ASA - upgrade to 8.4, impossible to ping inside the interface via IPSec VPN

We have configured a site 5, site to site VPN scenario. Last week, we have upgraded 2 devices ASA 5505 to 8.4.2. Before the upgrade, our monitoring software would ping the inside interface from remote devices to confirm VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA. While we were on 8.2, remote equipment successfully ping the inside interface. After that we went to 8.4.2 we can do a ping to this interface. We looked at the newspapers and we see the ICMP traffic that is listed in the newspaper, but the remote equipment does not receive back icmp traffic. We can ping successfully from local hardware interface inside and the external interface of remote devices successfully. In addition, we can ping material behind the two devices in both directions successfully.

We are unable to remotely manage the device through the VPN tunnel

Net is:

ASA #1 inside 10.168.107.1 (running ASA 8.2)

ASA #2 inside 10.168.101.1 (running ASA 8,4)

Server 1 (behind the ASA #1) 10.168.107.34

Server 2 (behind the ASA #2) 10.168.101.14

Can ping server 1 Server 2

Can ping server 1 to 1 of the SAA

Can ping server 2-ASA 2

Can ping server 2 to server 1

Can ping server 2 ASA 1

Can ping ASA 2 ASA 1

can not ping ASA 1 and 2 of the ASA

can not ping server 1 and 2 of the ASA

cannot access the ASA 2 https for management interface, nor can the ASDM software

Here is the config on ASA (attached) 2.

Any thoughts would be appreciated.

Hey Joseph,.

Most likely, you hit this bug:

CSCtr16184 Details of bug

To-the-box traffic switches vpn hosts after upgrade to 8.4.2.

Symptom:
After the upgrade of the ASA to 8.4.2 all management traffic to employment (including the)
ICMP/telnet/ssh/ASDM) hosts via the VPN (L2L or remote access VPN) can
fail the IP access address to the administration. Conditionsof :
1. the problem occurs if ASA is on 8.4.2. Not been seen on 8.4.1.
2. the user directly logged in the face of internal interfaces no problem with
ICMP/telnet/ssh/AMPS in their respective interfaces. Workaround:
The problem goes back to a Manual NAT statement that straddles the
address IP-access to the administration. The NAT must have both the
source areas and destination. Add the keyword "research route" at the end of
the statement by NAT solves the problem. Ex:
IP address access to the administration Interface of the ASA is 192.168.1.1. ! Statement by NAT overlapping:
NAT obj destination - 192.168.1.0 obj - 192.168.1.0 Shared source (indoor, outdoor)
VPN-vpn-obj static obj! New declaration:
NAT obj destination - 192.168.1.0 obj - 192.168.1.0 Shared source (indoor, outdoor)
public static obj - vpn vpn-obj-research route

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

HTH,

Raga

Tags: Cisco Security

Similar Questions

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

Cannot ping ASA inside the interface via VPN

Hello

I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?

Thanks for your suggestions.

Remi

Hello

You must have the 'inside access management' command configured on the SAA.

If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem

-Jouni

Not able to ping inside the interface from outside

Hello

I'm trying to stimulate a new network like the diagram of the topology below:

Topology

However, I have a problem:

ASA:

I can ping to:

192.168.200.1 (Site_RTR IP, int fa0/1)

192.168.200.2 (ASA vlan interface IP, outside interface)

10.133.95.12 (DC_RTR, int fa0/1)

10.133.200.1 (ASA vlan interface IP, inside the interface)

10.133.200.23 (machine)

The RTR website, I can do a ping to:

10.133.95.12

192.168.200.1

192.168.200.2

10.133.200.23 (machine)

but not

10.133.200.1 (ASA vlan interface IP, inside the interface)

Question 1:

It is possible to access / ping back to this address within the IP Interface from outside?

Question 2:

As all subnets 10.0.0.0/8 will go through the interface on the outside, however for the internet traffic, out thru interfacera outside 2.

I haven't set up any nat, is correct to nat all out for outside2?

NAT (inside outside2) source Dynamics one interface

Configuration

Thanks for the help.

JJ

Hi JJ,

If you plan doing a ping within the IP address of the interface, while the traffic is coming from any interface other than inside, you won't able to ping inside the IP address of the interface.

This is by design, and you cannot change it by any ACL or other settings.

Thank you
Ishan
Please do not forget to select a correct answer and rate useful posts

Ping inside the interface on a Pix 501 from outside the network

All the

I have a Pix 501 firewall at a remote site with an IPSEC tunnel established at HQ. We have an analysis tool which remote sites for us let proactively pings know when a site crashes. I want to set up this ping the inside interface of the Pix tool as I can with 871 routers; However I can't configure the Pix to allow ICMP inside interface. I know by default that the Pix does not allow ICMP to the opposite interface and I was wondering if someone could help me with a configuration that will allow this? I enclose my configuration of the pix!

Thank you

Brian

Hello

By raising the ordering tool, it seems that the 'management-access' command was introduced in version 6.3

I recommend spending at 6.3 If you can.

Federico.

Can not handle the ASA inside the interface of Site to Site VPN

Hi all

I was deploying new site to site between ASA 8.0 (HQ) and ASA 8.4 (branch). Everything works fine but I have a problem on the ASA-reach remote that I can't manage branch ASA with inside the interface IP address.

My setup on remote ASA

management-access inside

ICMP allow any inside

SSH 0.0.0.0 0.0.0.0 inside

SNMP-server host inside 10.0.1.101 communitry test-snmp version 2 c

My Test

-ping of the AC for inside the interface of remote ASA
- Client time-out see demand
- When debug icmp on ASA remote then ASA show only ICMP request to HQ no response back from remote ASA
I'm not sure whether it's a bug on ASA 8.4 or not because I can manage a remote other ASA what version 8.0 software HQ

Thanks in advance

Do not know what 8.4 version you use, but it is broken in the 8.4 (2), I stumbled upon the upgrade from same problem. SSH and ASDM will not connect through a VPN L2L interface inside. This worked well in 8.4 (1).

CSCtr16184

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

[email protected] / * /.

Cannot ping inside the ASA from the inside interface

Don't know what I did wrong... appreciate any help

Here is the page layout

laptop--> cisco 3750 switch--> ASA5505 firewall--> future VPN tunnel

Laptop, switch interface VLAN and inside the ASA are all in the same subnet

Switch and ASA have all interfaces local network VIRTUAL 52 (the subnet in question), except for the external interface

-----------------

This is the problem

laptop getting ip addressing and def GW via DHCP from the firewall

switch and FW can ping each other without problem

FW can't ping, still gets the DHCP scope.

Thank you

Dave

Hello

How did you setup?

The laptop is connected to a port of the 3750 (VLAN 52).

The connection between the 3750 and the SAA is a chest or a link L3?

If the 3750 has a SVI belonging to VLAN52, you can ping from the correct PC? As well as the ASA?

Federico.

ASA 5505 9.1 Unable to ping inside the IPSec VPN network

To give some background that the asa has been reloaded and upgranded from 8.2 to 9.1. I am able to connect to vpn, but unable to reach anything inside, including of the asa. I didn't unfortunately not much experience with 8.3 +, but I thought that I had nat made appropriately. Nothing else is currently configured for the asa, as it's just an asa test currently, so I could of just missed something odvious.

ASA Version 9.1 (3)

!

hostname testasa

activate the encrypted password of Ry5/Pmodu2QL1Xe3

volatile xlate deny tcp any4 any4

volatile xlate deny tcp any4 any6

volatile xlate deny tcp any6 any4

volatile xlate deny tcp any6 any6

volatile xlate deny udp any4 any4 eq field

volatile xlate deny udp any4 any6 eq field

volatile xlate deny udp any6 any4 eq field

volatile xlate deny udp any6 any6 eq field

names of

mask 192.168.3.1 - 192.168.3.200 255.255.255.0 IP local pool VPNPool

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

switchport access vlan 2

!

interface Ethernet0/4

switchport access vlan 2

!

interface Ethernet0/5

switchport access vlan 2

!

interface Ethernet0/6

switchport access vlan 2

!

interface Ethernet0/7

switchport access vlan 2

!

interface Vlan1

nameif outside

security-level 0

IP address dhcp setroute

!

interface Vlan2

nameif inside

security-level 100

IP 192.168.2.252 255.255.255.0

!

passive FTP mode

network of the NETWORK_OBJ_192.168.2.0_24 object

Subnet 192.168.2.0 255.255.255.0

network of the NETWORK_OBJ_192.168.3.0_24 object

subnet 192.168.3.0 255.255.255.0

network of object obj-Interior

Subnet 192.168.2.0 255.255.255.0

object obj - vpn network

subnet 192.168.3.0 255.255.255.0

VPNGroup_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) static source inside obj obj-indoor destination static obj - vpn obj - vpn

!

NAT source auto after (indoor, outdoor) dynamic one interface

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.2.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec pmtu aging infinite - the security association

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

trustpool crypto ca policy

Crypto ikev1 allow outside

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

SSH group dh-Group1-sha1 key exchange

Console timeout 0

interface ID client DHCP-client to the outside

dhcpd address 192.168.2.50 - 192.168.2.100 inside

dhcpd dns 208.67.222.222 198.153.192.40 interface inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

AnyConnect essentials

internal VPNGroup group strategy

Group Policy attributes VPNGroup

value of server DNS 208.67.222.222 198.153.192.40

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPNGroup_splitTunnelAcl

disable the split-tunnel-all dns

no method of MSIE-proxy-proxy

VLAN no

NAC settings no

test I9znLlryc6yq.BN4 encrypted privilege 15 password username

tunnel-group VPNGroup type remote access

attributes global-tunnel-group VPNGroup

address pool VPNPool

Group Policy - by default-VPNGroup

IPSec-attributes tunnel-group VPNGroup

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

Review the ip options

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

inspect the icmp

inspect the icmp error

!

global service-policy global_policy

context of prompt hostname

Hello

To be honest, I can't see anything in the configuration that should be a problem.

Your NAT settings seem to be correct.

You have the global setting of "sysopt connection permit - vpn" who does not appear in this form in the CLI configuration. This configuration means essentially that the SAA would allow traffic from a VPN connection to work around interface ACL of the interface when the VPN connection is completed (outside)

Your ACL Split Tunnel is also correct.

You might connect with VPN Client and run a continuous ICMP to a host of LAN and provide an output of the following command after a the ICMP has run a few seconds

Crypto ipsec to show his

Should see the counters of VPN.

You can also try adding

management-access inside

This should allowed you to the 'internal' to the ASA IP ICMP and also manage ASA through the VPN connection by using the 'internal' the IP address provided you have enabled it. But for this you need to change the configuration of "nat" in this

NAT (inside, outside) static source inside obj obj-indoor destination static obj - vpn vpn-obj-research route

Hope this helps

-Jouni

Administration of the ASA via IPSec VPN

Recently, I upgraded my ASA5505 8.2.1 7.2 and curiously lost the ability to manage a VPN (via ASDM or SSH) unit. Before the upgrade, I was able to connect via a method without problem through the VPN. Internally, I still have no problem.

The fault on the ASDM client message when I try to connect to remote is "Impossible to launch the 10.x.x.x:4444 Device Manager." If I look at the output of the console mode of information, I see later that there is a "completed by interception TCP Flow' regarding the conversation between ASA and my system remotely.

The config lines are (I've got running on 443 webvpn):

http server enable 4444

255.x.x.x http inside 10.x.x.x

http 192.x.x.x outside 255.x.x.x

The 192 is located the beach DHCP VPN that get VPN clients (and I checked) such that these systems are able to connect to the ASDM or SSH management interface.

Is there another ACL I need to make this work? Not sure why it worked without problem on 7.2 and as soon as I upgraded to 8.2.1, he stopped, without changing the config (manual).

Thanks in advance for the help!

Point VPN network ssh interface inside rather than the outside, should work, while vpn - ssh to the asa inside the ip address of the interface.

without ssh 192.x.x.x 255.x.x.x outdoors.

SSH 192.x.x.x 255.x.x.x inside.

Concerning

Remote access VPN client to connect but cannot ping inside the host, after that split tunnel is activated (config-joint)

Hello

I don't know what could be held, vpn users can ping to the outside and inside of the Cisco ASA interface but can not connect to servers or servers within the LAN ping.

is hell config please kindly and I would like to know what might happen.

hostname horse

domain evergreen.com

activate 2KFQnbNIdI.2KYOU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

ins-guard

!

interface GigabitEthernet0/0

LAN description

nameif inside

security-level 100

192.168.200.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description CONNECTION_TO_FREEMAN

nameif outside

security-level 0

IP 196.1.1.1 255.255.255.248

!

interface GigabitEthernet0/2

Description CONNECTION_TO_TIGHTMAN

nameif backup

security-level 0

IP 197.1.1.1 255.255.255.248

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

management only

!

boot system Disk0: / asa844-1 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain green.com

network of the NETWORK_OBJ_192.168.2.0_25 object

Subnet 192.168.2.0 255.255.255.128

network of the NETWORK_OBJ_192.168.202.0_24 object

192.168.202.0 subnet 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

Access extensive list permits all ip a OUTSIDE_IN

gbnlvpntunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

gbnlvpntunnell_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnell_splitTunnelAcl allow 192.168.202.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

backup of MTU 1500

mask of local pool VPNPOOL 192.168.2.0 - 192.168.2.100 IP 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-645 - 206.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

!

network obj_any object

dynamic NAT interface (inside, backup)

Access-group interface inside INSIDE_OUT

Access-group OUTSIDE_IN in interface outside

Route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

Route outside 0.0.0.0 0.0.0.0 197.1.1.2 254

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

monitor SLA 100

type echo protocol ipIcmpEcho 212.58.244.71 interface outside

Timeout 3000

frequency 5

monitor als 100 calendar life never start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

backup of crypto backup_map interface card

Crypto ikev1 allow outside

Crypto ikev1 enable backup

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

!

track 10 rtr 100 accessibility

Telnet 192.168.200.0 255.255.255.0 inside

Telnet 192.168.202.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.202.0 255.255.255.0 inside

SSH 192.168.200.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 15

SSH group dh-Group1-sha1 key exchange

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntunnel strategy

Group vpntunnel policy attributes

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntunnel_splitTunnelAcl

field default value green.com

internal vpntunnell group policy

attributes of the strategy of group vpntunnell

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list gbnlvpntunnell_splitTunnelAcl

field default value green.com

Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password

attributes of user name THE

VPN-group-policy gbnlvpn

tunnel-group vpntunnel type remote access

tunnel-group vpntunnel General attributes

address VPNPOOL pool

strategy-group-by default vpntunnel

tunnel-group vpntunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group vpntunnell remote access

tunnel-group vpntunnell General-attributes

address VPNPOOL2 pool

Group Policy - by default-vpntunnell

vpntunnell group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

Hello

1 - Please run these commands:

"crypto isakmp nat-traversal 30.

"crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.

The main issue here is that you have two roads floating and outside it has a better than backup metric, that's why I added the command 'reverse-road '.

Please let me know.

Thank you.

try VPN remote ping inside the network

I use this Setup

http://www.Cisco.com/image/gif/en/us/guest/tech/TK372/c1492/ccmigration_09186a008009442e.gif

I cannot ping inside user from the remote client?

do you know why?

Add...

management-access inside

Please evaluate the useful messages.

Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

Hello!

I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.

ASA Version 9.1 (1)

!

ASA host name

domain xxx.xx

names of

local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

!

interface GigabitEthernet0/0

nameif inside

security-level 100

192.168.11.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description Interface_to_VPN

nameif outside

security-level 0

IP 111.222.333.444 255.255.255.240

!

interface GigabitEthernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

management only

nameif management

security-level 100

192.168.5.1 IP address 255.255.255.0

!

passive FTP mode

DNS server-group DefaultDNS

www.ww domain name

permit same-security-traffic intra-interface

the object of the LAN network

subnet 192.168.11.0 255.255.255.0

LAN description

network of the SSLVPN_POOL object

255.255.255.0 subnet 192.168.12.0

VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

management of MTU 1500

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 711.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN

Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

list of URLS no

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

LOCAL AAA authorization exec

Enable http server

http 192.168.5.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec pmtu aging infinite - the security association

Crypto ca trustpoint ASDM_TrustPoint5

Terminal registration

E-mail [email protected] / * /

name of the object CN = ASA

address-IP 111.222.333.444

Configure CRL

Crypto ca trustpoint ASDM_TrustPoint6

Terminal registration

domain name full vpn.domain.com

E-mail [email protected] / * /

name of the object CN = vpn.domain.com

address-IP 111.222.333.444

pair of keys sslvpn

Configure CRL

trustpool crypto ca policy

string encryption ca ASDM_TrustPoint6 certificates

Telnet timeout 5

SSH 192.168.11.0 255.255.255.0 inside

SSH timeout 30

Console timeout 0

No ipv6-vpn-addr-assign aaa

no local ipv6-vpn-addr-assign

192.168.5.2 management - dhcpd addresses 192.168.5.254

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

SSL-trust outside ASDM_TrustPoint6 point

WebVPN

allow outside

CSD image disk0:/csd_3.5.2008-k9.pkg

AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

AnyConnect enable

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

internal VPN_CLIENT_POLICY group policy

VPN_CLIENT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - 5 concurrent connections

VPN-session-timeout 480

client ssl-VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

myComp.local value by default-field

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

time to generate a new key 30 AnyConnect ssl

AnyConnect ssl generate a new method ssl key

AnyConnect client of dpd-interval 30

dpd-interval gateway AnyConnect 30

AnyConnect dtls lzs compression

AnyConnect modules value vpngina

value of customization DfltCustomization

internal IT_POLICY group policy

IT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - connections 3

VPN-session-timeout 120

Protocol-tunnel-VPN-client ssl clientless ssl

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

field default value societe.com

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

AnyConnect dtls lzs compression

value of customization DfltCustomization

username vpnuser password PA$ encrypted $WORD

vpnuser username attributes

VPN-group-policy VPN_CLIENT_POLICY

type of remote access service

Username vpnuser2 password PA$ encrypted $W

username vpnuser2 attributes

type of remote access service

username admin password ADMINPA$ $ encrypted privilege 15

VPN Tunnel-group type remote access

General-attributes of VPN Tunnel-group

address VPN_CLIENT_POOL pool

Group Policy - by default-VPN_CLIENT_POLICY

VPN Tunnel-group webvpn-attributes

the aaa authentication certificate

enable VPN_to_R group-alias

type tunnel-group IT_PROFILE remote access

attributes global-tunnel-group IT_PROFILE

address VPN_CLIENT_POOL pool

Group Policy - by default-IT_POLICY

tunnel-group IT_PROFILE webvpn-attributes

the aaa authentication certificate

enable IT Group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

: end

Help me please! Thank you!

Hello

Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

Thank you

swap

Cannot ping inside the vpn client hosts. It's a NAT problem

Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

AAA new-model

!

!

AAA authentication login default local

radius of group AAA authentication login userauthen

AAA authorization exec default local

AAA authorization groupauthor LAN

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group businessVPN

key xxxxxx

DNS 192.168.10.2

business.local field

pool vpnpool

ACL 108

Crypto isakmp VPNclient profile

businessVPN group identity match

client authentication list userauthen

ISAKMP authorization list groupauthor

client configuration address respond

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

Define VPNclient isakmp-profile

market arriere-route

!

!

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

interface Loopback0

IP 10.1.10.2 255.255.255.252

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

!

Null0 interface

no ip unreachable

!

interface FastEthernet0/0

IP 111.111.111.138 255.255.255.252

IP access-group outside_in in

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

inspect the outgoing IP outside

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

the integrated-Service-Engine0/0 interface

description Locator is initialized with default IMAP group

IP unnumbered Loopback0

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

ip address of service-module 10.1.10.1 255.255.255.252

Service-module ip default gateway - 10.1.10.2

interface BVI1

IP 192.168.10.1 255.255.255.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

IP virtual-reassembly

IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

IP nat inside source map route nat interface FastEthernet0/0 overload

nat extended IP access list

deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

sheep extended IP access list

permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

outside_in extended IP access list

permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

permit any any eq 443 tcp

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

allow any host 111.111.111.138 esp

allow any host 111.111.111.138 eq isakmp udp

allow any host 111.111.111.138 eq non500-isakmp udp

allow any host 111.111.111.138 ahp

allow accord any host 111.111.111.138

access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

!

!

!

!

route nat allowed 10 map

match ip address nat

1 channel ip bridge

In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

Kind regards

I can't ping the interface inside of asa or telnet, when I came across the anyconnect vpn

Hey Cisco net guys pro

When I connect via anyconnect VPN to ASA 9.x, OS, I cannot ping inside
the interface of asa or telnet, but I could ping at the interface of the router address
ASA, the same two subnet

Telnet 0.0.0.0 0.0.0.0 inside

ICMP allow any insid

Hi Ibrahim.

Try 'inside access management' and let us know how it rates.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Impossible to ping anyconnect Client IP de ASA

Hello world

I can't connect to cisco anyconenct fine no problem.

When connected I ping the SAA in interface and other subnets that are behind the ASA inside the interface from the PC connected through the VPN.

My only problem is that of ASA, I cannot ping IP of 10.0.0.5.

ASA1 # sh anyconnect vpn-sessiondb

Session type: AnyConnect

User name: anyconnect_user index: 54

Assigned IP: 10.0.0.5 Public IP address: 192.168.98.2

Protocol: AnyConnect-Parent-Tunnel SSL DTLS-Tunnel
License: AnyConnect Essentials
Encryption: AnyConnect-Parent: (1) no SSL Tunnel: (1) AES128 DTLS-Tunnel: (1) AES128
Hash: AnyConnect-Parent: (1) no SSL Tunnel: (1) SHA1 DTLS-Tunnel: SHA1 (1)
TX Bytes: 12318 bytes Rx: 73502
Group Policy: anyconnect_group
Tunnel of Group: anyconnect_connection_profile
Connect time: 23:21:28 MST Friday, March 7, 2014
Duration: 0 h: 34 m: 33 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no

I ping the switch connected to ASA inside interface

ASA1 # ping 10.0.0.2

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.0.0.2, time-out is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = ms 04/01/10

I can ping from the ASA inside interface

ASA1 # ping 10.0.0.1 - ASA inside interface

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.0.0.1, time-out is 2 seconds:

!!!!!

Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1 # ping 10.0.0.5

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.0.0.5, time-out is 2 seconds:

?????

Success rate is 0% (0/5)

ASA1 #.

Journal of the shows

March 7, 2014 23:00:52: % ASA-6-302020: built outgoing ICMP connection for 10.0.0.5/0(LOCAL\anyconnect_user faddr) gaddr laddr 192.168.1.171/1168 192.168.1.171/1168

March 7, 2014 23:01:02: % ASA-6-302021: connection of disassembly ICMP for faddr 10.0.0.5/0(LOCAL\anyconnect_user) gaddr laddr 192.168.1.171/1168 192.168.1.171/1168

Where IP 192.168.1.171 is ASA outside interface

Concerning

MAhesh

Hello Manu,

Have you tried to ping the network interior? Or the package from inside the source interface of the ASA? Remember, you should have some rules exemption nat for packets going through the VPN connection. That's how specify us which networks are allowed to join the VPN clients. If you ping without specify any interface the packet is going to come from the external interface, and probably this interface/subnet is not allowed through the VPN connection. Using split tunnel or tunnelall?

You can try to activate the management of access to the inside interface and the ping from the inside. These packages should hit the exemption nat rule and will be sent through the tunnel instead of the Internet.

These are the necessary commands:

To specify an interface as an interface of management only, enter the following command:
```
 hostname(config)# management access inside
```
Then, you could do an inside 10.0.0.5 ping to ping the ASA AnyConnect client.

Notes on the access management command:

If your VPN tunnel ends on an interface, but you want to manage the ASA by accessing a different interface, you can identify this interface as an interface for management access. For example, if you enter the ASA of the external interface, this feature allows you to connect inside the interface by using ASDM, SSH, Telnet or SNMP. or you can test inside the interface at the entrance to the external interface. Management is accessible by the following VPN tunnels types: client IPsec, the client AnyConnect SSL VPN and IPsec LAN-to-LAN.

Hope this helps,

Luis

ASA - upgrade to 8.4, impossible to ping inside the interface via IPSec VPN

CSCtr16184 Details of bug

Similar Questions

Maybe you are looking for