ASA 5505 Client VPN not able to ping inside network

Dear Experts, I just finished configuring the VPN client tunnel and it connects me, except that I can't ping or connect to the internal network resources. What am I missing?

Here is the config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname DSS-SA-ASA-01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
 
name 172.16.0.0 SA_Tunnel_Network
name 172.16.100.0 HOU-100.0-24
name 172.16.17.0 HOU-17.0-24
 
name 172.16.11.100 VPN_POOL_ADDRESS description DHCP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.19.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxxxx 255.255.255.240
!
ftp mode passive
 
access-list SA-CLIENTVPN_splitTunnelAcl standard permit HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip HOU-17.0-24 255.255.255.0 172.16.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!

!
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=DSS-SA-ASA-01
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 1364704f
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
 
ssh timeout 5
console timeout 0
dhcpd dns xxxxxxxxxxxxxxxxxxxx
dhcpd domain is.ad
!
dhcpd address 172.16.19.100-172.16.19.150 inside
dhcpd dns xxxxxxxxxxxxxxxxxx interface inside
dhcpd lease 3000 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SA-CLIENTVPN internal
group-policy SA-CLIENTVPN attributes
 dns-server value xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SA-CLIENTVPN_splitTunnelAcl
 default-domain value is.ad
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 
tunnel-group SA-CLIENTVPN type remote-access
tunnel-group SA-CLIENTVPN general-attributes
 address-pool VPN_DHCP
 default-group-policy SA-CLIENTVPN
tunnel-group SA-CLIENTVPN ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:02163c4a316a4350b4e55d036a120bd7
: end
marceloNYCMiddle-Tier AdministratorAsked:

pclinuxguruCommented:
Only thing you have different than mine is no routes to the inside of your network.

For instance, let's say you had a subnet 192.168.88.0/24 and you needed to access 192.168.88.35

On the ASA you would need a
route inside 192.168.88.0 255.255.255.0 192.168.88.1 1
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
So it is like:
                route inside {address of VPN pool 172.16.11.0} mask {172.16.19.1}

Like this is not working.
0
pclinuxguruCommented:
The only other thing I am not seeing actually are usernames.... did you remove them or do not have any?
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
I removed the usernames.
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
The internal network is 172.16.19.0 and the VPN network address is 172.16.11.0
0
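An added example, not code from any poster in this thread: a small Python check of whether the `nat (inside) 0` ACL and the split-tunnel list in the first posted configuration cover the real inside subnet (Vlan1) and the VPN pool. The `audit` function and `FIRST_CONFIG` excerpt are names made up for this example; it assumes 8.2-style syntax and handles only `permit ip` / standard `permit` entries.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt: lines copied from the first "show running-config" in the thread.
FIRST_CONFIG = """\
name 172.16.17.0 HOU-17.0-24
name 172.16.11.100 VPN_POOL_ADDRESS description DHCP
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.19.1 255.255.255.0
access-list SA-CLIENTVPN_splitTunnelAcl standard permit HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip HOU-17.0-24 255.255.255.0 172.16.11.0 255.255.255.0
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy SA-CLIENTVPN attributes
 split-tunnel-network-list value SA-CLIENTVPN_splitTunnelAcl
"""

def audit(config):
    """Return the checks that fail for VPN-pool <-> inside traffic (8.2-style syntax)."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", config, re.M)}

    def net(addr, mask):
        # Resolve "name" aliases, then normalise host/mask to its network.
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    def acl(name):
        """Parse 'permit [ip] <src> [<dst>]' entries into lists of networks."""
        entries = []
        pat = rf"^access-list {re.escape(name)} \S+ permit (?:ip )?(.*)$"
        for rest in re.findall(pat, config, re.M):
            tok, nets = rest.split(), []
            while tok and len(nets) < 2:
                addr = tok.pop(0)
                nets.append(ANY if addr == "any" else net(addr, tok.pop(0)))
            entries.append(nets)
        return entries

    inside = net(*re.search(r"^ nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)", config, re.M).groups())
    start, _end, mask = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", config, re.M).groups()
    pool = net(start, mask)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    split = re.search(r"^ split-tunnel-network-list value (\S+)", config, re.M)

    findings = []
    if not nat0 or not any(len(e) == 2 and inside.subnet_of(e[0]) and pool.subnet_of(e[1])
                           for e in acl(nat0.group(1))):
        findings.append(f"no NAT exemption for {inside} -> {pool}")
    if split and not any(inside.subnet_of(e[0]) for e in acl(split.group(1))):
        findings.append(f"split-tunnel list does not include {inside}")
    return findings
```

Run against the excerpt, both checks fail because the ACLs name 172.16.17.0/24 while Vlan1 is 172.16.19.0/24.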
pclinuxguruCommented:
The only other thing missing is a nat for your vpn IP.

nat (inside,outside) source static any any destination static 172.16.11.0/24  172.16.11.0/24 no-proxy-arp route-lookup
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
That nat line is not working...
0
lruiz52Commented:
Try this;

access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 HOU-17.0-24 255.255.255.0
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
for access list trying to fix this, I have this now:

access-list SA-CLIENTVPN_splitTunnelAcl standard permit HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 172.16.19.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any

for NAT:

global (inside) 2 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 VPN_POOL_ADDRESS 255.255.255.255 outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
0
pclinuxguruCommented:
I would imagine the issue is there are no NAT translations from your inside to your vpn.

When you say it is not working what does it say (the error)?
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
I just can't ping or connect to any of the internal network resources. When I ping I get a timeout with what I have configured.
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
Okay you guys, still the same. I have tried a lot of changes in the config. Here is where I am so far:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname xxxxxxxxxxxxxxx
enable password oQzrB18a5Qw/Vt1V encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name xxxxxxxxxxxxxxxx Outside_Address

name 172.16.11.0 VPN_POOL
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.19.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxx 255.255.255.240
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxxxxxxxxxxxxxxxxxxxxxx
access-list inside_nat0_outbound extended permit ip any VPN_POOL 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list DSS-SA-VPN_splitTunnelAcl standard permit 172.16.19.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
 
!
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxx1
route inside VPN_POOL 255.255.255.0 172.16.19.1 1 <-- is this correct?
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=xxxxxxxxxxxxxxxxx
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 1364704f
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
dhcpd dns xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dhcpd domain is.ad
!
dhcpd address 172.16.19.100-172.16.19.150 inside
dhcpd dns xxxxxxxxxxxxxxxxxxx interface inside
dhcpd lease 3000 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value xxxxxxxxxxx
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DSS-SA-VPN_splitTunnelAcl
 webvpn
  svc ask enable
group-policy DSS-SA-VPN internal
group-policy DSS-SA-VPN attributes
 dns-server value xxxxxxxxxxxxxxxxxxx
 vpn-tunnel-protocol IPSec webvpn
username test password P4ttSyrm33SV8TYp encrypted privilege 7
 
tunnel-group DSS-SA-VPN type remote-access
tunnel-group DSS-SA-VPN general-attributes
 address-pool VPN_DHCP
 default-group-policy DSS-SA-VPN
tunnel-group DSS-SA-VPN ipsec-attributes
 pre-shared-key *****
!
!
 
: end
0
pclinuxguruCommented:
Before you do what I posted... make a backup of your config. I basically compared what you posted to a 5505 that we use in a remote location. There are some things I am seeing that you posted that look more like PIX commands rather than ASA commands (just means it has been that long since I have seen them). Also note that my ASA is ver 8.4(2); if need be I can update it to match yours. After you make the changes, see what IP the ASA handed you. The other difference is I do not use the ASA for DHCP on the network, so mine is off.

Remove
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_POOL 255.255.255.0
route inside VPN_POOL 255.255.255.0 172.16.19.1 1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0


Add
nat (inside,outside) after-auto source dynamic any interface

object network MyVPN
 subnet 172.16.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip  172.16.19.0 255.255.255.0 172.16.11.0 255.255.255.0 log

ip local pool VPN_DHCP  172.16.11.10-172.16.11.254 mask 255.255.255.0

nat (inside,outside) source static any any destination static MyVPN MyVPN no-proxy-arp route-lookup

group-policy DSS-SA-VPN internal
group-policy DSS-SA-VPN attributes
 dns-server value (Ip Addresses of your internal DNS Servers)
 vpn-tunnel-protocol webvpn
 default-domain value (DOMAIN NAME)

tunnel-group DSS-SA-VPN type remote-access
tunnel-group DSS-SA-VPN general-attributes
 address-pool VPN_DHCP
 default-group-policy DSS-SA-VPN

In your users they should look something like this:
username USER attributes
 vpn-group-policy DSS-SA-VPN
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
Sorry it didn't work...
0
marceloNYCMiddle-Tier AdministratorAuthor Commented:
Thank you!
0