Cisco Systems ASA 5520 VPN client cannot ping inside network

Posted by moranwa on July 29, 2008, 1:17 pm
Hello, I am hoping to get a quick answer, as I suspect it is in the
ACLs somewhere, but I am not versed enough in VPN to know.

My VPN client can connect and get an IP, but after that it cannot ping
anything on the inside. Here is the config on the ASA:

ASA Version 7.0(7)
!
hostname asavpn
domain-name some.domain.com
enable password TRPEas6f/aa6JSPL encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif inside
security-level 0
ip address 172.16.5.1 255.255.252.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.110.44 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management_only
security-level 100
ip address 10.2.206.20 255.255.255.0
!
passwd TRPEas6f/aa6JSPL encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup Management_only
dns name-server 10.1.206.10
dns name-server 10.1.206.22
same-security-traffic permit intra-interface
access-list split standard permit 172.16.4.0 255.255.252.0
access-list nonat extended permit ip 172.16.4.0 255.255.252.0 172.16.20.0 255.255.252.0
pager lines 24
logging enable
logging console informational
logging buffered informational
mtu inside 1500
mtu outside 1500
mtu Management_only 1500
ip local pool VPN_USE_Addresses 172.16.20.3-172.16.23.254 mask 255.255.252.0
no failover
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 10.0.0.0 255.0.0.0 172.16.4.1 1
route inside 192.168.81.0 255.255.255.0 172.16.4.1 1
route outside 0.0.0.0 0.0.0.0 192.168.110.100 1
route Management_only 10.1.2.0 255.255.255.0 10.2.206.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPN protocol radius
aaa-server VPN host 10.1.206.27
key Pass1234
group-policy vpn1 internal
group-policy vpn1 attributes
wins-server value 10.1.206.10 10.1.206.22
dns-server value 10.1.206.10 10.1.206.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value some.domain.com
client-firewall none
webvpn
http server enable
http 10.1.2.0 255.255.255.0 Management_only
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN 1 set transform-set ESP-3DES-MD5
crypto map VPN 65535 ipsec-isakmp dynamic VPN
crypto map VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
address-pool VPN_USE_Addresses
authentication-server-group VPN
default-group-policy vpn1
tunnel-group vpn1 ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.1.2.0 255.255.255.0 Management_only
telnet 10.1.71.143 255.255.255.255 Management_only
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d45e7fda6aadad53c03abf8390a8861a
: end

Posted by Artie Lange on July 29, 2008, 1:40 pm
moranwa@gmail.com wrote:

> access-list split standard permit 172.16.4.0 255.255.252.0
> access-list nonat extended permit ip 172.16.4.0 255.255.252.0
> 172.16.20.0 255.255.252.0

> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0
>

So you are using the ACL called nonat for your NAT exclusion for your
VPN clients: you have an ACL entry permitting 172.16.4.0 255.255.252.0 to
access your VPN clients, but you have yet to define one allowing
inbound traffic from the VPN clients. Try:


access-list nonat permit ip 172.16.20.0 255.255.252.0 172.16.4.0 255.255.252.0
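An added example (editor's code, not anything from the thread or from Cisco) that reads the relevant lines of the config posted above and checks the settings that decide whether a VPN client's packets reach the inside network and get answered. Two things in that config stand out besides the NAT exemption under discussion: both `inside` and `outside` are at `security-level 0`, and the ASA will not pass traffic between two interfaces at the same level unless `same-security-traffic permit inter-interface` is set (only `intra-interface` is set here); and `management-access inside` is absent, which is the command that lets a client on a tunnel terminating on `outside` ping or SSH to the inside interface's own address. On the exemption itself: `nat (inside) 0 access-list nonat` is matched on the inside-side source and the exemption it creates applies to the return traffic as well, so the inside-network-to-pool entry the config already has is the one that matters, and that is the entry the script looks for. It also flags the RADIUS shared key sitting in the paste in cleartext and the 3DES/MD5 IKE policy. The sample is a trimmed, constructed copy of the posted config with the mail-wrapped lines rejoined; the finding codes and function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted config that the checks below read,
# with the lines the mail client wrapped joined back together.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 0
 ip address 172.16.5.1 255.255.252.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.110.44 255.255.255.0
!
same-security-traffic permit intra-interface
access-list nonat extended permit ip 172.16.4.0 255.255.252.0 172.16.20.0 255.255.252.0
ip local pool VPN_USE_Addresses 172.16.20.3-172.16.23.254 mask 255.255.252.0
nat (inside) 0 access-list nonat
aaa-server VPN host 10.1.206.27
 key Pass1234
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
"""


def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_interfaces(cfg):
    """Map nameif -> {'level': int, 'net': IPv4Network} for every named interface block."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            cur = {}
        elif w[0] == "!":
            cur = None
        elif cur is not None:
            if w[0] == "nameif":
                ifaces[w[1]] = cur            # same dict keeps filling as the block continues
            elif w[0] == "security-level":
                cur["level"] = int(w[1])
            elif w[:2] == ["ip", "address"]:
                cur["net"] = net(w[2], w[3])
    return ifaces


def nat0_exemptions(cfg):
    """[(interface, src_net, dst_net)] for each entry of each 'nat (X) 0 access-list' ACL."""
    acls = {}
    for name, sip, sm, dip, dm in re.findall(
            r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)\s*$", cfg, re.M):
        acls.setdefault(name, []).append((net(sip, sm), net(dip, dm)))
    return [(ifc, src, dst)
            for ifc, name in re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", cfg, re.M)
            for src, dst in acls.get(name, [])]


def pools(cfg):
    """One network per 'ip local pool', taken from its first address and mask."""
    return [net(first, mask) for first, mask in
            re.findall(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)]


def lint(cfg):
    """Return [(code, message)] for the settings that decide whether VPN clients reach 'inside'."""
    out, ifaces = [], parse_interfaces(cfg)
    inside, outside = ifaces.get("inside"), ifaces.get("outside")
    if (inside and outside and inside.get("level") is not None
            and inside["level"] == outside.get("level")
            and not re.search(r"^same-security-traffic permit inter-interface", cfg, re.M)):
        out.append(("SAME_SEC_LEVEL", "inside and outside are both security-level %d and "
                    "'same-security-traffic permit inter-interface' is not set, so traffic between "
                    "them is dropped" % inside["level"]))
    if not re.search(r"^management-access inside", cfg, re.M):
        out.append(("NO_MGMT_ACCESS", "'management-access inside' is not set, so the inside interface "
                    "address will not answer ping or SSH from a tunnel terminating on another interface"))
    exempt = nat0_exemptions(cfg)
    for pool in pools(cfg):
        # nat 0 with an ACL is keyed on the inside-side source; the exemption is bidirectional.
        if not any(ifc == "inside" and inside and "net" in inside
                   and inside["net"].subnet_of(src) and pool.subnet_of(dst)
                   for ifc, src, dst in exempt):
            out.append(("NAT_EXEMPT_MISSING", "no nat (inside) 0 entry exempting inside -> %s" % pool))
    if re.search(r"^\s*key \S+", cfg, re.M):
        out.append(("CLEARTEXT_AAA_KEY", "aaa-server shared key is in the paste in cleartext; "
                    "rotate it and redact before sharing"))
    if re.search(r"^isakmp policy \d+ (?:hash md5|encryption (?:3des|des))\b", cfg, re.M):
        out.append(("WEAK_IKE", "IKE policy uses 3DES and/or MD5; prefer AES with SHA"))
    return out
```

`lint(SAMPLE_CONFIG)` on the posted config reports SAME_SEC_LEVEL, NO_MGMT_ACCESS, CLEARTEXT_AAA_KEY and WEAK_IKE and no NAT_EXEMPT_MISSING; appending `same-security-traffic permit inter-interface` and `management-access inside` clears the first two, and replacing the existing nonat entry with only the reversed pool-to-inside entry makes NAT_EXEMPT_MISSING appear.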

Posted by moranwa on July 29, 2008, 6:58 pm
> mora...@gmail.com wrote:
> > access-list split standard permit 172.16.4.0 255.255.252.0
> > access-list nonat extended permit ip 172.16.4.0 255.255.252.0
> > 172.16.20.0 255.255.252.0
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0
>
> So you are using the ACL called nonat for your NAT exclusion for your
> VPN clients, you have an ACL permitting 172.16.4.0 255.255.252.0 to
> access your VPN clients, but you have yet to define an ACL allowing
> inbound traffic from the VPN clients try:
>
> access-list nonat permit ip 172.16.20.0 255.255.252.0 172.16.4.0 255.255.252.0

Thanks for the help! No go so far in trying to ping 172.16.5.1. Here
is what the ASA log is saying:


%ASA-4-113019: Group = vpn1, Username = userx, IP = 71.x.x.x, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:03m:02s, Bytes xmt: 0, Bytes rcv: 1140, Reason: User Requested
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-5-713904: IP = 71.x.x.x, Received encrypted packet with no matching SA, dropping
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-6-302015: Built inbound UDP connection 7017 for outside:71.x.x.x/50980 (71.x.x.x/50980) to NP Identity Ifc:192.168.110.44/500 (192.168.110.44/500)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-6-302015: Built inbound UDP connection 7019 for outside:71.x.x.x/50981 (71.x.x.x/50981) to NP Identity Ifc:192.168.110.44/4500 (192.168.110.44/4500)
%ASA-6-713172: Group = vpn1, IP = 71.x.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
%ASA-6-302015: Built outbound UDP connection 7020 for inside:10.1.206.27/1645 (10.1.206.27/1645) to NP Identity Ifc:172.16.5.1/1025 (172.16.5.1/1025)
%ASA-6-113004: AAA user authentication Successful : server = 10.1.206.27 : user = userx
%ASA-6-113009: AAA retrieved default group policy (vpn1) for user = userx
%ASA-6-113008: AAA transaction status ACCEPT : user = userx
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-5-713130: Group = vpn1, Username = userx, IP = 71.x.x.x, Received unsupported transaction mode attribute: 5
%ASA-5-713131: Group = vpn1, Username = userx, IP = 71.x.x.x, Received unknown transaction mode attribute: 28683
%ASA-5-713131: Group = vpn1, Username = userx, IP = 71.x.x.x, Received unknown transaction mode attribute: 28684
%ASA-6-713184: Group = vpn1, Username = userx, IP = 71.x.x.x, Client Type: WinNT Client Application Version: 5.0.03.0560
%ASA-6-713228: Group = vpn1, Username = userx, IP = 71.x.x.x, Assigned private IP address 172.16.20.3 to remote user
%ASA-3-713119: Group = vpn1, Username = userx, IP = 71.x.x.x, PHASE 1 COMPLETED
%ASA-5-713075: Group = vpn1, Username = userx, IP = 71.x.x.x, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x156F1B77) between 192.168.110.44 and 71.x.x.x (user= x\sisbpm) has been created.
%ASA-5-713049: Group = vpn1, Username = userx, IP = 71.x.x.x, Security negotiation complete for User (x\userx) Responder, Inbound SPI = 0x007cb0ea, Outbound SPI = 0x156f1b77
%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x007CB0EA) between 192.168.110.44 and 71.x.x.x (user= x\sisbpm) has been created.
%ASA-6-713905: Group = vpn1, Username = userx, IP = 71.x.x.x, Starting P2 Rekey timer to expire in 27360 seconds
%ASA-5-713120: Group = vpn1, Username = userx, IP = 71.x.x.x, PHASE 2 COMPLETED (msgid=d05ec494)
%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.20.3/1280 gaddr 172.16.5.1/0 laddr 172.16.5.1/0 (userx)
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.20.3/1280 gaddr 172.16.5.1/0 laddr 172.16.5.1/0 (userx)
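An added example, editor's code rather than anything posted in the thread, that folds a log like the one above into one record per peer so the state of the session can be read off directly instead of scanned line by line. The sample embedded in the script is a constructed subset of the lines posted above with the mail wrapping undone and the peer address left masked as 71.x.x.x. Three things the summary makes visible: the disconnect line from the previous session reports `Bytes xmt: 0, Bytes rcv: 1140`, so the ASA decrypted the client's traffic but never sent anything back through the tunnel, which points at the return path (NAT exemption, routing, whether the target can answer) rather than at IKE; the `no matching SA` drop sits between that disconnect and the new phase 1, which is what a client still sending on the old SA looks like; and the only ICMP connection from the pool address is to 172.16.5.1, the inside interface's own address, which the ASA answers over a tunnel terminated on `outside` only when `management-access inside` is configured. The 302020/302021 lines for 192.168.110.100 to 192.168.110.44 are the gateway on the outside segment pinging the outside interface and have nothing to do with the VPN, so the script ignores ICMP whose source it has not seen assigned from the pool. The message IDs are Cisco's; the record field names and the triage wording are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ASA log lines posted above, with the mail
# wrapping undone and the peer's public address left masked as 71.x.x.x.
SAMPLE_LOG = """\
%ASA-4-113019: Group = vpn1, Username = userx, IP = 71.x.x.x, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:03m:02s, Bytes xmt: 0, Bytes rcv: 1140, Reason: User Requested
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-5-713904: IP = 71.x.x.x, Received encrypted packet with no matching SA, dropping
%ASA-6-713172: Group = vpn1, IP = 71.x.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
%ASA-6-713228: Group = vpn1, Username = userx, IP = 71.x.x.x, Assigned private IP address 172.16.20.3 to remote user
%ASA-3-713119: Group = vpn1, Username = userx, IP = 71.x.x.x, PHASE 1 COMPLETED
%ASA-5-713120: Group = vpn1, Username = userx, IP = 71.x.x.x, PHASE 2 COMPLETED (msgid=d05ec494)
%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.20.3/1280 gaddr 172.16.5.1/0 laddr 172.16.5.1/0 (userx)
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.20.3/1280 gaddr 172.16.5.1/0 laddr 172.16.5.1/0 (userx)
"""

MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
KV_RE = re.compile(r"^(?P<key>Group|Username|IP) = (?P<val>[^,]+), ")
ICMP_RE = re.compile(r"faddr ([^/\s]+)/\d+ gaddr ([^/\s]+)/\d+ laddr ([^/\s]+)/\d+")
DISC_RE = re.compile(r"Bytes xmt: (\d+), Bytes rcv: (\d+), Reason: (.+)$")

def parse_line(line):
    """Split a line into severity, message id, the leading 'Key = value,' fields and the rest."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    body, fields = m.group("body"), {}
    kv = KV_RE.match(body)
    while kv:                                   # Group / Username / IP prefix, when present
        fields[kv.group("key")] = kv.group("val")
        body = body[kv.end():]
        kv = KV_RE.match(body)
    return {"sev": int(m.group("sev")), "id": m.group("id"), "fields": fields, "text": body}

def new_session():
    return {"user": None, "remote_behind_nat": None, "local_behind_nat": None,
            "phase1": False, "phase2": False, "assigned_ip": None, "no_sa_drops": 0,
            "last_disconnect": None, "icmp": []}

def summarize(log):
    """Fold the log into one record per peer, keyed by the public 'IP = ' field."""
    sessions, by_assigned, peer = defaultdict(new_session), {}, None
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        f, text, ident = ev["fields"], ev["text"], ev["id"]
        if "IP" in f:
            peer = f["IP"]
            if "Username" in f:
                sessions[peer]["user"] = f["Username"]
        s = sessions[peer] if peer else None
        if ident in ("302020", "302021"):       # ICMP conn built/torn down; keep pool sources only
            m = ICMP_RE.search(text)
            if m and m.group(1) in by_assigned:
                sessions[by_assigned[m.group(1)]]["icmp"].append(
                    ("built" if ident == "302020" else "teardown", m.group(3)))
        elif s is None:
            continue
        elif ident == "113019":                 # session disconnected, with byte counters
            m = DISC_RE.search(text)
            if m:
                s["last_disconnect"] = {"xmt": int(m.group(1)), "rcv": int(m.group(2)),
                                        "reason": m.group(3)}
        elif ident == "713904":                 # encrypted packet with no matching SA
            s["no_sa_drops"] += 1
        elif ident == "713172":                 # NAT-T detection result
            s["remote_behind_nat"] = "Remote end IS behind" in text
            s["local_behind_nat"] = "This end IS behind" in text
        elif ident == "713228":                 # pool address handed to the client
            m = re.search(r"Assigned private IP address (\S+)", text)
            if m:
                s["assigned_ip"] = m.group(1)
                by_assigned[m.group(1)] = peer
        elif ident == "713119":
            s["phase1"] = True
        elif ident == "713120":
            s["phase2"] = True
    return dict(sessions)

def triage(s):
    """Plain-language notes from one session record."""
    notes = []
    if not s["phase1"]:
        notes.append("IKE phase 1 never completed")
    elif not s["phase2"]:
        notes.append("IPsec phase 2 never completed")
    if s["no_sa_drops"]:
        notes.append("%d encrypted packet(s) dropped with no matching SA (peer still sending on an "
                     "SA the ASA no longer has)" % s["no_sa_drops"])
    d = s["last_disconnect"]
    if d and d["xmt"] == 0 and d["rcv"] > 0:
        notes.append("previous session received %d bytes but the ASA sent 0 bytes back through the "
                     "tunnel: decryption worked, the return path did not" % d["rcv"])
    for target in [t for k, t in s["icmp"] if k == "built"]:
        notes.append("echo from %s to %s was accepted; check whether %s can answer it"
                     % (s["assigned_ip"], target, target))
    return notes
```

`triage(summarize(SAMPLE_LOG)["71.x.x.x"])` returns the no-matching-SA note, the zero-bytes-transmitted note and the note about the echo to 172.16.5.1; paste a fuller log into `SAMPLE_LOG` (or read one from a file) to run it against a real session.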

Posted by Artie Lange on July 30, 2008, 7:59 am
moranwa@gmail.com wrote:
>> mora...@gmail.com wrote:
>>> access-list split standard permit 172.16.4.0 255.255.252.0
>>> access-list nonat extended permit ip 172.16.4.0 255.255.252.0
>>> 172.16.20.0 255.255.252.0
>>> nat (inside) 0 access-list nonat
>>> nat (inside) 1 0.0.0.0 0.0.0.0
>> So you are using the ACL called nonat for your NAT exclusion for your
>> VPN clients, you have an ACL permitting 172.16.4.0 255.255.252.0 to
>> access your VPN clients, but you have yet to define an ACL allowing
>> inbound traffic from the VPN clients try:
>>
>> access-list nonat permit ip 172.16.20.0 255.255.252.0 172.16.4.0
>> 255.255.252.0
>
> thanks for the help! no go so far in trying to ping 172.16.5.1. here
> is what the ASA log is saying:
>

Where do these log entries come into play?

%ASA-6-302020: Built inbound ICMP connection for faddr
192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.110.100/0
gaddr 192.168.110.44/0 laddr 192.168.110.44/0

What is 192.168.110.44?

Posted on July 30, 2008, 1:14 pm
> mora...@gmail.com wrote:
> >> mora...@gmail.com wrote:
> >>> access-list split standard permit 172.16.4.0 255.255.252.0
> >>> access-list nonat extended permit ip 172.16.4.0 255.255.252.0
> >>> 172.16.20.0 255.255.252.0
> >>> nat (inside) 0 access-list nonat
> >>> nat (inside) 1 0.0.0.0 0.0.0.0
> >> So you are using the ACL called nonat for your NAT exclusion for your
> >> VPN clients, you have an ACL permitting 172.16.4.0 255.255.252.0 to
> >> access your VPN clients, but you have yet to define an ACL allowing
> >> inbound traffic from the VPN clients try:
>
> >> access-list nonat permit ip 172.16.20.0 255.255.252.0 172.16.4.0 255.255.252.0
>
> > thanks for the help! no go so far in trying to ping 172.16.5.1. here
> > is what the ASA log is saying:
>
> Where do these log entries come into play?
>
> %ASA-6-302020: Built inbound ICMP connection for faddr
> 192.168.110.100/0 gaddr 192.168.110.44/0 laddr 192.168.110.44/0
> %ASA-6-302021: Teardown ICMP connection for faddr 192.168.110.100/0
> gaddr 192.168.110.44/0 laddr 192.168.110.44/0
>
> What is 192.168.110.44?

192.168.110.44 is the 'outside' interface:

interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.110.44 255.255.255.0

The outside interface is connected on the other side to a switch on
the following port:

interface GigabitEthernet8/9
description VPN Outside interface
switchport
switchport access vlan 800
no ip address

VLAN 800 on the switch is:

interface Vlan800
ip address 192.168.110.100 255.255.255.0


The default route goes out 110.1:

Gateway of last resort is 192.168.110.1 to network 0.0.0.0
C 192.168.110.0/24 is directly connected, Vlan800
