
ASA 5505 Client VPN not able to ping inside network

Posted on 2012-03-30
Last Modified: 2012-05-03
Dear Experts, I just finished configuring the VPN client tunnel and it connects me, except that I can't ping or connect to the internal network resources. What am I missing?

Here is the config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname DSS-SA-ASA-01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
 
name 172.16.0.0 SA_Tunnel_Network
name 172.16.100.0 HOU-100.0-24
name 172.16.17.0 HOU-17.0-24
 
name 172.16.11.100 VPN_POOL_ADDRESS description DHCP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.19.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxxxx 255.255.255.240
!
ftp mode passive
 
access-list SA-CLIENTVPN_splitTunnelAcl standard permit HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip HOU-17.0-24 255.255.255.0 172.16.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!

!
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=DSS-SA-ASA-01
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 1364704f
    308201e3 3082014c a0030201 02020413 64704f30 0d06092a 864886f7 0d010105
    05003036 31163014 06035504 03130d44 53532d53 412d4153 412d3031 311c301a
    06092a86 4886f70d 01090216 0d445353 2d53412d 4153412d 3031301e 170d3132
    30333237 31373330 32325a17 0d323230 33323531 37333032 325a3036 31163014
    06035504 03130d44 53532d53 412d4153 412d3031 311c301a 06092a86 4886f70d
    01090216 0d445353 2d53412d 4153412d 30313081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100a2 11bac1f8 f0990b9c 3d5d2059 0bb474ad
    ea61c64e 3c1e2a8a 30b0c5bb ed88711a 5e8e8ac7 f119d6d4 c31b987c a62a4aed
    ac2b7718 b0d45242 3cf4cd28 f0636ad4 c4ec5dc5 393e0490 459b0800 ea8095ab
    9517a682 741d918a c8de990a 1fb22989 83e0820e d195e743 0088500c 5afb67c5
    e5ee5351 1513773d 4066846d 2f903702 03010001 300d0609 2a864886 f70d0101
    05050003 8181005f 27ac9e53 2d4b47f2 cd33a8b1 94ed1850 f2217714 5ee6e6c7
    79f93c1b a6bc9c2c 64e058d1 a61b41be c80b327d 75e17ee5 6549b405 5f2e0c58
    cbbae9b2 a09b9d6e 5bfe5e31 f702a9ce e8e7b13b a2c5a49f bb198767 3eb0ce48
    0738a5ad bab036ed 9a75b449 5bddef65 220ec8e7 87bc6caf 9d6cd848 110092f5
    adaf3d4f 64e96d
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
 
ssh timeout 5
console timeout 0
dhcpd dns xxxxxxxxxxxxxxxxxxxx
dhcpd domain is.ad
!
dhcpd address 172.16.19.100-172.16.19.150 inside
dhcpd dns xxxxxxxxxxxxxxxxxx interface inside
dhcpd lease 3000 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SA-CLIENTVPN internal
group-policy SA-CLIENTVPN attributes
 dns-server value xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SA-CLIENTVPN_splitTunnelAcl
 default-domain value is.ad
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 
tunnel-group SA-CLIENTVPN type remote-access
tunnel-group SA-CLIENTVPN general-attributes
 address-pool VPN_DHCP
 default-group-policy SA-CLIENTVPN
tunnel-group SA-CLIENTVPN ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:02163c4a316a4350b4e55d036a120bd7
: end
Question by:marceloNYC
 
Expert Comment

by:pclinuxguru
ID: 37789173
The only thing you have different from mine is no routes to the inside of your network.

For instance, let's say you had a subnet 192.168.88.0/24 and you needed to access 192.168.88.35.

On the ASA you would need a
route inside 192.168.88.0 255.255.255.0 192.168.88.1 1

Author Comment

by:marceloNYC
ID: 37789222
So it's like:
                route inside {address of VPN pool 172.16.11.0} mask {172.16.19.1}

Like this, it is not working.

Expert Comment

by:pclinuxguru
ID: 37789269
The only other thing I am not seeing, actually, are usernames. Did you remove them, or do you not have any?
Author Comment

by:marceloNYC
ID: 37789276
I removed the usernames.
Author Comment

by:marceloNYC
ID: 37789300
The internal network is 172.16.19.0 and the VPN network address is 172.16.11.0

Expert Comment

by:pclinuxguru
ID: 37789328
The only other thing missing is a NAT for your VPN IP.

nat (inside,outside) source static any any destination static 172.16.11.0/24  172.16.11.0/24 no-proxy-arp route-lookup
Author Comment

by:marceloNYC
ID: 37789393
That nat line is not working...
Expert Comment

by:lruiz52
ID: 37791380
Try this:

access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 HOU-17.0-24 255.255.255.0
Author Comment

by:marceloNYC
ID: 37791434
For the access lists, trying to fix this, I have this now:

access-list SA-CLIENTVPN_splitTunnelAcl standard permit HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 172.16.19.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any

for NAT:

global (inside) 2 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 VPN_POOL_ADDRESS 255.255.255.255 outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!

Expert Comment

by:pclinuxguru
ID: 37797964
I would imagine the issue is there are no NAT translations from your inside to your vpn.

When you say it is not working, what does it say (the error)?
Author Comment

by:marceloNYC
ID: 37798844
I just can't ping or connect to any of the internal network resources. When I ping I get a timeout with what I have configured.
Author Comment

by:marceloNYC
ID: 37807893
Okay, you guys, still the same. I have tried a lot of changes in the config. Here is where I am so far:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname xxxxxxxxxxxxxxx
enable password oQzrB18a5Qw/Vt1V encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name xxxxxxxxxxxxxxxx Outside_Address

name 172.16.11.0 VPN_POOL
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.19.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxx 255.255.255.240
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxxxxxxxxxxxxxxxxxxxxxx
access-list inside_nat0_outbound extended permit ip any VPN_POOL 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list DSS-SA-VPN_splitTunnelAcl standard permit 172.16.19.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
 
!
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxx1
route inside VPN_POOL 255.255.255.0 172.16.19.1 1 <-- is this correct?
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=xxxxxxxxxxxxxxxxx
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 1364704f
    308201e3 3082014c a0030201 02020413 64704f30 0d06092a 864886f7 0d010105
    05003036 31163014 06035504 03130d44 53532d53 412d4153 412d3031 311c301a
    06092a86 4886f70d 01090216 0d445353 2d53412d 4153412d 3031301e 170d3132
    30333237 31373330 32325a17 0d323230 33323531 37333032 325a3036 31163014
    06035504 03130d44 53532d53 412d4153 412d3031 311c301a 06092a86 4886f70d
    01090216 0d445353 2d53412d 4153412d 30313081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100a2 11bac1f8 f0990b9c 3d5d2059 0bb474ad
    ea61c64e 3c1e2a8a 30b0c5bb ed88711a 5e8e8ac7 f119d6d4 c31b987c a62a4aed
    ac2b7718 b0d45242 3cf4cd28 f0636ad4 c4ec5dc5 393e0490 459b0800 ea8095ab
    9517a682 741d918a c8de990a 1fb22989 83e0820e d195e743 0088500c 5afb67c5
    e5ee5351 1513773d 4066846d 2f903702 03010001 300d0609 2a864886 f70d0101
    05050003 8181005f 27ac9e53 2d4b47f2 cd33a8b1 94ed1850 f2217714 5ee6e6c7
    79f93c1b a6bc9c2c 64e058d1 a61b41be c80b327d 75e17ee5 6549b405 5f2e0c58
    cbbae9b2 a09b9d6e 5bfe5e31 f702a9ce e8e7b13b a2c5a49f bb198767 3eb0ce48
    0738a5ad bab036ed 9a75b449 5bddef65 220ec8e7 87bc6caf 9d6cd848 110092f5
    adaf3d4f 64e96d
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
dhcpd dns xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dhcpd domain is.ad
!
dhcpd address 172.16.19.100-172.16.19.150 inside
dhcpd dns xxxxxxxxxxxxxxxxxxx interface inside
dhcpd lease 3000 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value xxxxxxxxxxx
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DSS-SA-VPN_splitTunnelAcl
 webvpn
  svc ask enable
group-policy DSS-SA-VPN internal
group-policy DSS-SA-VPN attributes
 dns-server value xxxxxxxxxxxxxxxxxxx
 vpn-tunnel-protocol IPSec webvpn
username test password P4ttSyrm33SV8TYp encrypted privilege 7
 
tunnel-group DSS-SA-VPN type remote-access
tunnel-group DSS-SA-VPN general-attributes
 address-pool VPN_DHCP
 default-group-policy DSS-SA-VPN
tunnel-group DSS-SA-VPN ipsec-attributes
 pre-shared-key *****
!
!
 
: end
Accepted Solution

by:pclinuxguru (earned 500 total points)
ID: 37833007
Before you do what I posted, make a backup of your config. I basically compared what you posted to a 5505 that we use in a remote location. There are some things I am seeing you posted that look more like a PIX command rather than an ASA command (it just means it has been that long since I've seen it). Also note that my ASA is ver 8.4(2); if need be I can update it to match yours. After you make the changes, see what IP the ASA handed you. The other difference is I do not use the ASA for DHCP on the network, so mine is off.

Remove
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_POOL 255.255.255.0
route inside VPN_POOL 255.255.255.0 172.16.19.1 1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0


Add
nat (inside,outside) after-auto source dynamic any interface

object network MyVPN
 subnet 172.16.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip  172.16.19.0 255.255.255.0 172.16.11.0 255.255.255.0 log

ip local pool VPN_DHCP  172.16.11.10-172.16.11.254 mask 255.255.255.0

nat (inside,outside) source static any any destination static MyVPN MyVPN no-proxy-arp route-lookup

group-policy DSS-SA-VPN internal
group-policy DSS-SA-VPN attributes
 dns-server value (Ip Addresses of your internal DNS Servers)
 vpn-tunnel-protocol webvpn
 default-domain value (DOMAIN NAME)

tunnel-group DSS-SA-VPN type remote-access
tunnel-group DSS-SA-VPN general-attributes
 address-pool VPN_DHCP
 default-group-policy DSS-SA-VPN

Your users should look something like this:
username USER attributes
 vpn-group-policy DSS-SA-VPN
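The thread never pins down which of the three moving parts (the split-tunnel ACL, the `nat (inside) 0` exemption, and the pool route) is actually wrong, and the accepted answer mixes 8.3+ object and twice-NAT syntax into an 8.2(5) configuration. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a running-config excerpt the way a reviewer reads one (resolving `name` aliases, collecting the inside interface, the address pool, ACLs, nat 0 and inside routes) and reports the conditions that must hold for a remote-access client to reach the inside LAN on an 8.2 ASA. The three config excerpts are constructed from the lines posted above; the finding codes (`SPLIT_TUNNEL_MISSING`, `NAT0_MISSING`, `BOGUS_POOL_ROUTE`, `SYNTAX_VERSION_MISMATCH`) are names chosen here, not ASA syslog IDs.

```python
# Added example (not from the thread): sanity checks for an ASA 8.2 remote-access VPN
# configuration, run over excerpts constructed from the configs posted in this thread.
import ipaddress

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _endpoint(t, i, names):
    """Consume one ACL endpoint at t[i] ('any', 'host X' or 'NET MASK'); aliases resolve via names."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return _net(names.get(t[i + 1], t[i + 1]), "255.255.255.255"), i + 2
    return _net(names.get(t[i], t[i]), t[i + 1]), i + 2

def check_vpn_config(text):
    """Return 'CODE: detail' findings that would stop VPN clients reaching the inside LAN."""
    names, acls, ifaces, routes, findings = {}, {}, {}, [], []
    version = pool = split_acl = nat0_acl = nameif = None
    new_nat_syntax = False
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ASA", "Version"]:                   # e.g. "ASA Version 8.2(5)"
            version = tuple(int(x) for x in t[2].split("(")[0].split(".")[:2])
        elif t[0] == "name" and len(t) >= 3:              # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "interface":
            nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = (ipaddress.ip_address(t[2]), _net(t[2], t[3]))
        elif t[:3] == ["ip", "local", "pool"]:             # ip local pool NAME START-END mask M
            start = t[4].split("-")[0]
            pool = _net(names.get(start, start), t[6])
        elif t[0] == "access-list" and "permit" in t:
            p = t.index("permit")
            if t[2] == "standard":
                acls.setdefault(t[1], []).append((_endpoint(t, p + 1, names)[0], None))
            elif t[p + 1] == "ip":
                src, j = _endpoint(t, p + 2, names)
                acls.setdefault(t[1], []).append((src, _endpoint(t, j, names)[0]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
        elif (t[0] == "nat" and "source" in t) or t[:2] == ["object", "network"]:
            new_nat_syntax = True                          # object / twice-NAT forms are 8.3+
        elif t[0] == "split-tunnel-network-list":
            split_acl = t[2]
        elif t[:2] == ["route", "inside"]:
            routes.append((_net(names.get(t[2], t[2]), t[3]), ipaddress.ip_address(t[4])))
    inside_ip, inside_net = ifaces.get("inside", (None, None))
    if inside_net is None or pool is None:
        return ["PARSE: an 'inside' interface and an ip local pool are required"]
    if not any(s.supernet_of(inside_net) for s, _ in acls.get(split_acl, [])):
        findings.append(f"SPLIT_TUNNEL_MISSING: {split_acl} does not cover {inside_net}; "
                        "the client never sends that traffic into the tunnel")
    if not any(d is not None and s.supernet_of(inside_net) and d.supernet_of(pool)
               for s, d in acls.get(nat0_acl, [])):
        findings.append(f"NAT0_MISSING: no nat (inside) 0 exemption for {inside_net} -> {pool}; "
                        "the dynamic PAT rule is applied to VPN traffic instead")
    for net, gw in routes:
        if net.overlaps(pool) and gw == inside_ip:
            findings.append(f"BOGUS_POOL_ROUTE: route inside {net} points at the ASA's own inside "
                            f"address {gw}; pool addresses are reached through the tunnel")
    if version and version < (8, 3) and new_nat_syntax:
        findings.append(f"SYNTAX_VERSION_MISMATCH: object/twice-NAT syntax on ASA "
                        f"{version[0]}.{version[1]}; that form exists from 8.3 onward")
    return findings

# Constructed excerpts. ORIGINAL_CONFIG reproduces the relevant lines of the 8.2(5) config in
# the question, where both ACLs name 172.16.17.0/24 although the inside LAN is 172.16.19.0/24.
BASE = """\
ASA Version 8.2(5)
name 172.16.17.0 HOU-17.0-24
name 172.16.11.100 VPN_POOL_ADDRESS
interface Vlan1
 nameif inside
 ip address 172.16.19.1 255.255.255.0
ip local pool VPN_DHCP VPN_POOL_ADDRESS-172.16.11.150 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
 split-tunnel-network-list value SA-CLIENTVPN_splitTunnelAcl
"""
ORIGINAL_CONFIG = BASE + """\
access-list SA-CLIENTVPN_splitTunnelAcl standard permit HOU-17.0-24 255.255.255.0
access-list inside_nat0_outbound extended permit ip HOU-17.0-24 255.255.255.0 172.16.11.0 255.255.255.0
"""
FIXED_CONFIG = BASE + """\
access-list SA-CLIENTVPN_splitTunnelAcl standard permit 172.16.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.19.0 255.255.255.0 172.16.11.0 255.255.255.0
"""
# The accepted answer's 8.3+ NAT lines plus the questioner's pool route, still on 8.2(5).
ACCEPTED_ANSWER_CONFIG = FIXED_CONFIG + """\
object network MyVPN
nat (inside,outside) source static any any destination static MyVPN MyVPN no-proxy-arp route-lookup
route inside 172.16.11.0 255.255.255.0 172.16.19.1 1
"""
```

Call `check_vpn_config()` on the text of `show running-config`; an empty list means the split-tunnel ACL includes the inside subnet, the exemption ACL covers inside-to-pool, no route sends the pool back at the ASA's own interface, and the NAT syntax matches the running version. These are necessary conditions, not a full diagnosis: with all four satisfied, a host firewall that drops ICMP from off-subnet sources produces the same ping timeout the questioner describes.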
Author Comment

by:marceloNYC
ID: 37886809
Sorry it didn't work...
Author Closing Comment

by:marceloNYC
ID: 37926498
Thank you!