Setting up a lab Microhard to send all remote site traffic through the ASA in the datacenter. Goal is to get the traffic into Firepower. On a PC connected through the Microhard and the IPsec tunnel to the ASA, I can ping the internal interfaces on the ASA, the ASA's public IP, and the public IP upstream gateway, but I can't ping, say, 8.8.8.8.
Edit: Seems I'm not able to ping the ASA's public IP or gateway. The tunnel is dropping with "Session is being torn down. Reason: Lost Service" and I'm able to access the internet normally from the Microhard.
I'm assuming I'm missing a NAT or ACL somewhere. I'll post commands or configs as requested. Here is the ASA config:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TEST
 subnet 10.0.0.0 255.255.255.0
object network TEST
 nat (outside,outside) dynamic interface
access-list VPN-ACLTestSite extended permit ip any object-group TEST
crypto ipsec ikev1 transform-set TRANSFORM esp-aes-256 esp-sha-hmac
crypto map outside_map 6 match address VPN-ACLTestSite
crypto map outside_map 6 set peer 1.1.1.1
crypto map outside_map 6 set ikev1 transform-set TRANSFORM
crypto map outside_map 6 set reverse-route
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key Password
Edit: I can see Firepower doing some blocking? I added an access control rule that should cover it, but it doesn't seem to be working. FP 6.3 something.
%ASA-0-434002: SFR requested to drop UDP back from outside:10.0.0.199/38938 to outside:8.8.8.8/53
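The %ASA-434002 message above is the ASA reporting that the SFR (Firepower) module asked it to drop a flow, and the fact that both the ingress and egress interface are "outside" is what identifies this as hairpinned VPN traffic. The following is an added example, not code from the original post: a small Python parser that pulls the protocol, interfaces, addresses and ports out of 434002 messages, flags the ones where ingress and egress interface are the same (the U-turn case), and tallies which flows are being dropped. Only the first sample log line reproduces the message from the post; the others are constructed. The regex accepts either "packet" (the wording in Cisco's documented format) or "back" (as the message appears in the post) after the protocol name; that tolerance is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines. The first reproduces the message from the post;
# the remaining three are made up to exercise the non-hairpin and non-434002 cases.
SAMPLE_LOGS = [
    "%ASA-0-434002: SFR requested to drop UDP back from outside:10.0.0.199/38938 to outside:8.8.8.8/53",
    "%ASA-0-434002: SFR requested to drop TCP packet from outside:10.0.0.199/50211 to outside:93.184.216.34/443",
    "%ASA-0-434002: SFR requested to drop TCP packet from inside:192.168.1.20/40000 to outside:203.0.113.5/80",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:10.0.0.199/50100 (10.0.0.199/50100) to outside:8.8.8.8/53 (8.8.8.8/53)",
]

# Matches "%ASA-<sev>-434002: SFR requested to drop <proto> <packet|back> from <if>:<ip>/<port> to <if>:<ip>/<port>".
# The word after the protocol is "packet" in Cisco's documented format; the post shows "back",
# so any single word is accepted there (assumption).
SFR_DROP_RE = re.compile(
    r"%ASA-\d-434002: SFR requested to drop (?P<proto>\w+) \w+ from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


@dataclass(frozen=True)
class SfrDrop:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    @property
    def hairpin(self) -> bool:
        # Same ingress and egress interface: the flow entered the ASA on one interface and
        # is leaving on the same one, which is what remote-site traffic tunnelled to the
        # ASA and then sent out to the Internet looks like.
        return self.src_if == self.dst_if


def parse_sfr_drop(line: str) -> Optional[SfrDrop]:
    """Return an SfrDrop for a 434002 message, or None for any other syslog line."""
    m = SFR_DROP_RE.search(line)
    if m is None:
        return None
    return SfrDrop(
        proto=m["proto"].upper(),
        src_if=m["src_if"],
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        dst_if=m["dst_if"],
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
    )


def hairpin_drops(lines: List[str]) -> List[SfrDrop]:
    """All SFR drops where the flow entered and left on the same interface."""
    drops = (parse_sfr_drop(l) for l in lines)
    return [d for d in drops if d is not None and d.hairpin]


def summarize_drops(lines: List[str]) -> Counter:
    """Count SFR drops per (src_ip, dst_ip, proto, dst_port) so blocked flows stand out.

    Source ports are left out on purpose: they are ephemeral and would split one
    blocked service (e.g. DNS to 8.8.8.8) into many single-count entries."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_sfr_drop(line)
        if d is not None:
            counts[(d.src_ip, d.dst_ip, d.proto, d.dst_port)] += 1
    return counts


if __name__ == "__main__":
    for d in hairpin_drops(SAMPLE_LOGS):
        print(f"hairpin drop on {d.src_if}: {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port}/{d.proto}")
    for flow, n in summarize_drops(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  {flow}")
```

Run over a real ASA syslog export, the summary shows which destination services the access control policy is actually blocking for the VPN subnet, which is the quickest way to confirm whether the added rule is matching the hairpinned flows or whether they are still falling through to a deny.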