mahrens007 asked:
ASA 5505 + Remote VPN traffic

Hello,

I am having problems trying to get users to VPN into the main site and reach the remote site.  

                 Main Site Internet (Static)                                                       Remote Site Internet (DHCP)
                       |                                                                                                       |
                       |                                                                                                       |
Subnet ------ ASA --------Uplink ---------Wireless Bridge ------------- Uplink --------- ASA ---------Subnet



The error that I am getting is:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.30.3.104 dst uplink:192.168.100.50 (type 8, code 0) denied due to NAT reverse path failure


I do not see any logs at the remote site.  

Any ideas?



Main Site



: Saved
:
ASA Version 8.2(4)
!
hostname xxxx

names

!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface Vlan3
 nameif uplink
 security-level 100
 ip address 10.250.1.1 255.255.255.248
!
interface Vlan5
 no forward interface Vlan1
 nameif public
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa824-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SPLIT standard permit 192.168.10.0 255.255.255.0
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 172.30.3.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NoNAT extended permit ip 172.30.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in remark ***For Exchange***
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 10.250.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 172.30.3.0 255.255.255.0  192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu public 1500
mtu uplink 1500
ip local pool vpn_pool 172.30.3.101-172.30.3.125 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 1 192.168.1.0 255.255.255.0
nat (uplink) 0 access-list UplinkNoNAT
nat (uplink) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.10.25 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 63.138.62.193 1
route uplink 172.30.3.0 255.255.255.0 10.250.1.2 2
route uplink 192.168.100.0 255.255.255.0 10.250.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set TunnelSec esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RemoteUser 10 set transform-set TunnelSec
crypto dynamic-map RemoteUser 10 set security-association lifetime seconds 288000
crypto dynamic-map RemoteUser 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map RemoteUser 10 set reverse-route
crypto map VPNConns 10 set peer <IP address>
crypto map VPNConns 10 set transform-set TunnelSec
crypto map VPNConns 10 set security-association lifetime seconds 28800
crypto map VPNConns 10 set security-association lifetime kilobytes 4608000
crypto map VPNConns 100 ipsec-isakmp dynamic RemoteUser
crypto map VPNConns interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 60
ssh xxx.xxx.xxx.xxx 255.255.255.128 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd option 43 ip 192.168.1.1
!
dhcpd address 192.168.1.100-192.168.1.200 public
dhcpd dns 8.8.8.8 8.8.4.4 interface public
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 dns-server value 192.168.10.22
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value ms.seniorsfirstonline.com
 address-pools value vpn_pool
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc

tunnel-group RemoteUser type remote-access
tunnel-group RemoteUser general-attributes
 address-pool vpn_pool
tunnel-group SSLAccess type remote-access
tunnel-group SSLAccess general-attributes
 default-group-policy SSLVPN
tunnel-group SSLAccess webvpn-attributes
 group-alias RemoteUsers enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:757f542ca8903a10d889e89ca777701f
: end



---------------------

Remote


names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif uplink
 security-level 100
 ip address 10.250.1.2 255.255.255.248
!
boot system disk0:/asa824-k8.bin
ftp mode passive
dns server-group DefaultDNS
 name-server 192.168.10.22
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.100.0 255.255.255.0 172.30.3.0 255.255.255.0
access-list NoNAT extended permit ip 172.30.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 172.30.3.0 255.255.255.0  192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu uplink 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (uplink) 0 access-list UplinkNoNAT
nat (uplink) 1 0.0.0.0 0.0.0.0
route uplink 172.30.3.0 255.255.255.0 10.250.1.1 2
route uplink 192.168.10.0 255.255.255.0 10.250.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 60
ssh 74.39.247.128 255.255.255.128 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.10.22
dhcpd wins 192.168.10.22
dhcpd domain xxx
!
dhcpd address 192.168.100.104-192.168.100.180 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect icmp
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1ffd362cb9900b5168ce3c0cbc4e1b6d
ASKER CERTIFIED SOLUTION

Ernie Beek
Also at the main site config you have: route uplink 172.30.3.0 255.255.255.0 10.250.1.2 2

The 172.30.3.x addresses are at the outside interface (VPN clients) so that route should go.

I reread my first post and that isn't stated very well. The nat exempts (nat 0) set on an interface are for traffic coming in to that interface. There you define what outgoing traffic is exempted from NAT. So in to the interface and out the device.

For example main site:

access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 10.250.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 172.30.3.0 255.255.255.0

mahrens007 (asker):
Yup, you were correct.  There was an ACL missing for the 192.168.100.x traffic to 172.30.3.x at the main site.

Ernie Beek:

Glad I could help :) And of course thx for the points.
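
The nat 0 direction Ernie describes and the missing UplinkNoNAT entry the asker confirmed, as an added example (not from this thread or from Cisco): a small Python model of ASA 8.2 NAT-exemption lookups that evaluates the forward flow from the logged %ASA-5-305013 message and its reverse against the main-site UplinkNoNAT lines posted above. The interface set and the simplification that an interface with no nat rule applies no translation are assumptions of the model, not ASA code.

```python
import ipaddress

# Main-site nat 0 ACL for the uplink interface, as posted in the question (ASA 8.2 syntax).
MAIN_SITE_UPLINK_NONAT = """
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 10.250.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 172.30.3.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
# The entry the thread concluded was missing (remote LAN -> VPN pool, entering uplink).
MISSING_ACE = "access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 172.30.3.0 255.255.255.0"

def parse_nat0_acl(text):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' lines into (src, dst) networks."""
    aces = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) == 9 and p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            aces.append((ipaddress.IPv4Network((p[5], p[6])), ipaddress.IPv4Network((p[7], p[8]))))
    return aces

def is_exempt(aces, src, dst):
    """nat 0 match: source and destination of the flow both fall inside one ACE."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in aces)

def nat_applied(nat0, dynamic_nat_ifaces, ingress, src, dst):
    """Simplified model (assumption): a flow entering 'ingress' is translated when that interface
    has a 'nat (X) 1' rule and the flow is not matched by that interface's nat 0 ACL."""
    return ingress in dynamic_nat_ifaces and not is_exempt(nat0.get(ingress, []), src, dst)

def is_asymmetric(nat0, dynamic_nat_ifaces, ingress, src, dst, egress):
    """True when the forward flow and its reverse (entering the egress interface with
    src/dst swapped) disagree on NAT, which is what %ASA-5-305013 reports."""
    fwd = nat_applied(nat0, dynamic_nat_ifaces, ingress, src, dst)
    rev = nat_applied(nat0, dynamic_nat_ifaces, egress, dst, src)
    return fwd != rev

# Interfaces carrying a 'nat (X) 1 ...' rule in the main-site config; outside has none.
DYNAMIC = {"inside", "public", "uplink"}

def check(acl_text):
    """Evaluate the logged flow: VPN client 172.30.3.104 -> 192.168.100.50, in outside, out uplink."""
    nat0 = {"uplink": parse_nat0_acl(acl_text)}  # 'nat (uplink) 0 access-list UplinkNoNAT'
    return is_asymmetric(nat0, DYNAMIC, "outside", "172.30.3.104", "192.168.100.50", "uplink")

if __name__ == "__main__":
    print("asymmetric before fix:", check(MAIN_SITE_UPLINK_NONAT))
    print("asymmetric after fix:", check(MAIN_SITE_UPLINK_NONAT + MISSING_ACE))
```

The reverse flow (192.168.100.50 back to 172.30.3.104) enters uplink, misses every posted UplinkNoNAT entry and falls through to the dynamic PAT, while the forward flow entering outside is never translated; adding the missing entry makes both directions agree.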