Cisco VPN – Cannot Ping LAN via VPN

cisco, cisco-asa, firewall, ping, vpn

I'm configuring a Cisco ASA 5505. I'm trying to configure an AnyConnect VPN. It works for the outside GAN: I have access to that and I can ping it too, but I cannot ping/access anything that is in my LAN. Can someone help me?

Here is my configuration

: Saved
:
: Serial Number: JMX1737Z0E5
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(1)
!
hostname au-asa-1
names
ip local pool Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 101
!
interface Ethernet0/1
 switchport trunk allowed vlan 101-119
 switchport trunk native vlan 101
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan101
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Vlan110
 nameif inside
 security-level 100
 ip address 172.16.110.1 255.255.255.0
!
interface Vlan111
 nameif users
 security-level 100
 ip address 172.16.101.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.16.200.0_24
 subnet 172.16.200.0 255.255.255.0
object network global-inside-network
 subnet 172.16.0.0 255.255.0.0
object network vpn
 subnet 172.16.200.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit icmp any4 any4 log
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list 101 extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu users 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 outside
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=au-asa-1
 keypair sl
 crl configure
crypto ca trustpoint SelfSigner
 enrollment terminal
 subject-name CN=au-asa-1
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 024ad854
    308202d4 308201bc a0030201 02020402 4ad85430 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130861 752d6173 612d3131 17301506 092a8648
    86f70d01 09021608 61752d61 73612d31 301e170d 31353032 31303036 31323234
    5a170d32 35303230 37303631 3232345a 302c3111 300f0603 55040313 0861752d
    6173612d 31311730 1506092a 864886f7 0d010902 16086175 2d617361 2d313082
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100cd
    f1ab81e4 7cb566c3 664046dd f48813e4 f40944e2 167e0452 996fcced aade43ff
    079e0fd1 e4c07e5a 4a1af380 d80ecbea cb2e47ce 3270afd5 844f0b8a 91fa0aa9
    fdd95149 bd6d125d 4befcfd8 888518e5 26211577 02763e31 b99e8e1e d71199c3
    afacc9ea cd58e99d cc804f9a bbc41292 029ec2dd 403a975a b89f703c 81739d9c
    9f976e73 1b6a18de c3e82270 fa2263b6 468cf531 d088703b 1ffe1bc4 1859905a
    aafdfb27 4d17e6ec f2f43124 4c51ae24 56912008 aad2adf9 77daeb09 2be910d9
    8a06328a 351b8abb d16e899b a214425a 92417d31 b508d3ba c3be2ed0 bba2d8a3
    5148e6e8 3b9bd298 e899a367 40f0d5b3 0b4828f2 50ac5644 e2fd0c98 4bf70d02
    03010001 300d0609 2a864886 f70d0101 05050003 82010100 811b8fdc dc811692
    b3e6b1d1 0205d4b7 2be92c49 7aaa0bbc aae1537d 8add52aa a59a8310 25936e0e
    0ebe9500 ba234db8 c98c90e6 7a2cb931 bd4a7f7f d50a10c0 9e133f85 6f3656b3
    6360ba34 6be06ca8 ab14900e a422b303 4c374372 c1c96ae7 4ecae664 d9d6fbef
    b67ee3f6 cb8118b4 5e1ac05d 27955876 c7e8dd15 67a26c6d b3eb3291 5b10df3c
    01a03f7c 366053a2 4fc7acc4 c85cd242 5398bea6 06970019 abaee8df 69a88023
    7c487858 2e303069 fa98088c 9df54910 c9dcdef7 5f81dcb8 b14ff27c 89db190f
    91cfdd2a f4aa0bda 592fb4ac 32b57fc5 a827c886 3951feff 1ff74c6c 47268ba4
    e1049a00 e4826509 c8aba2f1 feec0e35 62828991 15475abb
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.0.0.0 255.255.0.0 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
 
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_au-vpn internal
group-policy GroupPolicy_au-vpn attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
username ***** password ************* encrypted
tunnel-group au-vpn type remote-access
tunnel-group au-vpn general-attributes
 address-pool Pool
 default-group-policy GroupPolicy_au-vpn
 nat-assigned-to-public-ip inside
tunnel-group au-vpn webvpn-attributes
 group-alias au-vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:990aef84171010a071adbd5d207cb479
: end

Be indulgent with me, I'm a dev.

Update

@hertitu's suggestion worked. Now I can ping inside, but another problem has appeared: I cannot ping outside anymore.

Best Answer

You currently have this NAT configuration:

nat (any,outside) source dynamic any interface

which matches the traffic between the AnyConnect client (which is on the outside!) and the inside. Therefore you need NAT exemption, i.e. a NAT rule saying that all traffic from inside to the VPN should not be translated, like this:

nat (inside,outside) 1 source static any any destination static NETWORK_OBJ_172.16.200.0_24 NETWORK_OBJ_172.16.200.0_24
nat (users,outside) 1 source static any any destination static NETWORK_OBJ_172.16.200.0_24 NETWORK_OBJ_172.16.200.0_24

Note that the "1" will cause this rule to be matched before all other NAT.

Edit: as discussed in comments/chat, for Internet access to also work, you need to modify the above two rules and replace "any" with "global-inside-network":

nat (inside,outside) 1 source static global-inside-network global-inside-network destination static NETWORK_OBJ_172.16.200.0_24 NETWORK_OBJ_172.16.200.0_24
nat (users,outside) 1 source static global-inside-network global-inside-network destination static NETWORK_OBJ_172.16.200.0_24 NETWORK_OBJ_172.16.200.0_24
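As an added illustration (not part of the question or the answer, and not Cisco code), a small Python model of the manual-NAT matching the answer relies on: rules are walked in order, a twice-NAT rule matches in both directions, and the matching rule decides the egress interface. Host, client and Internet addresses are constructed from the pool and subnets in the posted config; the `(users,outside)` twin rule is omitted for brevity.

```python
# Added example: a deliberately simplified model of how the ASA walks its
# manual (section 1) NAT rules. It shows why the dynamic PAT catches
# inside-to-VPN traffic, why the exemption must be listed first, and why
# "any" as the exemption's source also matches VPN-to-Internet traffic in
# reverse. Helper names are hypothetical; auto NAT, connection lookup and
# access lists are ignored.
import ipaddress

net = ipaddress.ip_network
ANY, VPN_POOL, INSIDE_NET = net("0.0.0.0/0"), net("172.16.200.0/24"), net("172.16.0.0/16")
OUTSIDE_IP = "10.0.0.2"  # address used by 'source dynamic any interface'

def identity(real_if, mapped_if, src, dst):
    # 'nat (real,mapped) source static SRC SRC destination static DST DST'
    return dict(real_if=real_if, mapped_if=mapped_if, src=src, dst=dst, pat=False)

def dynamic_pat(real_if, mapped_if):
    # 'nat (real,mapped) source dynamic any interface'
    return dict(real_if=real_if, mapped_if=mapped_if, src=ANY, dst=ANY, pat=True)

def translate(rules, ingress, src, dst):
    """Return (source address the destination sees, egress interface).

    Rules are tried in order; first match wins. A static rule is
    bidirectional: it also matches a packet arriving on its mapped interface
    whose source is in the rule's destination object and whose destination
    is in the rule's source object, and then forces egress to the real
    interface. For the dynamic rule written with 'any' the ASA does a route
    lookup, which in this config also lands on outside."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["real_if"] in ("any", ingress) and s in r["src"] and d in r["dst"]:
            return (OUTSIDE_IP if r["pat"] else src), r["mapped_if"]
        if not r["pat"] and r["mapped_if"] == ingress and s in r["dst"] and d in r["src"]:
            return src, r["real_if"]  # reverse match on an identity rule
    return src, "route-lookup"  # no manual rule matched

ORIGINAL = [dynamic_pat("any", "outside")]
FIRST_FIX = [identity("inside", "outside", ANY, VPN_POOL), dynamic_pat("any", "outside")]
FINAL_FIX = [identity("inside", "outside", INSIDE_NET, VPN_POOL), dynamic_pat("any", "outside")]

if __name__ == "__main__":
    host, client, internet = "172.16.110.20", "172.16.200.10", "8.8.8.8"  # constructed
    print(translate(ORIGINAL, "inside", host, client))       # PAT'd to 10.0.0.2: broken
    print(translate(FIRST_FIX, "inside", host, client))      # exempt, egress outside
    print(translate(FIRST_FIX, "outside", client, internet))  # reverse match, egress inside: broken
    print(translate(FINAL_FIX, "outside", client, internet))  # hairpin PAT out of outside
```

On the real box the same questions are answered by `show nat detail` (rule order and hit counts) and `packet-tracer input outside icmp <client-ip> 8 0 <inside-host-ip>`, which reports the NAT rule and egress interface chosen for the flow.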