ASA 5506 Remote VPN - Can't access network after connect

rschember1
Level 1

Hello,

I recently upgraded an old ASA 5505 unit to an ASA 5506 to take advantage of the gigabit interfaces. Some of the configuration from the 5505 transferred to the 5506 with no issues.

The site-to-site VPNs work as expected. I can also connect to an IPSEC VPN, but I'm unable to access the internal network after connecting. Also, there's no internet access from the internal network.

I'm not sure what I'm missing in the configuration. Comparing it to the 5505, which worked correctly, it's identical! I'm sure I'm just missing a NAT statement somewhere, but I just can't figure it out. What am I missing?

I've been troubleshooting this for 2 days and none of the other solutions have got me anywhere. Any help is appreciated. Thanks.

: Saved

: 
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
!
ASA Version 9.8(2) 
!
hostname SPFBackup
domain-name ASA5505
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxx encrypted
names
ip local pool VPN-98 10.10.98.25-10.10.98.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address xx.xx.xxx.xxx 255.255.255.248 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside
 security-level 100
!
interface GigabitEthernet1/3
 nameif GB3
 security-level 100
 no ip address
!
interface GigabitEthernet1/4
 nameif GB4
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 nameif GB5
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 nameif GB6
 security-level 100
 no ip address
!
interface GigabitEthernet1/7
 nameif GB7
 security-level 100
 no ip address
!
interface GigabitEthernet1/8
 nameif GB8
 security-level 100
 no ip address
!
interface Management1/1
 management-only
 nameif Manage
 security-level 0
 no ip address
!
interface BVI1
 nameif inside_bridge
 security-level 100
 ip address 10.10.1.6 255.255.255.0 
!
boot system disk0:/asa982-lfbff-k8.SPA
boot system disk0:/asa971-4-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ASA5505
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network obj-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
object network obj-10.10.50.0
 subnet 10.10.50.0 255.255.255.0
object network obj-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
object network obj-10.10.14.0
 subnet 10.10.14.0 255.255.255.0
object network obj-10.10.2.0
 subnet 10.10.2.0 255.255.255.0
object network obj-10.10.98.0_25
 subnet 10.10.98.0 255.255.255.128
object network obj-10.10.16.0
 subnet 10.10.16.0 255.255.255.0
object network obj-10.10.1.11
 host 10.10.1.11
object network obj-10.10.1.13
 host 10.10.1.13
object network NW-obj-10.10.1.11
 host 10.10.1.11
object network NW-obj-10.10.1.11-01
 host 10.10.1.11
object network NW-obj-10.10.1.11-02
 host 10.10.1.11
object network NW-obj-10.10.1.11-03
 host 10.10.1.11
object network NW-obj-10.10.1.11-04
 host 10.10.1.11
object network obj-10.10.1.14
 host 10.10.1.14
object network obj-10.10.1.15
 host 10.10.1.15
object network inside-network
 subnet 10.10.1.0 255.255.255.0
object network AS400
 host 10.10.1.11
object-group network obj_any
object-group network DM_INLINE_NETWORK_1
 network-object object obj-10.10.1.11
 network-object object obj-10.10.1.13
 network-object object obj-10.10.1.14
 network-object object obj-10.10.1.15
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_2
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_3
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_4
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_5
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_6
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_7
 service-object ip 
 service-object tcp destination eq ssh 
object-group service DM_INLINE_SERVICE_8
 service-object ip 
 service-object icmp echo-reply
access-list inside_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in extended permit icmp 10.10.1.0 255.255.255.0 any4 log disable 
access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 any4 log disable 
access-list inside_access_in extended permit ip 10.10.2.0 255.255.255.0 any4 
access-list inside_access_in extended permit ip 10.10.14.0 255.255.255.0 any4 
access-list inside_access_in extended permit ip 10.10.16.0 255.255.255.0 any4 
access-list inside_access_in extended permit ip 10.10.20.0 255.255.255.0 any4 
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 any4 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 10.10.98.0 255.255.255.128 any 
access-list outside_access_in extended permit tcp host xxx.254.251.50 any4 eq ssh 
access-list outside_access_in extended permit ip host xxx.254.251.50 any4 
access-list outside_access_in extended permit tcp any4 host 10.10.1.11 eq www 
access-list outside_access_in extended permit tcp any4 host 10.10.1.11 eq 992 
access-list outside_access_in extended permit tcp any4 host 10.10.1.11 eq 8999 
access-list outside_access_in extended permit tcp host xxx.64.254.32 host 10.10.1.11 eq ftp-data 
access-list outside_access_in extended permit tcp host xxx.64.254.32 host 10.10.1.11 eq ftp 
access-list outside_access_in extended permit tcp any4 host 10.10.12.21 eq 10000 
access-list outside_access_in extended permit tcp host xxx.155.146.226 any4 eq ssh 
access-list outside_access_in extended permit ip host xxx.155.146.226 any4 
access-list outside_access_in extended permit tcp host xx.197.154.218 any4 eq ssh 
access-list outside_access_in extended permit ip host xx.197.154.218 any4 
access-list outside_access_in extended permit tcp host xxx.155.138.130 any4 eq ssh 
access-list outside_access_in extended permit ip host xxx.155.138.130 any4 
access-list outside_access_in extended permit icmp any4 any4 echo-reply 
access-list 114 extended permit ip 10.10.1.0 255.255.255.0 10.10.14.0 255.255.255.0 
access-list 120 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0 
access-list 102 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 
access-list 150 extended permit ip 10.10.1.0 255.255.255.0 10.10.50.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.11 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.13 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.14 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.15 
access-list 116 extended permit ip 10.10.1.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list ISP1_cryptomap_65535.65535 extended permit ip any4 any4 
pager lines 24
logging enable
logging asdm informational
mtu ISP1 1500
mtu inside 1500
mtu GB3 1500
mtu GB4 1500
mtu GB5 1500
mtu GB6 1500
mtu GB7 1500
mtu GB8 1500
mtu Manage 1500
no failover
no monitor-interface inside_bridge
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable ISP1
icmp permit any ISP1
icmp permit any inside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.2.0 obj-10.10.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.14.0 obj-10.10.14.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.16.0 obj-10.10.16.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.50.0 obj-10.10.50.0 no-proxy-arp route-lookup
nat (inside,ISP1) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-10.10.98.0_25 obj-10.10.98.0_25 no-proxy-arp route-lookup
!
object network obj-10.10.98.0_25
 nat (ISP1,ISP1) dynamic interface
object network NW-obj-10.10.1.11
 nat (inside,ISP1) static interface service tcp 992 992 
object network NW-obj-10.10.1.11-01
 nat (inside,ISP1) static interface service tcp 8999 8999 
object network NW-obj-10.10.1.11-02
 nat (inside,ISP1) static interface service tcp www 8015 
object network NW-obj-10.10.1.11-03
 nat (inside,ISP1) static interface service tcp ftp-data ftp-data 
object network NW-obj-10.10.1.11-04
 nat (inside,ISP1) static interface service tcp ftp ftp 
!
nat (inside,ISP1) after-auto source dynamic any interface
nat (ISP1,ISP1) after-auto source dynamic any interface
access-group outside_access_in in interface ISP1
access-group inside_access_in in interface inside
access-group inside_access_in in interface inside_bridge
route ISP1 0.0.0.0 0.0.0.0 xx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside_bridge) host 10.10.1.13
 key xxxxxxxx
 radius-common-pw xxxxxxx
 no mschapv2-capable
 acl-netmask-convert auto-detect
aaa-server RADIUS (inside_bridge) host 10.10.1.14
 key xxxxxxxxx
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication login-history
http server enable
http 10.10.1.0 255.255.255.0 inside
http 10.10.2.0 255.255.255.0 inside
http 10.10.14.0 255.255.255.0 inside
http 10.10.16.0 255.255.255.0 inside
http 10.10.20.0 255.255.255.0 inside
http 10.10.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address ISP1_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS ESP-AES256-SHA1_TRANS ESP-AES256-SHA1
crypto map outside_map 1 match address 120
crypto map outside_map 1 set peer xx.xx.xx.202 
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 2 match address 114
crypto map outside_map 2 set peer xx.xx.xx.205 
crypto map outside_map 2 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 3 match address 150
crypto map outside_map 3 set peer xx.xx.xx.2 
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 match address 102
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer xx.xx.xx.209 
crypto map outside_map 4 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 5 match address 116
crypto map outside_map 5 set peer xx.xx.xx.1 
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface ISP1
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto isakmp nat-traversal 1500
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable ISP1
crypto ikev1 enable ISP1
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.2.0 255.255.255.0 inside
telnet 10.10.14.0 255.255.255.0 inside
telnet 10.10.16.0 255.255.255.0 inside
telnet 10.10.20.0 255.255.255.0 inside
telnet 10.10.50.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd lease 1048575
dhcpd ping_timeout 3000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.101 source ISP1 prefer
ntp server 132.163.4.102 source ISP1 prefer
ntp server 132.163.4.103 source ISP1 prefer
ntp server 64.113.32.5 source ISP1 prefer
webvpn
 anyconnect-essentials
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.10.1.13 8.8.8.8
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_xxx.xxx.241.2 internal
group-policy GroupPolicy_xxx.xxx.241.2 attributes
 vpn-tunnel-protocol ikev1 ikev2 
group-policy GroupPolicy_xxx.xx.237.1 internal
group-policy GroupPolicy_xxx.xx.237.1 attributes
 vpn-tunnel-protocol ikev1 ikev2 
dynamic-access-policy-record DfltAccessPolicy
username xxxx password $xxxxx pbkdf2
username xxxxxVPN password xxxxx= nt-encrypted privilege 0
username xxxxxVPN attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-98
 authentication-server-group RADIUS LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key xxxxxx
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group xx.xxx.10.205 type ipsec-l2l
tunnel-group xx.xxx.10.205 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
tunnel-group xx.xx.190.202 type ipsec-l2l
tunnel-group xx.xx.190.202 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
tunnel-group xx.xx.27.209 type ipsec-l2l
tunnel-group xx.xx.27.209 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
tunnel-group xx.xx.241.2 type ipsec-l2l
tunnel-group xx.xx.241.2 general-attributes
 default-group-policy GroupPolicy_xx.xx.241.2
tunnel-group xx.xx.241.2 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
 ikev2 remote-authentication pre-shared-key xxxxxxxx
 ikev2 local-authentication pre-shared-key xxxxxxxx
tunnel-group xx.xx.237.1 type ipsec-l2l
tunnel-group xx.xx.237.1 general-attributes
 default-group-policy GroupPolicy_xx.xx.237.1
tunnel-group xx.xx.237.1 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
 ikev2 remote-authentication pre-shared-key xxxxxxxx
 ikev2 local-authentication pre-shared-key xxxxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:8f2ec4b7a6c8adf31b6de09490395557
: end

 

Accepted Solution

rschember1
Level 1

I'm still not sure what the problem actually was. I rebuilt the whole configuration from scratch and it's working now.


GioGonza
Level 4

Hello @rschember1,

I checked the configuration and this is what I found:

VPN Pool
ip local pool VPN-98 10.10.98.25-10.10.98.100 mask 255.255.255.0

Split-Tunnel ACL
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.11
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.13
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.14
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.15

ACLs for Site to Site
access-list 114 extended permit ip 10.10.1.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list 120 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 150 extended permit ip 10.10.1.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list 116 extended permit ip 10.10.1.0 255.255.255.0 10.10.16.0 255.255.255.0

Based on this, the Pool for the RA is not configured to go through any Site to Site VPN tunnel you have configured on your ASA, and the destinations are not included in the Split-Tunnel ACL, so you need to do the following:

Example Tunnel 1:

ACL Split-tunnel
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0

ACL for crypto map 1:
access-list 120 extended permit ip 10.10.98.0 255.255.255.128 10.10.20.0 255.255.255.0

NAT:
nat (ISP1,ISP1) source static obj-10.10.98.0_25 obj-10.10.98.0_25 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup

Also, you need to verify the configuration on the other side and check if the Pool is allowed to go through the VPN tunnel.

HTH

Gio
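As an added, runnable illustration of the three things the reply above checks (this is not code from the thread or from Cisco): a small Python script that parses the relevant lines of an ASA running-config and reports whether a remote-access pool can reach a given remote network, i.e. whether the target is in the split-tunnel ACL, whether pool-to-target is "interesting traffic" in the crypto-map ACL, and whether an identity twice-NAT rule exempts it from the outside PAT. The embedded config is a constructed slice modelled on the posted one, first as posted and then with the reply's "Example Tunnel 1" lines appended; the function names (check_ra_reachability and its helpers) are my own.

```python
import ipaddress
import re

# Constructed sample: a slice modelled on the configuration posted in the thread,
# reduced to the lines the checks below look at. Not the poster's full config.
SAMPLE_CONFIG = """\
ip local pool VPN-98 10.10.98.25-10.10.98.100 mask 255.255.255.0
object network obj-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
object network obj-10.10.98.0_25
 subnet 10.10.98.0 255.255.255.128
object network obj-10.10.1.11
 host 10.10.1.11
object-group network DM_INLINE_NETWORK_1
 network-object object obj-10.10.1.11
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.11
access-list 120 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside,ISP1) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-10.10.98.0_25 obj-10.10.98.0_25 no-proxy-arp route-lookup
"""

# The three lines the reply's "Example Tunnel 1" adds (constructed to match the reply).
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list 120 extended permit ip 10.10.98.0 255.255.255.128 10.10.20.0 255.255.255.0
nat (ISP1,ISP1) source static obj-10.10.98.0_25 obj-10.10.98.0_25 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
"""


def net(addr, mask="255.255.255.255"):
    """Build a network from ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pool(cfg, name):
    """First and last address of an 'ip local pool' (the addresses handed to RA clients)."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+) mask", cfg, re.M)
    if not m:
        raise ValueError(f"pool {name} not found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def parse_objects(cfg):
    """Map 'object network' / 'object-group network' names to their networks.
    Groups are flattened; an object re-entered later (e.g. for an object NAT
    subcommand) keeps the networks it already had."""
    objects, current = {}, None
    for line in cfg.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not line.startswith(" "):
            current = None
            if parts[:2] in (["object", "network"], ["object-group", "network"]):
                current = parts[2]
                objects.setdefault(current, [])
        elif current:
            if parts[0] == "subnet":
                objects[current].append(net(parts[1], parts[2]))
            elif parts[0] == "host":
                objects[current].append(net(parts[1]))
            elif parts[:2] == ["network-object", "object"]:
                objects[current].extend(objects.get(parts[2], []))
    return objects


def parse_split_tunnel(cfg, acl):
    """Networks the split-tunnel standard ACL sends into the tunnel."""
    nets = []
    for m in re.finditer(rf"^access-list {re.escape(acl)} standard permit (.+)$", cfg, re.M):
        parts = m.group(1).split()
        nets.append(net(parts[1]) if parts[0] == "host" else net(parts[0], parts[1]))
    return nets


def parse_crypto_acl(cfg, acl):
    """(source, destination) pairs of a crypto-map ACL; handles the 'address mask'
    form used in the thread, not the 'host'/'any' keyword forms."""
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(a, b), net(c, d)) for a, b, c, d in re.findall(pat, cfg, re.M)]


def parse_identity_nat(cfg, objects):
    """(source, destination) pairs exempted from translation: twice-NAT rules whose
    real and mapped objects are identical. Static twice NAT matches in both
    directions, so each pair is returned reversed as well."""
    pat = r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    pairs = []
    for real_src, map_src, real_dst, map_dst in re.findall(pat, cfg, re.M):
        if real_src != map_src or real_dst != map_dst:
            continue
        for s in objects.get(real_src, []):
            for d in objects.get(real_dst, []):
                pairs += [(s, d), (d, s)]
    return pairs


def pool_inside(start, end, network):
    """True when every address of the pool range lies inside the network."""
    return start in network and end in network


def check_ra_reachability(cfg, pool, split_acl, crypto_acl, target):
    """For RA clients drawn from `pool`, report which of the three pieces needed to
    reach `target` (CIDR) over the site-to-site tunnel matched by `crypto_acl` exist."""
    start, end = parse_pool(cfg, pool)
    objects = parse_objects(cfg)
    tgt = ipaddress.ip_network(target)
    return {
        # 1. the client must route the target into the RA tunnel
        "split_tunnel": any(tgt.subnet_of(n) for n in parse_split_tunnel(cfg, split_acl)),
        # 2. pool -> target must be interesting traffic for the site-to-site crypto map
        "crypto_acl": any(pool_inside(start, end, s) and tgt.subnet_of(d)
                          for s, d in parse_crypto_acl(cfg, crypto_acl)),
        # 3. pool -> target must be exempt from the dynamic PAT on the outside interface
        "nat_exempt": any(pool_inside(start, end, s) and tgt.subnet_of(d)
                          for s, d in parse_identity_nat(cfg, objects)),
    }


if __name__ == "__main__":
    args = ("VPN-98", "DefaultRAGroup_splitTunnelAcl", "120", "10.10.20.0/24")
    print("as posted:            ", check_ra_reachability(SAMPLE_CONFIG, *args))
    print("with Example Tunnel 1:", check_ra_reachability(FIXED_CONFIG, *args))
```

Run against the posted slice it reports all three pieces missing; with the reply's three lines appended it reports all three present. The script is an audit aid for reading a `show running-config` offline; the authoritative check is still `packet-tracer` on the ASA itself, with a pool address as the source and the remote subnet as the destination, which also exercises the interface ACLs and routes this parser ignores.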
