topic Here goes: in Network Security

ASA 5506X Traffic flow between interfaces

OldSchoolTechie — Tue, 12 Mar 2019 08:00:07 GMT

Dear all,

I am on 9.6 and trying to get traffic flowing between two interfaces. These have the same security level and are permitted to talk
using same-sec intra|inter. There is no routing in place, meaning everything is directly connected. To cut it short, here's the layout:
inside=192.168.1.254; LTE=192.168.5.1; outside has public WAN IP. I want to establish traffic between inside and LTE as a
prerequisite for PBR.

Symptom:

I seem to be unable to get past the interface, that is - i CAN ping from "LTE" to hosts in that segment (and of course within "inside" as well).ICMP is permitted, yes - but I cannot get a ping across these.

There is no ACL on any interface (as per the docs, you don't need it if you have the same sec-level in place).
There is NAT exemption in place for 192.168.5.0 against the inside and outside and itself in place, as well for a few VPN pools and subnets (all fine). The packet tracer reveals the following, and I am at my wits end......perhaps s/o can have a look into it.

packet-tracer input inside tcp 192.168.1.254 http 192.168.5.10 http......

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.10 using egress ifc LTE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LTE
Untranslate 192.168.5.10/80 to 192.168.5.10/80

Phase: 3
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.254 using egress ifc inside

Result:
output-interface: LTE
output-status: up
output-line-status: up
Action: drop

TIA+Brgds,

Dan

First off, you do not need to

Marius Gunnerud — Thu, 07 Jul 2016 20:19:51 GMT

First off, you do not need to have the NAT exempt, infact I would remove the inside to LTE NAT exempt all together.

Could you post a full running config (remember to remove any public IPs, usernames and passwords)?

you are correct in stating that you should not need an ACL on the interface if you have the same-security-traffic permit inter-interface (between two interfaces with same security level) and same-security-traffic permit intra-interface (hairpinning traffic on a single interface regardless of security level).

do the two subnets connect to the same switch?

does the switch have vlans configured with IPs in the two VLANs? If so are these VLANs in different VRFs?

Please remember to select a correct answer and rate helpful posts

Marius,

OldSchoolTechie — Fri, 08 Jul 2016 06:59:28 GMT

Marius,

first off, thanks for taking your time for looking into that, really appreciate it.

Here's a sanitized running config. I posted the main Networking part which I suspect to contain the culprit. The crypto stuff and the likes of ssh etc. were omitted for reasons of clarity. I initially spoke of PBR which is configured here but not "switched on" an Interface because I lack the requirements for it; PBR would direct packets to a dead end.

Background Info, also answering your questions:

192.168.[3,4,7].0 are remote VPN Networks.

192.168.1.0/24 is the inside. Hangs off a small GiE Switch.

192.168.5.0 is the LTE Segment.

The LTE unit is wired using CAT6 cable straight 1:1 to giE3/1. No switching here.

ASA Version 9.5(2)
!
hostname ******

domain-name *******

enable password ******************

[snip]

ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
domain-name armato.de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network *****
host 192.168.1.2
object network inside_net
subnet 192.168.1.0 255.255.255.0
object network vpn_clientpool
subnet 172.16.4.0 255.255.255.0
object network jt_net
subnet 192.168.2.0 255.255.255.0
object network cg_net
subnet 192.168.4.0 255.255.255.0
object network cg_net_li
subnet 192.168.7.0 255.255.255.0
object network LTE
subnet 192.168.5.0 255.255.255.0
object network *******************

host 192.168.1.1

access-list VPN_Inside remark *****
access-list VPN_Inside standard permit 192.168.1.0 255.255.255.0
access-list L2l extended permit ip object inside_net object jt_net
access-list L2l extended permit ip object inside_net object cg_net
access-list L2l extended permit ip object inside_net object cg_net_li
access-list LocalLanAccess standard permit 192.168.4.0 255.255.255.0
access-list LocalLanAccess standard permit 172.16.4.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.1.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.7.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.5.0 255.255.255.0
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq www
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq https
pager lines 24

nat (inside,outside) source static inside_net inside_net destination static vpn_clientpool vpn_clientpool no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net cg_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net_li cg_net_li no-proxy-arp route-lookup
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network inside_net
nat (inside,outside) dynamic interface dns
!
route-map LTE permit 10
match ip address LTE_WAN
set ip next-hop verify-availability 192.168.5.10 1 track 1
set interface LTE

You have some accessories

Marius Gunnerud — Fri, 08 Jul 2016 09:59:21 GMT

You have some accessories lists configured. Are you sure that the LTE-WAN acl is not assigned to the LTE interface?

Please remember to select a correct answer and rate helpful posts

As you can see, there is no

OldSchoolTechie — Fri, 08 Jul 2016 10:42:02 GMT

As you can see, there is no access-group on the Interface - that means no ACL is in effect. The LTE_WAN ACL you see is intended for PBR control.

your packet-tracer is

Marius Gunnerud — Fri, 08 Jul 2016 14:52:57 GMT

your packet-tracer is incorrect. You are using a source IP of the inside interface which is why it is failing. try it using 192.168.1.10 for example.

How are you testing traffic between the two subnets? Ping?

Please remember to select a correct answer and rate helpful posts

Marius, you cannot use the PT

OldSchoolTechie — Sat, 09 Jul 2016 08:59:41 GMT

Marius, you cannot use the PT on Interfaces other than those you have on the Hardware; to my Knowledge it is unable to intercept stuff coming thru the ASA.

Anyway, testing back and forth using ping between LTE and inside -> no avail.

And yes, ICMP is permitted.

First off packet-tracer only

Marius Gunnerud — Sat, 09 Jul 2016 09:22:17 GMT

First off packet-tracer only simulates a packet passing through the ASA and because traffic can not be simulated using an ASA asigned IP you need to use a different IP than that is configured on the ASA interface.

If these are Windows machines have you turned off the windows firewall while testing?

Please post the packet tracer output using IPs other than that is configured on the ASA interfaces.

If this still fails and windows firewall is turned off please post a full running config of your ASA.

Please remember to select a correct answer and rate helpful posts

Sorry for being late re. the

OldSchoolTechie — Mon, 11 Jul 2016 14:31:09 GMT

Sorry for being late re. the weekend.

Please find below what the PT yields. Interesting enough - upon pinging manually - I can observe (using deb ic tr ) only the request from .1.2 to 5.10 but nothing comes back. Pinging from 5.1. to 5.10 yields request and reply. And yes, the windows F/W is of course off (deactivated) and no other security software is out there.

packet-tracer input inside icmp 192.168.1.2 8 0 192.168.5.10 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.10 using egress ifc LTE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LTE
Untranslate 192.168.5.10/0 to 192.168.5.10/0

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.2 using egress ifc inside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.1.2/0 to 192.168.1.2/0
Forward Flow based lookup yields rule:
in id=0x7fe99f7d2a60, priority=6, domain=nat, deny=false
        hits=14, user_data=0x7fe9a0f68610, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=LTE

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9a0e40510, priority=2, domain=permit, deny=false
        hits=26, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe99ec89c40, priority=0, domain=nat-per-session, deny=true
        hits=624702, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe99f77c9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=258460, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe99f77c1d0, priority=66, domain=inspect-icmp-error, deny=false
        hits=3717, user_data=0x7fe99f77b740, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9a0cf3030, priority=13, domain=debug-icmp-trace, deny=false
        hits=3715, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe9a1123a50, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x7fe9a0f6c0a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=LTE

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe9a0ce3330, priority=0, domain=user-statistics, deny=false
        hits=111, user_data=0x7fe9a06910d0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=LTE

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 308937, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
output-interface: LTE
output-status: up
output-line-status: up
Action: allow

Please post a full running

Marius Gunnerud — Mon, 11 Jul 2016 20:32:31 GMT

Please post a full running config (please remember to remove any public IPs, usernames and passwords).

Please remember to select a correct answer and rate helpful posts

Here goes; crypto certs

OldSchoolTechie — Tue, 12 Jul 2016 08:38:13 GMT

Here goes; crypto certs omitted, remainder is anonymized.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool vpn_clientpool 172.16.4.1-172.16.4.10 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group [SNIP]
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/3
nameif LTE
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
domain-name [SNIP].de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network W2K8SBS
host 192.168.1.2
object network inside_net
subnet 192.168.1.0 255.255.255.0
object network vpn_clientpool
subnet 172.16.4.0 255.255.255.0
object network jt_net
subnet 192.168.2.0 255.255.255.0
object network cg_net
subnet 192.168.4.0 255.255.255.0
object network cg_net_li
subnet 192.168.7.0 255.255.255.0
object network LTE
subnet 192.168.5.0 255.255.255.0
object network W2K8TSSERV
host 192.168.1.1
object-group service [SNIP]_Outside tcp
port-object eq https
port-object eq www
access-list VPN_Inside remark [SNIP] Userland
access-list VPN_Inside standard permit 192.168.1.0 255.255.255.0
access-list L2l extended permit ip object inside_net object jt_net
access-list L2l extended permit ip object inside_net object cg_net
access-list L2l extended permit ip object inside_net object cg_net_li
access-list LocalLanAccess standard permit 192.168.4.0 255.255.255.0
access-list LocalLanAccess standard permit 172.16.4.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.1.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.7.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.5.0 255.255.255.0
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq www
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq https
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap errors
logging asdm notifications
mtu outside 1492
mtu inside 1500
mtu LTE 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name [SNIP]_Outside attack action alarm drop
ip audit interface outside [SNIP]_Outside
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any LTE
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside_net inside_net destination static vpn_clientpool vpn_clientpool no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net cg_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net_li cg_net_li no-proxy-arp route-lookup
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network inside_net
nat (inside,outside) dynamic interface dns
!
route-map LTE permit 10
match ip address LTE_WAN
set ip next-hop verify-availability 192.168.5.10 1 track 1
set interface LTE

!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server [SNIP] protocol radius
aaa-server [SNIP] (inside) host 192.168.1.2
key *****
radius-common-pw [SNIP]
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sla monitor 1
type echo protocol ipIcmpEcho 192.168.5.1 interface LTE
frequency 10
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ARM_0 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ARM_1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ARM_2 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ARM_3 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map ARM_MAP 65535 set pfs
crypto dynamic-map ARM_MAP 65535 set ikev1 transform-set ARM_0 ARM_1 ARM_2 ARM_3
crypto dynamic-map ARM_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic ARM_MAP
crypto map outside_map interface outside
crypto ca trustpoint [SNIP].[SNIP].de
fqdn [SNIP].[SNIP].de
subject-name CN=[SNIP].[SNIP].de,OU=IT,O=[SNIP] ... [SNIP]
keypair [SNIP].[SNIP].de
crl configure
crypto ca trustpoint primary_rootca
enrollment terminal
crl configure
crypto ca trustpoint secondary_rootca
enrollment terminal
fqdn [SNIP].[SNIP].[SNIP]
crl configure
crypto ca trustpool policy

crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
!
track 1 rtr 1 reachability
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.7.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpdn group [SNIP] request dialout pppoe
vpdn group [SNIP] localname [SNIP]
vpdn group [SNIP] ppp authentication pap
vpdn username [SNIP] password [SNIP] store-local
no vpn-addr-assign aaa

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside prefer
ssl cipher default custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point [SNIP].[SNIP].de outside
ssl trust-point [SNIP].[SNIP].de inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.12020-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy [SNIP]policy internal
group-policy [SNIP]policy attributes
dns-server value 192.168.1.2
vpn-simultaneous-logins 5
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-lock value [SNIP]_mobility
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LocalLanAccess
split-dns value firma.local
intercept-dhcp enable
webvpn
anyconnect modules value dart vpngina
anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username [SNIP] password [SNIP] encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group [SNIP]_mobility type remote-access
tunnel-group [SNIP]_mobility general-attributes
address-pool vpn_clientpool
authentication-server-group [SNIP]
authentication-server-group (outside) [SNIP]
default-group-policy [SNIP]policy
password-management
tunnel-group [SNIP]_mobility webvpn-attributes
group-alias 1 disable
group-alias [SNIP]_mobility enable
tunnel-group [SNIP]_mobility ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group [SNIP]_mobility ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group 192.168.2.0 type ipsec-l2l
tunnel-group 192.168.2.0 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 192.168.7.0 type ipsec-l2l
tunnel-group 192.168.7.0 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
id-randomization
id-mismatch action log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Add the following:

Marius Gunnerud — Tue, 12 Jul 2016 19:15:50 GMT

Add the following:

policy-map global_policy
class inspection_default

inspect icmp

Then you should be able to ping between the two subnets.

Please remember to select a correct answer and rate helpful posts

FAIL. Same behavior as before

OldSchoolTechie — Tue, 12 Jul 2016 20:00:36 GMT

FAIL. Same behavior as before. Can observe request, no echo (from 192.168.1.1 -> 5.10 ), can observe request AND echo from 5.1. to 5.10

set up a capture on the LTE

Marius Gunnerud — Tue, 12 Jul 2016 20:16:02 GMT

set up a capture on the LTE interface.

cap CAPLTE interface LTE match ip host 192.168.1.1 host 192.168.5.10

If you see the the packet exit the LTE inter face i.e you see an entry for 192.168.1.1 towards 192.168.5.10 but nothing coming back then the issue is on 192.168.5.10 or the network between this PC/server and the ASA.

Please remember to select a correct answer and rate helpful posts

Here goes:

OldSchoolTechie — Tue, 12 Jul 2016 20:31:36 GMT

Here goes:

4 packets captured

   1: 22:27:29.674907       192.168.1.1 > 192.168.5.10: icmp: echo request
   2: 22:27:34.244814       192.168.1.1 > 192.168.5.10: icmp: echo request
   3: 22:27:39.252809       192.168.1.1 > 192.168.5.10: icmp: echo request
   4: 22:27:44.244387       192.168.1.1 > 192.168.5.10: icmp: echo request

Makes me go bonkers, Marius. Never observed anything similar before.

And there I fixed it.

OldSchoolTechie — Tue, 12 Jul 2016 23:00:34 GMT

And there I fixed it.

The culprit was:

recursive next hop statement on policy

missing dynamic NAT entry from inside_net object to LTE.

Complete IP Stack works, 80/443 nicely separated and delivering a fair 120 MBit downstream as opposed to 3 before.