
Cannot Ping Internal Network


spyke01

Programmer
Feb 11, 2007
12
US
Hi Guys,
I have an ASA 5520 that is having issues. I have an 871 router connected to it successfully and the inside network can ping the network of that router, however it does not work vice-versa. I ran packet tracer and it looks like it's failing at NAT Lookup.

The inside IP for the test is 10.80.139.1 (main inside router) and the router's IP is 10.80.75.1 .

Any ideas what's causing this?

Here's my ASA config:

!--- Use newest IOS and ASDM
boot system disk0:/asa821-k8.bin
asdm image disk0:/asdm-621.bin

!--- Local VPN Accounts
username test1 password Kg/Rgy23do7gPGTv encrypted
!
hostname MDCASA-CLLSeaChangeASA
domain-name suddenlink.cequel3.com
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
crypto isakmp nat-traversal 30
!
names
name 10.80.64.0 RemoteSCSubnets
name 10.80.139.0 LocalSCSubnets
name 10.80.103.96 LocalEngSubnets

!--- Generate RSA Key
crypto key generate rsa modulus 1024
write mem
!
!
!
!
interface GigabitEthernet0/0
description Outside
nameif outside
ip address 208.180.78.15 255.255.255.0
no shut
!
interface GigabitEthernet0/1
description Inside
nameif inside
ip address 10.80.139.16 255.255.255.0
no shut
!
interface GigabitEthernet0/2
no shut
!
interface GigabitEthernet0/3
no shut
!
interface GigabitEthernet1/0
no shut
!
interface GigabitEthernet1/1
no shut
!
interface GigabitEthernet1/2
no shut
!
interface GigabitEthernet1/3
no shut
!
interface Management0/0
description Management
nameif management
ip address 10.80.111.90 255.255.252.0
no shut
!
webvpn
port 444
enable outside
!

!--- Allow Access to Web Interface
http server enable
http 10.80.100.0 255.255.252.0 management
http 10.80.139.0 255.255.255.0 inside
!

!--- Default Route
route outside 0.0.0.0 0.0.0.0 208.180.78.1 1

!--- Auto IP Pool for VPN Connections
ip local pool SC_RA_Pool 10.80.200.2-10.80.200.254 mask 255.255.255.0

!--- NAT
! These groups are used for a NAT translation exemption to allow the internal network to be able to communicate with the VPN Router subnets
! Even though they are the same we have to have 2 differently named groups otherwise the system will throw a warning and not allow the NAT exclusion
object-group network OGN_WAN_1
network-object LocalSCSubnets 255.255.255.0
network-object LocalEngSubnets 255.255.255.240
network-object RemoteSCSubnets 255.255.240.0
object-group network OGN_WAN_2
network-object LocalSCSubnets 255.255.255.0
network-object LocalEngSubnets 255.255.255.240
network-object RemoteSCSubnets 255.255.240.0
!
access-list inside_accessVPNSubnet extended permit ip object-group OGN_WAN_1 object-group OGN_WAN_2
!
global (outside) 1 interface
nat (inside) 0 access-list inside_accessVPNSubnet outside
nat (inside) 1 0.0.0.0 0.0.0.0

!--- Access Lists
access-list outside_allowIncomingTrafficFromVPNSubnet remark Allow traffic to come in from our remote VPN routers
access-list outside_allowIncomingTrafficFromVPNSubnet extended permit ip object-group OGN_WAN_1 object-group OGN_WAN_2
access-list outside_allowIncomingTrafficFromVPNSubnet remark Allow ICMP
access-list outside_allowIncomingTrafficFromVPNSubnet extended permit icmp any any echo-reply
access-list outside_allowIncomingTrafficFromVPNSubnet extended permit icmp any any time-exceeded
access-list outside_allowIncomingTrafficFromVPNSubnet extended permit icmp any any echo

access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard permit 10.80.139.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.80.103.64 255.255.255.240

access-group outside_allowIncomingTrafficFromVPNSubnet in interface outside

!--- VPN Server Items
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy DfltGrpPolicy attributes
password-storage enable
nem enable
group-policy SDLCLL-VPN831 internal
group-policy SDLCLL-VPN831 attributes
wins-server value 10.80.100.11
dns-server value 10.80.100.11 10.50.101.12
vpn-tunnel-protocol IPSec
default-domain value suddenlink.cequel3.com
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
tunnel-group SDLCLL-VPN831 type remote-access
tunnel-group SDLCLL-VPN831 general-attributes
address-pool SC_RA_Pool
default-group-policy SDLCLL-VPN831
tunnel-group SDLCLL-VPN831 ipsec-attributes
pre-shared-key PASSWORD
!
 
So this 871 is on the inside of the ASA??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
No, sorry, the lab setup is this:

871 -> 3750 (simulating internet cloud) -> outside port of ASA

inside port of ASA -> 3750 (handling inside network 10.80.139.1 ip address)
 
You need to fix your groups. Take the remote out of wan1 and the locals out of wan2.
Also take off the outside acl. It isn't doing anything. Your ASA will automatically accept the VPN. You can limit traffic so only certain parts are accessed but it doesn't look like you are doing that.

If the router side of the VPN isn't working we will need to see that config as well.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks, this is my first ASA so it's a little different to me. I have made the changes you requested and here is the template I created for use on my lab 871 (few modifications for security of course). The connection is up between the two but like I said traffic from the inside makes it to the remote, however traffic from remote doesn't make it to the inside.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SC-Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.80.75.1
!
no ip dhcp pool ccp-pool
ip dhcp pool sdm-pool
import all
default-router 10.80.75.1
network 10.80.75.0 255.255.255.240
lease 0 2
!
!
no ip domain lookup
!
!
no username cisco
username xadminx privilege 15 password 0 PASSWORD
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn ASAConnection
connect auto
group SDLCLL-VPN831 key PASSWORD
mode network-extension
peer 208.180.78.15
username test1 password test1
!
!
!
!
!
interface FastEthernet0
no shut
!
interface FastEthernet1
no shut
!
interface FastEthernet2
no shut
!
interface FastEthernet3
!
interface FastEthernet4
description ** Public Port
ip address 208.180.78.230 255.255.255.0
crypto ipsec client ezvpn ASAConnection
ip mtu 1450
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no shut
!
interface Vlan1
description ** Private Side VLAN
ip address 10.80.75.1 255.255.255.240
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASAConnection inside
hold-queue 32 in
ip mtu 1450
no autostate
no shut
!
!
ip classless
ip http server
ip http authentication local
ip http secure-server
no ip http access-class 23
no ip http max-connections 4
no ip http timeout-policy idle 600 life 86400 requests 10000
!
no access-list 23
snmp-server community cmiwan RW 7
no cdp run
!
control-plane
!
no banner exec
no banner login
!
line con 0
no modem enable
no login local
no exec-timeout 120 0
transport output all
line aux 0
transport output all
line vty 0 4
exec-timeout 120 0
privilege level 15
login local
length 0
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
 
You don't have a route back to the inside network on the 871.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We usually just use a default route to the default gateway of the router and the router knows to send packets for the 10.80.x.x network back over the VPN tunnel. The current setup works on a VPN concentrator, is there any reason why this would have changed?
 
Do a show ip route on the 871 with the vpn established and post the output here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Gateway of last resort is not set

C 208.180.78.0/24 is directly connected, FastEthernet4
10.0.0.0/28 is subnetted, 1 subnets
C 10.80.75.0 is directly connected, Vlan1
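An added example, not from the thread, that models the two checks the replies raise for a remote-to-inside packet: first the 871's longest-prefix route lookup against the posted show ip route table (no gateway of last resort), then the ASA's nat (inside) 0 exemption ACL with the object groups split as Brent suggested (locals only in OGN_WAN_1, the remote subnet only in OGN_WAN_2). The default gateway 203.0.113.1 used for the "with a default route" case is a placeholder, since the thread never gives the 871's upstream gateway.

```python
import ipaddress

# Constructed from the 871's posted "show ip route": no gateway of last resort.
ROUTES_871 = [
    ("208.180.78.0/24", "FastEthernet4"),
    ("10.80.75.0/28", "Vlan1"),
]
# Placeholder default route; the 871's real upstream gateway is not in the thread.
DEFAULT_ROUTE = ("0.0.0.0/0", "via 203.0.113.1 (placeholder)")

# ASA object groups with the overlap removed as Brent advised:
# locals only in OGN_WAN_1, the remote EzVPN subnet only in OGN_WAN_2.
OGN_WAN_1 = ["10.80.139.0/24", "10.80.103.96/28"]  # LocalSCSubnets, LocalEngSubnets
OGN_WAN_2 = ["10.80.64.0/20"]                       # RemoteSCSubnets

def route_lookup(routes, dst):
    """Longest-prefix match as the 871 does it; None means the packet is dropped."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def in_group(group, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in group)

def nat_exempt(src, dst):
    """Would 'nat (inside) 0 access-list inside_accessVPNSubnet' exempt this flow?
    NAT exemption on ASA 8.2 is bidirectional: a remote-initiated flow is exempt
    when the inside -> remote direction of the same flow matches the ACL."""
    forward = in_group(OGN_WAN_1, src) and in_group(OGN_WAN_2, dst)
    reverse = in_group(OGN_WAN_1, dst) and in_group(OGN_WAN_2, src)
    return forward or reverse

def trace_remote_to_inside(src, dst, routes):
    """Walk the two hops the thread is debugging: 871 routing, then ASA NAT lookup."""
    hop = route_lookup(routes, dst)
    if hop is None:
        return {"871_route": None, "asa_nat_exempt": None,
                "verdict": "dropped on 871: no route"}
    exempt = nat_exempt(src, dst)
    verdict = "reaches inside" if exempt else "fails at ASA NAT lookup"
    return {"871_route": hop, "asa_nat_exempt": exempt, "verdict": verdict}

if __name__ == "__main__":
    print(trace_remote_to_inside("10.80.75.1", "10.80.139.1", ROUTES_871))
    print(trace_remote_to_inside("10.80.75.1", "10.80.139.1", ROUTES_871 + [DEFAULT_ROUTE]))
```

With the posted table the packet never leaves the 871; adding a default route lets it reach the ASA, where the split groups exempt it from NAT in both directions.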
 