Customer remote VPN cannot ping certain IP

My Cisco VPN client can establish the tunnel with my successful ASA5505 Office vpn but cannot ping some IP such as an internal server (10.100.194.6).

FIREWALL-1 # ping 10.100.194.6
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.100.194.6, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

Why I can't ping certain IP?

Help, please.

Thank you.

Hey Kevin,

Check out the capture, it is obvious that there is a problem of internal routing as we can see packets from the VPN client requests, but there is no response from the server package.

Please ensure that the server has pointing on the Firewall VPN subnet route.
HTH.

Kind regards

Dinesh Moudgil

PS: Please check the useful messages.

Tags: Cisco Security

Similar Questions

  • Remote VPN cannot ping any host on remote site

    Hi all!

    I tried to deploy remote vpn on my asa 5515-x. And my VPN client properly connected, but I can't ping any host on a remote network.

    Here is my configuration:

    ASA 1.0000 Version 2

    !

    names of

    !

    interface GigabitEthernet0/0

    nameif inside

    security-level 100

    IP 192.168.10.252 255.255.255.0

    !

    interface GigabitEthernet0/1

    nameif outside

    security-level 0

    IP x.x.x.x 255.255.255.252

    !

    interface GigabitEthernet0/2

    DMZ description

    nameif dmz

    security-level 50

    IP 192.168.20.252 255.255.255.0

    !

    interface GigabitEthernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/4

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/5

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.2.40 255.255.255.0

    management only

    !

    boot system Disk0: / asa861-2-smp - k8.bin

    passive FTP mode

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    internal subnet object-

    192.168.10.0 subnet 255.255.255.0

    network dmz subnet object

    subnet 192.168.20.0 255.255.255.0

    Note to access-list LAN_VLAN_10 split_tunnel

    split_tunnel list standard access allowed 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    management of MTU 1500

    MTU 1500 dmz

    IP local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any inside

    ASDM image disk0: / asdm - 714.bin

    don't allow no asdm history

    ARP timeout 14400

    !

    internal subnet object-

    NAT dynamic interface (indoor, outdoor)

    network dmz subnet object

    NAT (dmz, outside) dynamic interface

    Route outside 0.0.0.0 0.0.0.0 93.174.55.181 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    AAA authentication LOCAL telnet console

    the ssh LOCAL console AAA authentication

    Enable http server

    http 192.168.0.0 255.255.0.0 management

    http 192.168.10.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set esp - esp-md5-hmac ikev1 firstset

    Crypto-map dynamic dyn1 ikev1 transform-set firstset 1 set

    dynamic mymap 1 dyn1 ipsec-isakmp crypto map

    mymap outside crypto map interface

    Crypto ikev1 allow outside

    IKEv1 crypto policy 1

    preshared authentication

    the Encryption

    md5 hash

    Group 2

    life 43200

    Telnet 0.0.0.0 0.0.0.0 inside

    Telnet 0.0.0.0 0.0.0.0 management

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 management

    SSH timeout 5

    Console timeout 0

    interface ID client DHCP-client to the outside

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal group testgroup strategy

    testgroup group policy attributes

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list split_tunnel

    user1 fvosA8L1anfyxTw3 encrypted password username

    tunnel-group testgroup type remote access

    tunnel-group testgroup General attributes

    address testpool pool

    strategy-group-by default testgroup

    testgroup group tunnel ipsec-attributes

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    What's wrong?

    TNX!

    Hello

    I would like to change the current reserve of VPN to something overlapping to the LAN.

    You're also missing NAT0 for the VPN Client connection that is your problem more likely.

    You can try these changes

    mask of 192.168.100.1 - local 192.168.100.254 pool POOL VPN IP 255.255.255.0

    tunnel-group testgroup General attributes

    No address testpool pool

    address VPN-POOL pool

    no ip local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0

    the object of the LAN network

    192.168.10.0 subnet 255.255.255.0

    network of the VPN-POOL object

    255.255.255.0 subnet 192.168.100.0

    NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

    You can also change your settings for encryption for anything other than a. You can use AES.

    Hope this helps

    Let us know if this helped.

    Don't forget to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • Peer AnyConnect VPN cannot ping, RDP each other

    I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1).  I have a remote access VPN set up and remote access users are able to connect and access to network resources.   I can ping the VPN peers between the Remote LAN.    My problem counterparts VPN cannot ping (RDP, CDR) between them.   Ping a VPN peer of reveals another the following error in the log of the SAA.

    Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.

    Here's my ASA running-config:

    ASA Version 8.3 (1)

    !

    ciscoasa hostname

    domain dental.local

    activate 9ddwXcOYB3k84G8Q encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address dhcp setroute

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    clock timezone CST - 6

    clock to summer time recurring CDT

    DNS lookup field inside

    DNS server-group DefaultDNS

    192.168.1.128 server name

    domain dental.local

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the RAVPN object

    10.10.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_10.10.10.0_28 object

    subnet 10.10.10.0 255.255.255.240

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    access-list Local_LAN_Access note VPN Customer local LAN access

    Local_LAN_Access list standard access allowed host 0.0.0.0

    DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

    Note VpnPeers access list allow peer vpn ping on the other

    permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers

    pager lines 24

    Enable logging

    asdm of logging of information

    logging of information letter

    address record [email protected] / * /

    exploitation forest-address recipient [email protected] / * / level of information

    record level of 1 600 6 rate-limit

    Outside 1500 MTU

    Within 1500 MTU

    mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 711.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, all) static source all electricity static destination RAVPN RAVPN

    NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28

    NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination

    !

    network obj_any object

    NAT dynamic interface (indoor, outdoor)

    network of the RAVPN object

    dynamic NAT (all, outside) interface

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Community SNMP-server

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit

    Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit

    Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit

    Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    trustpoint crypto ca-CA-SERVER ROOM

    LOCAL-CA-SERVER key pair

    Configure CRL

    Crypto ca trustpoint ASDM_TrustPoint0

    registration auto

    name of the object CN = ciscoasa

    billvpnkey key pair

    Proxy-loc-transmitter

    Configure CRL

    crypto ca server

    CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl

    name of the issuer CN = ciscoasa

    SMTP address [email protected] / * /

    crypto certificate chain ca-CA-SERVER ROOM

    certificate ca 01

    * hidden *.

    quit smoking

    string encryption ca ASDM_TrustPoint0 certificates

    certificate 10bdec50

    * hidden *.

    quit smoking

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    authentication crack

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 20

    authentication rsa - sig

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 40

    authentication crack

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 50

    authentication rsa - sig

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 60

    preshared authentication

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 70

    authentication crack

    aes encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 80

    authentication rsa - sig

    aes encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 100

    authentication crack

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 110

    authentication rsa - sig

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 120

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 130

    authentication crack

    the Encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 140

    authentication rsa - sig

    the Encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 150

    preshared authentication

    the Encryption

    sha hash

    Group 2

    life 86400

    enable client-implementation to date

    Telnet 192.168.1.1 255.255.255.255 inside

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    management-access inside

    dhcpd outside auto_config

    !

    dhcpd address 192.168.1.50 - 192.168.1.99 inside

    dhcpd allow inside

    !

    a basic threat threat detection

    threat detection statistics

    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

    SSL-trust outside ASDM_TrustPoint0 point

    WebVPN

    allow outside

    SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image

    SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml

    enable SVC

    tunnel-group-list activate

    internal-password enable

    chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    Server DNS 192.168.1.128 value

    Protocol-tunnel-VPN l2tp ipsec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl

    Dental.local value by default-field

    WebVPN

    SVC value vpngina modules

    internal DefaultRAGroup_1 group strategy

    attributes of Group Policy DefaultRAGroup_1

    Server DNS 192.168.1.128 value

    Protocol-tunnel-VPN l2tp ipsec

    Dental.local value by default-field

    attributes of Group Policy DfltGrpPolicy

    Server DNS 192.168.1.128 value

    VPN - 4 concurrent connections

    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

    value of group-lock RAVPN

    value of Split-tunnel-network-list Local_LAN_Access

    Dental.local value by default-field

    WebVPN

    the value of the URL - list DentalMarks

    SVC value vpngina modules

    SVC value dellstudio type user profiles

    SVC request to enable default webvpn

    chip-tunnel enable SmartTunnelList

    wketchel1 5c5OoeNtCiX6lGih encrypted password username

    username wketchel1 attributes

    VPN-group-policy DfltGrpPolicy

    WebVPN

    SVC value DellStudioClientProfile type user profiles

    username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel

    username wketchel attributes

    VPN-group-policy DfltGrpPolicy

    WebVPN

    modules of SVC no

    SVC value DellStudioClientProfile type user profiles

    jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username

    jenniferk username attributes

    VPN-group-policy DfltGrpPolicy

    WebVPN

    SVC value DellStudioClientProfile type user profiles

    attributes global-tunnel-group DefaultRAGroup

    address pool VPNPool

    LOCAL authority-server-group

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared key *.

    tunnel-group DefaultRAGroup ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    eap-proxy authentication

    type tunnel-group RAVPN remote access

    attributes global-tunnel-group RAVPN

    address pool VPNPool

    LOCAL authority-server-group

    tunnel-group RAVPN webvpn-attributes

    enable RAVPN group-alias

    IPSec-attributes tunnel-group RAVPN

    pre-shared key *.

    tunnel-group RAVPN ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    eap-proxy authentication

    type tunnel-group WebSSLVPN remote access

    tunnel-group WebSSLVPN webvpn-attributes

    enable WebSSLVPN group-alias

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    173.194.64.108 SMTP server

    context of prompt hostname

    HPM topN enable

    Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8

    : end

    Hello

    Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.

    I suggest the following changes

    network of the VPN-POOL object

    10.10.10.0 subnet 255.255.255.0

    the object of the LAN network

    subnet 192.168.1.0 255.255.255.0

    PAT-SOURCE network object-group

    object-network 192.168.1.0 255.255.255.0

    object-network 10.10.10.0 255.255.255.0

    NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

    destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    The above should allow

    • Dynamic PAT for LAN and VPN users
    • NAT0 for traffic between the VPN and LAN
    • NAT0 for traffic between the VPN users

    You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.

    no static source nat (inside, everything) all electricity static destination RAVPN RAVPN

    No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28

    No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination

    No network obj_any object

    No network object RAVPN

    In case you do not want to change the settings a lot you might be right by adding this

    network of the VPN-POOL object

    10.10.10.0 subnet 255.255.255.0

    destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL

    But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.

    -Jouni

  • ASA VPN cannot ping ip local pool

    Hello

    We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

    Thanks in advance

    Keith

    Hi Keith,

    I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

    Can you add "same-security-traffic intra-interface permits" and try again?

    Federico.

  • Site to Site VPN - cannot ping remote subnet

    Hi all.

    I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

    Any suggestions?

    I'm also an instant learn the ASAs, so I'm not an expert.  I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

    Thanks in advance.

    5505 lack the command:

    management-access inside

    Federico.

  • VPN - cannot ping the next hop

    Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)

    What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.

    Here is my design of the network and the config below:

    Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)

    Router Cisco 881

    AAA new-model

    !

    AAA of authentication ppp default local

    !

    VPDN enable

    !

    !

    VPDN-group VPDN PPTP

    !

    accept-dialin

    Pptp Protocol

    virtual-model 1

    !

    interface FastEthernet0

    Description link to switch

    switchport access vlan 5

    !

    interface FastEthernet1

    no ip address

    !

    interface FastEthernet2

    no ip address

    !

    interface FastEthernet3

    switchport access vlan 70

    no ip address

    !

    interface FastEthernet4

    Description INTERNET WAN PORT

    IP [IP EXTERNAL address]

    NAT outside IP

    IP virtual-reassembly in

    full duplex

    Speed 100

    card crypto VPN1

    !

    interface Vlan1

    no ip address

    !

    interface Vlan5

    Description $ES_LAN$

    IP 192.168.5.1 255.255.255.248

    no ip redirection

    no ip unreachable

    IP nat inside

    IP virtual-reassembly in

    !

    interface Vlan70

    IP [IP EXTERNAL address]

    IP virtual-reassembly in

    IP tcp adjust-mss 1452

    !

    !

    !

    interface virtual-Template1

    IP unnumbered FastEthernet4

    encapsulation ppp

    peer default ip address pool defaultpool

    Ms-chap PPP chap authentication protocol

    !

    IP local pool defaultpool 192.168.10.200 192.168.10.210

    IP forward-Protocol ND

    IP http server

    23 class IP http access

    local IP http authentication

    IP http secure server

    IP http timeout policy inactive 600 life 86400 request 10000

    !

    overload of IP nat inside source list no. - NAT interface FastEthernet4

    IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]

    Route IP 192.168.0.0 255.255.0.0 192.168.5.2

    !

    No. - NAT extended IP access list

    deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255

    IP 192.168.0.0 allow 0.0.255.255 everything

    VLAN70 extended IP access list

    ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255

    permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp

    permit tcp [IP EXTERNAL] 0.0.0.15 any eq www

    permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15

    permit tcp [IP EXTERNAL] 0.0.0.15 any eq field

    permits any udp [IP EXTERNAL] 0.0.0.15 eq field

    list of IP - VPN access scope

    IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255

    Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255

    WAN extended IP access list

    !

    Layer 3 switch - Dell Powerconnect 6224

    !

    IP routing

    IP route 0.0.0.0 0.0.0.0 192.168.5.1

    interface vlan 5

    name "to connect to the Cisco router.

    Routing

    IP 192.168.5.2 255.255.255.248

    output

    !

    interface vlan 10

    "internal network" name

    Routing

    IP 192.168.10.1 255.255.255.0

    output

    !

    interface ethernet 1/g12

    switchport mode acesss vlan 5

    output

    !

    interface ethernet 1/g29

    switchport mode access vlan 10

    output

    !

    Hi Samuel,.

    I went through your configuration and picked up a few problematic lines...

    First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.

    The cleaner for this is,

    Create a new interface of back of loop with a new subnet

    !

    loopback interface 0

    192.168.99.1 IP address 255.255.255.0

    !

    New vpn set up, pool

    !

    IP local pool defaultpool 192.168.99.200 192.168.99.210

    !

    Change your template to point the new loopback interface,

    !

    interface virtual-Template1

    IP unnumbered loopback0

    encapsulation ppp

    peer default ip address pool defaultpool

    Ms-chap PPP chap authentication protocol

    !

    All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.

    PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)

    I hope this helps.

    Please don't forget to rate/brand of useful messages

    Shamal

  • Site to site between ASA 8.2 VPN, cannot ping

    Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

    Here is my setup for both.

    Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

    When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

    %ASA-7-609001: Built local-host outside:10.30.7.2

    %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

    %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

    %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

    %ASA-7-609001: Built local-host outside:10.30.7.2

    %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

    %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

    %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

    %ASA-7-609001: Built local-host outside:10.30.7.2

    %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

    ...

    Each attempt to ping responds with "Request timed out" on the computer of ping.

    Why clients cannot mutually ping on the VPN tunnel?

    Hello

    Create a NAT0 ACL at both ends.

    ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

    NAT (inside) 0 access-list SHEEP

    THX

    MS

    Edit: at the beginning, I mentioned ACL #, it may not work.

  • Customer quick RV042 VPN cannot ping lan network

    Hi guys,.

    I just created a client2gateway on RV042 IPSec tunnel and use the remote PC quick VPN client tries to connect to this router.

    Fast VPN showed that the tunnel has been established. But I couldn't ping the LAN behind the router RV042.

    Can someone help me?

    Thank you.

    Hello

    Yes, you are right. To use the fast with RV042 VPN, it is necessary to configure the user name and a password for access to the VPN Client page. As this router does not support VLANs, you can only connect the VPN client to the LAN subnet (you cannot connect the client to any beach IP configured with multiple subnets)

    Kind regards

    Bismuth

  • Remote VPN cannot access devices LAN or internet

    So I have a server and a computer inside that I can access through an ASA 5505 with ASA 9.2 (1) and ASDM 7.2 (1)

    The computer on 192.168.1.110 via port 8080 can show me a demo site.

    The server on 192.168.1.222 got my DNS, HTTP, FTP, mail and more about it.

    Outside, I got a computer (by outside, I hear from the firewall and the cable directly into the computer) on 192.168.20.2 and firewall outside being 192.168.20.1

    From the outside I can access the 8080 without problem (and I guess as well with the server, but it is on another default gateway and are not accessible right now). -When I connect through my VPN I am assigned 192.168.30.5 but unable to connect inside the computer through 192.168.1.110:8080.

    This will return the error: asymmetrical NAT rules matched for before and back flow; Connection for udp src outdoors: 192.168.30.5/49608 (...) dst inside: 192.168.1.222/53 refused because of the failure of the path reverse NAT.

    Somewhere, I had a conflict or a non-created access rule. Anyone who wants to take a shot?

    I marked with "BOLD" for what I thought that may be the cause.

    ciscoasa (config) # sh running-config
    : Saved
    :
    ASA Version 9.2 (1)
    !
    ciscoasa hostname
    activate 8Ry2YjIyt7RRXU24 encrypted password
    volatile xlate deny tcp any4 any4
    volatile xlate deny tcp any4 any6
    volatile xlate deny tcp any6 any4
    volatile xlate deny tcp any6 any6
    volatile xlate deny udp any4 any4 eq field
    volatile xlate deny udp any4 any6 eq field
    volatile xlate deny udp any6 any4 eq field
    volatile xlate deny udp any6 any6 eq field
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    192.168.30.5 mask - 192.168.30.200 local pool Pool of IP IP 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.1.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    address 192.168.20.1 255.255.255.0
    !
    boot system Disk0: / asa921 - k8.bin
    passive FTP mode
    permit same-security-traffic intra-interface
    network obj_any object
    subnet 0.0.0.0 0.0.0.0
    object network testServer-8080
    host 192.168.1.110
    Description of the test server
    network of the object server-21
    Home 192.168.1.222
    Description of the test server
    network of the object Server-25
    Home 192.168.1.222
    Description of the test server
    network of the object Server-53
    Home 192.168.1.222
    Description of the test server
    network of the object server-80
    Home 192.168.1.222
    Description of the test server
    network of the object server-443
    Home 192.168.1.222
    Description of the test server
    network of the object server-2525
    Home 192.168.1.222
    Description of the test server
    network of the object server-993
    Home 192.168.1.222
    Description of the test server
    network of the object server-6001
    Home 192.168.1.222
    Description of the test server
    network of the object server-6002
    Home 192.168.1.222
    Description of the test server
    network of the object server-6003
    Home 192.168.1.222
    Description of the test server
    network of the object server-6004
    Home 192.168.1.222
    Description of the test server
    network of the VPN HOST object
    192.168.30.0 subnet 255.255.255.0
    network of the object inside
    host 192.168.1.0
    the vpn server object network
    Home 192.168.1.222
    outside_access_in list extended access permit tcp any object testServer-8080 eq 8080
    outside_access_in list extended access permit tcp any object server-21 eq ftp
    outside_access_in list extended access permit tcp any object Server-25 eq smtp
    outside_access_in list extended access permit tcp any object server-2525 2525 eq
    outside_access_in list extended access permit udp any object server-53 eq inactive field
    outside_access_in list extended access permit tcp any object server-80 eq www
    outside_access_in list extended access permit tcp any object server-443 https eq
    outside_access_in list extended access permit tcp any object server-993 993 eq
    outside_access_in list extended access permit tcp any object server-6001 eq 6001
    outside_access_in list extended access permit tcp any object server-6002 6002 eq
    outside_access_in list extended access permit tcp any object server-6003 eq 6003
    outside_access_in list extended access permit tcp any object server-6004 eq 6004
    outside_access_in to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.30.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 721.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) VPN-dynamic HOSTS within static destination to source Server VPN - vpn server
    !
    network obj_any object
    NAT dynamic interface (indoor, outdoor)
    object network testServer-8080
    NAT (inside, outside) interface static 8080 8080 tcp service
    network of the object server-21
    NAT static (inside, inside) of the service ftp ftp tcp interface
    network of the object Server-25
    NAT (inside, outside) interface static tcp smtp smtp service
    network of the object Server-53
    NAT static (inside, inside) interface tcp service area
    network of the object server-80
    NAT (inside, outside) interface static tcp www www service
    network of the object server-443
    NAT (inside, outside) interface static tcp https https service
    network of the object server-2525
    NAT (inside, outside) interface static 2525 2525 tcp service
    network of the object server-993
    NAT (inside, outside) interface static tcp 993 993 service
    network of the object server-6001
    NAT (inside, outside) interface static tcp 6001 6001 service
    network of the object server-6002
    NAT (inside, outside) interface static tcp 6002 6002 service
    network of the object server-6003
    NAT (inside, outside) interface static 6003 6003 tcp service
    network of the object server-6004
    NAT (inside, outside) interface static service tcp 6004 6004
    Access-group outside_access_in in interface outside
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    RADIUS AAA server HSS-auth-server protocol
    allow only
    AAA-server HSS-auth-server (inside) host 192.168.1.222
    Timeout 5
    key *.
    identity of the user by default-domain LOCAL
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    trustpool crypto ca policy
    Crypto isakmp nat-traversal 30
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal HSSvpn group strategy
    attributes of Group Policy HSSvpn
    value of server DNS 192.168.1.222
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value outside_access_in ! This value was its own name earlier
    HSS.dk value by default-field
    type tunnel-group HSSvpn remote access
    attributes global-tunnel-group HSSvpn
    address IP-pool pool
    HSS-auth-server authentication-server-group
    Group Policy - by default-HSSvpn
    password-management
    IPSec-attributes tunnel-group HSSvpn
    IKEv1 pre-shared-key *.
    tunnel-group HSSvpn ppp-attributes
    No chap authentication
    no authentication ms-chap-v1
    ms-chap-v2 authentication
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:9859258e11364180cf9b3e21173b3f2f
    : end

    Hello

    "Nat" bold configuration is incorrect, as you would expect.

    Replace it with something like this

    the object of the LAN network
    subnet 192.168.1.0 255.255.255.0

    NAT (inside, outside) 1 static source LAN LAN to static destination HOST-VPN-VPN-HOST

    I also suggest using a separate access the ACL of the Tunnel from Split 'standard' list.

    For example

    standard SPLIT-TUNNEL access list permit 192.168.1.0 255.255.255.0

    Naturally, you must pass the ACL above to used "group policy" .

    In addition, if you want to control the incoming connections to VPN users in 'outside_access_in' ACL, then you could change the default settings on the SAA by running the command

    No vpn sysopt connection permit

    If you need to return back then just to deliver without 'no' in front. Then back to its default value. This does not show in the running configuration by the way.

    With this setting all connections from VPN connections should be allowed on the interface ACL interface that ends the VPN connection. If in your case that would be the ACL attached to the 'outside' interface.

    Hope this helps :)

    -Jouni

  • remote VPN cannot access mail server of asa

    Hi dear.

    I have the router that connect to the asa.

    Internet line to connect to the router so all the nat translation is made to the router.

    router outside the ip:x.x.xx

    router inside the ip:10.0.0.1 interface that is connect to asa outside interface (asa outside ip address: 10.0.0.2)

    my mail server to connect to the DMZ asa.

    DMZ interface ip address:172.16.10.0./24

    mail server IP:172.16.10.10

    I'm twice nat for the ip address of the mail server.

    1.i do to asa.

    static (DMZ, Outside) 10.0.0.10 172.16.10.10

    in this mail server ip 172.16.10.10 translation translating 10.0.0.10(10.0.0.10 ip est un sous-réseau de la plage de connexion routeur et asa).

    second nat to router.

    IP nat inside source static tcp 10.0.0.10 25 25 ext x.x.x.x public ip x.x.x.x

    I have no problem with my nat translation to my e-mail server.

    I have set up remote client vpn to asa and apply crypto map ASA outside interface which is 10.0.0.2

    I do THE static nat router for asa outside ip address.

    IP nat inside source static udp 10.0.0.2 x.x.x.x extensible 500 500

    IP nat inside source static udp 10.0.0.2 4500 4500 extensible x.x.x.x

    I have no problem with the vpn connection. I can connect vpn connection. but I can't access mail server. 172.16.10.10

    What can I do in this situation?

    I should be writing sheep-access list?

    If Yes, how can I write this access list?

    Yes, you must configure access on your ASA sheep-list as follows:

    IP 172.16.10.0 allow Access-list sheep-dmz 255.255.255.0

    NAT 0 access-list sheep-dmz (dmz)

  • Cannot ping computers on the subnet remote site vpn while to set up

    Hi all

    I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.

    the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip

    Here is my scenario:

    LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant

    LAN1: 192.168.x.0/24

    LAN2: 172.25.88.0/24

    remote_machine_ip: 172.25.87.30

    LAN1 can ping to ASA5505 inside interface (172.25.88.1)

    but cannot ping ordinateur_distant (172.25.87.30)

    Inside of the interface ASA5505 can ping ordinateur_distant

    LAN2 can ASA5510 ping inside the machines on LAN1 and interface

    Is there something I missed?

    Thanks much for the reply

    I don't think it's something you really want to do.

    If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.

    So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1

    But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.

    If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858

    Kind regards

  • cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

    some help me

    (Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

    Note - I can ping PC but not the same subnet ip on ASA2 L3

    PC---> > ASA1 - ASA2<>

    Hi Matt,

    Let me answer your question in two points:

    • You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.

    For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside

    • Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.

    We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

  • cannot ping between remote vpn site?

    vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well.  I can ping from central office for two remote sites, but I cannot ping between these two vpn sites?  Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next?  Help, please...

    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    !
    object-group network SITE-a.
    object-network 192.168.42.0 255.255.255.0
    !
    object-group network SITE-B
    object-network 192.168.46.0 255.255.255.0
    !
    extended OUTSIDE allowed a whole icmp access list
    HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
    !
    destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
    !
    address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
    card crypto VPN-card 50 peers set *. *.56.250
    card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
    VPN-card interface card crypto outside
    !
    internal strategy group to DISTANCE-NETEXTENSION
    Remote CONTROL-NETEXTENSION group policy attributes
    value of DNS server *. *. *. *
    VPN-idle-timeout no
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value REMOTE-NET2
    value by default-field *.org
    allow to NEM
    !
    remote access of type tunnel-group to DISTANCE-NETEXTENSION
    Global DISTANCE-NETEXTENSION-attributes tunnel-group
    authentication-server-group (inside) LOCAL
    Group Policy - by default-remote CONTROL-NETEXTENSION
    IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
    IKEv1 pre-shared-key *.
    tunnel-group *. *.56.250 type ipsec-l2l
    tunnel-group *. *.56.250 ipsec-attributes
    IKEv1 pre-shared-key *.
    !

    !

    ASA - 5510 # display route. include the 192.168.42
    S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
    ASA - 5510 # display route. include the 192.168.46
    S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
    ASA-5510.

    !
    Username: Laporte-don't Index: 10
    Assigned IP: 192.168.46.0 public IP address: *. *.65.201
    Protocol: IKEv1 IPsecOverNatT
    License: Another VPN
    Encryption: 3DES hash: SHA1
    TX Bytes: bytes 11667685 Rx: 1604235
    Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
    Opening time: 08:19:12 IS Thursday, February 12, 2015
    Duration: 6 h: 53 m: 29 s
    Inactivity: 0 h: 00 m: 00s
    Result of the NAC: unknown
    Map VLANS: VLAN n/a: no
    !
    ASA - 5510 # display l2l vpn-sessiondb

    Session type: LAN-to-LAN

    Connection: *. *.56.250
    Index: 6 IP Addr: *. *.56.250
    Protocol: IPsec IKEv1
    Encryption: AES256 3DES hash: SHA1
    TX Bytes: bytes 2931026707 Rx: 256715895
    Connect time: 02:00:41 GMT Thursday, February 12, 2015
    Duration: 13: 00: 10:00

    Hi Rico,

    You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.

    example:

    Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.

    object-group network SITE-a.
    object-network 192.168.42.0 255.255.255.0
    !
    object-group network SITE-B
    object-network 192.168.46.0 255.255.255.0

    dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
    public static SITE SITE-B-B

    destination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
    SITE static-SITE a

    Hope this helps

    Thank you

    Rizwan James

  • Cannot ping via remote VPN

    Hi all

    I have a client who uses a 506e with the cleint 4.02 for the remote VPN Cisco. The pix is multiple inside roads. The first network inside is 192.168.1.X and E1 of the 506 is 192.168.1.1. The second network is 10.71.56.X.

    The problem is as soon as the VPN is connected I can ping any host on the 192.168.1.X, but not anything on the 10.71.56.X network. Without netbios or the other. From the PIX, I can ping hosts on two internal networks.

    Here is the config below. Thank you!

    6.2 (2) version PIX

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the password xxxxx

    passwd xxxxxxx

    hostname GNB - PIX

    cisco.com-domain name

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol they 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol sip 5060

    fixup protocol 2000 skinny

    names of

    QUBEADMIN tcp service object-group

    Beach of port-object 444 444

    outside_access_in list access permit tcp any host 12.X.X.X eq pop3

    outside_access_in list access permit tcp any host 12.X.X.X eq smtp

    outside_access_in list access permit tcp any host 12.X.X.X EQ field

    outside_access_in list access permit tcp any host 12.X.X.X eq www

    outside_access_in list access permit tcp any host 12.X.X.X QUBEADMIN object-group

    outside_access_in list access permit icmp any any echo response

    access-list outside_access_in allow icmp all once exceed

    outside_access_in list access permit tcp any host 12.169.2.21 eq ssh

    GNB_splitTunnelAcl ip 10.71.56.0 access list allow 255.255.255.0 any

    outside_cryptomap_dyn_20 ip access list allow any 10.71.56.32 255.255.255.224

    pager lines 24

    opening of session

    timestamp of the record

    logging paused

    logging buffered stored notifications

    Logging trap errors

    notifications to the history of logging

    the logging queue 0

    host of logging inside the 10.71.55.10

    logging out of the 192.104.109.91 host

    interface ethernet0 car

    Auto interface ethernet1

    ICMP allow any inside

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside 12.X.X.X 255.255.254.0

    IP address inside 192.168.1.254 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    local IP VPNPOOL 10.71.56.40 pool - 10.71.56.50

    history of PDM activate

    ARP timeout 14400

    Global interface 10 (external)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

    public static 12.X.X.X (Interior, exterior) 192.168.1.1 mask subnet 255.255.255.255 0 0

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 12.X.X.X 1

    Route inside 10.71.55.0 255.255.255.0 192.168.1.1 1

    Route inside 10.71.56.0 255.255.255.0 192.168.1.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    the ssh LOCAL console AAA authentication

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    ISAKMP allows outside

    part of pre authentication ISAKMP policy 20

    ISAKMP policy 20 3des encryption

    ISAKMP policy 20 chopping sha

    20 2 ISAKMP policy group

    ISAKMP duration strategy of life 20 86400

    vpngroup address VPNPOOL pool GUARD

    vpngroup dns-server 10.71.56.10 GNB 10.71.56.10

    GNB GNB_splitTunnelAcl vpngroup split tunnel

    vpngroup GNB 1800 idle time

    GNB vpngroup password *.

    Telnet timeout 5

    SSH timeout 60

    Terminal width 80

    Cryptochecksum:XXXXX

    : end

    [OK]

    GNB - PIX #.

    You use 10.71.56.0 255.255.255.0 in two places

    you route to it via 192.168.1.1, but you're also allocation of addresses for vpn clients. Guests who are on the segment 10.71.56.0/24, if they manage to get the connected vpn client package (which is assigned a 10.71.56.x) address, would not send the response packet to this request on the local subnet, the router that has the 192.168.1.1 interface, which is what would be needed to make it work.

    You must use a different network for your vpn clients block - you cannot use the same ip through two different networks space.

  • Cannot ping sub interface from my remote site VPN gateways

    I can't ping my gateways to interface my remote vpn connection sub

    I can ping 192.6.1.0 network, but can't ping network 192.6.2.0 or 192.6.3.0

    When I remote desktop in 192.6.1.20 I can ping all the networks, including gateways to interface sub.

    I think that something in my asa is misconfigured or not added

    ASA NAT rules:

    Exempt NAT Interface: inside

    Source 192.6.0.0/16

    Destination 192.6.10.96/27

    Static NAT interface: inside (it's for the local NAT of E0/0 out)

    Source 192.6.1.1/16

    Interface translated outside the Destination: 172.35.221.200

    Dynamic NAT interface: inside

    Source: no

    Destination: outside

    ASA access rules:

    Permit outside

    Source: no

    Destination: out

    Services: udp, tcp, tcp/http

    Static routes:

    Interface: Outside > network: all outdoors DSL (shows no DSL in the graph)

    Some incorrect configuration:

    On the ASA:

    (1) directions are incorrect, the default should point to the next hop route, that is to say: the internet router: 172.35.221.x, as follows:

    Route outside 0.0.0.0 0.0.0.0 172.35.221.x

    ---> where x must be the router internet ip address.

    existing routes need to be removed:

    No route outside 0.0.0.0 0.0.0.0 192.298.47.182 255

    No route outside 0.0.0.0 0.0.0.0 172.35.209.81 in tunnel

    (2) the following declaration of the static NAT is incorrect too and should be removed:

    static (inside, outside) USSLTA01_External USSLTA01 netmask 255.255.255.255

    --> You can not NAT interface on the SAA itself.

    (3) for the SAA within the interface's subnet mask should be 255.255.255.0, no 255.255.0.0. It should be the same as the router interface subnet mask:

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP 192.6.1.254 255.255.255.0

    (4) on the way to access these sub interfaces subnet on the SAA as follows:

    Route inside 192.6.2.0 255.255.255.0 192.6.1.235

    Route inside 192.6.3.0 255.255.255.0 192.6.1.235

    Route inside 192.6.4.0 255.255.255.0 192.6.1.235

    On the router, configure it by default route as follows:

    IP route 0.0.0.0 0.0.0.0 192.6.1.254

Maybe you are looking for

  • How to you turn off the viewer of diacritical characters

    Whenever you type, prolonged pressure on a letter allows a pop menu to display diacritic versions of this letter. However, in my experience, when you type fast, the menu of diacritical characters custody arise unexpectedly (unexpectedly which means I

  • Need serious help with FPS on COD4

    Here's my situation.  I have two PC that I built and played COD4 for a year.  The only main I have on average 250 fps in multiplayer mode and the other 130 fps.  I got an internet problem with my modem which is triggered my whole system.  My ESET Sma

  • dealer file corruption

    our computer suddenly fell for no reason.according of acer, it's a windows file corruption.is dealer it anyway we can fix ourselves.i have no idea how it happened.

  • Assault of video card

    HelloI'm in a virtual world called secondlife and have all the protection I thought I needed. Recently there has been times where my computer froze suddenly and then crashed. I was told by a Tech in SL, it happens to as many people as whatever it tak

  • When you ask the ORA-24247 utl_http package: access denied by access control (ACL) of network list

    Dear all,Need your help please.Do in the face of ora 24247 network denial of access (ACL) even after following the procedure below. It was working fine until today where I did just drop and recreate again.BANNEROracle Database 11 g Enterprise Edition