mcgiga
asked on
Cisco ASA: No vpn traffic between Site A and B
Hello community,
I have a problem with VPN traffic between site A (ASA 5506, Outside) and site B (ASA 5505, Outside3). Each ASA can establish a tunnel to the other site, but there is no traffic flow. The ASA 5506 is running policy-based routing (PBR) because of different ISPs. While trying to find the error, I have disabled PBR and used outside1 for the VPN connection without being successful.
The following IP addresses are in use in both configs:
Site A
Gateway: AAA.AAA.AAA.AAA
Outside1/2: PPPoE connection used for uncritical stuff.
Outside3: BBB.BBB.BBB.BBB
Local network: 192.168.11.0
Site B
Gateway: CCC.CCC.CCC.CCC
Outside: DDD.DDD.DDD.DDD
Local network: 192.168.10.0
I have set up many site-to-site connections; it's the first time I have had such a problem. I have attached two edited configs.
Regards,
Dennis
Site A:
: Saved
:
: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname CISCOASA02
names
!
interface GigabitEthernet1/1
nameif outside1
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside2
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1/3
nameif outside3
security-level 0
ip address 213.160.13.154 255.255.255.252
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif guest-wlan
security-level 50
ip address 192.168.111.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
policy-route route-map PBR
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-2-lfbff-k8.SPA
boot system disk0:/asa951-lfbff-k8.spa
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside1
dns domain-lookup outside3
dns server-group DefaultDNS
name-server 192.168.5.20
name-server 217.237.150.115
name-server 217.237.148.70
name-server 217.237.150.188
object network RAVPN_Hosts-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network Inside_Network-192.168.11.0-01
subnet 192.168.11.0 255.255.255.0
object network Inside_Network-192.168.11.0-02
subnet 192.168.11.0 255.255.255.0
object network Inside_Network-192.168.11.0-03
subnet 192.168.11.0 255.255.255.0
object network Guest-WLAN_Network-192.168.111.0
subnet 192.168.111.0 255.255.255.0
object network Remote_Network-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.11.0_24
subnet 192.168.11.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_2
object-group network DM_INLINE_NETWORK_3
network-object object RAVPN_Hosts-192.168.20.0
object-group network PBR1
network-object host 192.168.11.85
network-object host 192.168.11.86
object-group network PBR2
network-object host 192.168.11.11
network-object host 192.168.11.13
network-object host 192.168.11.15
network-object host 192.168.11.17
network-object host 192.168.11.20
network-object host 192.168.11.25
network-object host 192.168.11.26
network-object host 192.168.11.3
network-object host 192.168.11.40
network-object host 192.168.11.41
network-object host 192.168.11.42
network-object host 192.168.11.43
network-object host 192.168.11.44
network-object host 192.168.11.45
network-object host 192.168.11.46
network-object host 192.168.11.47
network-object host 192.168.11.48
network-object host 192.168.11.49
network-object host 192.168.11.4
network-object host 192.168.11.10
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3712
port-object eq 8010
object-group network PBR3
network-object host 192.168.11.14
network-object host 192.168.11.16
access-list RAVPN-Client_splitTunnelAcl extended permit ip object Inside_Network-192.168.11.0-01 any
access-list outside1_access_out remark Domain
access-list outside1_access_out extended permit udp any any eq domain
access-list outside1_access_out remark NTP
access-list outside1_access_out extended permit udp any any eq ntp
access-list outside1_access_out remark FTP
access-list outside1_access_out extended permit tcp any any eq ftp
access-list outside1_access_out remark Remote VPN
access-list outside1_access_out extended permit udp any any eq 1701
access-list outside1_access_out remark Remote VPN
access-list outside1_access_out extended permit udp any any eq isakmp
access-list outside1_access_out remark Remote VPN
access-list outside1_access_out extended permit udp any any eq 4500
access-list outside1_access_out remark IMAP
access-list outside1_access_out extended permit tcp any any eq imap4
access-list outside1_access_out remark IMAP4S
access-list outside1_access_out extended permit tcp any any eq 993
access-list outside1_access_out remark POP3S
access-list outside1_access_out extended permit tcp any any eq 995
access-list outside1_access_out remark Ping
access-list outside1_access_out extended permit icmp any any
access-list outside1_access_out remark POP3
access-list outside1_access_out extended permit tcp any any eq pop3
access-list outside1_access_out remark SMTP
access-list outside1_access_out extended permit tcp any any eq smtp
access-list outside1_access_out remark HTTP
access-list outside1_access_out extended permit tcp any any eq www
access-list outside1_access_out remark HTTPS
access-list outside1_access_out extended permit tcp any any eq https
access-list outside1_access_out remark SMTPS
access-list outside1_access_out extended permit tcp any any eq 465
access-list outside1_access_out remark HBCI
access-list outside1_access_out extended permit tcp any any eq 3000
access-list outside1_access_out remark Remotedesktop
access-list outside1_access_out extended permit tcp any any eq 3389
access-list outside1_access_out remark SMTPS
access-list outside1_access_out extended permit tcp any any eq 587
access-list outside1_access_out remark DynDNS
access-list outside1_access_out extended permit udp any any eq 3544
access-list outside1_access_out remark Remote VPN
access-list ACL-PBR-1 extended permit ip object-group PBR1 any
access-list outside2_access_out remark DNS
access-list outside2_access_out extended permit udp any any eq domain
access-list outside2_access_out remark NTP
access-list outside2_access_out extended permit udp any any eq ntp
access-list outside2_access_out remark FTP
access-list outside2_access_out extended permit tcp any any eq ftp
access-list outside2_access_out remark Remote VPN
access-list outside2_access_out extended permit udp any any eq 1701
access-list outside2_access_out remark Remote VPN
access-list outside2_access_out extended permit udp any any eq isakmp
access-list outside2_access_out remark Remote VPN
access-list outside2_access_out extended permit udp any any eq 4500
access-list outside2_access_out remark IMAP
access-list outside2_access_out extended permit tcp any any eq imap4
access-list outside2_access_out remark IMAP4S
access-list outside2_access_out extended permit tcp any any eq 993
access-list outside2_access_out remark POP3S
access-list outside2_access_out extended permit tcp any any eq 995
access-list outside2_access_out remark Ping
access-list outside2_access_out extended permit icmp any any
access-list outside2_access_out remark POP3
access-list outside2_access_out extended permit tcp any any eq pop3
access-list outside2_access_out remark SMTP
access-list outside2_access_out extended permit tcp any any eq smtp
access-list outside2_access_out remark HTTP
access-list outside2_access_out extended permit tcp any any eq www
access-list outside2_access_out remark HTTPS
access-list outside2_access_out extended permit tcp any any eq https
access-list outside2_access_out remark SMTPS
access-list outside2_access_out extended permit tcp any any eq 465
access-list outside2_access_out remark Remotedesktop
access-list outside2_access_out extended permit tcp any any eq 3389
access-list outside2_access_out remark SMTPS
access-list outside2_access_out extended permit tcp any any eq 587
access-list outside2_access_out remark DynDNS
access-list outside2_access_out extended permit udp any any eq 3544
access-list outside2_access_out remark HTTPS
access-list outside2_cryptomap_65535.65535 extended permit ip any any
access-list outside1_cryptomap_65535.65535 extended permit ip any any
access-list ACL-PBR-2 extended permit ip object-group PBR2 any
access-list ACL-PBR-3 extended permit ip object-group PBR3 any
access-list outside3_cryptomap_1 extended permit ip object NETWORK_OBJ_192.168.11.0_24 object Remote_Network-192.168.10.0
access-list outside3_access_out remark DNS
access-list outside3_access_out extended permit udp any any eq domain
access-list outside3_access_out remark NTP
access-list outside3_access_out extended permit udp any any eq ntp
access-list outside3_access_out remark FTP
access-list outside3_access_out extended permit tcp any any eq ftp
access-list outside3_access_out remark Remote VPN
access-list outside3_access_out extended permit udp any any eq 1701
access-list outside3_access_out remark Remote VPN
access-list outside3_access_out extended permit udp any any eq isakmp
access-list outside3_access_out remark Remote VPN
access-list outside3_access_out extended permit udp any any eq 4500
access-list outside3_access_out remark IMAP
access-list outside3_access_out extended permit tcp any any eq imap4
access-list outside3_access_out remark IMAP4S
access-list outside3_access_out extended permit tcp any any eq 993
access-list outside3_access_out remark POP3S
access-list outside3_access_out extended permit tcp any any eq 995
access-list outside3_access_out remark Ping
access-list outside3_access_out extended permit icmp any any
access-list outside3_access_out remark POP3
access-list outside3_access_out extended permit tcp any any eq pop3
access-list outside3_access_out remark SMTP
access-list outside3_access_out extended permit tcp any any eq smtp
access-list outside3_access_out remark HTTP
access-list outside3_access_out extended permit tcp any any eq www
access-list outside3_access_out remark HTTPS
access-list outside3_access_out extended permit tcp any any eq https
access-list outside3_access_out remark SMTPS
access-list outside3_access_out extended permit tcp any any eq 465
access-list outside3_access_out remark Remotedesktop
access-list outside3_access_out extended permit tcp any any eq 3389
access-list outside3_access_out remark DynDNS
access-list outside3_access_out extended permit udp any any eq 3544
access-list outside3_access_out extended permit ip object Inside_Network-192.168.11.0-03 object Remote_Network-192.168.10.0
access-list outside3_access_out remark HTTPS
pager lines 24
logging enable
logging asdm informational
mtu outside1 1500
mtu outside2 1500
mtu outside3 1500
mtu guest-wlan 1500
mtu inside 1500
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside1) source static Inside_Network-192.168.11.0-01 Inside_Network-192.168.11.0-01 destination static RAVPN_Hosts-192.168.20.0 RAVPN_Hosts-192.168.20.0 no-proxy-arp
nat (inside,outside3) source static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 destination static Remote_Network-192.168.10.0 Remote_Network-192.168.10.0 no-proxy-arp route-lookup
!
object network Inside_Network-192.168.11.0-01
nat (inside,outside1) dynamic interface
object network Inside_Network-192.168.11.0-02
nat (inside,outside2) dynamic interface
object network Inside_Network-192.168.11.0-03
nat (inside,outside3) dynamic interface
object network Guest-WLAN_Network-192.168.111.0
nat (inside,outside1) dynamic interface
access-group outside1_access_out out interface outside1
access-group outside2_access_out out interface outside2
access-group outside3_access_in in interface outside3
access-group outside3_access_out out interface outside3
!
route-map PBR permit 10
match ip address ACL-PBR-1
set ip next-hop 192.168.1.1
!
route-map PBR permit 20
match ip address ACL-PBR-2
set ip next-hop 192.168.2.1
!
route-map PBR permit 30
match ip address ACL-PBR-3
set ip next-hop AAA.AAA.AAA.AAA
!
route outside1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside2 0.0.0.0 0.0.0.0 192.168.2.1 2
route outside3 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA 3
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.11.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map interface outside1
crypto map outside2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside2_map interface outside2
crypto map outside3_map 1 match address outside3_cryptomap_1
crypto map outside3_map 1 set peer DDD.DDD.DDD.DDD
crypto map outside3_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside3_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside3_map interface outside3
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside1
crypto ikev2 enable outside3
crypto ikev1 enable outside1
crypto ikev1 enable outside3
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside1
!
dhcpd address 192.168.111.10-192.168.111.100 guest-wlan
dhcpd dns 217.237.150.115 217.237.148.70 interface guest-wlan
dhcpd lease 86400 interface guest-wlan
dhcpd enable guest-wlan
!
ntp server 130.149.17.21 source outside1
ssl cipher tlsv1.2 custom "AES256-SHA AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA DES-CBC-SHA RC4-SHA RC4-MD5"
group-policy RAVPN-Client internal
group-policy RAVPN-Client attributes
dns-server value 192.168.11.12
vpn-tunnel-protocol ikev1
password-storage disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN-Client_splitTunnelAcl
group-policy GroupPolicy_DDD.DDD.DDD.DDD internal
group-policy GroupPolicy_DDD.DDD.DDD.DDD attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group RAVPN-Client type remote-access
tunnel-group RAVPN-Client general-attributes
default-group-policy RAVPN-Client
tunnel-group RAVPN-Client ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DDD.DDD.DDD.DDD type ipsec-l2l
tunnel-group DDD.DDD.DDD.DDD general-attributes
default-group-policy GroupPolicy_DDD.DDD.DDD.DDD
tunnel-group DDD.DDD.DDD.DDD ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:ea4f3674884545ac06d026b730d3c059
: end
Site B:
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)11
!
hostname ciscoasa01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool RAVPN 192.168.20.100-192.168.20.110 mask 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address DDD.DDD.DDD.DDD 255.255.255.252
!
boot system disk0:/asa916-11-k8.bin
boot system disk0:/asa917-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network RAVPN_Hosts-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network Guest-WLAN_Network-192.168.110.0
subnet 192.168.110.0 255.255.255.0
object network Inside_Network-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network test
subnet 192.168.10.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_out remark Domain
access-list outside_access_out extended permit udp any any eq domain
access-list outside_access_out remark NTP
access-list outside_access_out extended permit udp any any eq ntp
access-list outside_access_out remark FTP
access-list outside_access_out extended permit tcp any any eq ftp
access-list outside_access_out remark Remote VPN
access-list outside_access_out extended permit udp any any eq 1701
access-list outside_access_out remark Remote VPN
access-list outside_access_out extended permit udp any any eq isakmp
access-list outside_access_out remark POP3
access-list outside_access_out extended permit tcp any any eq pop3
access-list outside_access_out remark SMTP
access-list outside_access_out extended permit tcp any any eq smtp
access-list outside_access_out remark IMAP
access-list outside_access_out extended permit tcp any any eq imap4
access-list outside_access_out remark HTTP
access-list outside_access_out extended permit tcp any any eq www
access-list outside_access_out remark HTTPS
access-list outside_access_out extended permit tcp any any eq https
access-list outside_access_out remark Remote Desktop
access-list outside_access_out extended permit tcp any any eq 3389
access-list outside_access_out remark Ping
access-list outside_access_out extended permit icmp any any
access-list outside_access_out remark SSL
access-list outside_access_out extended permit tcp any any eq 993
access-list outside_access_out remark POP3S
access-list outside_access_out extended permit tcp any any eq 995
access-list outside_access_out remark SIP Telefonie
access-list outside_access_out extended permit ip object Inside_Network-192.168.10.0 object Remote_Network-192.168.11.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 object RAVPN_Hosts-192.168.20.0
access-list RAVPN-Client_splitTunnelAcl extended permit ip 192.168.10.0 255.255.255.0 any4
access-list outside_cryptomap_3 extended permit ip object NETWORK_OBJ_192.168.10.0_24 object Remote_Network-192.168.11.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside_Network-192.168.10.0 Inside_Network-192.168.10.0 destination static RAVPN_Hosts-192.168.20.0 RAVPN_Hosts-192.168.20.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static Remote_Network-192.168.11.0 Remote_Network-192.168.11.0 no-proxy-arp route-lookup
!
object network Inside_Network-192.168.10.0
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 CCC.CCC.CCC.CCC 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set ikev1 transform-set ESP-AES-256-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 40 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 40 set ikev1 transform-set ESP-AES-256-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 40 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 60 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 60 set ikev1 transform-set ESP-AES-256-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 60 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer BBB.BBB.BBB.BBB
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.120 inside
dhcpd dns 212.202.215.1 212.202.215.2 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 130.149.17.21 source outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
ip-comp enable
re-xauth enable
secure-unit-authentication enable
user-authentication enable
user-authentication-idle-timeout none
group-policy RAVPN-Client internal
group-policy RAVPN-Client attributes
dns-server value 192.168.10.12
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN-Client_splitTunnelAcl
group-policy GroupPolicy_BBB.BBB.BBB.BBB internal
group-policy GroupPolicy_BBB.BBB.BBB.BBB attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
tunnel-group RAVPN-Client type remote-access
tunnel-group RAVPN-Client general-attributes
address-pool RAVPN
default-group-policy RAVPN-Client
tunnel-group RAVPN-Client ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group BBB.BBB.BBB.BBB type ipsec-l2l
tunnel-group BBB.BBB.BBB.BBB general-attributes
default-group-policy GroupPolicy_BBB.BBB.BBB.BBB
tunnel-group BBB.BBB.BBB.BBB ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:665bb1830be029d1adba779feae6aa18
: end
asdm image disk0:/asdm-752-153.bin
no asdm history enable
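One way to put a pair of configs like the ones posted through a quick consistency check, as an added example that is not part of the original post: the script below parses the parts of an ASA config that decide whether traffic actually enters a site-to-site tunnel (network objects, the crypto ACL of the static crypto map entry, the identity twice-NAT that ASDM writes for it, and the IKEv2 IPsec proposals) and compares the two sides. The sample configs are constructed in the naming style of the posted ones with RFC 5737 placeholder peer addresses, and Site B is built without its identity NAT on purpose so the checker has something to report. The parser only understands the object-to-object ACL form and the 'source static X X destination static Y Y' NAT form; anything else in a real config is ignored rather than checked.

```python
"""Cross-check two ASA site-to-site IPsec configs for the usual causes of "tunnel
up but no traffic": crypto ACLs that are not mirror images, a missing identity
NAT for the interesting traffic, and no common IKEv2 IPsec proposal."""
import re
from collections import defaultdict


def parse_asa(text):
    """Extract only what the checks need; every other config line is ignored."""
    cfg = {"objects": {}, "acls": defaultdict(list), "maps": defaultdict(dict),
           "nat_exempt": set(), "ikev2_props": {}}
    cur_obj = cur_prop = None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[:2] == ["object", "network"]:
            cur_obj = t[2]
        elif t[0] == "subnet" and cur_obj:
            cfg["objects"][cur_obj] = f"{t[1]}/{t[2]}"
        elif t[0] == "access-list":  # only object-to-object entries are understood
            m = re.search(r"permit ip object (\S+) object (\S+)", " ".join(t))
            if m:
                cfg["acls"][t[1]].append(m.groups())
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            e = cfg["maps"][(t[2], int(t[3]))]
            if t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                e["peer"] = t[6]
            elif t[4:7] == ["set", "ikev2", "ipsec-proposal"]:
                e["ikev2"] = t[7:]
        elif t[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            cur_prop = t[4]
        elif t[:3] == ["protocol", "esp", "encryption"] and cur_prop:
            cfg["ikev2_props"][cur_prop] = tuple(t[3:])
        elif t[0] == "nat":  # identity twice-NAT: 'source static X X destination static Y Y'
            m = re.search(r"source static (\S+) \1 destination static (\S+) \2", " ".join(t))
            if m:
                cfg["nat_exempt"].add(m.groups())
    return cfg


def resolve(cfg, pairs):
    """Turn (src_object, dst_object) pairs into (src_subnet, dst_subnet) pairs."""
    return {(cfg["objects"].get(s, s), cfg["objects"].get(d, d)) for s, d in pairs}


def static_entry(cfg):
    """The crypto map entry that defines the site-to-site tunnel: the one with 'set peer'."""
    for e in cfg["maps"].values():
        if "peer" in e:
            return e
    raise ValueError("no crypto map entry with 'set peer'")


def check_pair(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Return a list of findings; an empty list means every check passed."""
    ea, eb, out, acl = static_entry(cfg_a), static_entry(cfg_b), [], {}
    for cfg, e, me in ((cfg_a, ea, name_a), (cfg_b, eb, name_b)):
        acl[me] = resolve(cfg, cfg["acls"].get(e.get("acl"), []))
        # NAT is applied before the crypto ACL is evaluated, so without an identity
        # NAT the PAT'ed source address never matches the interesting traffic
        for src, dst in sorted(acl[me] - resolve(cfg, cfg["nat_exempt"])):
            out.append(f"{me}: no identity NAT for {src} -> {dst}")
    if not acl[name_a] or {(d, s) for s, d in acl[name_b]} != acl[name_a]:
        out.append(f"crypto ACLs are not mirror images: {name_a}={sorted(acl[name_a])} "
                   f"{name_b}={sorted(acl[name_b])}")
    common = ({cfg_a["ikev2_props"].get(p) for p in ea.get("ikev2", [])}
              & {cfg_b["ikev2_props"].get(p) for p in eb.get("ikev2", [])})
    if not common - {None}:
        out.append("no common IKEv2 IPsec proposal between the two crypto map entries")
    return out


def site_cfg(ifname, local, remote, peer_ip):
    """Constructed minimal config in the posted configs' naming style; no NAT line."""
    lo, ro = f"NETWORK_OBJ_{local}_24", f"Remote_Network-{remote}"
    return f"""object network {lo}
 subnet {local} 255.255.255.0
object network {ro}
 subnet {remote} 255.255.255.0
access-list {ifname}_cryptomap_1 extended permit ip object {lo} object {ro}
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map {ifname}_map 1 match address {ifname}_cryptomap_1
crypto map {ifname}_map 1 set peer {peer_ip}
crypto map {ifname}_map 1 set ikev2 ipsec-proposal AES256
crypto map {ifname}_map interface {ifname}
"""


# RFC 5737 peer addresses. Site A gets the identity NAT (twice-NAT, as ASDM writes
# it); Site B is left without one on purpose so the checker has something to report.
SITE_A = site_cfg("outside3", "192.168.11.0", "192.168.10.0", "198.51.100.2") + (
    "nat (inside,outside3) source static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 "
    "destination static Remote_Network-192.168.10.0 Remote_Network-192.168.10.0 no-proxy-arp route-lookup\n")
SITE_B = site_cfg("outside", "192.168.10.0", "192.168.11.0", "203.0.113.2")

if __name__ == "__main__":
    print("\n".join(check_pair(parse_asa(SITE_A), parse_asa(SITE_B)) or ["all checks passed"]))
```

To use it on real configs, replace SITE_A and SITE_B with the text of `show running-config` from each firewall. An empty result only means the crypto ACLs, the NAT exemptions and the IKEv2 proposals agree; the checker says nothing about routing, policy-based routing or interface ACLs, which have to be verified separately.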
tunnel-group RAVPN-Client type remote-access
tunnel-group RAVPN-Client general-attributes
address-pool RAVPN
default-group-policy RAVPN-Client
tunnel-group RAVPN-Client ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group BBB.BBB.BBB.BBB type ipsec-l2l
tunnel-group BBB.BBB.BBB.BBB general-attributes
default-group-policy GroupPolicy_BBB.BBB.BBB.BB
tunnel-group BBB.BBB.BBB.BBB ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:665bb1830be
: end
asdm image disk0:/asdm-752-153.bin
no asdm history enable
Looks like Remote_Network-192.168.11.0 is not defined on the second ASA. This will make the no-NAT rule not work.
ASKER
Maybe I have removed too much from the config while posting it here. I have tested the setup without policy based routing and used outside1 for vpn. That setup works without any problem. It seems that pbr is responsible.
Can you clarify what you've tested, then? That information doesn't appear to jibe with your original post, so I'm not sure what I'm missing.
ASKER
Yes, first I tried that and it didn't work without PBR. In the evening I tested it again, and it worked.
Here is my summary:
Site A: Outside1 -> ADSL 16.000; Outside2 -> ADSL 6.000; Outside3 -> Leased Line
PBR checks against different internal source IP addresses (i.e. 192.168.11.14 -> Outside3); when the source IP address matches the ACL, traffic is forwarded to Outside1, 2 or 3. The VPN is established from Site B to Outside3 of Site A.
Now when Site B connects to Site A there is no traffic flow between them. The next try was to disable PBR (assigned to Inside) completely. Then I configured the site-to-site VPN to establish over Outside1 instead of Outside3. VPN traffic flows between both sites.
So my conclusion is that PBR is responsible for the problem. It seems that the ASA of Site A doesn't know how to send VPN traffic back to Site B because of PBR.
ASKER CERTIFIED SOLUTION
ASKER
There are three routes on Site A (PBR):
route outside1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside2 0.0.0.0 0.0.0.0 192.168.2.1 2
route outside3 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA 3
PBR is used because different devices (i.e. PCs) get access over different Internet connections (outside1: VDSL 16000, outside2: ADSL 6000, outside3: leased line, 8000).
From outside, all VPN traffic connects over outside3. So Site B is connecting to Site A on outside3, but no traffic flows back over the VPN.
My guess is because of PBR the vpn traffic which should go back to Site B doesn't use outside3.
SOLUTION
ASKER
It doesn't seem to work, have I misunderstood you?
Site A:
route outside1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside2 0.0.0.0 0.0.0.0 192.168.2.1 2
route outside3 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA 3
route outside3 192.168.10.0 AAA.AAA.AAA.AAA 1
Site B:
route outside 0.0.0.0 0.0.0.0 CCC.CCC.CCC.CCC 1
route outside 192.168.11.0 CCC.CCC.CCC.CCC 1
Site B does not need the static route, as it only has one interface and the default route will suffice.
Site A needs an additional static route.
Assuming the IP address of site B is DDD.DDD.DDD.DDD, you need:
Site A:
route outside3 DDD.DDD.DDD.DDD AAA.AAA.AAA.AAA 1
The reason for this is that the VPN traffic is actually sourced from an outside interface, and so is unaffected by your PBR rules. You need a static address so that traffic to the Site B firewall is using Site A's outside3 interface as the source interface.
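To make the explanation above concrete, here is a small added model (not code from the thread or from Cisco) of how the Site A ASA picks an egress interface: PBR is consulted only for transit packets arriving on the interface it is applied to, while the ESP packets the ASA itself sends to the Site B peer follow the routing table, so without a host route they fall to the lowest-metric default route on outside1 instead of outside3. The addresses are constructed RFC 5737 stand-ins for the thread's placeholders, and the PBR host-to-interface mapping is hypothetical.

```python
# Added example, not from the thread: simplified model of ASA egress selection.
# Constructed stand-ins for the thread's placeholders (RFC 5737 ranges):
#   AAA.AAA.AAA.AAA (outside3 gateway) -> 203.0.113.1
#   BBB.BBB.BBB.BBB (Site A outside3)  -> 203.0.113.2
#   DDD.DDD.DDD.DDD (Site B peer)      -> 198.51.100.2
import ipaddress

# Static routes as posted for Site A: (interface, prefix, next hop, metric)
ROUTES_WITHOUT_HOST_ROUTE = [
    ("outside1", "0.0.0.0/0", "192.168.1.1", 1),
    ("outside2", "0.0.0.0/0", "192.168.2.1", 2),
    ("outside3", "0.0.0.0/0", "203.0.113.1", 3),
]
# The same table plus the host route the expert recommended for the peer.
ROUTES_WITH_HOST_ROUTE = ROUTES_WITHOUT_HOST_ROUTE + [
    ("outside3", "198.51.100.2/32", "203.0.113.1", 1),
]

# Hypothetical source-based PBR on 'inside'; only the shape of the thread's
# example (192.168.11.14 -> outside3) is taken from the posts.
PBR_INSIDE = {"192.168.11.14": "outside3", "192.168.11.20": "outside2"}


def routing_lookup(routes, dst):
    """Longest prefix match; among equal prefixes the lowest metric wins,
    so only the best of the three default routes is used for forwarding."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in ipaddress.ip_network(r[1])]
    best = max(candidates,
               key=lambda r: (ipaddress.ip_network(r[1]).prefixlen, -r[3]))
    return best[0]


def egress_interface(routes, src, dst, ingress):
    """PBR applies only to packets entering 'inside'; packets the ASA
    originates itself (ingress=None), such as ESP to the VPN peer, skip it."""
    if ingress == "inside" and src in PBR_INSIDE:
        return PBR_INSIDE[src]
    return routing_lookup(routes, dst)


def tunnel_return_path(routes, crypto_map_interface="outside3"):
    """Egress chosen for the ASA's own ESP packets to the Site B peer, and
    whether it matches the interface the crypto map is bound to."""
    egress = egress_interface(routes, "203.0.113.2", "198.51.100.2", None)
    return egress, egress == crypto_map_interface
```

With the posted routes alone the encrypted return traffic resolves to outside1 while the tunnel is bound to outside3; the /32 host route makes both agree.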
ASKER
Now it works! Wow I am impressed!
Now my question: why doesn't the ASA at Site A know where to forward VPN traffic from Site B (192.168.10.0) back? Is the reason that i.e. 192.168.11.14 will be forwarded to outside3 because of the ACL from PBR, but incoming traffic from Site B is from 192.168.10.0?
In other environments without PBR I don't need the additional route (unlike Site A with PBR).
ASKER
I hadn't seen your last comment while I was successfully testing it and writing my last comment. Your first hint regarding the additional route was successful.
Thank you for your great help!