Routing to internet issue with ASA 8.4 from different subnet

OK, I have a bit of a long one here. I have 3 sites that each have two local subnets (data + voice). Site 1 is 192.168.1.x, site 2 is 192.168.2.x, etc. They are all connected through MPLS and all have Internet connections. The IP scheme goes like this: 192.168.(1-3).x/24 = data and 192.168.(10-30).x/24 = voice, and they have an RA VPN with 192.168.(101-103).x/24 = VPN clients.

Each site uses an ASA5505 for Internet, routing, and VPN. The ASA IP is 192.168.(1-3).253. The ASA routes traffic to the Internet, which is firewalled, and routes the site-to-site communications through the MPLS router. They each have an MPLS router at .254. Each site has an HP ProCurve at 192.168.(1-3).54 and 192.168.(10-30).54. The ProCurve routes the (.10-.30) subnets to the MPLS for inter-site communication, and has its default gateway set to the ASA for the Internet connection.

Now that we have the IP scheme out of the way, let's talk about the projected outcome. All sites need their data + voice to have Internet access through their own connection, and to be able to communicate across the MPLS for all cross-subnet traffic.

I have everything talking but can't get the voice (192.168.(10-30).x) network to the Internet; everything else is getting there. What's worse is that I have updated my ASAs to the new 8.4 OS, which has made quite a few changes to NATing. Posted below is my ASA config. I know that I didn't do the best job naming things, so I will understand if you find this confusing :)

: Saved
:
ASA Version 8.4(2)
!
hostname site3-asa
domain-name company.com
enable password  encrypted
passwd  encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name company.com
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.103.0_25
 subnet 192.168.103.0 255.255.255.128
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.102.0
 subnet 192.168.102.0 255.255.255.0
object network obj-192.168.101.0
 subnet 192.168.101.0 255.255.255.0
object network site2_vpn
 subnet 192.168.102.0 255.255.255.0
object network site1_vpn
 subnet 192.168.101.0 255.255.255.0
object network site3_lan
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.30.0
 subnet 192.168.30.0 255.255.255.0
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list tsb extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tsb extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list tsb extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tsb extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tsb extended permit ip object site3_lan object site1_vpn
access-list tsb extended permit ip object site3_lan object site2_vpn
access-list tsb extended permit ip object site1_vpn object site3_lan
access-list tsb extended permit ip object site2_vpn object site3_lan
access-list tsb extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list tsb extended permit ip 192.168.30.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tsb extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list tsb extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tsb extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list tsb extended permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list -site3_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list -site3_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list -site3_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool site3_VPN_Pool 192.168.103.50-192.168.103.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.103.0_25 NETWORK_OBJ_192.168.103.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.103.0_25 NETWORK_OBJ_192.168.103.0_25 no-proxy-arp route-lookup
nat (inside,inside) source static obj-192.168.2.0 obj-192.168.2.0
nat (inside,inside) source static obj-192.168.1.0 obj-192.168.1.0
nat (inside,inside) source static obj-192.168.102.0 obj-192.168.102.0
nat (inside,inside) source static obj-192.168.101.0 obj-192.168.101.0
nat (inside,inside) source static obj-192.168.30.0 obj-192.168.30.0
nat (inside,inside) source static obj-192.168.20.0 obj-192.168.20.0
nat (inside,inside) source static obj-192.168.10.0 obj-192.168.10.0
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 a.b.c.e 1
route inside 192.168.2.0 255.255.255.0 192.168.3.254 1
route inside 192.168.10.0 255.255.255.0 192.168.3.254 1
route inside 192.168.20.0 255.255.255.0 192.168.3.254 1
route inside 192.168.30.0 255.255.255.0 192.168.3.54 1
route inside 192.168.101.0 255.255.255.0 192.168.3.254 1
route inside 192.168.102.0 255.255.255.0 192.168.3.254 1
route inside 192.168.1.0 255.255.255.0 192.168.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server site3grp protocol nt
aaa-server site3grp (inside) host 192.168.3.2
 nt-auth-domain-controller 192.168.3.2
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn 3vpn.company.com
 subject-name CN=3vpn.nderson.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate b291044e
    308201fb 30820164 a0030201 020204b2 91044e30 0d06092a 864886f7 0d010105
    05003042 311c301a 06035504 03131363 76706e2e 6e6f616e 64657273 6f6e2e63
    6f6d3122 30200609 2a864886 f70d0109 02161363 76706e2e 6e6f616e 64657273
    6f6e2e63 6f6d301e 170d3131 30363237 31393537 33365a17 0d323130 36323431
    39353733 365a3042 311c301a 06035504 03131363 76706e2e 6e6f616e 64657273
    6f6e2e63 6f6d3122 30200609 2a864886 f70d0109 02161363 76706e2e 6e6f616e
    64657273 6f6e2e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00
    30818902 818100a7 aa9d8e87 dc27aaec f722efa6 f7757ffe 9c4a3d12 832e8386
    b9b653f4 d922ffbd 66e2a39b e7f86569 fcbad24f a0750324 91a73fd2 1ff712ca
    4e68b02e 3c408737 148f9f02 844d4180 e15941d2 7ddff0f2 93e74ccc 27e4e2ad
    736cd285 0f75eb65 1c1ef895 8050b54e f44fda98 e10f6985 5a272f89 52bdd433
    07bb848f 782d6d02 03010001 300d0609 2a864886 f70d0101 05050003 81810090
    8b1e1251 fd6f0097 4e389434 19057bbf 11253739 fa3a0b74 b90502ea 1842d8c9
    5c6ab14c ad83115c 02ca1a01 f5655436 33e3b96a 24268f13 483ecbba d8993b47
    95483f8c 3ec98c2b d125f100 25ce7227 d382818e 4d968fea 97c722c1 7d882f5f
    929aed6c 06256d1d c8a7da92 ab1b3ccc 5e155e72 bf307313 c4b389a8 c805aa
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
 anyconnect profiles site3_Anyconnect_client_profile disk0:/site3_Anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy -site3 internal
group-policy -site3 attributes
 dns-server value 192.168.3.2 192.168.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value -site3_splitTunnelAcl
 default-domain value company.com
group-policy GroupPolicy_site3_Anyconnect internal
group-policy GroupPolicy_site3_Anyconnect attributes
 wins-server none
 dns-server value 192.168.3.2
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value company.com
 webvpn
  anyconnect profiles value site3_Anyconnect_client_profile type user
username sayvandelay password fl0kZqdC1nVN7ySp encrypted privilege 0
username sayvandelay attributes
 vpn-group-policy -site3
tunnel-group -site3 type remote-access
tunnel-group -site3 general-attributes
 address-pool site3_VPN_Pool
 authentication-server-group site3grp
 default-group-policy -site3
tunnel-group -site3 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group site3_Anyconnect type remote-access
tunnel-group site3_Anyconnect general-attributes
 address-pool site3_VPN_Pool
 authentication-server-group site3grp
 default-group-policy GroupPolicy_site3_Anyconnect
tunnel-group site3_Anyconnect webvpn-attributes
 group-alias site3_Anyconnect enable
!
class-map stateBypassMap
 match access-list tsb
!
!
policy-map tcp_bypass_policy
 class stateBypassMap
  set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface inside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d69476765ecf2023dce440ec7300765
:


Any help would be much obliged.

Thanks,

Shareef

Senior infrastructure engineer, Top Expert 2012, commented:
If you do a trace from the VoIP network, does it get you to the (correct) ASA? And if so, is anything showing in the logs of the ASA?

Author commented:
I found that the default gateway configured on my HP ProCurves isn't used for routing. I had to add an ip route 0.0.0.0 0.0.0.0 192.168.(1-3).253.
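The resolution above comes down to one longest-prefix-match question on the switch: where does a voice-VLAN packet for an Internet address go? The following is an added example, not configuration from the original post or from HP or Cisco. It replays the site-3 routing with the ASA's table taken from the posted `route` lines and the ProCurve's table reconstructed from the description in the question (connected data and voice VLANs, remote subnets via the MPLS router at .254, and no real default route until the `ip route` was added). The upstream next hop `a.b.c.e` is the redacted value from the post and is kept as a label; the hosts 192.168.30.10, 192.168.10.5 and 8.8.8.8 are constructed sample addresses.

```python
"""Longest-prefix-match walk of the site-3 routing described in this thread.

Added example (not from the original post). ASA3 is transcribed from the
posted 'route' lines; the ProCurve tables are reconstructed from the prose.
Hop labels that we have no table for ('a.b.c.e' upstream, '192.168.3.254'
MPLS router) end the trace, since the thread does not describe their tables.
"""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route.

    A next_hop of 'connected' means the destination is on an attached VLAN.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Which modelled device owns which interface address (the ProCurve is .54 on
# both the data and the voice VLAN, as the question states).
OWNERS = {
    "192.168.3.54": "procurve3",
    "192.168.30.54": "procurve3",
    "192.168.3.253": "asa3",
}


def trace(tables, start, dst, max_hops=8):
    """Walk dst from router `start` and return the hops visited.

    The path ends in 'delivered', 'no route', 'loop', or the address of the
    first next hop we have no table for (ISP upstream, MPLS router).
    """
    path = [start]
    router = start
    for _ in range(max_hops):
        nh = lookup(tables[router], dst)
        if nh is None:
            path.append("no route")
            return path
        if nh == "connected":
            path.append("delivered")
            return path
        path.append(nh)
        if nh not in OWNERS:
            return path
        router = OWNERS[nh]
    path.append("loop")
    return path


# Site-3 ASA (192.168.3.253): the posted 'route' lines plus its connected inside net.
ASA3 = [
    ("192.168.3.0/24", "connected"),
    ("0.0.0.0/0", "a.b.c.e"),             # route outside 0.0.0.0 0.0.0.0 a.b.c.e
    ("192.168.2.0/24", "192.168.3.254"),
    ("192.168.10.0/24", "192.168.3.254"),
    ("192.168.20.0/24", "192.168.3.254"),
    ("192.168.30.0/24", "192.168.3.54"),  # local voice VLAN sits behind the ProCurve
    ("192.168.101.0/24", "192.168.3.254"),
    ("192.168.102.0/24", "192.168.3.254"),
    ("192.168.1.0/24", "192.168.3.254"),
]

# Site-3 ProCurve as first described: the switch's 'default gateway' setting is
# a management parameter, not a route, so there is no 0.0.0.0/0 entry here.
PROCURVE3_BEFORE = [
    ("192.168.3.0/24", "connected"),
    ("192.168.30.0/24", "connected"),
    ("192.168.1.0/24", "192.168.3.254"),
    ("192.168.2.0/24", "192.168.3.254"),
    ("192.168.10.0/24", "192.168.3.254"),
    ("192.168.20.0/24", "192.168.3.254"),
]

# Same switch after the author's fix: ip route 0.0.0.0 0.0.0.0 192.168.3.253
PROCURVE3_AFTER = PROCURVE3_BEFORE + [("0.0.0.0/0", "192.168.3.253")]


def scenario(procurve_routes, start, dst):
    """Trace dst from `start` ('procurve3' or 'asa3') with the given switch table."""
    tables = {"procurve3": procurve_routes, "asa3": ASA3}
    return trace(tables, start, dst)


if __name__ == "__main__":
    print("voice -> Internet, before:", scenario(PROCURVE3_BEFORE, "procurve3", "8.8.8.8"))
    print("voice -> Internet, after: ", scenario(PROCURVE3_AFTER, "procurve3", "8.8.8.8"))
    print("Internet -> voice return: ", scenario(PROCURVE3_AFTER, "asa3", "192.168.30.10"))
    print("voice -> remote voice:    ", scenario(PROCURVE3_AFTER, "procurve3", "192.168.10.5"))
```

Before the fix the switch has no route for 8.8.8.8 and the phone's packet is dropped on the ProCurve, which is why nothing shows up on the ASA; after the fix it is handed to 192.168.3.253 and leaves via the ASA's default route, while the return traffic for 192.168.30.0/24 already matches the posted `route inside 192.168.30.0 255.255.255.0 192.168.3.54`. On the NAT side, the posted `object network obj_any` with `nat (inside,outside) dynamic interface` already covers any inside source, so no per-subnet NAT entry was needed in 8.4; the packets simply never reached the ASA. Separately, the posted config carries `http 0.0.0.0 0.0.0.0 outside` and `telnet 0.0.0.0 0.0.0.0 inside`, which expose ASDM to the whole Internet and plaintext management to every inside host; restricting both to management addresses is a cleanup worth doing while in there.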
Ernie Beek, Senior infrastructure engineer, Top Expert 2012, commented:
Glad you figured it out :)
Thanks for the points.
