interface on the ASA than the interface you connect in to. So if you come into the firewall on the outside interface and is pinging the inside interface it will not work.
Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.


Author Comment

ID: 36994419
Right, but, I'm pinging the from, which is an L2 switch. If I'm doing VLAN tagging, do I need to specify the VLAN on the ASA inside interface?

Accepted Solution

Ironmannen earned 1500 total points
ID: 36995245
You could ping from the switch? right?

If the port on the switch is a trunk port then you will need to assign the asa interface to a vlan but if the switch port is in access mode on vlan 30 then it is ok

Author Comment

ID: 36995349
Ah, sometimes putting it in print helps. I need to trunk the ports before I can ping... duh.

Author Closing Comment

ID: 36995353
Walking me through what I was doing wrong. Not necessarily a 100% solution.

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question