Unable to ping gateway after connecting to the VPN
I've set up an ASA 5505 with hardly any configuration. I changed the inside interface to 192.168.168.250 and configured PPPoE DSL for the outside interface.
The ASA works perfectly for all my Internet needs, so I set up a VPN using the IPsec VPN wizard. That also works perfectly, except I noticed one thing. Once I connect to the VPN, I'm not able to ping the inside address of the ASA at 192.168.168.250. When I ping or manage the ASA using that IP address while I'm working on site, it works fine. Why is that, and is there a way I can change it?
Thank you!
-Pete
Pete
Add this to your config:
ASA(config)# management-access inside
All the details:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/m.html#wp1987122
Jon
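An added example (not Jon's or Pete's config) putting that command in context. It assumes ASA 8.0 to 8.2 syntax, interface names inside/outside, an inside LAN of 192.168.168.0/24 and a VPN client pool of 192.168.169.0/24; the thread only gives the inside address 192.168.168.250, so the pool, network and ACL names are assumptions. `management-access inside` is the line that lets a client arriving on the outside interface reach the inside interface address; the NAT exemption is what the IPsec wizard normally generates so the pool can reach the LAN at all.

```cisco
! Added example, not the poster's running config. Interface names, pool range,
! LAN subnet and ACL name are assumptions; the thread only gives 192.168.168.250.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.250 255.255.255.0
!
! Address pool handed to IPsec remote-access clients (assumed range).
ip local pool VPN_POOL 192.168.169.1-192.168.169.50 mask 255.255.255.0
!
! NAT exemption (nat 0), pre-8.3 syntax: LAN <-> pool traffic must not be
! PAT'd to the outside address, or replies from the LAN never reach the client.
access-list INSIDE_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0
nat (inside) 0 access-list INSIDE_nat0_outbound
!
! The ASA only answers for an interface address on the interface the packet
! arrives on. A VPN client arrives on "outside", so ping/SSH/ASDM to the
! inside address fails until the inside interface is marked for management
! access over the tunnel. Only one interface can be designated.
management-access inside
!
! Keep management tightly scoped: SSH to the inside address only from the LAN
! and from the VPN pool, nothing else.
ssh 192.168.168.0 255.255.255.0 inside
ssh 192.168.169.0 255.255.255.0 inside
```

After this, `ping 192.168.168.250` from a connected client should answer, and SSH or ASDM to that address is accepted from the pool because of the last `ssh` line. On 8.3 and later the `nat 0` exemption becomes a twice-NAT rule, but `management-access inside` is unchanged.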
Tags: Cisco Security
Similar Questions
-
Cannot ping inside hosts from VPN client: NAT problem?
Hello everyone, I'm running into what seems to be a NAT/nonat issue with an IOS IPsec VPN. I can connect to the VPN with the Cisco IPsec VPN client and I am able to authenticate. Once I have authenticated, I'm not able to reach any of the inside hosts. Below is my relevant config. Any help would be greatly appreciated.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group businessVPN
 key xxxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
crypto isakmp profile VPNclient
 match identity group businessVPN
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 10.1.10.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address 111.111.111.138 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outside out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Integrated-Service-Engine0/0
 description Locator is initialized with default IMAP group
 ip unnumbered Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
 deny   ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended nonat
 permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
ip access-list extended outside_in
 permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
 permit tcp any any eq 443
 permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
 permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
 permit esp any host 111.111.111.138
 permit udp any host 111.111.111.138 eq isakmp
 permit udp any host 111.111.111.138 eq non500-isakmp
 permit ahp any host 111.111.111.138
 ! (next line garbled in the original post: "allow accord any host 111.111.111.138"; protocol keyword unrecoverable)
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
!
!
!
route-map nat permit 10
 match ip address nat
bridge 1 route ip
In my view, the ACL applied to the client group is backwards. It must permit traffic from the internal network to the client pool.
To confirm, you can open the Cisco VPN Client statistics (after login), then go to the Route Details tab. You should see the networks you should be able to reach from the client. Make sure the right ones are there.
Kind regards
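As an added example (not the poster's or the responder's config), the corrected ACL 108 next to the posted one. It assumes, from the nonat ACL in the post, that vpnpool hands out addresses in 192.168.109.0/24; the pool definition itself was not posted.

```cisco
! Added example, not from the thread. Assumes the client pool is 192.168.109.0/24
! (implied by the posted nonat ACL; the "ip local pool vpnpool" line was not posted).
!
! A split-tunnel ACL under "crypto isakmp client configuration group" is read
! from the LAN side: source = network to protect, destination = client pool.
! The posted entries are reversed, so the client is told to secure
! 192.168.109.0/24 (its own pool) and never encrypts traffic for the LAN.
!
! Posted (wrong direction):
!   access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
!   access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
!   access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
! Replace with LAN -> pool entries, one per network the client should reach:
no access-list 108
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 108 permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 108 permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
!
! The NAT bypass must agree with this list. The posted "nat" route-map ACL
! already denies 192.168.10.0/24 -> pool and 10.1.1.0/24 -> pool ahead of its
! "permit ... any" lines, so overload PAT is not applied to tunnel traffic.
```

After the change, the client's Statistics > Route Details tab should list 192.168.10.0/24, 10.1.1.0/24 and 10.1.10.0/24 as secured routes, which is the check the answer above describes.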
-
Cannot ping hosts via VPN client when static NAT translations are used
Hello, I have an ISR 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network with static NAT translations that have services facing outward.
Everything works as expected except that, once connected via the VPN client, I cannot ping hosts on the internal network whose internal IP addresses have static NAT translations to external public addresses; I can ping any host that does not have a static NAT translation.
For example, in the config below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping the internal interface of the router and any other host on the LAN, and I can ping all hosts from the router itself.
Any help would be appreciated.
Regards
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key S3Cu4Ke!
 dns 192.168.1.1 192.168.1.2
 domain domain.com
 pool dhcppool
 acl 198
 save-password
 pfs
 netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES-SECURE esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 86400
 set transform-set 3DES-SECURE
 reverse-route
!
crypto map cryptomap client authentication list drauthen
crypto map cryptomap isakmp authorization list drauthor
crypto map cryptomap client configuration address respond
crypto map cryptomap 65535 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 ip nat outside
 ip address 1.2.3.4 255.255.255.240
 crypto map cryptomap
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip local pool dhcppool 192.168.2.50 192.168.2.100
!
access-list 198 remark * Split Tunnel encrypted traffic *
access-list 198 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 199 remark * NAT0 ACL *
access-list 199 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 199
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
ip nat inside source static 192.168.1.1 1.2.3.5
ip nat inside source static 192.168.1.2 1.2.3.6
The problem seems to be that the static NAT entries bypass your NAT exemption.
The solution would be:
ip nat inside source static 192.168.1.1 1.2.3.5 route-map nonat
ip nat inside source static 192.168.1.2 1.2.3.6 route-map nonat
HTH
Herbert
-
Ping works through ASA5505 VPN but RDP does not?
I have an ASA5505 remote access VPN set up.
I have a server connected directly behind the ASA and I can ping the server without problem.
The VPN client reports packets being encrypted and decrypted.
However, when I try to RDP to the server, the encrypted packet counter keeps incrementing but the decrypted packet counter does not.
I also do not see any RDP traffic hit the server (checked with Ethereal).
I did a packet trace and it succeeds, but ends with an ip-spoof phase, which I believe is correct as it is VPN traffic and not actually encrypted at that point.
These are the logs for the RDP session. I'm confused by the ICMP denied on line 2, as I am able to ping the server:
%ASA-6-302013: Built inbound TCP connection 88193 for outside:172.16.24.4/50984 (172.16.24.4/50984) to inside:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.146: no matching session
%ASA-7-609001: Built local-host inside:192.168.100.37
%ASA-6-302015: Built inbound UDP connection 88194 for outside:172.16.24.4/50620 (172.16.24.4/50620) to inside:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-6-302015: Built inbound UDP connection 88195 for outside:172.16.24.4/64598 (172.16.24.4/64598) to inside:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-6-302014: Teardown TCP connection 88193 for outside:172.16.24.4/50984 to inside:192.168.100.146/3389 duration 0:00:00 bytes 0 Flow closed by inspection (roger_ssl)
I have NAT configured as:
nat (inside,outside) source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172
The only logical bit is the "Flow closed by inspection"? Does this mean the server has not responded?
And decrypted packets do not increase when trying to RDP.
Does this mean anything to anyone? I have reached the end of my ASA knowledge on this one!
Thank you
Roger
Answer is based on your other thread:
-
Cannot ping across the remote access VPN
Hello all,
I hope I posted this in the right place!
I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!
We have a PIX 515E running 6.3(4) on which I used the VPN Wizard to set up a remote access VPN for the Cisco VPN Client on the outside interface.
When I connect from home on my laptop (Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C)) I seem to be able to connect to most of the network resources (i.e. file shares, I can RDP into servers, etc.) but I can't seem to ping anything: I just get request timed out.
I'm sure it's something stupid I've done (or not done).
I have attached my config and would be grateful if someone could take a look and point me in the right direction.
Thanks in advance for your help,
Peter.
Hi Peter,
You need to add a line to the inside_access_in access list:
enable
conf t
access-list inside_access_in permit icmp any any
exit
write memory
Kind regards
Cathy
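An added example (PIX 6.3 syntax, not Cathy's or Peter's config) showing a narrower version of the same fix. The LAN (192.168.1.0/24) and VPN pool (192.168.50.0/24) are placeholders; the thread does not give them. The point is that the inside ACL only has to let the reply half of a ping out, and only towards the client pool.

```cisco
! Added example, not from the thread. LAN and pool addresses are assumptions.
!
! The answer's fix lets every ICMP type from anywhere leave through the inside
! interface:
!   access-list inside_access_in permit icmp any any
!
! Tighter: only the reply types a ping and path-MTU discovery need, only from
! the LAN towards the VPN client pool. Echo requests from the pool into the
! LAN arrive through the tunnel and are not subject to this ACL.
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 echo-reply
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 unreachable
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 time-exceeded
!
! Alternative, if the 6.3 build in use supports it (assumed here): make ICMP
! stateful so echo replies are matched to the outbound echo request and no
! inside ACL entry for ICMP is needed at all.
fixup protocol icmp
```

With either variant, a `ping` from the client should answer; with the three-line ACL, `traceroute` from the client still works because unreachable and time-exceeded are permitted, while unsolicited ICMP from the LAN towards the pool is still dropped.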
-
Access problem after the VPN tunnel is up.
Could someone please take a look at this config and tell me why, once I have the VPN tunnel up, I can't access any hosts on the 192.168.41.0 network? (The x's are inserted for privacy.) Thank you.
Try...
isakmp nat-traversal
-
DSC-WX350 shows "Unable to display" remnants after photos are removed from the card
I'm having a problem with the DSC-WX350 seeing "ghosts" of pictures after they have been moved to a computer.
If I pop the card out of the camera, stick it in a card reader and move photos from the camera to my computer, as soon as I put the card back in the WX350 it seems to see phantom files for the moved photos: it acts as if they were still there (info, date taken, they count in the photo count, etc.) but only shows a grey "Unable to display" error.
I then have to manually delete each erroneous entry. As you can imagine, doing this whenever I move photos off the camera is a pain in the *. I've looked through all the folders on the card and can't see anything that would be leftover file markers or anything else causing this problem. Any ideas why this happens?
(FYI, the card was freshly and correctly formatted before using it in the camera.)
Thanks in advance.
Can anyone offer help?
Per this message, the card needs to be formatted; I have done that several times now to try to circumvent the problem: formatting through the camera, formatting through the computer, formatting on the computer and then the camera... After each attempt, the test photo I take and then remove while the card is in the computer returns a ghost "Unable to display the image" error once the card is back in the camera.
This is ridiculous. I will not manually re-delete the photos I moved off the device every single time just to avoid this * error. What is happening here?
-
Unable to send messages after the crash; the proposed solutions did not help.
On Tuesday (April 7) there was an update to 31.6. On Thursday there was a crash. Since then I cannot send messages. The proposed solutions did not work.
I get the message that the SMTP server does not support the selected authentication.
I tried the solution mentioned, but nothing helped. I configured the outgoing server with the different types and removed the password as shown. After that, I did the configuration with the different setup types again. No solution.
There is no webmail possibility, so I'm stuck now. There is no problem with incoming messages; they come in. Should this password be deleted also?
Any help would be greatly appreciated.
Greetings,
AZ58
Good. Could you then mark the thread as "Solved", please?
Thank you.
-
BDE is unable to add resources after a new installation
Hey guys,
Having trouble with BDE 2.1 and getting Serengeti working. It looks like VHM is having problems connecting to vCenter. Here's the exact error.
Location: /opt/serengeti/logs/vhm.log
Message: 2015-04-21 18:24:21.671 * VHM: failed to connect to vCenter (class java.io.FileNotFoundException): /tmp/keyStore (No such file or directory)
2015-04-21 18:24:21.672 * VHM: couldn't get vCenter connection through any protocol
2015-04-21 18:24:21.672 VHM: temporarily lost connection to vCenter
Location: /opt/serengeti/logs/serengeti-boot.log
Message: E, [2015-04-21T18:22:39.991825 #8536] ERROR -- : Serengeti Web Service didn't generate the uuid in file serengeti.properties in 5 minutes. This is probably a VC connection problem, please check /opt/serengeti/logs/serengeti.log
serengeti.log isn't spitting out anything useful.
Anyone seen this before?
Thank you!
The BDE vApp must be deployed in the top-level resource pool under a vCenter cluster, otherwise you will see this error in the log. Please check.
Thank you.
-
Unable to access applications after installing CC 2015.
I installed CC 2015 and when I access applications, the spinning wheel on the right will not stop. Help?
https://helpx.adobe.com/creative-cloud/kb/creative-cloud-app-doesn't-open.html
Mylenium
-
No Internet access after connecting the Cisco VPN client
Hi Experts,
Please check the config below. The problem is that the VPN connects, but there is no Internet access
on the computer after the VPN connection.
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.255.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
 address-pool testpool
tunnel-group mphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
: end
ciscoasa#
Hello
Great. Try adding the below to make it work:
access-list vpn-nonat extended permit ip any 192.168.15.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
Harish
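An added example, not from the thread, built on the config posted above (ASA 8.0(2), pool testpool 192.168.14.240-250, inside 192.168.14.0/24). The posted config defines `dubai_splitTunnelAcl` but never attaches it to a group policy, so the tunnel group uses DfltGrpPolicy, whose default is `split-tunnel-policy tunnelall`: the client sends its Internet traffic into the tunnel and the ASA has no hairpin path for it. The group-policy name `mphone-gp` is an assumption. The other way to give tunnelall clients Internet access, hairpinning on the outside interface, is the approach Jouni describes further down this page.

```cisco
! Added example, not the poster's config. Group-policy name is an assumption;
! pool, ACL and subnet come from the posted config.
!
! Split tunneling: only 192.168.14.0/24 goes through the tunnel, everything
! else leaves the client's own uplink unprotected by the ASA. Only enable it
! for clients that are allowed to browse outside the corporate path.
group-policy mphone-gp internal
group-policy mphone-gp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dubai_splitTunnelAcl
!
! Bind the policy to the existing tunnel group.
tunnel-group mphone general-attributes
 address-pool testpool
 default-group-policy mphone-gp
!
! NAT exemption for LAN -> pool replies. The posted rule exempts "any" to the
! pool; narrowing the source to the inside subnet keeps PAT out of the tunnel
! without exempting more than necessary.
access-list INSIDE_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 192.168.14.240 255.255.255.240
nat (inside) 0 access-list INSIDE_nat0_outbound
```

Once connected, the client's Route Details should show only 192.168.14.0/24 as secured; anything else, including Internet destinations, is routed directly by the client. If policy requires all client traffic to pass the ASA, keep tunnelall and configure the hairpin (`same-security-traffic permit intra-interface` plus a `nat (outside) 1 <pool> <mask>` entry) instead.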
-
Responsibilities not visible to the user after cloning the Production instance
Hello
In my environment, a user is disabled in Production but has access in the DEV instance. When I clone Production onto the DEV instance and enable this user, he is not able to see the responsibilities which he is supposed to see.
I ran "Synchronize WF LOCAL tables", but the user is still not able to see the responsibilities.
Am I missing something?
Thank you
Hello
Have you tried bouncing Apache and seeing if it helps?
Please see the solutions suggested in the following threads/docs.
Responsibility is not
Re: Responsibility is not
Assignment of responsibility not visible when connecting through AppsLocalLogin.jsp
Re: Assignment of responsibilities not visible when connecting through AppsLocalLogin.jsp
Note: 388018.1 - Unable to see a responsibility in the navigator after the End Date has been removed
Note: 727638.1 - Unable to see responsibilities after the End Date is deleted on ATG RUP6
Note: 406892.1 - Missing or corrupt user role responsibilities
Note: 429852.1 - Reactivated user does not see responsibilities
Kind regards,
Hussein
-
Cisco ASA: reaching an IP address on the OUTSIDE from the remote access VPN
Hello
I tried to find resources on the net but could not find a solution, so I'm posting here. Maybe someone can help.
So the problem is that I'm trying to access a server in the cloud from remote access VPN (Cisco ASA 5510).
The server in the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) of the NY firewall (Cisco ASA 5510).
I added an ACE for this in the split-tunnel ACL of the VPN.
NY-fw# access-list vpn_remote-client standard permit host 54.54.54.54
And I see the route added on my client machine after the VPN connection, but it still cannot connect to this server.
From the INSIDE network I can connect to the server.
Thanks in advance.
Hello
This is most likely a NAT hairpin/U-turn problem.
We would need to see the configuration, or you would need to check it yourself.
I don't know what your ASA software version is, as that determines the format of the NAT configuration.
So far you have confirmed that the ASA VPN configuration provides the VPN client with the route to the remote server, so the traffic should be tunneled to the ASA.
Next, you will need to check the output of this command:
show run same-security-traffic
You should see this command in the output:
same-security-traffic permit intra-interface
If you do not, you will need to add it. The effect of this command is to allow traffic to enter an interface and exit through the same interface. In your case this applies to VPN client traffic to the remote server, as it enters through "outside" and exits through "outside".
Next, make sure dynamic PAT is configured for the VPN clients.
Software 8.2 (and below)
You most likely have a dynamic PAT configuration like this on the firewall, if running the above software levels:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
In this situation, if we wanted to add dynamic PAT for the VPN pool, we would add:
nat (outside) 1 <vpn pool network> <mask>
This would allow VPN users to use the same public IP address as LAN users when accessing the remote server.
Software 8.3 (and above)
Because the NAT configuration format is completely different in the newer software, you could probably just add a new NAT configuration without adding anything else:
object network VPN-PAT
 subnet <vpn pool network> <mask>
 nat (outside,outside) dynamic interface
Of course, it's possible that there is some NAT configuration already on the device that could cause problems for this configuration. If this does not work then we would have to look at the actual configuration on the ASA.
Hope this helps
Let me know how it goes
-Jouni
-
Dear All/Admin/Tech,
After the upgrade to Firefox 10.0, staff of my company in Indonesia cannot access our company's web SSL gateway and therefore cannot log on to our web database program. In my tests in Singapore (with the same ISP fibre broadband), I have the same problem.
Both Chrome and IE have no problem, but Firefox stops on the error "The connection was reset".
Is Firefox now super sensitive to the website's redirects, not allowing some ports, or is there some problem in which Firefox rejects the web page or program?
So far that seems to happen only on Firefox 10.0 and our SSL https web portal. It is fine on all other browsers.
Help, please.
Thank you and best regards,
Joel Li
I also have problems with FF 10 and Fortinet VPN.
This helped me a little... http://social.technet.Microsoft.com/forums/en-us/w7itprosecurity/thread/e6e8ada8-BC12-4f6f-8de3-1d3fd2ff4931
The problem seems to be in the Microsoft Security Update KB2585542, which fixes TLS and SSL. Apparently some websites that use SSL do not work properly because of this.
I had to disable security update KB2585542, then downgrade to FF 9.0.1.
BUT I don't want to remain unpatched and with an older version of FF. Is there a way around this problem without downgrading?
EDIT: Just to be clear, even after I disabled the MS patch I kept getting "The connection was reset" in FF10. Everything worked great until I upgraded to FF10, even with the patch on.
-
I'm unable to install Adobe software licenses after logging in. It says it does not recognize my username after login.
Yes, and?