04-16-2018 05:07 AM - edited 02-21-2020 07:38 AM
Hello,
There are 2 internet links:
- SDSL : site to site VPN connection
- Fiber : Internet connection for all other stuff
The SDSL connection is used for the site-to-site VPN and the fiber link for anything else.
The problem is that the site-to-site connection is working fine, but not the connection to the Internet. Packets seem to work outside (I can ping outside) but not inside (the Internet cannot access the ASA).
Here is the configuration:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
name AAA.AAA.AAA.AAA ABP-NAGIOS description ABP-NAGIOS
name BBB.BBB.BBB.BBB ouside2
name 192.168.3.1 SDSL
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif Outside-SDSL
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Vlan12
 nameif Outside-Fibre
 security-level 0
 ip address YYY.YYY.YYY.YYY 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service 12486 tcp
 port-object eq 12486
object-group service nagios tcp
 port-object eq 12486
object-group service NagiosABP tcp
 group-object nagios
 port-object eq 1249
access-list outside_access_in extended permit ip host VVV.VVV.VVV.VVV any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip 195.1.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 195.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 195.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
access-list Outside-ADSL_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Sojam_splitunel extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside-SDSL 1500
mtu Outside-Fibre 1500
ip local pool dealer 10.1.1.1-10.1.1.254 mask 255.255.255.0
ip verify reverse-path interface Outside-SDSL
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside-SDSL
no asdm history enable
arp timeout 14400
global (Outside-SDSL) 2 interface
global (Outside-Fibre) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface Outside-SDSL
access-group Outside-ADSL_access_in in interface Outside-Fibre
route Outside-Fibre 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYG 1
route Outside-SDSL VVV.VVV.VVV.VVV 255.255.255.255 XXX.XXX.XXX.XXG 1
route Outside-SDSL 195.1.1.0 255.255.255.255 XXX.XXX.XXX.XXG 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http AAA.AAA.AAA.AAB 255.255.255.255 Outside-SDSL
http 0.0.0.0 0.0.0.0 Outside-SDSL
snmp-server host Outside-SDSL ABP-NAGIOS community rqdnet version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer VVV.VVV.VVV.VVV
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Outside-SDSL
crypto map Outside-ADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-ADSL_map interface Outside-Fibre
crypto isakmp enable Outside-SDSL
crypto isakmp enable Outside-Fibre
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
dhcpd address 192.168.1.5-192.168.1.50 inside
dhcpd dns 192.168.1.2 195.1.1.10 interface inside
dhcpd option 6 ip 62.100.129.11 62.100.129.71 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable Outside-SDSL
 enable Outside-Fibre
group-policy CGI-SFR internal
group-policy CGI-SFR attributes
 dns-server value 192.168.1.2 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Sojam_splitunel
 default-domain value CGI
group-policy superteam internal
group-policy superteam attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
username sshacto password xIm4wgbJj/D0Jqo. encrypted privilege 15
tunnel-group VVV.VVV.VVV.VVV type ipsec-l2l
tunnel-group VVV.VVV.VVV.VVV ipsec-attributes
 pre-shared-key *
tunnel-group superteam type remote-access
tunnel-group superteam general-attributes
 address-pool dealer
 default-group-policy superteam
tunnel-group superteam ipsec-attributes
 pre-shared-key *
tunnel-group CGI-SFR type remote-access
tunnel-group CGI-SFR general-attributes
 address-pool dealer
 default-group-policy CGI-SFR
tunnel-group CGI-SFR ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:74bcca3b0aaba509bf76bf4db2ccadce
: end
Thank you for your help.
Regards.
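As an added example (not part of the original post, and not Cisco code), here is a small Python checker that parses an excerpt of the configuration above and reports the per-interface consistency problems a reviewer would look at before suspecting the ISP or the VPN peer: a `global` pool id with no matching `nat` rule, a security-level 0 interface with no `http`/`ssh` rule (so the firewall itself cannot be managed from that side), and a crypto-map match-ACL destination that no route on the crypto interface covers. The masked XXX/YYY/VVV addresses are replaced with RFC 5737 documentation addresses so that the routes parse; that substitution and the excerpt itself are assumptions. The route check is purely static: it does not model the `set reverse-route` entry in the posted crypto map, which can inject a route for the peer's network at runtime.

```python
"""Static consistency checks on an ASA 8.2-style config, per outside interface.
Added example, not code from the original post. CONFIG is an excerpt of the posted
config; the masked XXX/YYY/VVV addresses are replaced by RFC 5737 documentation
addresses (an assumption, so that routes and host entries parse)."""
import ipaddress
from collections import defaultdict

CONFIG = """\
interface Vlan2
 nameif Outside-SDSL
 security-level 0
interface Vlan12
 nameif Outside-Fibre
 security-level 0
access-list outside_access_in extended permit ip host 192.0.2.10 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 195.1.1.0 255.255.255.0
access-list Outside-ADSL_access_in extended permit icmp any any
global (Outside-SDSL) 2 interface
global (Outside-Fibre) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route Outside-Fibre 0.0.0.0 0.0.0.0 198.51.100.1 1
route Outside-SDSL 192.0.2.10 255.255.255.255 203.0.113.1 1
route Outside-SDSL 195.1.1.0 255.255.255.255 203.0.113.1 1
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 Outside-SDSL
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface Outside-SDSL
crypto map Outside-ADSL_map interface Outside-Fibre
"""

def _addr(t):
    """Consume one ASA address spec: 'any' (returned as None), 'host X' or 'net mask'."""
    if t[0] == "any":
        return None, t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse_asa(text):
    """Collect the parts of the config that decide how each interface behaves."""
    c = {"interfaces": {}, "acls": defaultdict(list), "globals": {}, "nat_ids": set(),
         "routes": defaultdict(list), "mgmt": defaultdict(set), "crypto_if": {},
         "crypto_match": defaultdict(list)}
    nameif = None
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if not raw.startswith(" "):      # a top-level command ends any interface block
            nameif = None
        if w[0] == "nameif":
            nameif = w[1]
            c["interfaces"][nameif] = {}
        elif nameif and w[0] == "security-level":
            c["interfaces"][nameif]["security"] = int(w[1])
        elif w[0] == "access-list":
            c["acls"][w[1]].append(w[2:])           # tokens after the ACL name
        elif w[0] == "global":
            c["globals"][w[1].strip("()")] = int(w[2])
        elif w[0] == "nat":
            c["nat_ids"].add(int(w[2]))
        elif w[0] == "route":
            c["routes"][w[1]].append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
        elif w[0] in ("http", "ssh") and len(w) == 4:   # '<proto> net mask iface'
            c["mgmt"][w[3]].add(w[0])
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            c["crypto_if"][w[4]] = w[2]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            c["crypto_match"][w[2]].append(w[6])
    return c

def acl_dsts(c, acl):
    """Destination networks of an extended ACL; entries with 'any' as dst are skipped."""
    dsts = []
    for e in c["acls"][acl]:
        _, rest = _addr(e[3:])           # skip 'extended permit <proto>', then the source
        dst, _ = _addr(rest)
        if dst is not None:
            dsts.append(dst)
    return dsts

def lint(c):
    """Checks worth running before blaming the peer or the ISP; returns finding strings."""
    out = []
    for iface, gid in c["globals"].items():
        if gid not in c["nat_ids"]:
            out.append(f"{iface}: global id {gid} has no matching nat rule")
    for iface, info in c["interfaces"].items():
        if info.get("security") == 0 and not c["mgmt"].get(iface):
            out.append(f"{iface}: no http/ssh rule, so the ASA cannot be managed from it")
    for iface, cmap in c["crypto_if"].items():
        routes = [r for r in c["routes"][iface] if r.prefixlen]   # ignore the default route
        for acl in c["crypto_match"][cmap]:
            for dst in acl_dsts(c, acl):
                if not any(dst.subnet_of(r) for r in routes):
                    out.append(f"{iface}: crypto ACL {acl} destination {dst} is not covered "
                               f"by a route on {iface} (routes: {[str(r) for r in routes]})")
    return out
```

Run on the excerpt, `lint(parse_asa(CONFIG))` returns three findings: `global (Outside-SDSL) 2` has no `nat (inside) 2` rule behind it, `Outside-Fibre` has no `http` or `ssh` line while `Outside-SDSL` and `inside` do, and the `195.1.1.0/24` destination of `outside_1_cryptomap` is matched only by the `/32` route on `Outside-SDSL`, so in a plain longest-match lookup the rest of that subnet follows the default route out `Outside-Fibre` unless a more specific route is injected. Whether any of these is the cause of the poster's problem is for the thread to establish; the checker only makes them visible.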