Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cannot ping internal network behind Cisco ASA 5505 using VPN client

Status
Not open for further replies.
Chiefttimby

Chiefttimby

IS-IT--Management
Mar 23, 2004
4
0
0
CA
Hola.

Current situation:
- Cisco VPN client connects to ASA outside interface (public IP) and authenticates via Kerberos/LDAP to an internal Windows AD server.
- VPN client PC obtains address from ASA locally defined IP pool, on subnet 172.16.1.0/28.
- VPN client PC cannot ping ANY internal network host on 10.0.0.0/16, not even ASA inside int at 10.0.0.2.

Other device config:
- Internal test host PC 10.0.0.3/16 default GW = 10.0.0.1
- Cisco 2600 route back to VPN client subnet = 172.16.1.0 255.255.255.240 10.0.0.2

The question is, do I need NAT-T if I'm not using the ASA as the Internet gateway? For that purpose I am using a PIX, with the 10.0.0.1 Cisco 2600 as the internal gateway. My ASA config is:

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name domain.com
enable password QrxI7T2E6JEytHJp encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd jaIk.zJh96M5BUFH encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name domain.com
object-group network LAN
description Inside subnet
network-object 10.0.0.0 255.255.255.0
object-group network VPNGroup
description VPN Client Network
network-object 172.16.1.0 255.255.255.240
access-list Remote_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list Remote_splitTunnelAcl standard permit 172.16.1.0 255.255.255.240
access-list Remote extended permit esp object-group VPNGroup object-group LAN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool =VPNClients 172.16.1.1-172.16.1.7 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Authent protocol kerberos
aaa-server Authent host 10.0.0.15
kerberos-realm DOMAIN.COM
aaa-server Author protocol ldap
aaa-server Author host 10.0.0.15
ldap-base-dn ou=TO-Users
ldap-scope onelevel
ldap-naming-attribute uid
server-type microsoft
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 1440
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy T-Remotes internal
group-policy T-Remotes attributes
wins-server value 10.0.0.15
dns-server value 10.0.0.15
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value T-Remotes
default-domain value sub.domain.com
address-pools value VPNClients
tunnel-group T-Remotes type ipsec-ra
tunnel-group T-Remotes general-attributes
address-pool VPNClients
authentication-server-group Authent
authorization-server-group TAuthor
default-group-policy T-Remotes
tunnel-group T-Remotes ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:02cb73b98d6c07d219e86bd9082ee56e
: end


Gracias!
 
Sort by date Sort by votes
Does any traffic work from the VPN client to the internal network?

Also you have this in your group policy:

authorization-server-group TAuthor

I dont see the TAuthor defined.

aaa-server Authent protocol kerberos
aaa-server Authent host 10.0.0.15
kerberos-realm DOMAIN.COM
aaa-server Author protocol ldap
aaa-server Author host 10.0.0.15
ldap-base-dn ou=TO-Users
ldap-scope onelevel
ldap-naming-attribute uid
server-type microsoft

 
Upvote 0 Downvote
Thanks so much for the reply, Ghost!

I apologize, I slightly edited my actual ASA config for security reasons. I guess I missed changing the authorization AAA group name. Below is an updated config.

In regards to your question about whether any traffic gets from the VPN client to the internal network, that's a big no. From other posts I have seen online with this similar problem, usually the VPN client can ping the inside interface of the ASA but nothing else. In my case, I cannot ping ANY internal address, including the ASA inside interface.

One thing that keeps bugging me is whether to use a portion of the existing internal network's subnet addresses (in this case 10.0.0.0/24), or a completely different private IP scheme (172.16.0.0/28 as my config is currently using) for the VPN client address pool. You can see in my config I have actually tried both since there is an access-list for each of these networks. Regardless of which address the VPN client gets, I am still unable to ping to the internal network from the client.

Updated ASA config including TAuthor AAA group:

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name domain.com
enable password QrxI7T2E6JEytHJp encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd jaIk.zJh96M5BUFH encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name domain.com
object-group network LAN
description Inside subnet
network-object 10.0.0.0 255.255.255.0
object-group network VPNGroup
description VPN Client Network
network-object 172.16.1.0 255.255.255.240
access-list Remote_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list Remote_splitTunnelAcl standard permit 172.16.1.0 255.255.255.240
access-list Remote extended permit esp object-group VPNGroup object-group LAN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool =VPNClients 172.16.1.1-172.16.1.7 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Authent protocol kerberos
aaa-server Authent host 10.0.0.15
kerberos-realm DOMAIN.COM
aaa-server TAuthor protocol ldap
aaa-server TAuthor host 10.0.0.15
ldap-base-dn ou=TO-Users
ldap-scope onelevel
ldap-naming-attribute uid
server-type microsoft
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 1440
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy T-Remotes internal
group-policy T-Remotes attributes
wins-server value 10.0.0.15
dns-server value 10.0.0.15
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value T-Remotes
default-domain value sub.domain.com
address-pools value VPNClients
tunnel-group T-Remotes type ipsec-ra
tunnel-group T-Remotes general-attributes
address-pool VPNClients
authentication-server-group Authent
authorization-server-group TAuthor
default-group-policy T-Remotes
tunnel-group T-Remotes ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:02cb73b98d6c07d219e86bd9082ee56e
: end
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
129
AllenH12
AllenH12
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
152
intel233
intel233
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
53
WhosYourDiffie
WhosYourDiffie
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
163
intel233
intel233
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
56
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top