ASA 5510 VPN net unable to access 'inside' net
I have an ASA that I've been playing around with. I've successfully taught myself how to set it up, configure some of the ACL, NAT and AnyConnect. I do have one issue. My VPN subnet is: 192.168.54/24. I can ping the default route for 172.25.111.1 (assigned to asa mgmt 0/0) but I'm unable to ping 10.20.50.1 (assigned to ASA ether 0/1).
What's strange is that I can ping a switch 10.20.50.2 in the remote network but I can't ping the ASA's .1. I tried pinging the ASA from the switch 10.20.50.2 and it works. If I ping the ASA from a host that's connected to the switch (VLAN 30), it won't work. That might be a different issue though.
Any ideas since I've burnt myself out of thinking logically.
Here is my running config:
What's strange is that I can ping a switch 10.20.50.2 in the remote network but I can't ping the ASA's .1. I tried pinging the ASA from the switch 10.20.50.2 and it works. If I ping the ASA from a host that's connected to the switch (VLAN 30), it won't work. That might be a different issue though.
Any ideas since I've burnt myself out of thinking logically.
Here is my running config:
: Saved
:
ASA Version 8.4(2)
!
hostname mine-fwcore-0
domain-name mine.pvt
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name 72.x.x.x outside-gateway
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 72.x.x.x 255.255.255.240
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 10.20.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
duplex full
nameif management
security-level 100
ip address 172.25.111.1 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name mine.pvt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network outside-gateway
host 72.20.110.1
object network vpn-network
subnet 192.168.54.0 255.255.255.0
object network inside-network
subnet 10.20.50.0 255.255.255.0
object network remote-network
host 122.176.67.90
object-group network management0
network-object 172.25.111.0 255.255.255.0
object-group network inside0
network-object 10.20.50.0 255.255.255.0
object-group service tcp-inbound-common
service-object tcp destination eq www
service-object tcp destination eq https
object-group service udp-inbound-common
service-object udp destination eq domain
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 10.20.50.0 255.255.255.0
access-list outside_access_in extended permit tcp object remote-network 10.20.50.0 255.255.255.0 eq ssh
access-list nat-zero extended permit ip 10.20.50.0 255.255.255.0 object vpn-network
access-list nat-zero extended permit ip 172.25.111.0 255.255.255.0 object vpn-network
access-list management_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list acl_split-tunnel standard permit 172.25.111.0 255.255.255.0
access-list acl_split-tunnel standard permit 10.20.50.0 255.255.255.0
access-list outside_mpc extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mine_vpn-pool 192.168.54.10-192.168.54.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (any,any) after-auto source static vpn-network vpn-network
access-group outside_access_in in interface outside
access-group management_access_in in interface management
access-group global_access global
route outside 0.0.0.0 0.0.0.0 outside-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.25.111.0 255.255.255.0 management
http 192.168.54.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=mine-fwcore-0
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 3e1f8f4e
asdasdasdasdasdasdadsadadasdsadadasdadasdad
quit
telnet timeout 5
ssh 172.25.111.0 255.255.255.0 management
ssh 192.168.54.0 255.255.255.0 management
ssh timeout 15
ssh version 2
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
anyconnect profiles mineClientProfile disk0:/mineclientprofile.xml
anyconnect enable
group-policy mineGrpPolicy internal
group-policy mineGrpPolicy attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_split-tunnel
default-domain value mine.pvt
split-dns value 8.8.8.8
split-tunnel-all-dns disable
address-pools value mine_vpn-pool
ipv6-address-pools none
webvpn
url-list none
anyconnect firewall-rule client-interface public value outside_access_in
anyconnect firewall-rule client-interface private value outside_access_in
anyconnect ask enable default webvpn
username root password adsadasdadsadasdasdasdasdasdasd encrypted privilege 15
username mine password asdasdasdasdasdasdasdasdasdasdasd encrypted privilege 0
username mine attributes
vpn-group-policy mineGrpPolicy
tunnel-group mine_vpn type remote-access
tunnel-group mine_vpn general-attributes
address-pool (outside) mine_vpn-pool
address-pool mine_vpn-pool
default-group-policy mineGrpPolicy
!
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map outside-policy
class outside-class
ips inline fail-open sensor vs0
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:62d80f164641579fd81c7acd9a7887c1
: end
asdm image disk0:/asdm-645-106.bin
no asdm history enable
mlchelp
are you using cmd line or asdm, run a constant ping and look at the log and see why it is being blocked.
ASKER
ASDM, and not much to go on using debug logging:
Teardown ICMP connection for faddr 172.25.111.10/24589 gaddr 10.20.50.1/0 laddr 10.20.80.1/0
I might need to explain a little more. 10.20.50.31 is a VM guest on an ESXi host. The ESXi server is using the management interface of 172.25.111.10. That is running on an IBM Bladecenter chassis. So here goes the layout.
VM Guest 10.20.50.31 <- vswitch VLAN 30 -> ESXI 172.25.111.10 <- BNT L2 INT1 VLAN 20 trunk -> DELL PowerConnect port5 VLAN20 trunk -> ASA mgmt 0/0 172.25.111.1
I have the same setup for the 'inside' network expect the vlan trunk is set to 30, with the 10.20.50 IP subnet. So the BNT switch that's connected on the backplane of the IBM chassis has Layer2 functionality.
I guess I'm confused why I'm able to ping from the L2 switch to the ASA. I can ping the L2 switch from the ESXi host but I can't ping the ASA.
Am I severely confused?
Teardown ICMP connection for faddr 172.25.111.10/24589 gaddr 10.20.50.1/0 laddr 10.20.80.1/0
I might need to explain a little more. 10.20.50.31 is a VM guest on an ESXi host. The ESXi server is using the management interface of 172.25.111.10. That is running on an IBM Bladecenter chassis. So here goes the layout.
VM Guest 10.20.50.31 <- vswitch VLAN 30 -> ESXI 172.25.111.10 <- BNT L2 INT1 VLAN 20 trunk -> DELL PowerConnect port5 VLAN20 trunk -> ASA mgmt 0/0 172.25.111.1
I have the same setup for the 'inside' network expect the vlan trunk is set to 30, with the 10.20.50 IP subnet. So the BNT switch that's connected on the backplane of the IBM chassis has Layer2 functionality.
I guess I'm confused why I'm able to ping from the L2 switch to the ASA. I can ping the L2 switch from the ESXi host but I can't ping the ASA.
Am I severely confused?
By the design of the ASA you can not ping another interface on the ASA than the interface you connect in to. So if you come into the firewall on the outside interface and is pinging the inside interface it will not work.
ASKER
Right, but, I'm pinging the 10.20.50.1 from 10.20.50.2, which is an L2 switch. If I'm doing VLAN tagging, do I need to specify the VLAN on the ASA inside interface?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ah, sometimes putting it in print helps. I need to trunk the ports before I can ping... duh.
ASKER
Walking me through what I was doing wrong. Not necessarily a 100% solution.