ASA 5510 VPN net unable to access 'inside' net

Posted on 2011-10-18
Last Modified: 2012-05-12
I have an ASA that I've been playing around with. I've successfully taught myself how to set it up, configure some of the ACL, NAT and AnyConnect. I do have one issue. My VPN subnet is: 192.168.54/24. I can ping the default route for (assigned to asa mgmt 0/0) but I'm unable to ping (assigned to ASA ether 0/1).

What's strange is that I can ping a switch in the remote network but I can't ping the ASA's .1. I tried pinging the ASA from the switch and it works. If I ping the ASA from a host that's connected to the switch (VLAN 30), it won't work. That might be a different issue though.

Any ideas since I've burnt myself out of thinking logically.

Here is my running config:

: Saved
ASA Version 8.4(2) 
hostname mine-fwcore-0
domain-name mine.pvt
enable password xxxxxxxx encrypted
passwd xxxxxxxx  encrypted
name 72.x.x.x outside-gateway
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 72.x.x.x 
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 duplex full
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name mine.pvt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network outside-gateway
object network vpn-network
object network inside-network
object network remote-network
object-group network management0
object-group network inside0
object-group service tcp-inbound-common
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group service udp-inbound-common
 service-object udp destination eq domain 
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip any 
access-list outside_access_in extended permit tcp object remote-network eq ssh 
access-list nat-zero extended permit ip object vpn-network 
access-list nat-zero extended permit ip object vpn-network 
access-list management_access_in extended permit ip any any 
access-list global_access extended permit ip any any 
access-list acl_split-tunnel standard permit 
access-list acl_split-tunnel standard permit 
access-list outside_mpc extended permit ip any any 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mine_vpn-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
nat (any,any) after-auto source static vpn-network vpn-network
access-group outside_access_in in interface outside
access-group management_access_in in interface management
access-group global_access global
route outside outside-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http management
http management
no snmp-server location
no snmp-server contact
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=mine-fwcore-0
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 3e1f8f4e
telnet timeout 5
ssh management
ssh management
ssh timeout 15
ssh version 2
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect profiles mineClientProfile disk0:/mineclientprofile.xml
 anyconnect enable
group-policy mineGrpPolicy internal
group-policy mineGrpPolicy attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split-tunnel
 default-domain value mine.pvt
 split-dns value
 split-tunnel-all-dns disable
 address-pools value mine_vpn-pool
 ipv6-address-pools none
  url-list none
  anyconnect firewall-rule client-interface public value outside_access_in
  anyconnect firewall-rule client-interface private value outside_access_in
  anyconnect ask enable default webvpn
username root password adsadasdadsadasdasdasdasdasdasd encrypted privilege 15
username mine password asdasdasdasdasdasdasdasdasdasdasd encrypted privilege 0
username mine attributes
 vpn-group-policy mineGrpPolicy
tunnel-group mine_vpn type remote-access
tunnel-group mine_vpn general-attributes
 address-pool (outside) mine_vpn-pool
 address-pool mine_vpn-pool
 default-group-policy mineGrpPolicy
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map outside-policy
 class outside-class
  ips inline fail-open sensor vs0
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context 
no call-home reporting anonymous
: end
asdm image disk0:/asdm-645-106.bin
no asdm history enable

Open in new window

Question by:wsani
    LVL 5

    Expert Comment

    are you using cmd line or asdm, run a constant ping and look at the log and see why it is being blocked.

    Author Comment

    ASDM, and not much to go on using debug logging:  

    Teardown ICMP connection for faddr gaddr laddr

    I might need to explain a little more. is a VM guest on an ESXi host. The ESXi server is using the management interface of That is running on an IBM Bladecenter chassis. So here goes the layout.

    VM Guest <- vswitch VLAN 30 -> ESXI <- BNT L2 INT1 VLAN 20 trunk -> DELL PowerConnect port5 VLAN20 trunk -> ASA mgmt 0/0

    I have the same setup for the 'inside' network expect the vlan trunk is set to 30, with the 10.20.50 IP subnet. So the BNT switch that's connected on the backplane of the IBM chassis has Layer2 functionality.

    I guess I'm confused why I'm able to ping from the L2 switch to the ASA. I can ping the L2 switch from the ESXi host but I can't ping the ASA.

    Am I severely confused?
    LVL 7

    Expert Comment

    By the design of the ASA you can not ping another interface on the ASA than the interface you connect in to. So if you come into the firewall on the outside interface and is pinging the inside interface it will not work.

    Author Comment

    Right, but, I'm pinging the from, which is an L2 switch. If I'm doing VLAN tagging, do I need to specify the VLAN on the ASA inside interface?
    LVL 7

    Accepted Solution

    You could ping from the switch? right?

    If the port on the switch is a trunk port then you will need to assign the asa interface to a vlan but if the switch port is in access mode on vlan 30 then it is ok

    Author Comment

    Ah, sometimes putting it in print helps. I need to trunk the ports before I can ping... duh.

    Author Closing Comment

    Walking me through what I was doing wrong. Not necessarily a 100% solution.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
    This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    9 Experts available now in Live!

    Get 1:1 Help Now