09-13-2017 10:54 AM - edited 03-12-2019 04:32 AM
Hello,
I recently upgraded an old ASA 5505 unit to an ASA 5506 to take advantage of the gigabit interfaces. Some of the configuration from the 5505 transferred to the 5506 with no issues.
The site-to-site VPNs work as expected. I can also connect to an IPSEC VPN, but I'm unable to access the internal network after connecting. Also, there's no internet access from the internal network.
I'm not sure what I'm missing in the configuration. Comparing it to the 5505 which worked correctly, it's identical! I'm sure I'm just missing a NAT statement somewhere, but I just can't figure it out. What am I missing?
I've been troubleshooting this for 2 days and none of the other solutions have got me anywhere. Any help is appreciated. Thanks.
: Saved
:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
!
ASA Version 9.8(2)
!
hostname SPFBackup
domain-name ASA5505
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxx encrypted
names
ip local pool VPN-98 10.10.98.25-10.10.98.100 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address xx.xx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside
 security-level 100
!
interface GigabitEthernet1/3
 nameif GB3
 security-level 100
 no ip address
!
interface GigabitEthernet1/4
 nameif GB4
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 nameif GB5
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 nameif GB6
 security-level 100
 no ip address
!
interface GigabitEthernet1/7
 nameif GB7
 security-level 100
 no ip address
!
interface GigabitEthernet1/8
 nameif GB8
 security-level 100
 no ip address
!
interface Management1/1
 management-only
 nameif Manage
 security-level 0
 no ip address
!
interface BVI1
 nameif inside_bridge
 security-level 100
 ip address 10.10.1.6 255.255.255.0
!
boot system disk0:/asa982-lfbff-k8.SPA
boot system disk0:/asa971-4-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ASA5505
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network obj-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
object network obj-10.10.50.0
 subnet 10.10.50.0 255.255.255.0
object network obj-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
object network obj-10.10.14.0
 subnet 10.10.14.0 255.255.255.0
object network obj-10.10.2.0
 subnet 10.10.2.0 255.255.255.0
object network obj-10.10.98.0_25
 subnet 10.10.98.0 255.255.255.128
object network obj-10.10.16.0
 subnet 10.10.16.0 255.255.255.0
object network obj-10.10.1.11
 host 10.10.1.11
object network obj-10.10.1.13
 host 10.10.1.13
object network NW-obj-10.10.1.11
 host 10.10.1.11
object network NW-obj-10.10.1.11-01
 host 10.10.1.11
object network NW-obj-10.10.1.11-02
 host 10.10.1.11
object network NW-obj-10.10.1.11-03
 host 10.10.1.11
object network NW-obj-10.10.1.11-04
 host 10.10.1.11
object network obj-10.10.1.14
 host 10.10.1.14
object network obj-10.10.1.15
 host 10.10.1.15
object network inside-network
 subnet 10.10.1.0 255.255.255.0
object network AS400
 host 10.10.1.11
object-group network obj_any
object-group network DM_INLINE_NETWORK_1
 network-object object obj-10.10.1.11
 network-object object obj-10.10.1.13
 network-object object obj-10.10.1.14
 network-object object obj-10.10.1.15
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_6
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_8
 service-object ip
 service-object icmp echo-reply
access-list inside_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in extended permit icmp 10.10.1.0 255.255.255.0 any4 log disable
access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 any4 log disable
access-list inside_access_in extended permit ip 10.10.2.0 255.255.255.0 any4
access-list inside_access_in extended permit ip 10.10.14.0 255.255.255.0 any4
access-list inside_access_in extended permit ip 10.10.16.0 255.255.255.0 any4
access-list inside_access_in extended permit ip 10.10.20.0 255.255.255.0 any4
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 any4
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 10.10.98.0 255.255.255.128 any
access-list outside_access_in extended permit tcp host xxx.254.251.50 any4 eq ssh
access-list outside_access_in extended permit ip host xxx.254.251.50 any4
access-list outside_access_in extended permit tcp any4 host 10.10.1.11 eq www
access-list outside_access_in extended permit tcp any4 host 10.10.1.11 eq 992
access-list outside_access_in extended permit tcp any4 host 10.10.1.11 eq 8999
access-list outside_access_in extended permit tcp host xxx.64.254.32 host 10.10.1.11 eq ftp-data
access-list outside_access_in extended permit tcp host xxx.64.254.32 host 10.10.1.11 eq ftp
access-list outside_access_in extended permit tcp any4 host 10.10.12.21 eq 10000
access-list outside_access_in extended permit tcp host xxx.155.146.226 any4 eq ssh
access-list outside_access_in extended permit ip host xxx.155.146.226 any4
access-list outside_access_in extended permit tcp host xx.197.154.218 any4 eq ssh
access-list outside_access_in extended permit ip host xx.197.154.218 any4
access-list outside_access_in extended permit tcp host xxx.155.138.130 any4 eq ssh
access-list outside_access_in extended permit ip host xxx.155.138.130 any4
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list 114 extended permit ip 10.10.1.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list 120 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 150 extended permit ip 10.10.1.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.11
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.13
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.14
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.15
access-list 116 extended permit ip 10.10.1.0 255.255.255.0 10.10.16.0 255.255.255.0
access-list ISP1_cryptomap_65535.65535 extended permit ip any4 any4
pager lines 24
logging enable
logging asdm informational
mtu ISP1 1500
mtu inside 1500
mtu GB3 1500
mtu GB4 1500
mtu GB5 1500
mtu GB6 1500
mtu GB7 1500
mtu GB8 1500
mtu Manage 1500
no failover
no monitor-interface inside_bridge
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable ISP1
icmp permit any ISP1
icmp permit any inside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.2.0 obj-10.10.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.14.0 obj-10.10.14.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.16.0 obj-10.10.16.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.50.0 obj-10.10.50.0 no-proxy-arp route-lookup
nat (inside,ISP1) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-10.10.98.0_25 obj-10.10.98.0_25 no-proxy-arp route-lookup
!
object network obj-10.10.98.0_25
 nat (ISP1,ISP1) dynamic interface
object network NW-obj-10.10.1.11
 nat (inside,ISP1) static interface service tcp 992 992
object network NW-obj-10.10.1.11-01
 nat (inside,ISP1) static interface service tcp 8999 8999
object network NW-obj-10.10.1.11-02
 nat (inside,ISP1) static interface service tcp www 8015
object network NW-obj-10.10.1.11-03
 nat (inside,ISP1) static interface service tcp ftp-data ftp-data
object network NW-obj-10.10.1.11-04
 nat (inside,ISP1) static interface service tcp ftp ftp
!
nat (inside,ISP1) after-auto source dynamic any interface
nat (ISP1,ISP1) after-auto source dynamic any interface
access-group outside_access_in in interface ISP1
access-group inside_access_in in interface inside
access-group inside_access_in in interface inside_bridge
route ISP1 0.0.0.0 0.0.0.0 xx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside_bridge) host 10.10.1.13
 key xxxxxxxx
 radius-common-pw xxxxxxx
 no mschapv2-capable
 acl-netmask-convert auto-detect
aaa-server RADIUS (inside_bridge) host 10.10.1.14
 key xxxxxxxxx
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 10.10.1.0 255.255.255.0 inside
http 10.10.2.0 255.255.255.0 inside
http 10.10.14.0 255.255.255.0 inside
http 10.10.16.0 255.255.255.0 inside
http 10.10.20.0 255.255.255.0 inside
http 10.10.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address ISP1_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS ESP-AES256-SHA1_TRANS ESP-AES256-SHA1
crypto map outside_map 1 match address 120
crypto map outside_map 1 set peer xx.xx.xx.202
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 2 match address 114
crypto map outside_map 2 set peer xx.xx.xx.205
crypto map outside_map 2 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 3 match address 150
crypto map outside_map 3 set peer xx.xx.xx.2
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 match address 102
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer xx.xx.xx.209
crypto map outside_map 4 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 5 match address 116
crypto map outside_map 5 set peer xx.xx.xx.1
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface ISP1
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto isakmp nat-traversal 1500
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable ISP1
crypto ikev1 enable ISP1
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.2.0 255.255.255.0 inside
telnet 10.10.14.0 255.255.255.0 inside
telnet 10.10.16.0 255.255.255.0 inside
telnet 10.10.20.0 255.255.255.0 inside
telnet 10.10.50.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd lease 1048575
dhcpd ping_timeout 3000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.101 source ISP1 prefer
ntp server 132.163.4.102 source ISP1 prefer
ntp server 132.163.4.103 source ISP1 prefer
ntp server 64.113.32.5 source ISP1 prefer
webvpn
 anyconnect-essentials
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.10.1.13 8.8.8.8
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_xxx.xxx.241.2 internal
group-policy GroupPolicy_xxx.xxx.241.2 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_xxx.xx.237.1 internal
group-policy GroupPolicy_xxx.xx.237.1 attributes
 vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username xxxx password $xxxxx pbkdf2
username xxxxxVPN password xxxxx= nt-encrypted privilege 0
username xxxxxVPN attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-98
 authentication-server-group RADIUS LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key xxxxxx
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group xx.xxx.10.205 type ipsec-l2l
tunnel-group xx.xxx.10.205 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
tunnel-group xx.xx.190.202 type ipsec-l2l
tunnel-group xx.xx.190.202 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
tunnel-group xx.xx.27.209 type ipsec-l2l
tunnel-group xx.xx.27.209 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
tunnel-group xx.xx.241.2 type ipsec-l2l
tunnel-group xx.xx.241.2 general-attributes
 default-group-policy GroupPolicy_xx.xx.241.2
tunnel-group xx.xx.241.2 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
 ikev2 remote-authentication pre-shared-key xxxxxxxx
 ikev2 local-authentication pre-shared-key xxxxxxxx
tunnel-group xx.xx.237.1 type ipsec-l2l
tunnel-group xx.xx.237.1 general-attributes
 default-group-policy GroupPolicy_xx.xx.237.1
tunnel-group xx.xx.237.1 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
 ikev2 remote-authentication pre-shared-key xxxxxxxx
 ikev2 local-authentication pre-shared-key xxxxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:8f2ec4b7a6c8adf31b6de09490395557
: end
10-26-2017 06:58 AM
I'm still not sure what the problem actually was. I rebuilt the whole configuration from scratch and it's working now.
09-22-2017 12:35 PM
Hello @rschember1,
I checked the configuration and this is what I found:
VPN Pool
ip local pool VPN-98 10.10.98.25-10.10.98.100 mask 255.255.255.0
Split-Tunnel ACL
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.11
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.13
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.14
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.15
ACLs for Site to Site
access-list 114 extended permit ip 10.10.1.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list 120 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 150 extended permit ip 10.10.1.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list 116 extended permit ip 10.10.1.0 255.255.255.0 10.10.16.0 255.255.255.0
Based on this, the pool for the RA is not configured to go through any site-to-site VPN tunnel you have configured on your ASA, and the destinations are not included in the split-tunnel ACL, so you need to do the following:
Example Tunnel 1:
ACL Split-tunnel
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
ACL for crypto map 1:
access-list 120 extended permit ip 10.10.98.0 255.255.255.128 10.10.20.0 255.255.255.0
NAT:
nat (ISP1,ISP1) source static obj-10.10.98.0_25 obj-10.10.98.0_25 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
Also you need to verify the configuration on the other side and check if the Pool is allowed to go through the VPN tunnel.
HTH
Gio
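As an added example that is not part of this thread (it is neither Gio's nor Cisco's code), the Python checker below applies the three conditions from the answer above to an ASA running-config: for every static crypto map entry it reports whether the remote-access pool is (1) covered by the split-tunnel ACL, (2) a source in the crypto map's match ACL, and (3) identity-NAT exempted toward the tunnel's destination network. The sample config is constructed from fragments of the configuration posted in this thread; the peer addresses 192.0.2.202 and 192.0.2.205 are TEST-NET placeholders for the masked xx.xx.xx.202 and xx.xx.xx.205 peers, and the function names parse_asa and check_ra_to_l2l are my own.

```python
import ipaddress
from collections import defaultdict


def _net(addr, mask=None):
    """ASA 'address netmask' pair -> IPv4Network; any/any4 -> 0.0.0.0/0, no mask -> /32."""
    if addr in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def _take(t, i):
    """Consume one ACE address spec (any4 | host X | NET MASK) starting at t[i]."""
    if t[i] in ("any", "any4"):
        return _net(t[i]), i + 1
    if t[i] == "host":
        return _net(t[i + 1]), i + 2
    return _net(t[i], t[i + 1]), i + 2


def parse_asa(config):
    """Collect pools, network objects, ACLs, crypto-map entries and identity-NAT pairs."""
    cfg = {"pools": {}, "objects": {}, "acls": defaultdict(list),
           "crypto": defaultdict(dict), "nat_exempt": [], "split_acl": None}
    obj = None  # name of the 'object network' block we are inside, if any
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object", "network"]:
            obj = t[2]
            continue
        if obj and line.startswith(" "):  # sub-command of the current object
            if t[0] in ("subnet", "host"):
                cfg["objects"][obj] = _net(t[1], t[2] if t[0] == "subnet" else None)
            continue
        obj = None
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            cfg["acls"][t[1]].append((None, _take(t, 4)[0]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _take(t, 5)
            cfg["acls"][t[1]].append((src, _take(t, i)[0]))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit() and t[4] in ("match", "set"):
            cfg["crypto"][(t[2], int(t[3]))][t[5]] = t[6]  # 'address' -> ACL, 'peer' -> IP
        elif (t[0] == "nat" and len(t) > 9 and t[2:4] == ["source", "static"]
              and t[6:8] == ["destination", "static"] and t[4] == t[5] and t[8] == t[9]):
            cfg["nat_exempt"].append((t[4], t[8]))  # twice identity NAT = exemption
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = t[2]
    return cfg


def check_ra_to_l2l(config, pool_name):
    """One row per (peer, destination): does the RA pool satisfy each of the three conditions?"""
    cfg = parse_asa(config)
    lo, hi = cfg["pools"][pool_name]
    covers = lambda n: n is not None and lo in n and hi in n  # whole pool inside n
    split = [n for _, n in cfg["acls"].get(cfg["split_acl"], [])]
    exempt = [(cfg["objects"].get(s), cfg["objects"].get(d)) for s, d in cfg["nat_exempt"]]
    rows = []
    for key in sorted(cfg["crypto"]):
        entry = cfg["crypto"][key]
        if "peer" not in entry or "address" not in entry:
            continue  # dynamic-map entries have no static peer; not a site-to-site tunnel
        aces = cfg["acls"].get(entry["address"], [])
        for dst in sorted({d for _, d in aces}, key=str):
            rows.append({
                "peer": entry["peer"], "destination": str(dst),
                "split_tunnel": any(dst.subnet_of(s) for s in split),
                "crypto_acl": any(covers(s) and dst.subnet_of(d) for s, d in aces),
                "nat_exempt": any(covers(s) and d is not None and dst.subnet_of(d)
                                  for s, d in exempt),
            })
    return rows


# Constructed sample, trimmed from the thread's config; peer addresses are TEST-NET placeholders.
BEFORE = """\
ip local pool VPN-98 10.10.98.25-10.10.98.100 mask 255.255.255.0
object network obj-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
object network obj-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
object network obj-10.10.98.0_25
 subnet 10.10.98.0 255.255.255.128
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.10.1.11
access-list 114 extended permit ip 10.10.1.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list 120 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
crypto map outside_map 1 match address 120
crypto map outside_map 1 set peer 192.0.2.202
crypto map outside_map 2 match address 114
crypto map outside_map 2 set peer 192.0.2.205
group-policy DefaultRAGroup attributes
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
"""
# The three lines the answer above adds for tunnel 1 (10.10.20.0/24 behind the first peer).
FIX_TUNNEL_1 = """\
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list 120 extended permit ip 10.10.98.0 255.255.255.128 10.10.20.0 255.255.255.0
nat (ISP1,ISP1) source static obj-10.10.98.0_25 obj-10.10.98.0_25 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
"""
AFTER = BEFORE + FIX_TUNNEL_1
```

Call check_ra_to_l2l(BEFORE, "VPN-98") and then the same on AFTER: before the fix every condition is False for both tunnels; after the three lines for tunnel 1 are added, the row for the first peer shows all three True while the 10.10.14.0/24 tunnel still fails, which is the cue to repeat the same three lines for each remaining site-to-site tunnel. The check only covers the local ASA; as the answer notes, the peer at the other end must also permit the pool through its side of the tunnel.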