Friday, March 9, 2018

Cisco ASA remote VPN access to tunneled network

So I thought I had this all figured out. Everything is working beautifully, except that the remote VPN network can't access the networks at the ends of either configured tunnel. Networks behind the interface have no issue accessing "dr" and "office-s". When I remote into colo1 and get an address in 10.16.94.0/23, I can't access "dr" or "office-s". Packet-tracer tells me it is failing due to NAT, so I've tried a variety of NAT rules to remedy this with no effect. My google-fu is failing me as well...

What have I got configured wrong?

[Image: colo1-sgf.png]

ASA Version 9.1(7)23
!
hostname colo1-asa5510
domain-name domain.com
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool ipool1-mfa-vpn 10.16.94.5-10.16.94.254 mask 255.255.254.0
ip local pool ipool2-mfa-vpn 10.16.95.2-10.16.95.249 mask 255.255.254.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address i.s.p.133 255.255.255.248 standby i.s.p.134
!
interface Ethernet0/1
 description inside
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.201
 vlan 201
 nameif inside-vlan201
 security-level 100
 ip address 10.16.64.254 255.255.255.0 standby 10.16.64.253
!
interface Ethernet0/2
 description dmz
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.208
 vlan 208
 nameif dmz-vlan208
 security-level 50
 ip address 10.16.70.1 255.255.255.0 standby 10.16.70.2
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 description ##OPEN
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns domain-lookup inside-vlan201
dns server-group DefaultDNS
 name-server 10.6.5.10
 name-server 10.6.5.11
 domain-name domain.com
same-security-traffic permit intra-interface
object network on-mfa-vpn
 subnet 10.16.94.0 255.255.254.0
object network on-dmz-10.16.70.0
 subnet 10.16.70.0 255.255.255.0
object network on-inside-10.16.64.0
 subnet 10.16.64.0 255.255.255.0
object network on-10.50.2.0-24
 subnet 10.50.2.0 255.255.255.0
object-group network ogn-office-b
 network-object 10.6.4.0 255.255.255.0
 network-object 10.6.6.0 255.255.255.0
 network-object 10.6.7.0 255.255.255.0
 network-object 10.6.22.0 255.255.254.0
 network-object 10.6.24.0 255.255.254.0
 network-object 10.6.26.0 255.255.255.0
 network-object 10.6.48.0 255.255.255.0
 network-object 10.6.49.0 255.255.255.0
 network-object 10.6.51.0 255.255.255.0
 network-object 10.6.57.0 255.255.255.0
 network-object 10.6.99.0 255.255.255.0
 network-object 10.6.245.0 255.255.255.0
 network-object 10.6.252.0 255.255.255.0
 network-object 172.29.2.0 255.255.255.0
 network-object 172.29.8.0 255.255.255.0
 network-object 172.29.14.0 255.255.255.0
 network-object 172.29.15.0 255.255.255.0
 network-object 172.29.16.0 255.255.255.0
 network-object 172.29.23.0 255.255.255.0
 network-object 10.6.144.0 255.255.254.0
object-group network ogn-colo1
 network-object 10.6.3.0 255.255.255.0
 network-object 10.6.5.0 255.255.255.0
 network-object 10.16.64.0 255.255.224.0
 network-object 172.29.2.0 255.255.255.0
 network-object 172.29.4.0 255.255.255.0
 network-object 172.29.6.0 255.255.255.0
 network-object 172.29.7.0 255.255.255.0
 network-object 172.29.9.0 255.255.255.0
 network-object 172.29.10.0 255.255.255.0
 network-object 172.29.11.0 255.255.255.0
 network-object 172.29.21.0 255.255.255.0
object-group network ogn-office-d
 network-object 10.2.0.0 255.255.0.0
 network-object 10.5.0.0 255.255.0.0
 network-object 10.8.0.0 255.255.0.0
 network-object 10.11.0.0 255.255.0.0
 network-object 10.33.0.0 255.255.0.0
 network-object 10.50.6.0 255.255.255.0
 network-object 10.50.7.0 255.255.255.0
 network-object 10.64.70.0 255.255.255.0
 network-object 10.64.78.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
object-group network ogn-office-e
 network-object 10.50.13.0 255.255.255.0
 network-object 10.50.15.0 255.255.255.0
object-group network ogn-office-h
 network-object 10.4.0.0 255.255.0.0
object-group network ogn-sas
 network-object 10.16.70.92 255.255.255.255
 network-object 10.16.70.93 255.255.255.255
object-group network ogn-office-n
 network-object 10.1.0.0 255.255.0.0
object-group network ogn-office-s
 network-object 10.50.2.0 255.255.255.0
object-group network ogn-office-t
 network-object 10.50.6.0 255.255.255.0
 network-object 10.50.7.0 255.255.255.0
object-group network ogn-cloud1
 network-object 10.36.0.0 255.255.0.0
object-group network ogn-dr
 network-object 10.6.151.0 255.255.255.0
 network-object 10.6.205.0 255.255.255.0
 network-object 10.6.248.0 255.255.255.0
 network-object 10.6.250.0 255.255.255.0
 network-object 172.29.206.0 255.255.255.0
 network-object 172.29.214.0 255.255.255.0
 network-object 172.29.215.0 255.255.255.0
object-group network ogn-mfa-vpn-split
 group-object ogn-office-b
 group-object ogn-office-d
 group-object ogn-office-e
 group-object ogn-office-h
 group-object ogn-office-n
 group-object ogn-office-s
 group-object ogn-office-t
 group-object ogn-cloud1
 group-object ogn-dr
 group-object ogn-colo1
object-group network ogn-rfc1918
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
object-group network ogn-pbx
 network-object 10.6.6.124 255.255.255.255
 network-object 10.16.64.59 255.255.255.255
 network-object 10.16.64.61 255.255.255.255
 network-object 10.16.64.62 255.255.255.255
 network-object 10.16.64.63 255.255.255.255
 network-object 10.16.64.64 255.255.255.255
 network-object 10.16.64.65 255.255.255.255
 network-object 10.16.64.66 255.255.255.255
 network-object 10.16.64.67 255.255.255.255
 network-object 10.16.64.68 255.255.255.255
 network-object 10.16.64.122 255.255.255.255
 network-object 10.16.64.123 255.255.255.255
object-group network ogn-colo1-to-dr-remote
 network-object 10.6.151.0 255.255.255.0
 network-object 10.6.205.0 255.255.255.0
 network-object 10.6.248.0 255.255.255.0
 network-object 10.6.250.0 255.255.255.0
 network-object 172.29.206.0 255.255.255.0
 network-object 172.29.214.0 255.255.255.0
 network-object 172.29.215.0 255.255.255.0
object-group network ogn-colo1-to-dr-local
 network-object 10.6.3.0 255.255.255.0
 network-object 10.6.5.0 255.255.255.0
 network-object 10.16.64.0 255.255.224.0
 network-object 172.29.6.0 255.255.255.0
 network-object 172.29.10.0 255.255.255.0
 network-object 172.29.21.0 255.255.255.0
object-group network ogn-colo1-office-s-local
 network-object object on-mfa-vpn
object-group network ogn-colo1-office-s-remote
 network-object object on-10.50.2.0-24
access-list acl-mfa-vpn-split extended permit ip object-group ogn-mfa-vpn-split object on-mfa-vpn
access-list acl-colo1-to-dr extended permit ip object-group ogn-colo1-to-dr-local object-group ogn-colo1-to-dr-remote
access-list acl-dmz-inside-vlan201 extended permit ip object-group ogn-sas object-group ogn-pbx
access-list acl-dmz-inside-vlan201 extended deny ip any4 object-group ogn-rfc1918
access-list acl-dmz-inside-vlan201 extended permit ip any4 any4
access-list acl-colo1-office-s extended permit ip object-group ogn-colo1-office-s-local object-group ogn-colo1-office-s-remote
access-list cap extended permit ip any4 any4
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside-vlan201 1500
mtu dmz-vlan208 1500
failover
failover lan unit secondary
failover lan interface fo-link Ethernet0/3
failover key ***
failover timeout -1
failover link fo-link Ethernet0/3
failover interface ip fo-link 10.255.255.100 255.255.255.0 standby 10.255.255.200
monitor-interface inside-vlan201
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside-vlan201
asdm image disk0:/asdm-791.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside-vlan201,any) source static ogn-colo1-to-dr-local ogn-colo1-to-dr-local destination static ogn-colo1-to-dr-remote ogn-colo1-to-dr-remote no-proxy-arp route-lookup
nat (inside-vlan201,outside) source dynamic ogn-rfc1918 interface
nat (outside,outside) source dynamic on-mfa-vpn interface
nat (outside,inside-vlan201) source static on-mfa-vpn on-mfa-vpn
nat (dmz-vlan208,outside) source dynamic on-dmz-10.16.70.0 interface
access-group acl-dmz-inside-vlan201 in interface dmz-vlan208
route outside 0.0.0.0 0.0.0.0 i.s.p.129 1
route inside-vlan201 10.6.0.0 255.255.0.0 10.16.64.1 1
route outside 10.6.151.0 255.255.255.0 i.s.p.129 1
route outside 10.6.205.0 255.255.255.0 i.s.p.129 1
route outside 10.6.248.0 255.255.255.0 i.s.p.129 1
route outside 10.6.250.0 255.255.255.0 i.s.p.129 1
route inside-vlan201 10.16.0.0 255.255.0.0 10.16.64.1 1
route inside-vlan201 10.36.0.0 255.255.0.0 10.16.64.1 1
route inside-vlan201 172.29.0.0 255.255.0.0 10.16.64.1 1
route outside 172.29.206.0 255.255.255.0 i.s.p.129 1
route outside 172.29.214.0 255.255.255.0 i.s.p.129 1
route outside 172.29.215.0 255.255.255.0 i.s.p.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa-mfa-vpn protocol radius
aaa-server aaa-mfa-vpn (inside-vlan201) host 10.16.64.6
 key ***
 no mschapv2-capable
aaa-server aaa-mfa-vpn (inside-vlan201) host 10.6.6.6
 key ***
 no mschapv2-capable
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dynmap 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dynmap 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 10 match address acl-colo1-to-dr
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer dr.36
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 2147483640
crypto map outside_map 10 set security-association lifetime kilobytes 2147483646
crypto map outside_map 20 match address acl-colo1-office-s
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer office-s.130
crypto map outside_map 20 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynmap
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn fqdnvpn.com
 subject-name CN=fqdnvpn.com,O=office-b,C=office-b,St=office-b,L=office-b
 keypair fqdnvpn.com
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate ***
 quit
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside-vlan201
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.6.3.1 source inside-vlan201 prefer
ssl encryption aes256-sha1 aes128-sha1 rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy gp-mfa-vpn internal
group-policy gp-mfa-vpn attributes
 wins-server none
 dns-server value 10.6.5.10 10.6.5.11
 vpn-idle-timeout 60
 vpn-session-timeout 600
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-mfa-vpn-split
 default-domain value domain.com
 split-dns value domain.com
 webvpn
  anyconnect keep-installer installed
  anyconnect ask none default anyconnect
tunnel-group mfa-VPN type remote-access
tunnel-group mfa-VPN general-attributes
 address-pool ipool1-mfa-vpn
 address-pool ipool2-mfa-vpn
 authentication-server-group aaa-mfa-vpn
 default-group-policy gp-mfa-vpn
tunnel-group mfa-VPN webvpn-attributes
 group-alias mfa-VPN enable
tunnel-group mfa-VPN ipsec-attributes
 ikev1 pre-shared-key d3w0FMTN
tunnel-group dr.36 type ipsec-l2l
tunnel-group dr.36 ipsec-attributes
 ikev1 pre-shared-key 3baaGvIzF%tg#6^K
tunnel-group office-s.130 type ipsec-l2l
tunnel-group office-s.130 ipsec-attributes
 ikev1 pre-shared-key ahNg9Aev"u7uigah
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rsh
  inspect sunrpc
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname priority state
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
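Added example, not part of the original post: the NAT ordering that a hairpinned remote-access path on an ASA depends on, written against the object names in the posted config. A client in the 10.16.94.0/23 pool that targets a dr or office-s network arrives on `outside` after decryption and is routed back out `outside` (the `route outside ...` entries for the dr ranges and the default route for 10.50.2.0/24). The only (outside,outside) NAT rule posted is `nat (outside,outside) source dynamic on-mfa-vpn interface`, which would PAT that client to the interface address before the crypto map is consulted, and a source of i.s.p.133 matches neither `acl-colo1-to-dr` nor `acl-colo1-office-s`. The existing exemption `nat (inside-vlan201,any) ...` cannot help because its real interface is `inside-vlan201`, not `outside`. Note that the pool already lies inside `ogn-colo1-to-dr-local` (10.16.64.0/19 covers 10.16.64.0 through 10.16.95.255), and `acl-colo1-office-s` uses `on-mfa-vpn` as its local side, so only the translation is in the way on this box. The fragment below shows the usual pattern: twice-NAT identity rules for the pool toward each L2L remote range, placed above the dynamic PAT, plus the packet-tracer calls that confirm or refute it. The line numbers, the sample client address 10.16.94.10 and the sample destination hosts are assumptions for illustration; everything else is taken from the config above.

```cisco
! --- as posted: the hairpin PAT sees VPN-client traffic before any exemption does
! nat (outside,outside) source dynamic on-mfa-vpn interface

! --- added: identity (exemption) rules for pool -> L2L remote ranges.
! The explicit line numbers 1 and 2 (assumed) force them to the top of section 1
! so they are evaluated before the dynamic PAT. no-proxy-arp and route-lookup
! mirror the exemption already used for inside-vlan201.
nat (outside,outside) 1 source static on-mfa-vpn on-mfa-vpn destination static ogn-colo1-to-dr-remote ogn-colo1-to-dr-remote no-proxy-arp route-lookup
nat (outside,outside) 2 source static on-mfa-vpn on-mfa-vpn destination static on-10.50.2.0-24 on-10.50.2.0-24 no-proxy-arp route-lookup

! --- check 1: rule order. The two identity rules must be listed above the
! "source dynamic on-mfa-vpn interface" rule.
show nat detail

! --- check 2: emulate a pool client (10.16.94.10, assumed) to one host behind each
! tunnel (addresses assumed). The NAT phase should report the identity rule and the
! VPN phase should report crypto map entry 10 (dr) or 20 (office-s) instead of a drop.
packet-tracer input outside tcp 10.16.94.10 40000 10.6.151.10 445 detailed
packet-tracer input outside tcp 10.16.94.10 40000 10.50.2.10 445 detailed

! --- check 3: after real client traffic, an SA pair should exist for the pool
! toward each peer, with the encaps/decaps counters moving.
show crypto ipsec sa peer dr.36
show crypto ipsec sa peer office-s.130
```

The caveat a practitioner would add: an exemption on colo1 only fixes the local half. The dr and office-s peers must also carry 10.16.94.0/23 in their own crypto ACL (and route it back toward colo1), which cannot be verified from this config. If packet-tracer passes on colo1 but `show crypto ipsec sa` shows encaps without decaps, the remote side is the next place to look.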

