
ASA 5510 Remote Access VPN Problem

Status
Not open for further replies.

Eventius
May 13, 2007
Hi There,

I recently configured an ASA 5510 for VPN remote access. For the test I used the Cisco VPN client over a dial-up line to an ISP account for Internet access.

Then I launched the Cisco VPN client and connected to the ASA 5510 "outside" interface; the client received the private IP address that I configured on the ASA 5510.

The problem is that after the connection is successfully established, I cannot ping any host in the LAN, but they can ping me! What's the problem? Please advise.

I have attached the configuration below for your post mortem.

sh run
: Saved
:
ASA Version 7.0(6)
!
hostname MSMMASA5510
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 203.106.xx.xxx 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.254 255.0.0.0
!
interface Ethernet0/2
shutdown
nameif eth2
security-level 0
no ip address
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq lotusnotes
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq https
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq ftp
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq pop3
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq sqlnet
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq 14506
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq 1503
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq h323
access-list inside_access_out extended permit tcp 10.144.100.0 255.240.255.0 any eq lotusnotes
access-list inside_access_out extended permit tcp host 10.157.1.7 any eq www
access-list inside_access_out extended permit tcp host 10.157.1.7 any eq domain
access-list inside_access_out extended permit udp host 10.157.1.7 any eq domain
access-list inside_access_out extended permit tcp host 10.157.1.7 any eq lotusnotes
access-list inside_access_out extended permit tcp host 10.157.1.7 any eq https
access-list inside_access_out extended permit tcp host 10.157.1.7 any eq ftp
access-list inside_access_out extended permit tcp host 10.157.1.7 any eq smtp
access-list inside_access_out extended permit tcp host 10.157.5.7 any eq sqlnet
access-list inside_access_out extended permit tcp host 10.152.88.106 any eq smtp
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq www
access-list inside_access_out extended permit tcp 10.144.88.0 255.240.255.0 any eq domain
access-list inside_access_out extended permit udp 10.144.88.0 255.240.255.0 any eq domain
access-list inside_access_out extended permit tcp host 10.152.1.2 any eq www
access-list inside_access_out extended permit tcp host 10.152.1.2 any eq domain
access-list inside_access_out extended permit udp host 10.152.1.2 any eq domain
access-list inside_access_out extended permit tcp host 10.152.1.2 any eq https
access-list inside_access_out extended permit tcp host 10.152.1.2 any eq ftp
access-list inside_access_out extended permit tcp host 10.152.1.2 any eq lotusnotes
access-list inside_access_out extended permit tcp host 10.152.1.2 any eq smtp
access-list outside_access_in extended permit tcp any host 203.106.xx.xxx eq sqlnet
access-list outside_access_in extended permit tcp any host 203.106.xx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 203.106.xx.xxx eq lotusnotes
access-list outside_access_in extended permit tcp any host 203.106.xx.xxx eq www
pager lines 24
logging enable
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu eth2 1500
mtu mgmt 1500
ip local pool vpnpool 10.152.88.9 mask 255.0.0.0
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 100 203.106.18.253
nat (inside) 100 10.152.1.2 255.255.255.255
nat (inside) 100 10.152.1.7 255.255.255.255
nat (inside) 100 10.152.5.7 255.255.255.255
nat (inside) 100 10.152.88.106 255.255.255.255
nat (inside) 100 10.144.88.0 255.240.255.0
nat (inside) 100 10.144.100.0 255.240.255.0
static (inside,outside) 203.106.xx.xxx 10.152.5.7 netmask 255.255.255.255
static (inside,outside) 203.106.xx.xxx 10.152.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 203.106.18.128 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy msmm_vpn internal
group-policy msmm_vpn attributes
vpn-tunnel-protocol IPSec
webvpn
username tkhong password U7yHk6oKGDkQeBR4 encrypted
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set esp-3des-sha
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal 20
tunnel-group msmm_vpn type ipsec-ra
tunnel-group msmm_vpn general-attributes
address-pool vpnpool
tunnel-group msmm_vpn ipsec-attributes
pre-shared-key *
telnet 10.8.8.8 255.255.255.255 inside
telnet 10.8.8.8 255.255.255.255 eth2
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_h323_ras
match port udp eq 1720
class-map class_sip_tcp
match port tcp eq sip
class-map class_http
match port tcp eq 14506
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect http
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect h323 h225
inspect icmp
class class_sip_tcp
inspect sip
class class_http
inspect http
class class_h323_ras
inspect h323 ras
!
service-policy global_policy global
Cryptochecksum:f9f99702303bfeea3fd6e9d7027fb86b
: end
MSMMASA5510#


I also attached the log I captured during the ping test:

3|Jun 27 2007 02:51:44|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
3|Jun 27 2007 02:51:39|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
3|Jun 27 2007 02:51:33|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
3|Jun 27 2007 02:51:28|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
3|Jun 27 2007 02:51:22|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
6|Jun 27 2007 02:51:21|302015: Built inbound UDP connection 1002 for outside:10.152.88.9/138 (10.152.88.9/138) to NP Identity Ifc:10.255.255.255/138 (10.255.255.255/138) (tkhong)
3|Jun 27 2007 02:51:17|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
6|Jun 27 2007 02:51:14|110001: No route to 239.255.255.250 from 10.152.88.6
6|Jun 27 2007 02:51:12|302015: Built inbound UDP connection 999 for outside:10.152.88.9/137 (10.152.88.9/137) to NP Identity Ifc:10.255.255.255/137 (10.255.255.255/137) (tkhong)
3|Jun 27 2007 02:51:12|305005: No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6 (type 8, code 0)
6|Jun 27 2007 02:51:10|713228: Group = msmm_vpn, Username = tkhong, IP = 161.142.xx.xx, Assigned private IP address 10.152.88.6 to remote user


Please advise! Your reply is very much appreciated. Thank you!

Best Regards
Eventius
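What the posted log actually says, with a fix as an added example (this is not from the original post or from any reply in the thread): every `305005 No translation group found for icmp src outside:10.152.88.9 dst inside:10.152.88.6` line is a NAT failure, not an access-list denial. The inside host is covered by `nat (inside) 100 10.144.88.0 255.240.255.0` (a 255.240.255.0 mask matches 10.144 through 10.159 in the second octet, so 10.152.88.x is included), and that rule is dynamic PAT to 203.106.18.253. A dynamic PAT translation is only created by connections the inside host starts, so an echo request arriving from the tunnel finds no xlate and is dropped; the reverse direction works because the inside host builds its own PAT xlate first. The interface ACLs are not part of this: on ASA 7.x `sysopt connection permit-ipsec` is enabled by default, so decrypted IPsec traffic bypasses `outside_access_in`. The standard fix is NAT exemption (`nat 0 access-list`) between the inside network and the client pool. The pool as posted holds a single address, 10.152.88.9, so the live ACL below matches that host; the dedicated pool range in the commented lines is a hypothetical value chosen for illustration, not from the original configuration.

```cisco
! Added example, not from the original post. ASA 7.0(6) syntax.
! Assumes the pool stays as posted (single address 10.152.88.9).
!
! 1. Identity ACL: traffic from the inside network to the VPN client
!    must NOT be PAT'd to 203.106.18.253.
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 host 10.152.88.9
!
! 2. Bind it as NAT exemption on the inside interface. nat 0 with an
!    access-list wins over the nat (inside) 100 rules and works in both
!    directions, so the client may initiate toward inside hosts.
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Existing PAT xlates for the affected inside hosts linger until they
!    time out; clear them so the new rule takes effect immediately.
clear xlate
!
! 4. Recommended: give the client pool its own subnet so it cannot
!    overlap 10.0.0.0/8 on the inside interface. The range below is a
!    hypothetical value (not in the original config); if you use it,
!    replace the host entry in step 1 with the pool subnet.
! ip local pool vpnpool 192.168.200.1-192.168.200.50 mask 255.255.255.0
! access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.0
!
! 5. Verify after reconnecting the client and pinging an inside host.
! show xlate
! show conn
! show crypto ipsec sa
```

After applying this, repeat the ping and watch `show logging`: the `305005` messages should stop and, because `inspect icmp` is enabled in the posted `global_policy`, a successful echo shows up as a `302020` "Built ICMP connection" message instead. Step 1 deliberately exempts the whole 10.0.0.0/8 inside range rather than the individual hosts in the `nat (inside) 100` rules, because any inside host the client needs to reach is subject to the same problem.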
 
I worked with PIX for a while but I'm no expert. I did however see you have no permit icmp inbound. Try this, I think.

access-list outside_access_in extended permit icmp host 10.152.88.9 any

(use "any" or the specific host or network as the destination). That's for ping only. Then you have to allow ip.

access-list outside_access_in extended permit ip host 10.152.88.9 any
 
Hi.

I have this same problem with an ASA 5510, did you manage to resolve it?

 