Issue with Cisco ASA router VPN

Mike Hanson
Any suggestions? I just added a site-to-site IPsec tunnel from a Cisco ASA (configured through ASDM) to a SonicWALL. I successfully got the tunnel live; however, I cannot reach anything in the Cisco network from the SonicWALL. There was also an existing Cisco AnyConnect SSL VPN that was working and still connects; however, that VPN can also no longer access anything in the network. So it seems like a NAT issue, or maybe an issue with the ACL? Strange that all the VPNs connect but can't get to anything in the inside network. See the running-config below.


ASA Version 8.6(1)
!
hostname xxxxxx-ASA
domain-name xxxxxxx.local
enable password xxxxxx
passwd xxxxxx
names
!
interface GigabitEthernet0/0
 description To Switch 1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description To Switch 2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 description To TWC
 nameif Outside
 security-level 0
 ip address 47.23.x.x 255.255.255.248 standby 47.23.x.x
!
interface GigabitEthernet0/5
 description To VZW
 nameif Backup
 security-level 0
 ip address 10.1.1.2 255.255.255.248 standby 10.1.1.3
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
interface Port-channel1
 description Inside
 nameif Inside
 security-level 100
 ip address 172.20.250.2 255.255.255.248 standby 172.20.250.3
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns server-group DefaultDNS
 domain-name xxxx.local
object network NAT_OUTSIDE
 subnet 172.20.0.0 255.255.0.0
object network NAT_BACKUP
 subnet 172.20.0.0 255.255.0.0
object network RemoteVPNNetwork
 subnet 172.20.100.0 255.255.255.0
object network OLD
 subnet 192.168.1.0 255.255.255.0
object network OLD_BACKUP
 subnet 192.168.1.0 255.255.255.0
object network dvr1
 host 192.168.1.162
object network dvr2
 host 192.168.1.163
object network dvr3
 host 172.20.50.41
object network XXXX
 subnet 10.10.10.0 255.255.255.0
 description XXXX
object network Remote
 subnet 172.20.0.0 255.255.0.0
object network RemoteAppSvr
 host 172.20.20.23
object service HTTPS
 service tcp source eq https destination eq https
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any object dvr1 eq 1600
access-list outside_access_in extended permit tcp any object dvr2 eq 6100
access-list outside_access_in extended permit tcp any object dvr3 eq 6200
access-list backup_access_in extended permit icmp any any time-exceeded
access-list SplitTunnelNetworks standard permit 172.20.0.0 255.255.0.0
access-list SplitTunnelNetworks standard permit 192.168.1.0 255.255.255.0
access-list Outside_cryptomap extended permit ip object Remote object xxxxx
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
no logging message 106015
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu Outside 1500
mtu Backup 1500
mtu Inside 1500
ip local pool RemoteVPNAddressPool 172.20.100.50-172.20.100.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 172.20.255.1 255.255.255.252 standby 172.20.255.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
!
object network NAT_OUTSIDE
 nat (Inside,Outside) dynamic interface
object network NAT_BACKUP
 nat (Inside,Backup) dynamic interface
object network OLD
 nat (Inside,Outside) dynamic interface
object network OLD_BACKUP
 nat (Inside,Backup) dynamic interface
object network dvr1
 nat (Inside,Outside) static interface service tcp 1600 1600
object network dvr2
 nat (Inside,Outside) static interface service tcp 6100 6100
object network dvr3
 nat (Inside,Outside) static interface service tcp 6200 6200
access-group outside_access_in in interface Outside
access-group backup_access_in in interface Backup
route Outside 0.0.0.0 0.0.0.0 47.23.103.105 1 track 1
route Backup 0.0.0.0 0.0.0.0 10.1.1.1 2
route Inside 172.20.0.0 255.255.0.0 172.20.250.1 1
route Inside 192.168.1.0 255.255.255.0 172.20.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.20.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 Inside
snmp-server host Inside 172.20.10.254 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp Inside
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set AES_SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 71.244.x.x
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal 3DES
crypto map Outside_map interface Outside
crypto ca trustpoint SSL-VPN
 enrollment self
 keypair SSL-VPN-SELF-SIGNED
 crl configure
crypto ca certificate chain SSL-VPN
 certificate a4fb6255
    308202d0
  quit
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 172.20.0.0 255.255.0.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.20.250.1
ssl encryption 3des-sha1 aes256-sha1
webvpn
 enable Outside
 enable Backup
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy SplitTunnelGP internal
group-policy SplitTunnelGP attributes
 dns-server value 192.168.1.250
 vpn-simultaneous-logins 15
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelNetworks
 default-domain value xxxxx.local
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_71.244.x.x internal
group-policy GroupPolicy_71.244.x.x attributes
 vpn-tunnel-protocol ikev1 ikev2
username  encrypted privilege 1
username encrypted privilege 1
username attributes
 service-type remote-access
username  encrypted privilege 15
username  encrypted privilege 15
username  encrypted
username attributes
 service-type remote-access
username  encrypted privilege 1
tunnel-group SplitTunnelTG type remote-access
tunnel-group SplitTunnelTG general-attributes
 address-pool RemoteVPNAddressPool
 default-group-policy SplitTunnelGP
tunnel-group SplitTunnelTG webvpn-attributes
 group-alias SplitTunnel enable
tunnel-group 71.244.x.x type ipsec-l2l
tunnel-group 71.244.x.x general-attributes
 default-group-policy GroupPolicy_71.244.x.x
tunnel-group 71.244.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:767b8df215943f6c3341c6ed4af59010
: end
Distinguished Expert 2017

Commented:
You are missing the access-list authorizing the remote LAN IP segment to access your 172.50.0.0/16.

Unless you want to add the VPN to a nat 0 rule to allow all VPN clients to be exempt from ACL enforcement.

Author

Commented:
How do you do that in ASDM?

Author

Commented:
Here is the ACL. What rule needs to be created?

(attached screenshot: Screen-Shot-2019-11-16-at-1.59.54-PM.png)

Distinguished Expert 2017

Commented:
Look at the crypto map.

See if the following is helpful.

Though your crypto map should not be using the external IP, but actually should have the remote LAN as the object.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113290-add-new-vpn-peer-00.html

Author

Commented:
So in the crypto map rule, Remote is local and the blanked-out object is the remote site; you are saying these need to be in reverse?
Distinguished Expert 2017

Commented:
Please look at an example VPN config in the posted link.

Your VPN sets up, but traffic is not being passed on your side.
Double-check whether you are defining an overlap: 172.20.0.0/16 ...

Author

Commented:
OK, so that ACL fixed the site-to-site VPN. However, the SSL VPN still does not allow users to access the network. This was working before we created the site-to-site tunnel. What change from creating the site-to-site tunnel could have stopped traffic on the SSL VPN? It still connects but can't get to anything. ACL?
Distinguished Expert 2017

Commented:
Further note that your 192.168.1.5 is rerouted internally to 172. ....
Distinguished Expert 2017

Commented:
It is difficult to say.
Your split tunnel has an all-inclusive /16 block.
You may have used the ACL of the SSL VPN to address the site-to-site one.

I can see you have two WANs.

Your route inside seems peculiar.
If you want to insulate

Your VPN pool uses a segment on 10.20.0.0/16.

Author

Commented:
Figured it out. NAT issue:

nat (INSIDE,OUTSIDE) source static remote remote destination static RemoteVPNNetwork RemoteVPNNetwork no-proxy-arp
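
The two fixes discussed in this thread (the first expert's "nat 0" exemption and the author's twice NAT identity rule) both come down to ASA 8.3+ NAT rule ordering: Section 1 (manual/twice NAT) is evaluated before Section 2 (object/auto NAT), and the first matching rule wins, so an identity rule in Section 1 shields VPN traffic from the `nat (Inside,Outside) dynamic interface` PAT in Section 2. The following Python script is an added example, not code from the original post or from Cisco: it models that ordering and reports which rule a flow hits before and after the author's exemption. The network objects and the dynamic PAT rules are copied from the running-config above (the remote site object is named `XXXX` on the page, subnet 10.10.10.0/24); the rule label `vpn-exempt` and the flow addresses are constructed for the example, and Section 2's own internal ordering (static before dynamic, longer prefixes first) is not modelled because the page's two dynamic rules do not overlap.

```python
"""Added example (not from the original post): minimal model of ASA 8.3+
NAT rule ordering, used to check which rule a flow hits before and after the
author's NAT exemption.  Section 1 (manual/twice NAT) is evaluated before
Section 2 (object/auto NAT); the first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects copied from the posted running-config (only those the NAT
# rules below reference).  "XXXX" is the redacted remote-site object on the page.
OBJECTS = {
    "NAT_OUTSIDE": "172.20.0.0/16",
    "OLD": "192.168.1.0/24",
    "RemoteVPNNetwork": "172.20.100.0/24",
    "Remote": "172.20.0.0/16",
    "XXXX": "10.10.10.0/24",
}


@dataclass
class NatRule:
    section: int            # 1 = manual (twice) NAT, 2 = object (auto) NAT
    name: str               # object name, or a label for a manual rule
    real_if: str            # interface the real addresses live on
    mapped_if: str          # interface the mapped addresses are seen on
    src: str                # object holding the real source addresses
    dst: Optional[str]      # real destination object (twice NAT only)
    kind: str               # "dynamic-pat" or "identity"


def net(obj: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(OBJECTS[obj])


def first_match(rules, src_ip, dst_ip, ingress, egress):
    """Return the first rule a new connection matches, honouring ASA section
    order (1 before 2); the stable sort keeps configured order within a section."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):
        if (rule.real_if, rule.mapped_if) != (ingress, egress):
            continue
        if src not in net(rule.src):
            continue
        if rule.dst is not None and dst not in net(rule.dst):
            continue
        return rule
    return None


# Section 2 rules exactly as posted: "nat (Inside,Outside) dynamic interface"
# under object NAT_OUTSIDE and object OLD.
BEFORE = [
    NatRule(2, "NAT_OUTSIDE", "Inside", "Outside", "NAT_OUTSIDE", None, "dynamic-pat"),
    NatRule(2, "OLD", "Inside", "Outside", "OLD", None, "dynamic-pat"),
]

# The author's fix: "nat (Inside,Outside) source static Remote Remote
# destination static RemoteVPNNetwork RemoteVPNNetwork" is twice NAT, so it
# lands in Section 1.  The label "vpn-exempt" is ours, not an ASA identifier.
FIX = NatRule(1, "vpn-exempt", "Inside", "Outside", "Remote", "RemoteVPNNetwork", "identity")
AFTER = [FIX] + BEFORE


def describe(rules, src_ip, dst_ip):
    """Human-readable verdict for an Inside -> Outside flow."""
    r = first_match(rules, src_ip, dst_ip, "Inside", "Outside")
    return "no NAT" if r is None else f"{r.kind} via {r.name} (section {r.section})"


if __name__ == "__main__":
    # Constructed addresses: the RemoteAppSvr host from the config talking to
    # an AnyConnect client drawn from RemoteVPNAddressPool.
    print("inside -> VPN pool, before fix:", describe(BEFORE, "172.20.20.23", "172.20.100.50"))
    print("inside -> VPN pool, after fix: ", describe(AFTER, "172.20.20.23", "172.20.100.50"))
    # The fix covers only object Remote (172.20.0.0/16); 192.168.1.0/24 is in
    # SplitTunnelNetworks but still falls through to the OLD dynamic PAT.
    print("192.168.1.x -> VPN pool, after: ", describe(AFTER, "192.168.1.162", "172.20.100.50"))
    # Nor does it cover the L2L remote subnet behind the SonicWALL.
    print("inside -> L2L site, after fix: ", describe(AFTER, "172.20.20.23", "10.10.10.5"))
```

Running it shows the pool flow moving from the NAT_OUTSIDE dynamic PAT to the Section 1 identity rule once the exemption exists, which is the behaviour change the author observed. It also surfaces two things the thread does not spell out: the exemption exempts only `Remote` (172.20.0.0/16), so hosts in 192.168.1.0/24, which the split-tunnel list advertises to clients, still hit the `OLD` dynamic PAT, and the site-to-site subnet 10.10.10.0/24 is not covered by this rule at all, so whatever "ACL" resolved that tunnel should be checked to confirm it is an equivalent identity NAT. A twice NAT identity rule also matches in the Outside-to-Inside direction, which a unidirectional dynamic PAT does not; the model only evaluates the Inside-to-Outside direction because that is where the PAT would otherwise apply.
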
Distinguished Expert 2017

Commented:
Glad to hear your issue is resolved.
