VPN - cannot ping the next hop
Looking for some advice... I have configured a VPN server (PPTP) on my router to create a VPN for the customer at the site. At the moment the client computer can connect and establishes a connection to the router. I can ping the router (192.168.5.1) from the client, but I cannot ping 192.168.5.2 (the switch) or 192.168.10.x (the workstations).
What I am trying to achieve is access to the internal network (192.168.10.x), which is behind the layer 3 switch. Any help/extra eyes would be good.
Here is my design of the network and the config below:
Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)
Router Cisco 881
aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
!
vpdn-group PPTP
!
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface FastEthernet0
 description link to switch
 switchport access vlan 5
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 70
 no ip address
!
interface FastEthernet4
 description INTERNET WAN PORT
 ip address [IP EXTERNAL address]
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map VPN1
!
interface Vlan1
 no ip address
!
interface Vlan5
 description $ES_LAN$
 ip address 192.168.5.1 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan70
 ip address [IP EXTERNAL address]
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
!
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 encapsulation ppp
 peer default ip address pool defaultpool
 ppp authentication ms-chap
!
ip local pool defaultpool 192.168.10.200 192.168.10.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list NO-NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]
ip route 192.168.0.0 255.255.0.0 192.168.5.2
!
ip access-list extended NO-NAT
 deny   ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VLAN70
 permit ip [IP EXTERNAL] 0.0.0.15 192.168.10.0 0.0.1.255
 permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp
 permit tcp [IP EXTERNAL] 0.0.0.15 any eq www
 permit tcp [IP EXTERNAL] 0.0.0.15 any eq 443
 permit tcp [IP EXTERNAL] 0.0.0.15 any eq domain
 permit udp [IP EXTERNAL] 0.0.0.15 any eq domain
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.1.255 10.1.0.0 0.0.1.255
 permit ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255
ip access-list extended WAN
!
Layer 3 switch - Dell Powerconnect 6224
!
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1
interface vlan 5
name "to connect to the Cisco router"
routing
ip address 192.168.5.2 255.255.255.248
exit
!
interface vlan 10
name "internal network"
routing
ip address 192.168.10.1 255.255.255.0
exit
!
interface ethernet 1/g12
switchport mode access
switchport access vlan 5
exit
!
interface ethernet 1/g29
switchport mode access
switchport access vlan 10
exit
!
Hi Samuel,
I went through your configuration and picked up a few problematic lines...
First of all, you can't have your VPN pool in the 192.168.10.x/24 range, because you already use this subnet behind the switch (this would only be possible if you had the 192.168.10.x range connected directly to the router). In addition, you may not bind your virtual template to the WAN IP address; it must be bound to an interface with a subnet that includes your VPN pool range.
The cleaner way to do this is:
Create a new loopback interface with a new subnet,
!
interface Loopback0
 ip address 192.168.99.1 255.255.255.0
!
Set up a new VPN pool,
!
ip local pool defaultpool 192.168.99.200 192.168.99.210
!
Change your template to point to the new loopback interface,
!
interface Virtual-Template1
 ip unnumbered Loopback0
 encapsulation ppp
 peer default ip address pool defaultpool
 ppp authentication ms-chap
!
All VPN clients will get an IP address in the 192.168.99.200 to 192.168.99.210 range, and they will be able to reach the router and then the desired 192.168.10.x/24 range behind it. Packets get to the switch, then to the host. The host will respond through its gateway (switch) -> router -> client.
PS: Before, even if your packets arrived at the host, the host would never try to send the response packets back through the gateway (switch), because from its (the host's) point of view the packet came from the same local network, so the host would simply try to ARP for the sender's MAC and eventually time out.
I hope this helps.
Please don't forget to rate useful posts.
Shamal
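The two conditions in the answer above (the pool must not overlap a subnet that lives behind another hop, and the interface the virtual-template is unnumbered to must own a subnet containing the pool) can be checked mechanically before a VPN pool is committed. The following script is an added example and is not code from the thread or from Cisco: it uses the subnets quoted in the question and the answer, the WAN address is a placeholder (the page only shows `[IP EXTERNAL]`), and the function names are this example's own.

```python
"""Sanity-check a PPTP/VPN address pool against a router's connected subnets
and the networks routed behind a downstream L3 switch (added example).

Check 1: a pool address inside a subnet that is reached via another hop
         makes hosts there believe the VPN client is on their own segment;
         they ARP for it instead of replying through their gateway.
Check 2: the interface named in 'ip unnumbered' must own a subnet that
         contains the pool, so the router has a connected route for clients.
"""
import ipaddress
from typing import Dict, List


def pool_addresses(start: str, end: str) -> List[ipaddress.IPv4Address]:
    """Expand an 'ip local pool NAME START END' range into addresses."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]


def check_vpn_pool(pool_start: str, pool_end: str, unnumbered_subnet: str,
                   remote_subnets: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the pool is sane.

    unnumbered_subnet: address/mask of the interface used by 'ip unnumbered'.
    remote_subnets:    {subnet: next_hop} for networks NOT directly connected
                       to the router (e.g. the LAN behind the L3 switch).
    """
    problems: List[str] = []
    addresses = pool_addresses(pool_start, pool_end)
    unnumbered = ipaddress.IPv4Network(unnumbered_subnet, strict=False)

    # Check 1: pool must not overlap a network that lives behind another hop.
    for subnet, next_hop in remote_subnets.items():
        net = ipaddress.IPv4Network(subnet, strict=False)
        clashing = [str(a) for a in addresses if a in net]
        if clashing:
            problems.append(
                f"pool addresses {clashing[0]}..{clashing[-1]} overlap {net}, "
                f"which is routed via {next_hop}; hosts there will ARP for the "
                f"VPN client instead of replying through their gateway")

    # Check 2: the unnumbered interface's subnet must contain the whole pool.
    outside_pool = [str(a) for a in addresses if a not in unnumbered]
    if outside_pool:
        problems.append(
            f"{len(outside_pool)} pool address(es) lie outside {unnumbered}, "
            f"the subnet of the interface the virtual-template is unnumbered to")
    return problems


# Values constructed from the thread: the original layout and Shamal's fix.
BEHIND_SWITCH = {"192.168.10.0/24": "192.168.5.2"}   # LAN behind the Dell switch
ORIGINAL = check_vpn_pool("192.168.10.200", "192.168.10.210",
                          "203.0.113.1/29",   # placeholder for the WAN [IP EXTERNAL] address
                          BEHIND_SWITCH)
FIXED = check_vpn_pool("192.168.99.200", "192.168.99.210",
                       "192.168.99.1/24",    # Loopback0 from the answer
                       BEHIND_SWITCH)

if __name__ == "__main__":
    for label, result in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label}: {'OK' if not result else ''}")
        for problem in result:
            print("  -", problem)
```

Run as-is, the original layout reports both problems (the pool sits inside 192.168.10.0/24 behind the switch, and none of it belongs to the WAN subnet), while the loopback-based layout from the answer reports none.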
Tags: Cisco Security
Similar Questions
-
ASA 5505 split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).
When a user connected to the old device on 8.3(1) they could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16
but now they can't, and in the logs I see just
6 Oct 31 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
Any tips? I have tried almost everything. The running configuration is:
: Saved
:
ASA Version 8.4(3)
!
hostname asa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.60.70.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 80.90.98.217 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.33.0.0_16
 subnet 10.33.0.0 255.255.0.0
object network NETWORK_OBJ_10.60.0.0_16
 subnet 10.60.0.0 255.255.0.0
object network NETWORK_OBJ_10.89.0.0_16
 subnet 10.89.0.0 255.255.0.0
object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object network tetPC
 host 10.60.10.1
 description test
object network NETWORK_OBJ_10.60.30.0_24
 subnet 10.60.30.0 255.255.255.0
object network NETWORK_OBJ_10.60.30.64_26
 subnet 10.60.30.64 255.255.255.192
object network SSH_server
 host 10.60.20.6
object network SSH_public
object network ftp_public
 host 80.90.98.218
object network rdp
 host 10.60.10.4
object network ftp_server
 host 10.60.20.2
object network ssh_public
 host 80.90.98.218
object service FTP
 service tcp destination eq 12
object network NETWORK_OBJ_10.60.20.3
 host 10.60.20.3
object network NETWORK_OBJ_10.60.40.192_26
 subnet 10.60.40.192 255.255.255.192
object network NETWORK_OBJ_10.60.10.10
 host 10.60.10.10
object network NETWORK_OBJ_10.60.20.2
 host 10.60.20.2
object network NETWORK_OBJ_10.60.20.21
 host 10.60.20.21
object network NETWORK_OBJ_10.60.20.4
 host 10.60.20.4
object network NETWORK_OBJ_10.60.20.5
 host 10.60.20.5
object network NETWORK_OBJ_10.60.20.6
 host 10.60.20.6
object network NETWORK_OBJ_10.60.20.7
 host 10.60.20.7
object network NETWORK_OBJ_10.60.20.29
 host 10.60.20.29
object service port_tomcat
 service tcp source range 8080 8082
object network TBSF
 subnet 172.16.252.0 255.255.255.0
object network MailServer
 host 10.33.10.2
 description Mail server
object service HTTPS
 service tcp source eq https
object network test
object network access_web_mail
 host 10.60.50.251
object network downtown_Interface_host
 host 10.60.50.1
 description Downtown Interface host
object service Oracle_port
 service tcp source eq sqlnet
object network NETWORK_OBJ_10.60.50.248_29
 subnet 10.60.50.248 255.255.255.248
object network NETWORK_OBJ_10.60.50.1
 host 10.60.50.1
object network NETWORK_OBJ_10.60.50.0_28
 subnet 10.60.50.0 255.255.255.240
object network brisel
 subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.191.191.0_24
 subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.60.60.0_24
 subnet 10.60.60.0 255.255.255.0
object-group service TCS_Service_Group
 description This group of services offered is for the CLD's clients
 service-object object port_tomcat
object-group service HTTPS_ACCESS tcp
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.0.0 255.255.0.0
 network-object 10.33.0.0 255.255.0.0
 network-object 10.60.0.0 255.255.0.0
 network-object 10.89.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
access-list OAKDCAcl remark backoffice
access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
access-list OAKDCAcl remark maint
access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
access-list osgd standard permit host 10.60.20.4
access-list osgd standard permit host 10.60.20.5
access-list osgd standard permit host 10.60.20.7
access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
access-list webMailACL standard permit host 10.33.10.2
access-list HBSC standard permit host 10.60.30.107
access-list HBSC standard deny 10.33.0.0 255.255.0.0
access-list HBSC standard deny 10.89.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
ip local pool test 10.60.50.1 mask 255.255.255.255
ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name ThreatDetection attack action alarm
ip audit interface inside ThreatDetection
ip audit interface outside ThreatDetection
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo outside
asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
nat (inside,outside) source static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 destination static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 service any port_tomcat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
nat (inside,outside) source static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29 destination static MailServer MailServer
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
nat (inside,outside) source static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24 destination static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.60.10.10 255.255.255.255 inside
http 10.33.30.33 255.255.255.255 inside
http 10.60.30.33 255.255.255.255 inside
snmp-server host inside 10.33.30.108 community ***** version 2c
snmp-server host inside 10.89.70.30 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 84.51.31.173
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 98.85.125.2
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 220.79.236.146
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 159.146.232.122
crypto map outside_map 4 set ikev1 transform-set lux_trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet 10.60.10.10 255.255.255.255 inside
telnet 10.60.10.1 255.255.255.255 inside
telnet 10.60.10.5 255.255.255.255 inside
telnet 10.60.30.33 255.255.255.255 inside
telnet 10.33.30.33 255.255.255.255 inside
telnet timeout 30
ssh 10.60.10.5 255.255.255.255 inside
ssh 10.60.10.10 255.255.255.255 inside
ssh 10.60.10.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 155.2.10.20 155.2.10.50 interface inside
dhcpd auto_config outside interface inside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 10.60.10.10 configs/config1
webvpn
group-policy testTG internal
group-policy testTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol l2tp-ipsec
group-policy TcsTG internal
group-policy TcsTG attributes
 vpn-idle-timeout 20
 vpn-session-timeout 120
 vpn-tunnel-protocol ikev1
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testOAK_splitTunnelAcl
 address-pools value TCS_pool
group-policy downtown_interfaceTG internal
group-policy downtown_interfaceTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value downtown_splitTunnelAcl
group-policy HBSCTG internal
group-policy HBSCTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HBSC
group-policy OSGD internal
group-policy OSGD attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 group-lock value OSGD
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testOAK_splitTunnelAcl
group-policy OAKDC internal
group-policy OAKDC attributes
 vpn-tunnel-protocol ikev1
 group-lock value OAKDC
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAKDCAcl
 intercept-dhcp 255.255.0.0 disable
 address-pools value OAKPRD_pool
group-policy mailTG internal
group-policy mailTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value webMailACL
group-policy OAK-remote internal
group-policy OAK-remote attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAK-remote_splitTunnelAcl
 vpn-group-policy OAKDC
 service-type nas-prompt
tunnel-group DefaultRAGroup general-attributes
 address-pool OAKPRD_pool
 address-pool ipad
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 84.51.31.173 type ipsec-l2l
tunnel-group 84.51.31.173 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 98.85.125.2 type ipsec-l2l
tunnel-group 98.85.125.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 220.79.236.146 type ipsec-l2l
tunnel-group 220.79.236.146 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OAKDC type remote-access
tunnel-group OAKDC general-attributes
 address-pool OAKPRD_pool
 default-group-policy OAKDC
tunnel-group OAKDC ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group TcsTG type remote-access
tunnel-group TcsTG general-attributes
 address-pool TCS_pool
 default-group-policy TcsTG
tunnel-group TcsTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group downtown_interfaceTG type remote-access
tunnel-group downtown_interfaceTG general-attributes
 address-pool test
 default-group-policy downtown_interfaceTG
tunnel-group downtown_interfaceTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group TunnelGroup1 type remote-access
tunnel-group mailTG type remote-access
tunnel-group mailTG general-attributes
 address-pool mail_sddress_pool
 default-group-policy mailTG
tunnel-group mailTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group testTG type remote-access
tunnel-group testTG general-attributes
 address-pool mail_sddress_pool
 default-group-policy testTG
tunnel-group testTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OSGD type remote-access
tunnel-group OSGD general-attributes
 address-pool OSGD_POOL
 default-group-policy OSGD
tunnel-group OSGD ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HBSCTG type remote-access
tunnel-group HBSCTG general-attributes
 address-pool OSGD_POOL
 default-group-policy HBSCTG
tunnel-group HBSCTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 159.146.232.122 type ipsec-l2l
tunnel-group 159.146.232.122 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OAK-remote type remote-access
tunnel-group OAK-remote general-attributes
 address-pool OAK_pool
 default-group-policy OAK-remote
tunnel-group OAK-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
asdm history enable
Hi David,
I see that you have:
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
So, please make the following changes:
object network obj-10.60.30.0
 subnet 10.60.30.0 255.255.255.0
!
route outside 10.60.30.0 255.255.255.0 80.90.98.222
route outside 10.89.0.0 255.255.0.0 80.90.98.222
nat (outside,outside) 1 source static obj-10.60.30.0 obj-10.60.30.0 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 no-proxy-arp route-lookup
HTH
Portu.
Please rate all useful posts
Post edited by: Javier Portuguez
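The 110003 syslog in the question already names the egress interface the firewall selected for the flow (`inside`) and the destination it then failed to route through that interface (10.89.30.41); the fix above adds explicit routes and a NAT rule carrying `route-lookup`. The script below is an added example, not code from the thread or from Cisco: it models only the route-table step as a longest-prefix match restricted to one egress interface, with the egress passed in as a parameter rather than derived from the NAT rules, using the route and interface lines quoted in the thread. Function and class names are this example's own.

```python
"""Model the ASA routing step behind syslog 110003
'Routing failed to locate next hop ... to inside:10.89.30.41/0' (added example).

A route table is built from 'route <iface> <net> <mask> <gw>' lines plus the
connected subnets of interfaces ('nameif' followed by 'ip address'), then a
longest-prefix match is performed against only those routes whose interface
matches the egress the firewall has chosen.  No match is the 110003 condition.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network
    next_hop: Optional[str]           # None marks a connected route


def parse_routes(config: str) -> List[Route]:
    """Extract static and connected routes from ASA-style config text."""
    routes: List[Route] = []
    nameif: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            routes.append(Route(nameif, net, None))
            nameif = None
        elif line.startswith("route "):
            parts = line.split()            # route IFACE NET MASK GW [metric] ...
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}")
            routes.append(Route(parts[1], net, parts[4]))
    return routes


def lookup(routes: List[Route], dst: str, egress: str) -> Optional[Route]:
    """Longest-prefix match for dst, considering only routes via `egress`."""
    target = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if r.interface == egress and target in r.network]
    if not candidates:
        return None                         # -> 'failed to locate next hop'
    return max(candidates, key=lambda r: r.network.prefixlen)


def diagnose(config: str, dst: str, egress: str) -> str:
    """One-line verdict in the spirit of the 110003 message."""
    route = lookup(parse_routes(config), dst, egress)
    if route is None:
        return f"no route to {dst} via {egress}: Routing failed to locate next hop"
    return f"{dst} via {egress} -> {route.network} next hop {route.next_hop or 'connected'}"


# Interface and route lines constructed from the question's running config.
ORIGINAL_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.60.70.1 255.255.0.0
interface Vlan2
 nameif outside
 ip address 80.90.98.217 255.255.255.248
route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
"""

# The same table with the two routes Portu asked to add.
FIXED_CONFIG = ORIGINAL_CONFIG + """
route outside 10.60.30.0 255.255.255.0 80.90.98.222
route outside 10.89.0.0 255.255.0.0 80.90.98.222
"""

if __name__ == "__main__":
    print(diagnose(ORIGINAL_CONFIG, "10.89.30.41", "inside"))    # the failing case
    print(diagnose(ORIGINAL_CONFIG, "10.89.30.41", "outside"))   # default route only
    print(diagnose(FIXED_CONFIG, "10.89.30.41", "outside"))      # specific /16 route
```

The first call reproduces the syslog condition: 10.89.30.41 is not inside the connected 10.60.0.0/16, and there is no other route through `inside`. The other two show the difference Portu's routes make once the flow is steered out `outside`: the default route would already carry it, but the specific 10.89.0.0/16 entry wins on prefix length and makes the intent explicit.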
-
Cannot locate the next hop - ASA 5505 VPN routing L2L
We have a 5505 (soon to be replaced by two 5515-X) firewall with two L2L VPNs.
We're trying to allow traffic from one remote site to flow through to the other remote site, but the syslog shows:
10.5.25.4 1 172.16.10.10 0 Routing failed to locate next hop for ICMP from outside:10.5.25.4/1 to inside:172.16.10.10/0
Config is below:
:
ASA Version 8.4(3)
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 10.5.19.254 255.255.255.0
!
interface Vlan2
 description WIMAX Interface
 nameif outside
 security-level 0
 ip address x.247.x.18 255.255.255.248
!
ftp mode passive
clock timezone GMT 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network guestwifi
 subnet 10.1.110.0 255.255.255.0
object network NETWORK_OBJ_10.5.19.0_24
 subnet 10.5.19.0 255.255.255.0
object network NETWORK_OBJ_10.5.31.0_24
 subnet 10.5.31.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
object network DS365-Cloud
 subnet 172.16.10.0 255.255.255.0
 description DS365-Cloud
object network inside-network-16
 subnet 10.5.0.0 255.255.0.0
object network atanta
 subnet 10.5.16.0 255.255.255.0
 description Atanta
object network guest_dyn_nat
 subnet 10.5.29.0 255.255.255.0
object network NETWORK_OBJ_172.16.254.0_25
 subnet 172.16.254.0 255.255.255.128
object network NETWORK_OBJ_10.5.16.0_20
 subnet 10.5.16.0 255.255.240.0
object network NETWORK_OBJ_10.5.16.0_26
 subnet 10.5.16.0 255.255.255.192
object network LDAP_DC7
 host 10.5.21.1
 description LDAP
object network c2si
 range 10.5.21.180 10.5.21.200
object network NETWORK_OBJ_10.5.25.0_24
 subnet 10.5.25.0 255.255.255.0
object-group network rfc1918
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.255.240.0
 network-object 10.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object 10.5.19.0 255.255.255.0
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.22.0 255.255.255.0
 network-object 10.5.30.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
object-group network Sure_Signal
 network-object x.183.x.128 255.255.255.192
 network-object host x.183.133.177
 network-object host x.183.133.178
 network-object host x.183.133.179
 network-object host x.183.133.181
 network-object host x.183.133.182
object-group network LDAP_source_networks
 network-object 135.196.24.192 255.255.255.240
 network-object 195.130.x.0 255.255.255.0
 network-object x.2.3.128 255.255.255.192
 network-object 213.235.63.64 255.255.255.192
 network-object 91.220.42.0 255.255.255.0
 network-object 94.x.240.0 255.255.255.0
 network-object 94.x.x.0 255.255.255.0
object-group network c2si_Allow
 network-object host 10.5.16.1
 network-object host 10.5.21.1
 network-object object c2si
object-group network DM_INLINE_NETWORK_2
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.21.0 255.255.255.0
 network-object 10.5.22.0 255.255.255.0
 network-object 10.5.29.0 255.255.255.0
 network-object object NETWORK_OBJ_10.5.19.0_24
object-group network DM_INLINE_NETWORK_3
 network-object 10.5.19.0 255.255.255.0
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.21.0 255.255.255.0
 network-object 10.5.22.0 255.255.255.0
 network-object object atanta
object-group network DM_INLINE_NETWORK_4
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.21.0 255.255.255.0
 network-object 10.5.22.0 255.255.255.0
 network-object 10.5.23.0 255.255.255.0
 network-object 10.5.30.0 255.255.255.0
 network-object object NETWORK_OBJ_10.5.19.0_24
 network-object object atanta
 network-object object DS365-Cloud
access-list inside_access_in extended permit tcp any object-group Sure_Signal eq 50
access-list inside_access_in extended permit tcp any object-group Sure_Signal eq pptp
access-list inside_access_in extended permit gre any object-group Sure_Signal
access-list inside_access_in extended permit udp any object-group Sure_Signal eq ntp
access-list inside_access_in extended permit icmp any object-group Sure_Signal echo
access-list inside_access_in extended permit udp any object-group Sure_Signal eq 50
access-list inside_access_in extended permit udp any object-group Sure_Signal eq 4500
access-list inside_access_in extended permit udp any object-group Sure_Signal eq isakmp
access-list inside_access_in extended permit ip any any
access-list clientvpn extended permit ip 10.5.0.0 255.255.0.0 10.5.30.0 255.255.255.0
access-list BerkeleyAdmin-clientvpn extended permit ip 10.5.0.0 255.255.0.0 10.5.30.0 255.255.255.0
access-list BerkeleyUser-clientvpn extended permit ip 10.5.21.0 255.255.255.0 10.5.30.0 255.255.255.0
access-list outside_cryptomap extended permit ip object inside-network-16 10.5.25.0 255.255.255.0
access-list guest_access_in extended permit ip 10.5.29.0 255.255.255.0 any
access-list state_bypass extended permit tcp 192.168.100.0 255.255.255.0 10.5.30.0 255.255.255.0 connect
access-list state_bypass extended permit tcp 10.5.30.0 255.255.255.0 192.168.100.0 255.255.255.0 connect
access-list state_bypass extended permit tcp 10.5.29.0 255.255.255.0 10.5.30.0 255.255.255.0 connect
access-list state_bypass extended permit tcp 10.5.30.0 255.255.255.0 10.5.29.0 255.255.255.0 connect
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip 10.5.16.0 255.255.240.0 10.5.16.0 255.255.255.192
access-list global_access extended permit tcp object-group LDAP_source_networks host 10.5.21.1 eq ldap
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_4 10.5.25.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool clientvpn 10.5.30.1-10.5.30.100
ip local pool VPN_IP_Pool 172.16.254.1-172.16.254.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static rfc1918 rfc1918 destination static rfc1918 rfc1918
nat (inside,outside) source static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 destination static NETWORK_OBJ_10.5.31.0_24 NETWORK_OBJ_10.5.31.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 destination static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static inside-network-16 inside-network-16 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_20 destination static NETWORK_OBJ_10.5.16.0_26 NETWORK_OBJ_10.5.16.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static c2si_Allow c2si_Allow destination static NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static atanta atanta destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DS365-Cloud DS365-Cloud destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static inside-network-16 inside-network-16 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network LDAP_DC7
 nat (inside,outside) static 194.247.x.19 service tcp ldap ldap
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
!
Router eigrp 143
No Auto-resume
Network 10.5.19.0 255.255.255.0
<--- more="" ---="">
Network 10.5.29.0 255.255.255.0
Network 10.5.30.0 255.255.255.0
redistribute static
!
Route outside 0.0.0.0 0.0.0.0 194.247.x.17 1 track 1
Route inside 10.5.16.0 255.255.255.0 10.5.19.252 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
RADIUS protocol for AAA-server group
AAA (inside) 10.5.21.1 host server group
key *.
AAA (inside) 10.5.16.1 host server group
key *.
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
<--- more="" ---="">
http 192.168.1.0 255.255.255.0 inside
http 10.5.16.0 255.255.240.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Sysopt connection tcpmss 1350
SLA 1 monitor
type echo protocol ipIcmpEcho 8.8.4.4 outside interface
SLA monitor Appendix 1 point of life to always start-time now
Crypto ipsec transform-set ikev1 strong-comp esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set strong aes-256-esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec ikev2 strong ipsec proposal
Protocol esp encryption aes-256
Esp integrity sha-1 protocol
<--- more="" ---="">
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256--->--->--->
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto-map dynamic dyn1 1 set transform-set ikev1 strong
1 correspondence address outside_cryptomap_1 outside crypto map
crypto card outside pfs set 1
1 set 83.x.172.68 counterpart outside crypto map
Crypto card outside 1 set transform-set ESP-AES-256-SHA ikev1
1 set ikev2 AES256 ipsec-proposal outside crypto map
card crypto off game 2 address outside_cryptomap_3
map external crypto 2 peers set 23.100.x.177
card external crypto 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
<--- more="" ---="">
map external crypto 2 set AES256 AES192 AES strong proposal ipsec ikev2
Crypto card outside 2 kilobytes of life of security association set 102400000--->
card crypto outside match 3 address outside_cryptomap_2
3 set pfs outside crypto map
map external crypto 3 peers set 91.x.3.39
crypto card outside ikev1 set 3 transform-set ESP-3DES-SHA
map external crypto 3 3DES ipsec-ikev2 set proposal
dynamic outdoor 100 dyn1 ipsec-isakmp crypto map
card crypto outside interface outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
IKEv1 crypto policy 2
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
track 1 rtr 1 accessibility
Telnet 10.5.16.0 255.255.240.0 inside
Telnet timeout 5
SSH 83.x.x.90 255.255.255.255 outside
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcprelay Server 10.5.21.1 on the inside
time-out of 60 dhcprelay
a basic threat threat detection
statistical threat detection port
<--- more="" ---="">
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP 10.5.19.253 Server prefer
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy_c2si group strategy
attributes of Group Policy GroupPolicy_c2si
WINS server no
value of 10.5.16.1 DNS server 10.5.21.1
client ssl-VPN-tunnel-Protocol
by default no
internal GroupPolicy_91.x.3.39 group strategy
attributes of Group Policy GroupPolicy_91.x.3.39
VPN-tunnel-Protocol ikev1, ikev2
internal GroupPolicy_83.x.172.68 group strategy
attributes of Group Policy GroupPolicy_83.x.172.68
VPN-tunnel-Protocol ikev1, ikev2
<--- more="" ---="">
internal GroupPolicy_23.100.x.177 group strategy
attributes of Group Policy GroupPolicy_23.100.x.177
VPN-tunnel-Protocol ikev1, ikev2
internal GroupPolicy_user group strategy--->--->
attributes of Group Policy GroupPolicy_user
WINS server no
value of 10.5.21.1 DNS server 10.5.16.1
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value BerkeleyAdmin-clientvpn
myberkeley.local value by default-field
internal GroupPolicy_23.101.x.122 group strategy
attributes of Group Policy GroupPolicy_23.101.x.122
VPN-tunnel-Protocol ikev1, ikev2
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
VPN-tunnel-Protocol ikev1, ikev2
internal BerkeleyUser group strategy
attributes of Group Policy BerkeleyUser
value of 10.5.21.1 DNS server 10.5.16.1
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value BerkeleyUser-clientvpn
myberkeley.local value by default-field
internal DS365 group policy
<--- more="" ---="">
DS365 group policy attributes
VPN-idle-timeout no
VPN-filter no
IPv6-vpn-filter no
VPN-tunnel-Protocol ikev1, ikev2
internal BerkeleyAdmin group strategy
attributes of Group Policy BerkeleyAdmin
value of 10.5.21.1 DNS server 10.5.16.1
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value BerkeleyAdmin-clientvpn
myberkeley.local value by default-field
acsadmin encrypted V6hUzNl366K37eiV privilege 15 password username
atlanta uxelpvEvM3I7tw.Z encrypted privilege 15 password username
username of berkeley Kj.RBvUp5dtyLw5T encrypted password
type tunnel-group BerkeleyUser remote access
attributes global-tunnel-group BerkeleyUser
address clientvpn pool
authentication-server-group
Group Policy - by default-BerkeleyUser
IPSec-attributes tunnel-group BerkeleyUser
IKEv1 pre-shared-key *.--->
type tunnel-group BerkeleyAdmin remote access
attributes global-tunnel-group BerkeleyAdmin
address clientvpn pool
<--- more="" ---="">
authentication-server-group
Group Policy - by default-BerkeleyAdmin
IPSec-attributes tunnel-group BerkeleyAdmin
IKEv1 pre-shared-key *.
type tunnel-group user remote access
tunnel-group user General attributes
address pool VPN_IP_Pool
authentication-server-group
Group Policy - by default-GroupPolicy_user
tunnel-group user webvpn-attributes
enable-alias of user group
type tunnel-group c2si remote access
tunnel-group c2si-global attributes
address pool VPN_IP_Pool
authentication-server-group
Group Policy - by default-GroupPolicy_c2si
tunnel-group c2si webvpn-attributes
Group-alias c2si enable
tunnel-group 83.x.172.68 type ipsec-l2l
tunnel-group 83.x.172.68 General-attributes
Group - default policy - GroupPolicy_83.x.172.68
83.x.172.68 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
<--- more="" ---="">
pre-shared-key authentication local IKEv2 *.
tunnel-group 23.101.x.122 type ipsec-l2l
tunnel-group 23.101.x.122 General-attributes
Group - default policy - GroupPolicy_23.101.x.122
23.101.x.122 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
tunnel-group 91.x.3.39 type ipsec-l2l
tunnel-group 91.x.3.39 general-attributes
Group - default policy - GroupPolicy_91.x.3.39
91.x.3.39 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
tunnel-group 23.100.x.177 type ipsec-l2l
tunnel-group 23.100.x.177 General-attributes
Group - default policy - GroupPolicy_23.100.63.177
23.100.x.177 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
class-map state_bypass
corresponds to the state_bypass access list
Policy-map state_bypass_policy
class state_bypass
set the advanced options of the tcp-State-bypass connection
!
service-policy state_bypass_policy to the inside interface
context of prompt hostname
anonymous reporting remote call--->--->
Cryptochecksum:bbc6f2ec2db9b09a1b6eb90270ddfeea
: end
PTB-ch-asa5505 #.
Ah OK, I see now.
Your crypto map for the DS365 cloud is:
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
so that covers the interesting traffic.
However, your NAT statement is:
nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
Network 10.5.25.0 is remote, so it will actually appear to be an "outside" network, so I think you need this statement to begin "nat (outside,outside)".
-
S2S VPN - cannot get the tunnel up
I can't bring up a site-to-site VPN because of a configuration error that I can't find.
The topology is Server1 <> ASA-1 <> Hub <> ASA-2 <> Server2
When I launch a ping from Server1 to Server2 to try to bring the tunnel up, I get the following error:
%ASA-6-110002: Failed to locate egress interface for ICMP from inside:192.168.100.2/2655 to 192.168.200.2/0
No matter which side I ping from, I get the error on both ASAs. Here is the config of the two ASAs, thanks for any help.
!
hostname ASA-1
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 80.1.1.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
object network PC_LAN
 subnet 192.168.100.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.200.0 255.255.255.0
access-list ACL-OUTSIDE-PING extended permit icmp any any
access-list LAB_S2S_VPN extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
access-list LAB_S2S_VPN extended permit icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
pager lines 24
logging enable
logging buffer-size 6000
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
arp timeout 14400
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static PC_LAN PC_LAN
access-group ACL-OUTSIDE-PING in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN
crypto map VPN_CRYPTO_MAP 1 set peer 80.1.1.2
crypto map VPN_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map VPN_CRYPTO_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 80.1.1.2 type ipsec-l2l
tunnel-group 80.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****

hostname ASA-2
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 80.1.1.2 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network PC_LAN
 subnet 192.168.200.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.100.0 255.255.255.0
access-list ACL-OUTSIDE-PING extended permit icmp any any
access-list LAB_S2S_VPN extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 log
access-list LAB_S2S_VPN extended permit icmp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 log
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static PC_LAN PC_LAN destination static REMOTE_LAN REMOTE_LAN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN
crypto map VPN_CRYPTO_MAP 1 set peer 80.1.1.1
crypto map VPN_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map VPN_CRYPTO_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 80.1.1.1 type ipsec-l2l
tunnel-group 80.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
You don't have a route to 192.168.200.2, so it was not able to locate the next hop for the tunnel traffic.
Adding these static routes causes all traffic to be sent to the internet default gateway, including VPN and non-VPN traffic.
So adding a route for 192.168.200.0 pointing to 80.1.1.X gave the same results.
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
-
ASA-6-110003: Routing failed to locate next hop
Hello
I have a problem with our ASA firewall. I have a firewall that has inside, outside and DMZ interfaces. I have VPN clients that connect correctly and can access the internal network. However, the profiles that I have configured to connect via VPN to the DMZ network fail with the following messages.
ASA-6-110003: Routing failed to locate next hop
&
ASA-6-302014: Teardown TCP connection... No valid adjacency
I have connections to the DMZ that aren't VPN, via the inside and outside interfaces, without problem.
The routing table has a route to this network and I have a NAT in place - I'm quite puzzled by this.
Thank you
Ed
Hello Ed,
Well, the NAT seems good, but can you do the following for me please:
object network DMZ_subnet
 subnet 10.1.213.0 255.255.255.0
object network VPN_Subnet
 subnet x.x.x.x 255.255.x.x
nat (dmz-2,outside) source static DMZ_subnet DMZ_subnet destination static VPN_Subnet VPN_Subnet
Kind regards
Julio
-
AnyConnect VPN peers cannot ping or RDP to each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up, and remote access users are able to connect and access network resources. I can ping the VPN peers from the remote LAN. My problem is that VPN peers cannot ping (or RDP, etc.) each other. Pinging one VPN peer from another reveals the following error in the ASA log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Here's my ASA running-config:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.128
 domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network RAVPN
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
!
object network obj_any
 nat (inside,outside) dynamic interface
object network RAVPN
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair billvpnkey
 proxy-ldc-issuer
 crl configure
crypto ca server
 cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
 issuer-name CN=ciscoasa
 smtp from-address [email protected]
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    <hidden>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 10bdec50
    <hidden>
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
 svc enable
 tunnel-group-list enable
 internal-password enable
 smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.128
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value dental.local
 webvpn
  svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 192.168.1.128
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value dental.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.128
 vpn-simultaneous-logins 4
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value RAVPN
 split-tunnel-network-list value Local_LAN_Access
 default-domain value dental.local
 webvpn
  url-list value DentalMarks
  svc modules value vpngina
  svc profiles value dellstudio type user
  svc ask enable default webvpn
  smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  svc modules none
  svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
 group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
 pre-shared-key *****
tunnel-group RAVPN ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
 group-alias WebSSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hello
It seems to me that you could clean up the current NAT configuration a bit and make it a little clearer.
I suggest the following changes
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
object network LAN
 subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should allow
- Dynamic PAT for LAN and VPN users
- NAT0 for traffic between the VPN and the LAN
- NAT0 for traffic between the VPN users
You can then delete the previous NAT configurations. Naturally, save the configuration before you make the change, in case you want to revert to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In case you do not want to change the settings a lot, you might be fine by just adding this
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other configuration changes above would make the NAT configuration simpler and clearer, so that the purpose of every "nat" line is easy to see.
-Jouni
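Both NAT answers in this thread (the one above that says the remote 10.5.25.0 network "appears outside" and needs nat (outside,outside), and Jouni's (outside,outside) identity rule for the VPN pool) come down to the same check: a NAT rule can only apply to a flow if its interface pair fits the interfaces the flow actually enters and leaves on. The following Python script is an added example and is not code from the thread, from Cisco or from any poster. It models ASA twice-NAT matching in a deliberately simplified way (spelled out in the docstring) and runs the thread's VPN-to-VPN, LAN-to-VPN and LAN-to-Internet flows against the poster's original rule set and against the same rules with Jouni's (outside,outside) rule inserted first. The rule labels, the sample addresses 192.168.1.10 and 8.8.8.8, and the flow list are constructed for this example.

```python
"""Lint ASA-style twice-NAT rules against the flows a VPN deployment needs.

Simplified model (an assumption of this example, not a statement of how the
ASA implements NAT internally):
  * "nat (real,mapped)" applies to a flow when real matches the ingress
    interface and mapped matches the egress interface, "any" being a
    wildcard, and the flow's source/destination fall in the rule's networks;
  * static (identity) rules are bidirectional, so they also match with the
    interface pair and the networks swapped; dynamic PAT rules are not;
  * rules are evaluated in order and the first match wins.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str          # constructed label for reporting
    real_if: str       # first interface in "nat (real,mapped)"
    mapped_if: str     # second interface
    src: IPv4Network   # real source network
    dst: IPv4Network   # destination network (ANY_NET when unconstrained)
    static: bool       # True = identity/static, False = dynamic PAT

    @staticmethod
    def _if_ok(rule_if: str, flow_if: str) -> bool:
        return rule_if == "any" or rule_if == flow_if

    def matches(self, ingress, egress, src, dst):
        """Return 'forward', 'reverse' or None for the given flow."""
        if (self._if_ok(self.real_if, ingress) and self._if_ok(self.mapped_if, egress)
                and src in self.src and dst in self.dst):
            return "forward"
        # Only static rules are usable in the swapped direction.
        if (self.static and self._if_ok(self.mapped_if, ingress)
                and self._if_ok(self.real_if, egress)
                and src in self.dst and dst in self.src):
            return "reverse"
        return None


def first_match(rules, ingress, egress, src, dst):
    for rule in rules:
        if rule.matches(ingress, egress, src, dst):
            return rule
    return None


def check_flow(rules, ingress, egress, src, dst):
    """Classify one flow; returns (status, name of the rule it hit or None)."""
    src, dst = ip_address(src), ip_address(dst)
    fwd = first_match(rules, ingress, egress, src, dst)
    rev = first_match(rules, egress, ingress, dst, src)  # the return direction
    if fwd is None:
        return ("untranslated", None)
    if fwd.static and rev is fwd:
        return ("identity-ok", fwd.name)          # both directions, one rule
    if not fwd.static and ingress == egress:
        # Hairpinned traffic that lands on PAT: the peer sees the interface
        # address and the return flow cannot be mapped back to the sender.
        return ("hairpin-pat-broken", fwd.name)
    if not fwd.static:
        return ("dynamic-pat", fwd.name)          # normal outbound PAT
    return ("asymmetric", fwd.name)               # static rule, different reverse match


# Networks from the thread (VPN pool 10.10.10.0/24, LAN 192.168.1.0/24).
LAN = ip_network("192.168.1.0/24")
VPN_POOL = ip_network("10.10.10.0/24")
VPN_POOL_28 = ip_network("10.10.10.0/28")

# The poster's rules, in the order the running-config lists them.
ORIGINAL = [
    NatRule("nat (inside,any) any->RAVPN", "inside", "any", ANY_NET, VPN_POOL, True),
    NatRule("nat (inside,outside) LAN->VPN/28", "inside", "outside", LAN, VPN_POOL_28, True),
    NatRule("nat (inside,outside) any->VPN/28", "inside", "outside", ANY_NET, VPN_POOL_28, True),
    NatRule("object obj_any PAT", "inside", "outside", ANY_NET, ANY_NET, False),
    NatRule("object RAVPN PAT", "any", "outside", VPN_POOL, ANY_NET, False),
]

# Jouni's minimal fix: an (outside,outside) identity rule at position 1.
FIXED = [NatRule("nat (outside,outside) VPN-POOL<->VPN-POOL",
                 "outside", "outside", VPN_POOL, VPN_POOL, True)] + ORIGINAL

# Constructed flows: VPN traffic is decrypted on, and re-encrypted to, outside.
FLOWS = {
    "VPN peer -> VPN peer": ("outside", "outside", "10.10.10.8", "10.10.10.9"),
    "LAN host -> VPN peer": ("inside", "outside", "192.168.1.10", "10.10.10.8"),
    "LAN host -> Internet": ("inside", "outside", "192.168.1.10", "8.8.8.8"),
}


def report(rules):
    """Map each named flow to its (status, rule) classification."""
    return {label: check_flow(rules, *flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, rules in (("original rules", ORIGINAL), ("with (outside,outside) rule", FIXED)):
        print(f"== {title}")
        for label, (status, name) in report(rules).items():
            print(f"  {label:22s} {status:20s} {name}")
```

Run it and compare the two reports: under the original rules the hairpinned VPN-to-VPN flow falls through to the dynamic PAT rule for the RAVPN object, which is the situation the "NAT reverse path failure" log line describes, while the LAN-to-VPN flow is fine because the (inside,any) identity rule fits both directions. With the (outside,outside) identity rule first, both directions of the VPN-to-VPN flow resolve to that one static rule. The model does not replicate the ASA's exact lookup order or its route-lookup behaviour, so use it to reason about interface pairs and then confirm on the box with packet-tracer.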
-
ASA VPN - cannot ping ip local pool
Hello
We have an ASA 5510 device that has been deployed for some time. Everything works fine, except that local VPN clients cannot ping other local VPN clients which get their IP address from the local pool. They can ping anywhere on the company's local network, but not each other. I don't doubt there's a logical explanation for this, because of an ACL, but all advice is appreciated...
Thanks in advance
Keith
Hi Keith,
I think that, in order to allow a VPN client to reach another VPN client, the ASA should U-turn the VPN traffic (because it will receive the traffic from one VPN tunnel and re-send it out again over another tunnel).
Can you add "same-security-traffic permit intra-interface" and try again?
Federico.
-
After the host on vSphere 4.0 is connected directly to iSCSI (initiator), the host cannot ping the iSCSI server (target), but the target can ping the host. And iSCSI works well, I mean I can create and use the iSCSI disk, so why? It confuses me.
Thank you!
George,
iSCSI traffic uses a VMkernel port; instead of using the 'ping' command, use 'vmkping'.
André
-
Cannot ping the Virtual Machine by host
Hi all,
Please help, I use VMWare Workstation 6.5 and I have a physical operating system which is Windows XP SP2, I have a network card, but not connected to a physical switch, the IP address is 192.168.0.1. I installed a Virtual Machine using Microsoft Windows 2003 server as the operating system, promote as domain controller, install the DHCP, DNS service and assign an IP 192.168.0.2, no default gateway.
My VMnet1 on physical operating system has an IP 192.168.204.1 and VMNet8 has an IP 192.168.126.1.
The host, I cannot ping the 192.168.0.2 which is the IP address of the Virtual Machine. Even in the Virtual Machine, I can not ping 192.168.0.1 is the IP address of the host. From what I read, the physical and the virtual machine were connected with a virtual switch. Am I wrong?
Any advice?
Thanks in advance.
They SEEM to be in different networks; you need routing between them, since they are different networks...
On the other hand,
put the host and the virtual machine on the same subnet/network, for EXAMPLE a class C network 192.168.200.0/24.
Please rate if my answer was helpful. Thank you.
Regards,
Joe
-
Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2
I have two ASA 5505 firewalls, each with a Base license: FWa and FWb. There is currently a working VPN tunnel between them. I added a second interface (inside2) to firewall FWb, but I can't ping it from firewall FWa, whereas I can ping the inside interface of FWb.
I can ping the FWb inside interface 192.168.20.1 from the FWa inside interface 172.16.1.1, but I cannot ping the FWb inside2 interface 10.52.100.10 from FWa. I also cannot ping the gateway host 10.52.100.1 from FWa.
Below is the essential configuration of the two firewalls as well as the debug icmp output on both firewalls when I ping the inside and inside2 interfaces of FWb from FWa.
=========================================================
Here is a skeleton of the FWa configuration:
name 172.16.1.0 inside-network
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interface
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 description Connection to VLAN 777 to work around the Comcast external modem and static IP address.
 nameif outside
 security-level 0
 ip address outside-interface 255.255.255.240
object-group network DM_INLINE_NETWORK_5
 network-object HprCnc Thesys 255.255.255.0
 network-object ring52-network 255.255.255.0
 network-object ring53-network 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object ring52-network 255.255.255.0
 network-object HprCnc Thesys 255.255.255.0
 network-object ring53-network 255.255.255.0
access-list Outside_5_cryptomap extended permit ip host outside-interface object-group DM_INLINE_NETWORK_3
access-list inside_nat_outbound extended permit ip inside-network 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list Outside_nat0_outbound extended permit ip host 173.162.149.72 aus_asx_uat 255.255.255.0
nat (inside) 0 access-list sheep
nat (inside) 101 access-list inside_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (outside) 0 access-list Outside_nat0_outbound
crypto map VPN 5 match address Outside_5_cryptomap
crypto map VPN 5 set pfs group1
crypto map VPN 5 set peer D.D.D.D
crypto map VPN 5 set transform-set VPN
tunnel-group D.D.D.D type ipsec-l2l
tunnel-group D.D.D.D ipsec-attributes
 pre-shared-key *
=========================================================
FWb:
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-network
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address D.D.D.D 255.255.255.240
!
interface Vlan52
 no forward interface Vlan1
 nameif inside2
 security-level 100
 ip address 10.52.100.10 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object ring52-network 255.255.255.0
 network-object ring53-network 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object ring52-network 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object ring53-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 host S.S.S.S
access-list inside2_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 host S.S.S.S
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 host S.S.S.S
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
route inside2 ring51-network 255.255.255.0 10.52.100.1 1
route inside2 ring53-network 255.255.255.0 10.52.100.1 1
route inside2 ring54-network 255.255.255.0 10.52.100.1 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer S.S.S.S
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
 pre-shared-key *
=========================================================================
I turned on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but it never returns to FWa.

Successful ping from FWa to the inside interface of FWb:
FWa# ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
ICMP echo request from outside-interface to 192.168.20.1 ID=32068 seq=23510 len=72
! ICMP echo reply from 192.168.20.1 to outside-interface ID=32068 seq=23510 len=72
....
FWb#
ICMP echo request from S.S.S.S to 192.168.20.1 ID=32068 seq=23510 len=72
ICMP echo reply from 192.168.20.1 to S.S.S.S ID=32068 seq=23510 len=72
==============================================================================
Successful ping from FWa to a host connected to the inside interface of FWb:
FWa# ping 192.168.20.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.15, timeout is 2 seconds:
ICMP echo request from outside-interface to 192.168.20.15 ID=50862 seq=18608 len=72
! ICMP echo reply from 192.168.20.15 to outside-interface ID=50862 seq=18608 len=72
...
FWb#
ICMP echo request from outside:S.S.S.S to inside:192.168.20.15 ID=50862 seq=18608 len=72
ICMP echo reply from inside:192.168.20.15 to outside:S.S.S.S ID=50862 seq=18608 len=72
===========================
Unsuccessful ping from FWa to the inside2 interface of FWb:
FWa# ping 10.52.100.10
Sending 5, 100-byte ICMP Echos to 10.52.100.10, timeout is 2 seconds:
ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
? ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
...
FWb#
ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
....
==================================================================================
Unsuccessful ping from FWa to a host connected to the inside2 interface of FWb:
FWa# ping 10.52.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.52.100.1, timeout is 2 seconds:
ICMP echo request from outside-interface to 10.52.100.1 ID=11842 seq=15799 len=72
FWb#
ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
=======================
Thank you
Hi odelaporte2,
It is very probable that the "management-access" command is not applied to the second inside interface, only to the primary inside ("show run management-access" will confirm).
This command can only be applied to one interface at a time; for example, if it is currently applied to inside, it cannot be applied to inside2 at the same time.
Hope it helps
-Randy-
-
VPN Site-to-Site - cannot ping the router's internal IP address
Hi guys,.
I configured a site-to-site VPN between two routers; everything works well except pinging the internal (LAN) IP of one router.
Everything else works fine: I can ping hosts through the tunnel in both directions.
Routers that I use:
-1841: IOS 15.0(1)M3
-2811: IOS 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.
I checked its IPsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.
#pkts encaps is not incrementing.
Anyone had this problem before?
Thank you very much.
Best regards
I think that happens because, when the router responds to the ICMP request, it uses its outside interface IP (not the IP address of the inside interface, which you are trying to ping) as the source of the packet. The ICMP response then does not go into the tunnel, because the IP address of the router's external interface is not included in the crypto ACL.
The solution to this, if my guess is correct, is to add the router's external IP to the crypto ACL.
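The crypto-ACL point in the reply above, as an added example (not from the thread; neither router's configuration is on this page): a mirrored pair of crypto ACLs on two IOS routers, with the optional line the reply recommends, and the two checks that show whether a ping is actually being encrypted. All addresses, names (VPN-TRAFFIC, VPN-MAP, TS) and interface numbers are assumptions; the ISAKMP policy, pre-shared key and transform set are omitted.

```cisco
! Added example, not from the thread. Hypothetical addressing:
!   R1 (1841): LAN 10.1.1.0/24, inside Fa0/0 = 10.1.1.1, outside Fa0/1 = 203.0.113.1
!   R2 (2811): LAN 10.2.2.0/24, inside Fa0/0 = 10.2.2.1, outside Fa0/1 = 198.51.100.1
! Only the pieces that define "interesting traffic" are shown.

! --- R1 ---
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 ! Optional, per the reply above: also cover packets the router itself
 ! sources from its outside address, so that they are encrypted as well.
 permit ip host 203.0.113.1 10.2.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP

! --- R2: the exact mirror image (source and destination swapped) ---
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 host 203.0.113.1
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP

! --- Checks, run on R1 ---
! A plain "ping 10.2.2.1" is sourced from the egress interface, i.e. the
! outside address. Unless that address is in VPN-TRAFFIC the packet leaves
! in clear text and #pkts encaps does not move. Force the LAN address as
! the source so the packet matches the first ACL line:
ping 10.2.2.1 source 10.1.1.1
! Both counters should rise by 5 after the ping above:
show crypto ipsec sa peer 198.51.100.1 | include pkts encaps|pkts decaps
! Which ACL line is matching (per-entry hit counts):
show ip access-lists VPN-TRAFFIC
```

If the sourced ping increments the counters but the plain ping does not, the tunnel is fine and the issue is only which address the router uses as source; if neither does, the mirror on the far side is the first thing to re-check.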
-
RV042 QuickVPN client cannot ping the LAN network
Hi guys,.
I just created a client-to-gateway IPsec tunnel on an RV042 and use the QuickVPN client on a remote PC to try to connect to this router.
QuickVPN showed that the tunnel has been established, but I couldn't ping the LAN behind the RV042 router.
Can someone help me?
Thank you.
Hello
Yes, you are right. To use QuickVPN with the RV042, you need to configure a user name and password on the VPN Client Access page. As this router does not support VLANs, you can only connect the VPN client to the LAN subnet (you cannot connect the client to any IP range configured with multiple subnets).
Kind regards
Bismuth
-
Cannot ping the AnyConnect client IP address from the LAN
Hi guys,.
I have an old ASA5520 running 9.1(6)8 where I set up AnyConnect SSL split-tunnel access:
sh run group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
group-policy lanwan-gp internal
group-policy lanwan-gp attributes
 wins-server none
 dns-server none
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value lanwan-acl
 default-domain none
 webvpn
  anyconnect profiles value lanwan-profile type user
access-list lanwan-acl line 1 standard permit 172.16.0.0 255.254.0.0 (hitcnt=48) 0xb5bbee32
Now I can ping, RDP, etc. from any VPN-connected host to any destination within the 172.16.0.0 255.254.0.0 range.
Here is my routing information:
sh run route
route outside 0.0.0.0 0.0.0.0 69.77.43.1 1
route inside 172.16.0.0 255.254.0.0 172.25.8.1 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.25.8.4 255.255.254.0
But I can't ping any connected AnyConnect VPN client from my LAN.
sh run ip local pool
ip local pool lanwan-pool 172.25.9.8-172.25.9.15 mask 255.255.254.0
Here's the traceroute of LAN:
C:\Users\Florin>tracert -d 172.25.9.10
Tracing route to 172.25.9.10 over a maximum of 30 hops
  1     1 ms    <1 ms     1 ms
  2    <1 ms     *        <1 ms
  3     *        Request timed out.
  4     *        Request timed out.
While the ASA routing table has the right information:
show route | include 69.77.43.1
S    172.25.9.10 255.255.255.255 [1/0] via 69.77.43.1, outside
Other things to mention:
-There is no other FW between the LAN and the ASA.
-There is no FW or NAT configured or enabled on this ASA (sh run nat and sh run access-group both return nothing).
-The Windows FW on the AnyConnect workstation is disabled (the service is running). I also tested and was able to ping my AnyConnect workstation at home from another device on the same network.
So, I'm left with two questions:
1. First, something I do not understand: after reading some threads here, I added this line: access-list lanwan-acl standard permit 69.77.43.0 255.255.255.0
The output of the ping and tracert commands remains the same, but now I can RDP to the VPN-connected workstation from any LAN workstation.
What is happening here?
2. How can I make ICMP work after all? I also tried fixup protocol icmp and fixup protocol icmp error, still no luck.
Thanks in advance,
Florin.
Hi Florin,
The entire output is clear enough to me.
In the debug you can see that the traffic is leaving the ASA:
"ICMP echo request from inside:172.17.35.71 to outside:172.25.9.9 ID=22 seq=14024 len=32"
The ASA may be forwarding it, or it may be dropping it for some unknown reason.
Can we have a Wireshark capture on the VPN client to see whether the ICMP request is reaching the client? I just want to isolate the problem from the Windows firewall so that we can concentrate on the ASA rather than the silly Windows FW ;)
Did RDP from inside the LAN to the VPN client work for you?
Enable logging on the ASA, then ping from inside to the VPN client and check the logs on the firewall; if the ASA drops the packet, it will appear in the log.
logging enable
logging buffered debugging
# show logging | include icmp
Rohan
-
Site to Site VPN - cannot ping remote subnet
Hi all.
I have a site-to-site IPsec VPN between a 5510 (HQ) and a 5505 (Remote). Everything on the tunnel works. Crypto maps and ACLs are symmetrical. I see that the tunnel is up for the required subnets. However, I cannot ping from the inside subnets of the 5510 to the remote LAN inside the 5505, and vice versa. I have other VPN spokes on the 5510 where I can ping the remote inside LAN x.x.x.x successfully. I can't figure out what I'm missing. I can ping Internet addresses, but cannot ping HQ.
Any suggestions?
I'm also just learning the ASAs, so I'm not an expert. I know that I have allowed ICMP on outside. My NAT 0 (nat-exempt) statement and my crypto statement run off the same object group that lists the HQ subnets.
Thanks in advance.
5505 lack the command:
management-access inside
Federico.
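Randy's point in the inside2 thread above and Federico's one-line answer here are the same command, so one added example covers both (it is not from either thread and not from any of the posters' firewalls): what management-access does, why only one interface can carry it, and how to test the ASA-to-ASA ping across the tunnel. The addresses (this ASA's inside 192.168.20.1/24, peer LAN 172.16.1.0/24, peer public address 203.0.113.1) are assumptions.

```cisco
! Added example, not from either thread. Assumed addressing: this ASA's
! inside interface 192.168.20.1/24, peer LAN 172.16.1.0/24 reached over
! the L2L tunnel, peer's public address 203.0.113.1.

! Let the ASA answer pings (and accept SSH/ASDM) on its own "inside"
! address for traffic that arrives through a VPN tunnel. Without it,
! hosts behind "inside" are reachable but the interface address itself
! never answers, which is exactly the symptom in both threads.
management-access inside

! Only one interface can hold it. Entering it for a second interface
! replaces the first: after the next line only inside2 answers this way
! and the earlier "inside" entry is gone from the running config.
management-access inside2
show running-config management-access

! Put it back on the interface the peer actually needs to reach:
management-access inside

! Check from this side. Naming the interface sources the ping from that
! interface's address, so the packet matches a crypto ACL written for the
! LAN; a plain "ping 172.16.1.1" is sourced from the outside address,
! which is normally not in that ACL and leaves in clear text.
ping inside 172.16.1.1
! The peer's SA counters should move with each reply:
show crypto ipsec sa peer 203.0.113.1
```

After this, a ping from the far LAN to 192.168.20.1 gets a reply; a ping to the inside2 address still will not, which is Randy's point about the second interface.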
-
Remote VPN client cannot ping certain IPs
My Cisco VPN client can establish the tunnel with my office ASA5505 VPN successfully, but cannot ping some IPs, such as an internal server (10.100.194.6).
FIREWALL-1 # ping 10.100.194.6
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.100.194.6, wait time is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Why can't I ping certain IPs?
Help, please.
Thank you.
Hey Kevin,
Looking at the capture, it is obvious that there is an internal routing problem: we can see request packets from the VPN client, but there are no response packets from the server.
Please ensure that the server has a route for the VPN subnet pointing to the firewall.
HTH. Kind regards,
Dinesh Moudgil
PS: Please rate the useful messages.
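Both Rohan's advice in the AnyConnect thread (log on the ASA and look for the drop) and Dinesh's advice here (capture the pair, then fix the route on the server) are the same isolation step from the ASA side, so one added example covers both. It is not from either thread and not taken from any poster's firewall; the VPN pool 10.100.250.0/24, the client address 10.100.250.10 and the capture and ACL names are assumptions, and 10.100.194.6 is the server from Kevin's post.

```cisco
! Added example, not from either thread. Assumed addressing: VPN pool
! 10.100.250.0/24, VPN client 10.100.250.10, server 10.100.194.6 on "inside".

! (a) Rohan's step: keep syslog in the buffer at debugging level, so a drop
!     shows up as an explicit message (e.g. %ASA-4-106023 for an ACL deny,
!     %ASA-6-302020/302021 for the ICMP connection being built/torn down).
logging enable
logging buffered debugging
logging buffer-size 1048576

! (b) Dinesh's step: capture exactly this pair on the interface facing the
!     server, in both directions, then ping 10.100.194.6 from the client.
access-list CAP-ICMP extended permit icmp host 10.100.250.10 host 10.100.194.6
access-list CAP-ICMP extended permit icmp host 10.100.194.6 host 10.100.250.10
capture VPNCAP interface inside access-list CAP-ICMP

! ... ping from the VPN client, then look at what the ASA saw and logged:
show capture VPNCAP
show logging | include 10.100.194.6

! Echo requests going out "inside" toward the server with no echo reply
! coming back means the ASA has done its part. The server, or its default
! gateway, has no route for 10.100.250.0/24 pointing at the ASA's inside
! address (or a host firewall drops the request). Fix that on the server or
! gateway, not on the ASA; the ASA only needs to know the server's subnet:
show route

! Clean up when done
no capture VPNCAP
clear configure access-list CAP-ICMP
```

The capture filter is deliberately two explicit host-to-host lines rather than "permit icmp any any": on a busy inside interface an open filter fills the capture buffer before the ping you care about, and the two-line form also makes a one-directional result obvious at a glance.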