Cisco Firewall :: ASA 5512-X / VPN Client Is Connected But Unable To Ping Internal Network

Mar 17, 2013

I have created a VPN connection for ASA 5512-X by using the wizards and nothing seems to be wrong on the wizards' config. I am able to connect to the network by using the VPN but unable to ping internal network. Below is my config for your reference:
 
Result of the command: "sh run"
 : Saved
:
ASA Version 8.6(1)2
!
hostname FAA-ASA-1
enable password crzcsirI44h2BHoz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[code].....

View 6 Replies



Cisco Firewall :: Can't Ping Internal Client From Pix 515

Mar 28, 2012

I just set up my home network with Pix 515 acting as my router/firewall but I can't seem to ping my internal PC from my ASA. I can access the internet and ping my Pix 515 inside interface from my PC but I can't ping my PC from my Pix 515. I can also renew/release IPs from my PC. I also did a packet tracer and it says that it was dropped due to an access list but I have one in place. Also my switch has the default config. Below is my config
 
Internet <----> Comcast modem <-----> Pix 515 <-------> Cisco switch <-----> PC
 MYFIREWALL# sh run
: Saved

[Code].....

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Cannot Ping Secondary Internal Network?

Jan 15, 2012

Cisco ASA 5505 Cannot Ping Secondary Internal Network.

View 9 Replies View Related

Cisco Firewall :: Unable To Open SMTP Session Through ASA 5512-X?

Sep 20, 2012

Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
 
NAT and access rules are as follows:
  
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1

[code]....
 
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?

View 3 Replies View Related

Cisco Firewall :: VPN Tunnel Built Via ASA5505 But Unable To RDP / ICMP Back To Internal Network

Oct 10, 2012

I'm able to build my tunnel but unable to RDP or ICMP back to the internal network.
 
VPN Client IP: 192.168.200.200
INTERNAL IP:  172.17.130.200
 
my configuration is below:

HOME-ASAFW02(config)# wr t
: Saved
:
ASA Version 8.4(4)
!
hostname HOME-ASAFW02
domain-name hsd1.nj.comcast.net
enable password ViPq56cvd3SGvB08 encrypted
passwd 8bcozHCAwCqA5BmN encrypted
names
!
interface Ethernet0/0
description OUTSIDE-Connection
switchport access vlan 2
switchport protected
!
interface Ethernet0/1
description INSIDE-Connection
switchport protected
speed 100
duplex full
!
interface Ethernet0/2
description WiFi-LinkSYS
switchport access vlan 3
switchport protected
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description INTERNAL-Network
nameif inside
security-level 100
ip address 172.17.130.129 255.255.255.128
!
interface Vlan2
description OUTSIDE-Link-to-ISP
nameif

[code]....

View 12 Replies View Related

Cisco Switching/Routing :: 2621 - Unable To Ping Internal Interface

Dec 3, 2011

I've got a 2621 configured as my main gateway to the internet - right now it's obtaining a DHCP IP from the ISP's proprietary router set to bridged mode.

As of now, I'm unable to ping the internal interface of the router. I can ping external IPs only; even though I have DNS servers listed, I am unable to resolve host names. I'm running a few servers to which people are able to connect to my web server, among other services. I even have a crypto map set up to another 2621 across the country and can ping all internal IPs on the other end... I JUST CANNOT PING THE INTERNAL INTERFACE of the router!!

I've noticed that when I ping the router during its boot process (using linux uninterrupted) I get a response in a very short window, then it dies again. I'll post my config below:
 
[code]....

View 9 Replies View Related

Cisco VPN :: ASA 5520 Client VPN Can Gets Connected But Can't Ping LAN Server

Apr 21, 2013

CISCO ASA 5520-K9. Client can connect to the ASA server and get an IP address (172.168.31.X), but can't ping the ASA inside interface IP address and other servers in the LAN.

View 2 Replies View Related

Cisco WAN :: 2800 / VPN Client Gets Connected But Cannot Ping Local LAN

Jan 18, 2013

I am trying to connect my 2800 Series Cisco office router with VPN client software from home. I can successfully authenticate and get the IP address from the pool configured but couldn't ping any LAN IPs including default gateway. I am pasting my router's configuration.

IP Address Of LAN: 192.168.22.x/ 24
IP Addresses handed out to Clients: 10.10.10.5- 10.10.10.20
 aaa new-model
!
!
aaa authentication login default local

[code]....
 
I have noticed that my virtual-access interface comes up but the line protocol of virtual-interface remains down as follows:

Virtual-Template100        x.x.x.x YES TFTP   up                    down
 
Also The client PC picks up a random gateway of 10.10.10.1 which I never configured anywhere on the server.

View 26 Replies View Related

Cisco Firewall :: ASA 5550 - Cannot Ping SITE 1 PIX From Internal IP

Oct 15, 2012

We have two networks HQ and Site1 and for some reason we can’t ping the inside IP for Site1 PIX device. We have site-site-VPN set up between the two and everything works fine except we can’t ping the Site1 PIX from internal IP. However, I can ASDM/SSH in from HQ to the external IP of the Site1 PIX. 

HQ is using an ASA 5550 (172.1.0.1) PC from HQ (172.1.64.x) Site1 is using a PIX-515E (172.2.0.1) PC from Site1 (172.2.64.x)
Ping from HQ PC to Site1 PC (172.1.64.x to 172.2.64.x) works fine
Ping from Site1 PC to HQ PC (172.2.64.x to 172.1.64.x) works fine
[code]... 

ASDM/SSH from any HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
ASDM/SSH from any HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
 
Everything was working fine until we recently changed the outside IP address for Site1 because we switched to a different ISP. Nothing changed on the HQ ASA or Site1 PIX other than the outside IP address on Site1 PIX. I did rebuild the site-to-site VPN tunnel between Site1 and HQ.

View 5 Replies View Related

Cisco Firewall :: Don't Want ASA5505 To Control DNS For Internal Client

May 28, 2012

We have an internal DNS server that all internal hosts do lookups to. These requests are forwarded on to OpenDNS for anything the DNS server isn't authoritative for. My question is: we have purchased the botnet filter and this requires the ASA5505 DNS client to be active on at least one interface. Should I point the ASA DNS to an external IP such as 8.8.8.8 and apply DNS enabled on interface outside (I am using ASDM)? I don't want the ASA to control DNS for our internal clients; we already have an internal server for this. I DO want the ASA5505 to check DNS packets against its botnet filter, whilst still using OpenDNS for forwarding.

View 1 Replies View Related

Cisco VPN :: ASA 5505 - VPN Cannot Ping Internal Network

Nov 11, 2012

I have the connection working with my ASA 5505 but cannot ping the internal network. (Note external interface is getting the IP via DHCP)

View 4 Replies View Related

Cisco VPN :: ASA 5505 Can't Ping Any Device Internal Network

Feb 6, 2011

I'm new to this Cisco 5505 and I want to carry out a task as simple as a remote access VPN. In my case I did the wizard, and in time on my test I could connect to the VPN, but I cannot ping any device on the internal network. [code]

View 6 Replies View Related

Cisco WAN :: 861W - Unable To Ping And Connect To Internet When Connected To Pc

Nov 19, 2012

I have a Netgear router/modem connected to my phone line for broadband, an ethernet cable coming out of that to a Netgear switch and then a cable going from the switch to fa4 on the 861. I can ping the Netgear router from the 861; however, when I connect my PC to it, I am unable to ping, let alone connect to the internet. The PC is getting an IP from the 861 and I can ping the fa4 interface from the PC. I just don't understand why I cannot ping the broadband router. I even added a static route to the Netgear with no luck.

View 5 Replies View Related

Cisco Wireless :: 5508 - Client Unable To Stay Connected

Jun 26, 2012

Background: Wireless credit card machines can't stay connected to the 5508 controller 7.0.116 / 1142 AP wireless system. MAC address of one of the wireless hosts is 00:12:0e:ec:ce:97. AP servicing them is d4:a0:2a:99:34:60. Hosts are able to connect to the network after a reboot and stay connected for random periods of time but then don't come back unless you manually reload them. I have 3 in total in the same room serviced by the same AP.

I have the output of debug client 00:12:0e:ec:ce:97. Output showed 802.1x 'timeoutEvt' Timer expired for station 00:12:0e:ec:ce:97 so I increased the value to 4000ms on the controller but am still having the issue.

Note that the output below is the state the client stays in after receiving the timeout (802.1x 'timeoutEvt') showing subsequent attempts. The only way to get them back on is a reload of the credit card machine.

[Code]........

View 3 Replies View Related

Cisco VPN :: Configured Client-less SSL VPN For Access To ASA 5540 Internal Network

Oct 31, 2011

I have configured Clientless SSL VPN for access to ASA 5540 internal network. Still I am unable to SSH to my core switch. [code]

View 5 Replies View Related

Cisco Firewall :: ASA 5510 / Unable To Get Internal Networks Talking To Each Other

Apr 22, 2012

I am tasked with transferring all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:

192.168.0.0/24
192.168.43.0/24 (the intended migration network)
 
I am beating my head against the desk here as I don't seem to be getting anywhere after the changes I have made. The current configuration is as such:
 
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names

[code]......
 
Upgrading the firmware is not really an option?

View 3 Replies View Related

Cisco Firewall :: ASA5510 - Unable To Ping From User Desktop To Firewall Inside IP

Jun 11, 2012

I am able to ping from switch to firewall inside IP and user desktop IP but unable to ping from user desktop to FW inside IP. Config is below for both switch and FW Cisco ASA5510.
 
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:

[Code].....

View 7 Replies View Related

Cisco Firewall :: 871 - Cannot Ping Or RDP Remote Stations Once Connected

Jun 6, 2011

I've setup a CISCO 871 which receives DHCP IP address on WAN interface Fa4 and DHCP-assigned static IP Address on virtual-ppp1.  The static address is used for site-to-site VPN's, while I've planned the DHCP address for standard web access and CISCO VPN Client dial-out.
 
Internally, I've created 2 VLAN's, one for standard PC's with access to the remote sites via site-to-site and cisco client, and the other for a 'secured' area with only HTTP/S allowed out. [code]
 
Clients in the PCLAN should also be allowed to dial out using CISCO VPN client to remote sites via the OUTSIDE interface. This is partially working because the client does log into a remote site; however, I cannot ping or RDP remote stations once connected. "ip inspect log drop-packets" does not reveal dropped packets when trying to ping or RDP. [code]

View 5 Replies View Related

Cisco VPN :: VPN Users Unable To Access Internal Network - ASA 8.3.1

Nov 19, 2012

I have a base config of AnyConnect VPN below; however, the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN pool from accessing the internal LAN?
 
The Core LAN router is 1.2.3.1.
 
!
ASA Version 8.3(1)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0

View 2 Replies View Related

Cisco Firewall :: Unable To Ping Internet IPs From ASA5505 Firewall

Jan 9, 2013

Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2  -> Cisco ASA 5505
Cisco ASA 5505 -> Internal LAN switch.
 
1.  Internet  is connected to Juniper Ge0/0/0  via /30 IP.
 
2. Juniper fe0/0/2 port is configured as inet port and configured with the internal public LAN pool provided by the ISP. This port is directly connected to Cisco ASA 5505 E0/0. It's a /28 pool IP address. This interface is configured as outside and security level set to 0.

From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
 
Issue:

1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
 
Troubleshooting Done so far.
 
1. Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3.  Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **

View 2 Replies View Related

When Connected To 192.168.50 Network Cannot Seem To Ping?

Dec 7, 2012

The issue I was having is when I connect to the 192.168.50.* network I cannot seem to ping or connect to 192.168.51.2 (esxi host1) and 192.168.51.3 (esxi host2) and also the FreeNAS device, i.e. 192.168.52.2. I can only connect to these devices if I ping 192.168.50.1 from both the esxi hosts and also from FreeNAS. Everything starts working if I ping from the esxi hosts & FreeNAS device to 192.168.50.1.

If I connect to the HP ProCurve switch I can ping the hosts fine from the switch, but not when I connect to the Draytek Router, i.e. 192.168.50.1, unless I run a ping from the esxi hosts and FreeNAS device; then everything starts working. Here is my network setup for my ESXI home lab.

I have Draytek Vigor 2800 Router with ipaddress 192.168.50.1 (This Router is Downstairs and connected to DSL Line) and another Router with Firmware flushed with DD-WRT and IP address for this is 192.168.50.2. (this router is in upstairs labroom and is connected in Wireless Bridge Mode to Draytek Router Downstairs)

There is an HP ProCurve Switch 2610-24 with IP address of 192.168.50.3 and it has VLANs configured on it. The VLANs are: VLAN10 is the esxi VLAN and its IP address is 192.168.51.1, VLAN20 is the storage VLAN and its IP address is 192.168.52.1, and VLAN 30 is the internet VLAN and its IP address is 192.168.50.3 (switch address). Port 24 is untagged to VLAN 30, i.e. the internet VLAN, and I connected the port to the DD-WRT router LAN port. I have untagged ports 1 to 5 to VLAN10, i.e. the esxi VLAN, and connected esxi hosts 1 & 2 to ports 1 and 2 respectively, and connected the FreeNAS device, i.e. storage, to port 6 which is untagged to VLAN20, i.e. the storage VLAN.

IP Routing is enabled on the switch and ip route 0.0.0.0 0.0.0.0 192.168.50.2 and Default gateway on the switch is 192.168.50.1.

On the Draytek router i have configured a static route for 192.168.51.0/24 and Default Gateway is 192.168.50.3 and another static route 192.168.52.0/24 and default Gateway is 192.168.50.3

View 19 Replies View Related

Cisco Firewall :: ASA-5580 / Unable To Ping Firewall

Apr 18, 2012

We are going to implement Spectrum (CA) in my network. I have an ASA-5580-20 firewall and now my Spectrum server wants to communicate with the firewall; only then will it discover the firewall logs. Now the problem is my Spectrum server is in MZ zone (10.10.10.45) where the security level is 70, and my inside interface (10.20.20.101) security level is 100.

I am unable to ping from the Spectrum server to the firewall because of the high security level. How can I solve this problem? Can I change my inside security level to 69? Then I think it will ping.

View 1 Replies View Related

Cisco WAN :: 2950 Can Ping Outside Network From Switch But Not From Pc Connected

Feb 11, 2012

I've connected a DSL modem/router to a fast ethernet port (fa0/1) on a 2620 router. There is a 2950 switch connected to the other port (fa0/0). I can ping the Internet via the router and the switch but not from a host connected to the switch. I can't reach the DSL modem from the host PC. I've configured NAT (overload) on the router.

View 8 Replies View Related

Cisco VPN :: 5505 Client Connected With VPN To Access Network

Jun 3, 2013

I have two ASA5505 with a site to site VPN. One of the ASA is connected to the internal network 192.168.150.0. The other one is connected to 192.168.151.0.
 
I have also configured IPSec Cisco client VPN to the one which is plugged to 192.168.150.0.
 
I would like to know if it is possible for a client connected with the Cisco VPN to access the network 192.168.151.0 through the site to site VPN.

View 3 Replies View Related

Home Network :: Client Connected To DMZ Can't Go Out To The Internet

Sep 24, 2012

I've installed Fortigate 60B and now need to provide access to our guests. Guests must be isolated from office infrastructure. For this configuration I've set up DMZ interface with DHCP server. Client connected to DMZ port gets DHCP configuration but can't go out to the Internet.

Internal interface:
Addressing mode: manual (10.0.0.250/24)
DMZ interface config:
Addressing mode: manual (192.168.16.1/24)

[Code].....

View 5 Replies View Related

Cisco VPN :: 3560 Cannot Ping Internal Network Via VPN Site To Site

May 30, 2012

I have the following VPN site-2-site configuration. The trouble I'm having is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and vice versa. Think I have added the static routes and ACLs correctly on the 3560 switches (acting as gateways) and both PIX's to access the internal networks. Host 172.168.9.3 can ping 172.168.200.3 fine.

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Unable To Ping

Sep 9, 2011

I just tried to configure my ASA but unable to ping.  My setup is as follows:
 
Cable Modem (DHCP from IPS)---> ASA (192.168.1.1)--->Belking Router (192.168.5.1)--->Switch (192.168.5.14)--->
 
ASA Version 8.2(3)
!
hostname WoodHomeASA-1

[Code].....

View 30 Replies View Related

Cisco WAN :: 3560 / Unable To Ping Out From LAN Via PIX Firewall

Mar 29, 2012

I have the following setup.
 
host PC (192.168.9.3) -----> gateway (192.168.9.2) ----- Pix E1 (192.168.9.1)/Pix E0 (81.x.x.250) ------ Internet
 
The 192.168.9.2 gateway is a 3560 switch connected to the PIX. I can ping out to the Internet via IP from the PIX, but not via the host PC (192.168.9.3) on the LAN. PIX and gateway configs below. Am I missing something that's preventing me pinging out to the Internet from the internal LAN?
 
PIX config
 
test-cal-pix01# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname test-cal-pix01
enable password btf1YD.Vq7mE6vEA encrypted

[code]....

View 1 Replies View Related

Cisco Firewall :: 5505 - ASA Unable To Ping Internet From DMZ

Apr 5, 2013

I have setup 5505 ASA  for Testing purposes. It has static route to layer 3 switch on outside interface that  goes  to the internet.
 
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

[Code].....

View 20 Replies View Related

Cisco Firewall :: PIX 515E Unable To Ping Outside From Inside

Dec 1, 2012

I'd like to have some support for a very basic PIX firewall configuration. I'm dealing with a PIX 515E. Inside hosts can ping the inside interface, outside hosts the outside interface, and so on. Simply, I cannot ping the outside interface from inside hosts. Inside host-192.168.1.0

Outside - any host like google.com, or to check my isp link's dns ip. I have attached the pix configuration text file to test.

View 10 Replies View Related

Cisco Firewall :: ASA 5505 With IOS 8.4 / Unable To Ping Or Map Drives To It?

Aug 12, 2012

I configured a new ASA 5505 with IOS 8.44-1-k8.bin and when I installed the ASA the clients, after about 1 hour, were unable to ping or map drives to the ASA. I got the following error: %ASA-2-106007: Deny inbound UDP from XXXX to XXXX due to DNS Query. I added the command same-security-traffic permit intra-interface and they were then able to ping the server and connect to the Internet, but still unable to map drives. I could see the connections from the PCs to the server in a show conn, which was tcp port 445 with Saa? I reverted back to IOS 8.25 and everything works.

View 2 Replies View Related

Cisco Firewall :: 5505 VPN Client Unable To Connect

Feb 13, 2012

We have a Cisco ASA 5505 on which we have set up a group VPN. The VPN connections from all Cisco VPN clients work fine except one. They keep getting the below error

"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding. Connection Terminated".

Not sure why only one client won't be able to connect. The version we are using is 5.0.02 for VPN client.

View 10 Replies View Related

Cisco Routers :: ASA5520 And RV042 - Tunnel Get Connected But No Ping / No Traffic Between Both End Network

Sep 13, 2011

I configured ASA5520 and RV042 for site-to-site IPSec VPN tunnel. Tunnel gets connected, but no ping, no traffic between both end networks.
 
Network:
=======
 192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet
 192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet
 
ASA5520 config:
----------------------
name 192.168.10.0 VPN
 !
interface GigabitEthernet0/1
nameif NET
security-level 100
ip address 192.168.113.6 255.255.255.0

[code]....

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved