
Basic remote VPN client setup cannot ping internal hosts


mingtmak (Technical User), Apr 5, 2006
ASA has multiple site-to-site tunnels that can communicate to each other.
Set up a basic VPN client configuration so that remote hosts can connect into the network using the Remote VPN Client software.
Unable to ping internal network local to the ASA, but I can ping every site connected by a site-to-site tunnel.
Can also ping the internal interface of the ASA that the hosts are connected to.

Here is the config below...


: Saved
:
ASA Version 7.0(4)
!
hostname TestAsa
domain-name
enable password XXXXX encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 90
ip address 172.17.16.2 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 90
ip address 172.17.17.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd AuktubEUZPg0RqiA encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.101.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.103.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 172.20.200.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.101.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.104.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_20_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_20_1 extended permit ip 10.100.103.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_20_1 extended permit ip 10.100.104.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_40_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Outside_cryptomap_40_1 extended permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Outside_cryptomap_40_1 extended permit ip 10.100.103.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Outside_cryptomap_40_1 extended permit ip 10.100.104.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Outside_cryptomap_60_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Outside_cryptomap_60_1 extended permit ip 10.100.102.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Outside_cryptomap_60_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Outside_cryptomap_60_1 extended permit ip 10.100.104.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list spoke_to_spoke extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list spoke_to_spoke extended permit ip 10.100.103.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list spoke_to_spoke extended permit ip 10.100.103.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list spoke_to_spoke extended permit ip 10.100.101.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list spoke_to_spoke extended permit ip 10.100.104.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list spoke_to_spoke extended permit ip 10.100.101.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list Outside_cryptomap_80_1 extended permit ip 172.17.16.0 255.255.255.0 172.20.200.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface Outside eq https
access-list outside_access_in extended permit icmp any interface Outside echo-reply
access-list outside_access_in extended permit icmp any interface Outside unreachable
access-list outside_access_in extended permit icmp any interface Outside time-exceeded
access-list outside_access_in extended permit tcp any interface Outside eq 3389
access-list outside_access_in extended permit tcp any interface Outside eq www
access-list DMZ_access_in extended permit ip any any
access-list Outside_cryptomap_100_1 extended permit ip any 10.100.104.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpnpool 172.17.16.226-172.17.16.254 mask 255.255.255.0
ERROR: Command requires failover license
ERROR: Command requires failover license
icmp permit any Outside
icmp permit any echo-reply Outside
icmp permit any Inside
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 10 interface
nat (Outside) 0 access-list spoke_to_spoke
nat (Outside) 10 10.100.103.0 255.255.255.0
nat (Outside) 10 10.100.104.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 172.17.16.0 255.255.255.0
static (Inside,Outside) tcp interface https 172.17.16.6 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 172.17.16.6 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 255.255.255.255
static (Inside,DMZ) 172.17.16.0 172.17.16.0 netmask 255.255.255.0
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 69.36.107.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ***** internal
group-policy ***** attributes
dns-server value 172.17.16.2
vpn-tunnel-protocol IPSec
default-domain value *****
webvpn
username ***** password XXXXX encrypted
username ***** password XXXXX encrypted privilege 15
username ***** password XXXXX encrypted
aaa authorization command LOCAL
http server enable
http 172.17.16.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer X.X.X.X
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address Outside_cryptomap_40_1
crypto map Outside_map 40 set peer X.X.X.X
crypto map Outside_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address Outside_cryptomap_60_1
crypto map Outside_map 60 set peer X.X.X.X
crypto map Outside_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 80 match address Outside_cryptomap_80_1
crypto map Outside_map 80 set peer X.X.X.X
crypto map Outside_map 80 set transform-set ESP-3DES-MD5
crypto map Outside_map 90 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map 100 match address Outside_cryptomap_100_1
crypto map Outside_map 100 set peer X.X.X.X
crypto map Outside_map 100 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 43200
isakmp nat-traversal 20
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group ***** type ipsec-ra
tunnel-group ***** general-attributes
address-pool vpnpool
tunnel-group ***** ipsec-attributes
pre-shared-key *
telnet 172.17.16.0 255.255.255.0 Inside
telnet timeout 5
ssh X.X.X.X 255.255.255.255 Outside
ssh X.X.X.X 255.255.255.255 Outside
ssh X.X.X.X 255.255.255.255 Outside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 172.17.16.175-172.17.16.225 Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns X.X.X.X X.X.X.X
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config Inside
dhcpd enable Inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:833ae480748c40be954c0ead2735e4bf
: end

I based this off the link below:

Could it be that the vpnpool addresses should be in a different subnet than the internal ASA network?

Thanks!


- Jon
 
Yes, you are supposed to use a different subnet for your VPN pool.
 
Funny enough, it doesn't show in the example config. Thanks for your response brianinms. I'll give it a go.

- Jon
 
And you need split-tunneling enabled for the clients or they will route all traffic down the VPN tunnel while connected.
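
As an added example (not from the original post or from either reply), here is how the pool, NAT-exemption and split-tunnel pieces of the posted ASA 7.0(4) config look with both of brianinms's suggestions applied. 172.17.30.0/24 is an assumed free subnet chosen for the example, and RA_POLICY / RA_GROUP are placeholders for the starred-out group-policy and tunnel-group names in the post. The reason the overlapping pool fails is that inside hosts see 172.17.16.226-254 as on-link, so they ARP for the client address on the LAN instead of sending replies to the ASA; the ASA itself answers pings because no ARP lookup is involved, and spoke sites work because that traffic never leaves the tunnels.

```cisco
! Added example, not the poster's config. 172.17.30.0/24 is an ASSUMED free subnet;
! RA_POLICY and RA_GROUP are ASSUMED names for the starred-out group-policy/tunnel-group.

! 1. Move the client pool off the Inside subnet so inside hosts route replies back
!    through the ASA instead of ARPing for the client on the LAN.
no ip local pool vpnpool 172.17.16.226-172.17.16.254 mask 255.255.255.0
ip local pool vpnpool 172.17.30.1-172.17.30.254 mask 255.255.255.0

! 2. Exempt Inside <-> pool traffic from NAT. nat-control is on and
!    nat (Inside) 10 172.17.16.0 255.255.255.0 would otherwise try to PAT it.
!    nat (Inside) 0 access-list Inside_nat0_outbound already exists in the posted
!    config, so only this ACL entry is new.
access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 172.17.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.17.17.0 255.255.255.0 172.17.30.0 255.255.255.0

! 3. Split tunnelling: only the corporate networks go down the tunnel; the client's
!    own Internet traffic stays local instead of being hairpinned through the ASA.
access-list split_tunnel standard permit 172.17.16.0 255.255.255.0
access-list split_tunnel standard permit 172.17.17.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

! 4. Make sure the tunnel-group actually uses that policy; the posted tunnel-group
!    general-attributes only sets address-pool.
tunnel-group RA_GROUP general-attributes
 address-pool vpnpool
 default-group-policy RA_POLICY
```

Two checks after applying this: with a client connected, `show crypto ipsec sa` for that peer should show both the #pkts encaps and #pkts decaps counters climbing while the client pings an inside host; decaps rising with encaps stuck at zero means the return path (NAT or routing) is still wrong. Also note that the site-to-site ACLs (Outside_cryptomap_20_1 and friends) and the spoke_to_spoke NAT exemption currently cover 172.17.16.0/24, which is why clients could reach the spoke sites with the overlapping pool; if clients must keep reaching those sites, the new pool subnet has to be added to those ACLs here and to their mirror ACLs on the remote peers.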
 