Cannot ping inside the ASA from the inside interface

Don't know what I did wrong... appreciate any help

Here is the page layout

laptop--> cisco 3750 switch--> ASA5505 firewall--> future VPN tunnel

Laptop, switch interface VLAN and inside the ASA are all in the same subnet

Switch and ASA have all interfaces local network VIRTUAL 52 (the subnet in question), except for the external interface

-----------------

This is the problem

laptop getting ip addressing and def GW via DHCP from the firewall

switch and FW can ping each other without problem

FW can't ping, still gets the DHCP scope.

Thank you

Dave

Hello

How did you setup?

The laptop is connected to a port of the 3750 (VLAN 52).

The connection between the 3750 and the SAA is a chest or a link L3?

If the 3750 has a SVI belonging to VLAN52, you can ping from the correct PC? As well as the ASA?

Federico.

Tags: Cisco Security

Similar Questions

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

Cannot ping via the VPN client host when static NAT translations are used

Hello, I have a SRI 3825 configured for Cisco VPN client access.

There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

Any help would be appreciated.

Concerning

!

session of crypto consignment

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group vpnclient

key S3Cu4Ke!

DNS 192.168.1.1 192.168.1.2

domain domain.com

pool dhcppool

ACL 198

Save-password

PFS

netmask 255.255.255.0

!

!

Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

!

Crypto-map dynamic dynmap 10

86400 seconds, life of security association set

game of transformation-3DES-SECURE

market arriere-route

!

card crypto client cryptomap of authentication list drauthen

card crypto isakmp authorization list drauthor cryptomap

client configuration address card crypto cryptomap answer

map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

!

interface GigabitEthernet0/0

NAT outside IP

IP 1.2.3.4 255.255.255.240

cryptomap card crypto

!

interface GigabitEthernet0/1

IP 192.168.1.254 255.255.255.0

IP nat inside

!

IP local pool dhcppool 192.168.2.50 192.168.2.100

!

Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

!

Sheep allowed 10 route map
corresponds to the IP 199

!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload

!

IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6

The problem seems to be that static NAT take your nat exemption.

The solution would be:

IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

HTH

Herbert

Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

Hello!

I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.

ASA Version 9.1 (1)

!

ASA host name

domain xxx.xx

names of

local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

!

interface GigabitEthernet0/0

nameif inside

security-level 100

192.168.11.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description Interface_to_VPN

nameif outside

security-level 0

IP 111.222.333.444 255.255.255.240

!

interface GigabitEthernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

management only

nameif management

security-level 100

192.168.5.1 IP address 255.255.255.0

!

passive FTP mode

DNS server-group DefaultDNS

www.ww domain name

permit same-security-traffic intra-interface

the object of the LAN network

subnet 192.168.11.0 255.255.255.0

LAN description

network of the SSLVPN_POOL object

255.255.255.0 subnet 192.168.12.0

VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

management of MTU 1500

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 711.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN

Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

list of URLS no

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

LOCAL AAA authorization exec

Enable http server

http 192.168.5.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec pmtu aging infinite - the security association

Crypto ca trustpoint ASDM_TrustPoint5

Terminal registration

E-mail [email protected] / * /

name of the object CN = ASA

address-IP 111.222.333.444

Configure CRL

Crypto ca trustpoint ASDM_TrustPoint6

Terminal registration

domain name full vpn.domain.com

E-mail [email protected] / * /

name of the object CN = vpn.domain.com

address-IP 111.222.333.444

pair of keys sslvpn

Configure CRL

trustpool crypto ca policy

string encryption ca ASDM_TrustPoint6 certificates

Telnet timeout 5

SSH 192.168.11.0 255.255.255.0 inside

SSH timeout 30

Console timeout 0

No ipv6-vpn-addr-assign aaa

no local ipv6-vpn-addr-assign

192.168.5.2 management - dhcpd addresses 192.168.5.254

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

SSL-trust outside ASDM_TrustPoint6 point

WebVPN

allow outside

CSD image disk0:/csd_3.5.2008-k9.pkg

AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

AnyConnect enable

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

internal VPN_CLIENT_POLICY group policy

VPN_CLIENT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - 5 concurrent connections

VPN-session-timeout 480

client ssl-VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

myComp.local value by default-field

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

time to generate a new key 30 AnyConnect ssl

AnyConnect ssl generate a new method ssl key

AnyConnect client of dpd-interval 30

dpd-interval gateway AnyConnect 30

AnyConnect dtls lzs compression

AnyConnect modules value vpngina

value of customization DfltCustomization

internal IT_POLICY group policy

IT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - connections 3

VPN-session-timeout 120

Protocol-tunnel-VPN-client ssl clientless ssl

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

field default value societe.com

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

AnyConnect dtls lzs compression

value of customization DfltCustomization

username vpnuser password PA$ encrypted $WORD

vpnuser username attributes

VPN-group-policy VPN_CLIENT_POLICY

type of remote access service

Username vpnuser2 password PA$ encrypted $W

username vpnuser2 attributes

type of remote access service

username admin password ADMINPA$ $ encrypted privilege 15

VPN Tunnel-group type remote access

General-attributes of VPN Tunnel-group

address VPN_CLIENT_POOL pool

Group Policy - by default-VPN_CLIENT_POLICY

VPN Tunnel-group webvpn-attributes

the aaa authentication certificate

enable VPN_to_R group-alias

type tunnel-group IT_PROFILE remote access

attributes global-tunnel-group IT_PROFILE

address VPN_CLIENT_POOL pool

Group Policy - by default-IT_POLICY

tunnel-group IT_PROFILE webvpn-attributes

the aaa authentication certificate

enable IT Group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

: end

Help me please! Thank you!

Hello

Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

Thank you

swap

cannot ping in dmz subnet from inside the subnet

Hey guys

can someone pls take a look at this config in my 515 and tell me why I can't ping from host 10.2.1.20 (connected inside interface) to host (connected to the dmx interface) 10.3.1.20...

Thanks ;)

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

stop 100full interface ethernet2

interface ethernet3 100full

stop 100full interface ethernet4

interface ethernet5 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

ethernet2 intf2 security2 nameif

nameif ethernet3 intf3 interieure4

nameif ethernet4 intf4 securite6

nameif dmz security50 ethernet5

enable password xxxx

passwd xxxx

hostname MYHOSTNAME

domain MYDOMAINNAME.local

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

inside_access_in ip access list allow a whole

pager lines 24

Outside 1500 MTU

Within 1500 MTU

intf2 MTU 1500

intf3 MTU 1500

intf4 MTU 1500

MTU 1500 dmz

IP address outside 61.29.xxx.xxx 255.255.255.248

IP address inside 10.2.1.11 255.255.255.0

No intf2 ip address

No intf3 ip address

No intf4 ip address

10.3.1.11 dmz IP address 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

no failover

failover timeout 0:00:00

failover poll 15

No IP failover outdoors

No IP failover inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address dmz

history of PDM activate

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

NAT (dmz) 10 10.3.1.0 255.255.255.0 0 0

static (inside, dmz) 10.2.1.0 10.2.1.0 netmask 255.255.255.0 0 0

inside_access_in access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 61.29.xxx.xxx 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 10.2.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

SNMP-Server enable traps

enable floodguard

Telnet timeout 5

SSH timeout 5

Console timeout 0

Terminal width 80

Thanks again

Rob

ICMP is not a stateful Protocol, so you must explicitly allow ICMP traffic on the DMZ interface. Try adding the following:

access-list dmz_access_in allow icmp a whole

Access-group dmz_access_in in dmz interface

I hope this helps.

Scott

Remote access VPN client to connect but cannot ping inside the host, after that split tunnel is activated (config-joint)

Hello

I don't know what could be held, vpn users can ping to the outside and inside of the Cisco ASA interface but can not connect to servers or servers within the LAN ping.

is hell config please kindly and I would like to know what might happen.

hostname horse

domain evergreen.com

activate 2KFQnbNIdI.2KYOU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

ins-guard

!

interface GigabitEthernet0/0

LAN description

nameif inside

security-level 100

192.168.200.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description CONNECTION_TO_FREEMAN

nameif outside

security-level 0

IP 196.1.1.1 255.255.255.248

!

interface GigabitEthernet0/2

Description CONNECTION_TO_TIGHTMAN

nameif backup

security-level 0

IP 197.1.1.1 255.255.255.248

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

management only

!

boot system Disk0: / asa844-1 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain green.com

network of the NETWORK_OBJ_192.168.2.0_25 object

Subnet 192.168.2.0 255.255.255.128

network of the NETWORK_OBJ_192.168.202.0_24 object

192.168.202.0 subnet 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

Access extensive list permits all ip a OUTSIDE_IN

gbnlvpntunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

gbnlvpntunnell_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnell_splitTunnelAcl allow 192.168.202.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

backup of MTU 1500

mask of local pool VPNPOOL 192.168.2.0 - 192.168.2.100 IP 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-645 - 206.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

!

network obj_any object

dynamic NAT interface (inside, backup)

Access-group interface inside INSIDE_OUT

Access-group OUTSIDE_IN in interface outside

Route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

Route outside 0.0.0.0 0.0.0.0 197.1.1.2 254

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

monitor SLA 100

type echo protocol ipIcmpEcho 212.58.244.71 interface outside

Timeout 3000

frequency 5

monitor als 100 calendar life never start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

backup of crypto backup_map interface card

Crypto ikev1 allow outside

Crypto ikev1 enable backup

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

!

track 10 rtr 100 accessibility

Telnet 192.168.200.0 255.255.255.0 inside

Telnet 192.168.202.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.202.0 255.255.255.0 inside

SSH 192.168.200.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 15

SSH group dh-Group1-sha1 key exchange

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntunnel strategy

Group vpntunnel policy attributes

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntunnel_splitTunnelAcl

field default value green.com

internal vpntunnell group policy

attributes of the strategy of group vpntunnell

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list gbnlvpntunnell_splitTunnelAcl

field default value green.com

Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password

attributes of user name THE

VPN-group-policy gbnlvpn

tunnel-group vpntunnel type remote access

tunnel-group vpntunnel General attributes

address VPNPOOL pool

strategy-group-by default vpntunnel

tunnel-group vpntunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group vpntunnell remote access

tunnel-group vpntunnell General-attributes

address VPNPOOL2 pool

Group Policy - by default-vpntunnell

vpntunnell group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

Hello

1 - Please run these commands:

"crypto isakmp nat-traversal 30.

"crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.

The main issue here is that you have two roads floating and outside it has a better than backup metric, that's why I added the command 'reverse-road '.

Please let me know.

Thank you.

Cannot ping across the firewall

I'll put up the asa in GNS3 lab, but I can't do a ping through the firewall to the inside of the interface for the external interface. Here's my running-config... I don't know that miss me some I don't know what. If anyone can find out what it is, that would be nice.

See the race
: Saved
:
ASA Version 8.4 (2)
!
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0
nameif inside
security-level 100
the IP 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
4.2.2.2 IP address 255.255.255.0
!
interface GigabitEthernet2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet3
Shutdown
No nameif
no level of security
no ip address
!
passive FTP mode
pager lines 24
Enable logging
timestamp of the record
logging buffered information
logging trap information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
Route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
outdoor 172.16.2.0 255.255.254.0 10.0.1.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
crashinfo record disable
Cryptochecksum:d6838a5cc1c3620ba830e7d745eaf9a1
: end

After having thought about it twice, it's clear. I wrote to change because it is a good practice, but with the ASA on the other side, it is necessary.

If you use the output as the destination of a route interface, the router must be able to arp for the IP of destination (for each that is used) L2 address of next hop. The other side (the ASA in your scenario) must have a proxy-arp enabled for this because demand is not a configured address.

If you configure an IP address as the next hop, the router must only address L2 a jump next-address IP used in the static route.

Router cannot ping off the grid

The situation:

Router (ip 192.168.16.1) is the default gateway for the whole of the company

Anyone in the company is able to go on the internet and ping 8.8.8.8 (google DNS) of the PC it is

I have myself my laptop have IP 192.168.16.170 and I can ping 8.8.8.8 my default gw is 192.168.16.1

I set up a lab with router B 1841 with NAT router

On the router B FastEth 0/0 is faced with A router

On the router B FastEth 0/1 is in the front of my lab

The problem:

Router B, the two interfaces can ping 192.168.16.1 (router, the default gateway)

Router B, I am unable to ping 8.8.8.8 or any other address outside the 192.168.16.0 network

I do not understand how I am able to ping my default gateway and yet not be able to ping outside my network.

Keep in mind, it works on my laptop or any other PC in the building.

Thanks for the idea

**********************************************************************************

Router #sh ip int br

Interface IP-Address OK? Method State Protocol

FastEthernet0/0 192.168.16.137 YES DHCP upward upwards

FastEthernet0/1 192.168.55.11 YES manual up up

NVI0 unassigned don't unset upward upwards

Router #.

***********************************************************************************

Router #sh run

Building configuration...

Current configuration: 712 bytes

!

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

router host name

!

boot-start-marker

boot-end-marker

!

!

No aaa new-model

IP cef

!

!

!

!

!

!

!

-More-

!

interface FastEthernet0/0

DHCP IP address

NAT outside IP

automatic duplex

automatic speed

!

interface FastEthernet0/1

IP 192.168.55.11 255.255.255.0

IP nat inside

automatic duplex

automatic speed

!

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

no ip address of the http server

IP nat inside source static 192.168.55.170 192.168.16.10

IP nat inside source static 192.168.55.11 192.168.16.11

!

!

control plan

!

!

Line con 0

line to 0

line vty 0 4

opening of session

!

Scheduler allocate 20000 1000

end

Router #.

*************************************************************************

Router #sh worm

Cisco IOS Software, 1841 (C1841-IPBASE-M), Version 12.4(17a), VERSION of the SOFTWARE (fc2)

Technical support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Updated Thursday, November 7 07 11:21 by prod_rel_team

ROM: System Bootstrap, Version 12.4 (13r) T, RELEASE SOFTWARE (fc1)

The availability of router is 4 hours, 34 minutes

System to regain the power ROM

System image file is "flash: c1841-ipbase - mz.124 - 17A .bin.

Cisco 1841 (revision 7.0) with 114688K / 16384K bytes of memory.

Card processor ID FTX1153W03K

2 FastEthernet interfaces

Configuration of DRAM is 64 bits wide with disabled parity.

191K bytes of NVRAM memory.

31360K bytes of ATA CompactFlash (read/write)

Configuration register is 0 x 2142

Router #.

***********************************************************************

Router #ping 192.168.16.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.16.1, time-out is 2 seconds:

!!!!!

Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

*******************************************************************

Router #ping 8.8.8.8

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 8.8.8.8, time-out is 2 seconds:

.....

Success rate is 0% (0/5)

Try to change your route by default of ' 0.0.0.0 0.0.0.0 fa0/0 "to" 0.0.0.0 0.0.0.0 192.168.16.1.

Can you ping 192.168.16.1 to RouterB?

HTH,
John

Please note all useful messages *.

Cannot Ping across the VPN remote access

Hello world

I hope I posted this in the right place!

I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!

We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.

When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.

I'm sure it's something stupid I've done (or not done).

I have attached my config and would be grateful if someone could take a look and point me in the right direction.

Thanks in advance for your help,

Peter.

Hi Peter,.

You must add a line to the inside_access_in access list:

Enable

conf t

access-list inside_access_in allow icmp a whole

output

write members

Kind regards

Cathy

WRT160NL cannot connect to the web interface after firmware update

I've updated the firmware to unofficial http://mirwifi.org/download/fw/WRT160NL/wrt160nl-0.1.3-pre5.bin and since then I can not connect to the router through the web interface. What can I do? Is it possible to update the firmware to the official without web interface? Thanks in advance for any help.

The router's default IP address is 192.168.1.1. Try to ping the IP address of the router and check if you get answers from the router.

Open the Internet browser and in the address bar type http://192.168.1.1. See if you can open the router configuration page.

If this does not work then you can try to update the official firmware on the router using the TFTP.exe file.

Disable the firewall on your computer. Connect the computer to the router with the Ethernet cable.

(1) download the official firmware file from the site Web of Linksys router. Save it to your computer.

(2) download the tftp site Web of Linksys. Follow this link to search for the file tftp. You'll find downloads for router BEFW11S4. Select the version 3.2 hardware and download the installation wizard. Save it to your computer.

(3) run the installation wizard. In the server box, type the IP address of your router. In the password box, type the password of the router. Default password for the router is admin. Find the file of the official firmware you have already downloaded and click on upgrade.

See if it works.

After upgrading the Firmware on the router, it is recommended that you must reset the router and reconfigure.

Press and hold the reset button on the router for 30 seconds. Release the reset button and wait 10 seconds. Power cycle the router and reconfigure.

PowerConnect 2824 cannot enter in the web interface

My company bought a powerconnect 2824, in any case this is the 1st time, I configure the Dell switch. I managed to Setup using cli mode, but after anyway I can't config interface only able to display information and also cannot enter the web interface with the default setting, or after.

What I did wrong?

Have you tried to connect to the web gui via different ports? you mentioned port 1 light does not, which is the port you are trying to access the switch through?

When you are connected to the CLI, which is the result of show # configuration interfaces?

What are the customers IP settings to?

Cannot ping inside the vpn client hosts. It's a NAT problem

Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

AAA new-model

!

!

AAA authentication login default local

radius of group AAA authentication login userauthen

AAA authorization exec default local

AAA authorization groupauthor LAN

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group businessVPN

key xxxxxx

DNS 192.168.10.2

business.local field

pool vpnpool

ACL 108

Crypto isakmp VPNclient profile

businessVPN group identity match

client authentication list userauthen

ISAKMP authorization list groupauthor

client configuration address respond

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

Define VPNclient isakmp-profile

market arriere-route

!

!

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

interface Loopback0

IP 10.1.10.2 255.255.255.252

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

!

Null0 interface

no ip unreachable

!

interface FastEthernet0/0

IP 111.111.111.138 255.255.255.252

IP access-group outside_in in

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

inspect the outgoing IP outside

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

the integrated-Service-Engine0/0 interface

description Locator is initialized with default IMAP group

IP unnumbered Loopback0

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

ip address of service-module 10.1.10.1 255.255.255.252

Service-module ip default gateway - 10.1.10.2

interface BVI1

IP 192.168.10.1 255.255.255.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

IP virtual-reassembly

IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

IP nat inside source map route nat interface FastEthernet0/0 overload

nat extended IP access list

deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

sheep extended IP access list

permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

outside_in extended IP access list

permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

permit any any eq 443 tcp

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

allow any host 111.111.111.138 esp

allow any host 111.111.111.138 eq isakmp udp

allow any host 111.111.111.138 eq non500-isakmp udp

allow any host 111.111.111.138 ahp

allow accord any host 111.111.111.138

access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

!

!

!

!

route nat allowed 10 map

match ip address nat

1 channel ip bridge

In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

Kind regards

cannot ping within the host only vmnet0

I created my own guest only (vmnet0) network without DHCP (192.168.1.0/255.255.255.0). I run several linux guests in this network. One of them, that I call the "headnode", assigns a static IP 192.168.1.1 and runs a DHCP server. The other guests, now referred to as "nodes", use DHCP to obtain their IP addresses of the headnode. During the process of starting the backend nodes, they communicate correctly with the DHCP server on the headnode and receive an IP address. After their NIC is however in place, the main nodes cannot exceed the headnode. A ping from a backend node is unable to reach the headnode. If I ping a backend of the headnode else node hand, it takes about 6 ping probes before the ping starts to work and after that, I can also ping the headnode leave this backend node. It seems that my network setup, i.e. firewall, routing, etc., in the guest linux is correct, but that the vmnet0 switch is not working properly. Is this a known issue with a guest only network?
Thanks already,
Nick

I'm not sure on a Linux host, but on Windows the XXX1 IP address is assigned to the virtual host adapter, if this option is checked! You may have a problem with an IP address in this case duplicate. Also, make sure that the IP address range does not correspond to the physical network.

Anyway, as mentioned by continuum, you can't redefine vmnet0 (filled by default), but use instead an additional vmnet for a virtual network additional.

André

VMmachine cannot ping to the gateway

VMWare Workstation 7.1.3 build-324285
Host: win7 64-bit
Guests: 3 x Red Hat Linux 32-bit, network: filled
VMMachines (VMM) can connect to each other with success, but non of them can ping the gateway, then they have no connection to the host, or other physical machines, neither the army nor other physical machines can connect to the VMMs.
Any idea what to do?

you have disabled auto fill in the virtual network Editor?
If this is not the case-how now

the new can begin troubleshooting

Cannot ping machine Windows 7 from XP machine - timeout

New Windows 7 Home Premium machine... in the group to work with XP Pro machines... I can connect to folders shared between and, any machine 7 & XP. Connections network and Internet are all very well; Win7 & XP. The Windows 7 machine I ping successfully all XP machines. I can't ping Win 7 machine name or IP address, of a XP machine on the network. Ping simply timesout.

I'm stumped... Network discovery is turned on.

I find it weird that I can't ping the 7 machine, but I can connect actions and see the machine on the network and with the NET VIEW command.

Any idea is appreciated.

In fact, I had the exact problem. But since I'm in an area I used one under domain profile and that worked. -- Control Panel > Windows Firewall > Advanced settings > inbound rules and enable file and printer (echo - ICMPv4-In request) sharing in the domain profile.

Gurulite if you are in an area, then it should work for you.

Cannot ping inside the ASA from the inside interface

Similar Questions

Maybe you are looking for