09-15-2022 08:25 AM - edited 09-15-2022 08:45 AM
Hello,
I am attempting to create an IPsec site-to-site tunnel between two sites. When I attempt to ping a host in the CoLo from Dover (192.168.10.239 pinging 192.168.190.200), the tunnel establishes, and I see bytes Rx and Tx on the Dover end of the tunnel, but on the other end just bytes Tx and 0 Rx.
The ASA 5508 on the Dover end is utilizing a Windstream SDWAN solution, and using BGP routing to route to our other 192.168.x.x /24 or /22 sites.
The tunnel, however, is configured to route through a separate interface called Comcast_Test, on a completely separate internet circuit, not associated with the SDWAN.
When I ping 192.168.190.200 from my Albany subnet, which has no tunnel to that subnet configured at all, it says Reply from 192.168.190.200: Destination net unreachable.
Now if I ping 192.168.190.200 from a host in Dover, where the tunnel is up but not passing traffic back, it says Reply from 70.43.126.128: Destination net unreachable.
However, if I ping another subnet that is also NOT being directly advertised through BGP, 192.168.200.200 for example, the reply is Reply from 192.168.200.200: Destination net unreachable.
70.43.126.128 is a Windstream IP, and is being advertised to the Dover-ASA through BGP.
I do believe the traffic is being picked up by the tunnel, hence the increasing Tx and Rx on the Dover side, and Tx on the CoLo side, but as you can see from the packet-tracer output, it is going through the interface named mpls. The NAT rule mentioned is a catch-all network object NAT, so shouldn't that be processed after the standard NAT rule for the VPN traffic to Comcast_outside?
Some possibly helpful info is below. Does anyone have an idea what is happening here?
A packet trace from Dover to CoLo:
Result of the command: "packet-tracer input inside tcp 192.168.10.239 80 192.168.190.200 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.252.13 using egress ifc mpls
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
Additional Information:
Static translate 192.168.10.239/80 to 192.168.10.239/80
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25514987, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: mpls
output-status: up
output-line-status: up
Action: allow
A packet trace from Colo to Dover:
Result of the command: "packet-tracer input inside tcp 192.168.190.200 80 192.168.10.239 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 63.254.156.9 using egress ifc Tierpoint
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,any) source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
Additional Information:
NAT divert to egress interface Tierpoint
Untranslate 192.168.10.239/80 to 192.168.10.239/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,any) source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
Additional Information:
Static translate 192.168.190.200/80 to 192.168.190.200/80
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,any) source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2746906, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Tierpoint
output-status: up
output-line-status: up
Action: allow
Routes on the Dover-ASA:
Result of the command: "sho bgp"
BGP table version is 28320, local router ID is 192.168.254.58
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 192.168.252.13 1 0 65201 ?
*> 40.128.141.110/31
192.168.252.13 0 0 65201 65001 7029 ?
*> 40.131.64.0/24 192.168.252.13 1 0 65201 ?
*> 40.133.133.43/32 192.168.252.13 1 0 65201 ?
*> 40.133.213.74/31 192.168.252.13 0 0 65201 65001 7029 ?
*> 40.135.26.0/24 192.168.252.13 1 0 65201 ?
*> 40.137.250.225/32
192.168.252.13 0 0 65201 65001 7029 ?
*> 40.137.251.33/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 40.138.93.97/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 40.138.93.161/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 64.196.20.67/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 64.196.20.131/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 64.197.193.143/32
192.168.252.13 0 0 65201 65001 7029 ?
*> 64.197.193.207/32
192.168.252.13 0 0 65201 65001 7029 ?
*> 66.16.70.136/31 192.168.252.13 0 0 65201 65001 7029 ?
*> 70.43.126.128/31 192.168.252.13 0 0 65201 65001 7029 ?
*> 162.40.21.253/32 192.168.252.13 1 0 65201 ?
*> 167.21.84.227/32 192.168.252.13 4 0 65201 65203 65103 ?
*> 167.21.128.83/32 192.168.252.13 4 0 65201 65203 65103 ?
*> 172.16.0.0/12 192.168.252.13 1 0 65201 ?
*> 172.20.43.0/24 192.168.252.13 4 0 65201 65203 65103 ?
*> 172.30.43.0/24 0.0.0.0 0 32768 i
*> 192.168.0.0/16 192.168.252.13 1 0 65201 ?
*> 192.168.4.0/22 192.168.252.13 4 0 65201 65200 65100 ?
*> 192.168.8.0/22 192.168.254.57 0 32768 i
*> 192.168.20.0/22 192.168.252.13 4 0 65201 65204 65104 ?
*> 192.168.28.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65215 65115 ?
*> 192.168.40.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65210 65110 ?
*> 192.168.48.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65207 65107 ?
*> 192.168.60.0/22 192.168.252.13 4 0 65201 65211 65111 ?
*> 192.168.80.0/22 192.168.252.13 4 0 65201 65212 65112 ?
*> 192.168.100.0/22 192.168.252.13 4 0 65201 65213 65113 ?
*> 192.168.120.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65206 65106 ?
*> 192.168.132.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65209 65109 ?
*> 192.168.140.0/22 192.168.252.13 4 0 65201 65202 65102 ?
*> 192.168.148.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65214 65114 ?
*> 192.168.152.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65214 65114 ?
*> 192.168.160.0/22 192.168.252.13 0 0 65201 65001 7029 7029 65208 65108 ?
*> 192.168.168.0/22 192.168.252.13 4 0 65201 65203 65103 ?
*> 192.168.180.0/22 192.168.252.13 4 0 65201 65205 65105 ?
*> 192.168.252.4/30 192.168.252.13 4 0 65201 65203 ?
*> 192.168.252.8/30 192.168.252.13 4 0 65201 65200 ?
r> 192.168.252.12/30
192.168.252.13 0 0 65201 ?
*> 192.168.252.16/30
192.168.252.13 4 0 65201 65202 ?
*> 192.168.252.20/30
192.168.252.13 4 0 65201 65204 ?
*> 192.168.252.24/30
192.168.252.13 4 0 65201 65205 ?
*> 192.168.252.28/30
192.168.252.13 0 0 65201 65001 7029 7029 65206 ?
*> 192.168.252.32/30
192.168.252.13 0 0 65201 65001 7029 7029 65207 ?
*> 192.168.252.36/30
192.168.252.13 0 0 65201 65001 7029 7029 65208 ?
*> 192.168.252.40/30
192.168.252.13 0 0 65201 65001 7029 7029 65209 ?
*> 192.168.252.44/30
192.168.252.13 0 0 65201 65001 7029 7029 65210 ?
*> 192.168.252.48/30
192.168.252.13 4 0 65201 65211 ?
*> 192.168.252.52/30
192.168.252.13 4 0 65201 65212 ?
*> 192.168.252.56/30
192.168.252.13 4 0 65201 65213 ?
*> 192.168.252.60/30
192.168.252.13 0 0 65201 65001 7029 7029 65214 ?
*> 192.168.252.64/30
192.168.252.13 0 0 65201 65001 7029 7029 65215 ?
*> 206.246.207.208/31
192.168.252.13 0 0 65201 65001 7029 ?
*> 207.59.62.128/31 192.168.252.13 0 0 65201 65001 7029 ?
*> 207.170.57.3/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 207.170.57.67/32 192.168.252.13 0 0 65201 65001 7029 ?
*> 209.156.205.79/32
192.168.252.13 0 0 65201 65001 7029 ?
*> 209.156.206.79/32
192.168.252.13 0 0 65201 65001 7029 ?
Result of the command: "sho route"
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 173.221.200.201 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 173.221.200.201, outside
B 10.0.0.0 255.0.0.0 [20/1] via 192.168.252.13, 4w6d
B 40.128.141.110 255.255.255.254 [20/0] via 192.168.252.13, 4w6d
B 40.131.64.0 255.255.255.0 [20/1] via 192.168.252.13, 4w6d
B 40.133.133.43 255.255.255.255 [20/1] via 192.168.252.13, 4w6d
B 40.133.213.74 255.255.255.254 [20/0] via 192.168.252.13, 4w6d
B 40.135.26.0 255.255.255.0 [20/1] via 192.168.252.13, 4w6d
B 40.137.250.225 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 40.137.251.33 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 40.138.93.97 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 40.138.93.161 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 64.196.20.67 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 64.196.20.131 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 64.197.193.143 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 64.197.193.207 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 66.16.70.136 255.255.255.254 [20/0] via 192.168.252.13, 4w6d
B 70.43.126.128 255.255.255.254 [20/0] via 192.168.252.13, 4w6d
B 162.40.21.253 255.255.255.255 [20/1] via 192.168.252.13, 4w6d
B 167.21.84.227 255.255.255.255 [20/4] via 192.168.252.13, 4w6d
B 167.21.128.83 255.255.255.255 [20/4] via 192.168.252.13, 4w6d
B 172.16.0.0 255.240.0.0 [20/1] via 192.168.252.13, 4w6d
B 172.20.43.0 255.255.255.0 [20/4] via 192.168.252.13, 4w6d
C 172.30.43.0 255.255.255.0 is directly connected, DMZ
L 172.30.43.21 255.255.255.255 is directly connected, DMZ
C 173.10.139.96 255.255.255.248 is directly connected, Comcast_Test
L 173.10.139.100 255.255.255.255 is directly connected, Comcast_Test
C 173.221.200.200 255.255.255.248 is directly connected, outside
L 173.221.200.202 255.255.255.255 is directly connected, outside
B 192.168.0.0 255.255.0.0 [20/1] via 192.168.252.13, 4w6d
B 192.168.4.0 255.255.252.0 [20/4] via 192.168.252.13, 4w6d
S 192.168.8.0 255.255.252.0 [1/0] via 192.168.254.57, inside
B 192.168.20.0 255.255.252.0 [20/4] via 192.168.252.13, 01:50:22
B 192.168.28.0 255.255.252.0 [20/0] via 192.168.252.13, 4w6d
B 192.168.40.0 255.255.252.0 [20/0] via 192.168.252.13, 1d11h
B 192.168.48.0 255.255.252.0 [20/0] via 192.168.252.13, 1d01h
B 192.168.60.0 255.255.252.0 [20/4] via 192.168.252.13, 00:06:21
B 192.168.80.0 255.255.252.0 [20/4] via 192.168.252.13, 3d04h
B 192.168.100.0 255.255.252.0 [20/4] via 192.168.252.13, 2w2d
B 192.168.120.0 255.255.252.0 [20/0] via 192.168.252.13, 4w6d
B 192.168.132.0 255.255.252.0 [20/0] via 192.168.252.13, 4w6d
B 192.168.140.0 255.255.252.0 [20/4] via 192.168.252.13, 2w5d
B 192.168.148.0 255.255.252.0 [20/0] via 192.168.252.13, 4w6d
B 192.168.152.0 255.255.252.0 [20/0] via 192.168.252.13, 4w6d
B 192.168.160.0 255.255.252.0 [20/0] via 192.168.252.13, 4w6d
B 192.168.168.0 255.255.252.0 [20/4] via 192.168.252.13, 4w6d
B 192.168.180.0 255.255.252.0 [20/4] via 192.168.252.13, 03:02:52
B 192.168.252.4 255.255.255.252 [20/4] via 192.168.252.13, 4w6d
B 192.168.252.8 255.255.255.252 [20/4] via 192.168.252.13, 4w6d
C 192.168.252.12 255.255.255.252 is directly connected, mpls
L 192.168.252.14 255.255.255.255 is directly connected, mpls
B 192.168.252.16 255.255.255.252 [20/4] via 192.168.252.13, 2w5d
B 192.168.252.20 255.255.255.252 [20/4] via 192.168.252.13, 01:50:22
B 192.168.252.24 255.255.255.252 [20/4] via 192.168.252.13, 03:02:52
B 192.168.252.28 255.255.255.252 [20/0] via 192.168.252.13, 4w6d
B 192.168.252.32 255.255.255.252 [20/0] via 192.168.252.13, 1d17h
B 192.168.252.36 255.255.255.252 [20/0] via 192.168.252.13, 4w6d
B 192.168.252.40 255.255.255.252 [20/0] via 192.168.252.13, 4w6d
B 192.168.252.44 255.255.255.252 [20/0] via 192.168.252.13, 4w6d
B 192.168.252.48 255.255.255.252 [20/4] via 192.168.252.13, 00:06:21
B 192.168.252.52 255.255.255.252 [20/4] via 192.168.252.13, 3d04h
B 192.168.252.56 255.255.255.252 [20/4] via 192.168.252.13, 2w2d
B 192.168.252.60 255.255.255.252 [20/0] via 192.168.252.13, 4w6d
B 192.168.252.64 255.255.255.252 [20/0] via 192.168.252.13, 4w6d
C 192.168.254.56 255.255.255.248 is directly connected, inside
L 192.168.254.58 255.255.255.255 is directly connected, inside
B 206.246.207.208 255.255.255.254 [20/0] via 192.168.252.13, 4w6d
B 207.59.62.128 255.255.255.254 [20/0] via 192.168.252.13, 4w6d
B 207.170.57.3 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 207.170.57.67 255.255.255.255 [20/0] via 192.168.252.13, 4w6d
B 209.156.205.79 255.255.255.255 [20/0] via 192.168.252.13, 2w0d
B 209.156.206.79 255.255.255.255 [20/0] via 192.168.252.13, 2w0d
Dover ASA config with IPs scrubbed:
Result of the command: "sho run"
: Saved
:
: Serial Number: JAD23240PX7
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname Dover-ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
description Windstream
nameif mpls
security-level 90
ip address 192.168.252.14 255.255.255.252
!
interface GigabitEthernet1/2
description Windstream_internet
nameif outside
security-level 0
ip address WSSubnet.202 255.255.255.248
!
interface GigabitEthernet1/3
description LINK SW01:G1/0/20
nameif inside
security-level 100
ip address 192.168.254.58 255.255.255.248
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif Comcast_Test
security-level 2
ip address Comcast_test_subnet.100 255.255.255.248
!
interface GigabitEthernet1/8
description Interface for the Dover DMZ
nameif DMZ
security-level 50
ip address 172.30.43.21 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name cogencyglobal.com
object network CGI-DMZ
subnet 172.20.43.0 255.255.255.0
object network CGI-Network
subnet 192.168.0.0 255.255.0.0
object network Office-Dover
subnet 192.168.8.0 255.255.252.0
description as supernet
object network DCIS
host 167.21.84.227
object network Internal_RFC1918-10
subnet 10.0.0.0 255.0.0.0
object network Internal_RFC1918-172.16
subnet 172.16.0.0 255.24.0.0
object network Internal_RFC1918-192.168
subnet 192.168.0.0 255.255.0.0
object network Server_RDGWA-Dov
host 192.168.10.208
object network Server_RDGWA-Dov-Outside
host WSSubnet.203
object network DCIS-Test
host 167.21.128.83
object network UTIL-SAC
host 192.168.50.239
description Test File Transfer bypassing SFR
object network FILE01-DOV
host 192.168.10.240
description Test File Transfer bypassing SFR
object network HV01-DOV
host 192.168.10.91
object network HV01-NYC
host 192.168.4.213
object network GP2016-DOV
host 192.168.10.46
object network SQL-GP
host 192.168.4.68
object network GP2016TS-NYC
host 192.168.4.67
object network GPTS-NYC
host 192.168.4.206
object network GP-NYC
host 192.168.4.205
object network NAS06-COLO-NIC1
host 192.168.170.159
description NIC1
object network NAS06-COLO-NIC2
host 192.168.170.160
description NIC2
object network NAS02-DOV
host 192.168.10.201
object network Server_Dover-DMZ-Test
host 172.30.43.210
description DMZ Test RRAS
object network DMZ-Network
subnet 172.30.43.0 255.255.255.0
object service 445
service tcp source eq 445 destination eq 445
object network NETWORK_OBJ_192.168.190.0_24
subnet 192.168.190.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Dover_Data_Subnet
subnet 192.168.10.0 255.255.255.0
object network New_CoLo_Subnet
subnet 192.168.190.0 255.255.255.0
object network Colo_Subnet
subnet 192.168.170.0 255.255.255.0
object network Dover_252subnet
subnet 192.168.8.0 255.255.252.0
object-group network local-network
network-object object Office-Dover
network-object 192.168.254.56 255.255.255.248
object-group network remote-network
network-object object CGI-Network
network-object object CGI-DMZ
network-object object DCIS
object-group network Internal_RFC1918
network-object object Internal_RFC1918-10
network-object object Internal_RFC1918-172.16
network-object object Internal_RFC1918-192.168
object-group network NOG-RingCentral
description All RingCentral Networks a/o 20170919
network-object 103.44.68.0 255.255.252.0
network-object 66.81.240.0 255.255.240.0
network-object 80.81.128.0 255.255.240.0
network-object 104.245.56.0 255.255.248.0
network-object 185.23.248.0 255.255.252.0
network-object 192.209.24.0 255.255.248.0
network-object 199.255.120.0 255.255.252.0
network-object 199.68.212.0 255.255.252.0
network-object 208.87.40.0 255.255.252.0
object-group service SOG-RC-SIP
description RingCentral SIP service identifiers a/o 20170919
service-object tcp-udp source range sip 6000
service-object tcp-udp destination range sip 6000
object-group service SMTP-DNS
service-object tcp-udp destination eq domain
service-object tcp destination eq smtp
object-group service RDC
service-object tcp destination eq https
service-object udp destination eq 3391
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq 3391
object-group network DCIS-Hosts
network-object object DCIS
network-object object DCIS-Test
object-group icmp-type ICMP-allowed
icmp-object echo
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
object-group service http-all tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RRAS_Services tcp
description The following ports need to be open from 172 network to 192 network
port-object eq 135
port-object eq 15000
port-object eq 3268
port-object eq 445
port-object eq 464
port-object range 49152 65535
port-object eq 88
port-object eq domain
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
port-object eq netbios-ssn
port-object eq 3389
object-group service RRAS_Services_UDP udp
description The following ports need to be open from 172 network to 192 network
port-object eq 389
port-object eq 636
port-object eq domain
port-object eq netbios-dgm
port-object eq netbios-ns
port-object eq ntp
port-object eq 3389
object-group network VPN_Local
network-object 192.168.254.56 255.255.255.248
network-object object Dover_252subnet
object-group network VPN_Remote
network-object object New_CoLo_Subnet
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq 1427
service-object tcp destination eq 1433
service-object tcp destination eq 3539
service-object tcp destination eq 50733
service-object tcp destination eq 52345
service-object tcp destination eq 57168
service-object tcp destination eq 65228
service-object udp destination eq 1434
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 1427
service-object tcp destination eq 1433
service-object tcp destination eq 3539
service-object tcp destination eq 50733
service-object tcp destination eq 52345
service-object tcp destination eq 57168
service-object tcp destination eq 65228
service-object udp destination eq 1434
object-group service DM_INLINE_SERVICE_4
service-object tcp destination eq 1427
service-object tcp destination eq 1433
service-object tcp destination eq 3539
service-object tcp destination eq 50733
service-object tcp destination eq 52345
service-object tcp destination eq 57168
service-object tcp destination eq 65228
service-object udp destination eq 1434
object-group service DM_INLINE_SERVICE_5
service-object tcp destination eq 1427
service-object tcp destination eq 1433
service-object tcp destination eq 3539
service-object tcp destination eq 50733
service-object tcp destination eq 52345
service-object tcp destination eq 57168
service-object tcp destination eq 65228
service-object udp destination eq 1434
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Colo_Subnet object DMZ-Network
access-list outside_access_in extended deny udp any4 any4 eq netbios-ns
access-list outside_access_in extended deny udp any4 any4 eq netbios-dgm
access-list outside_access_in extended deny tcp any4 any4 eq netbios-ssn
access-list outside_access_in extended deny tcp any4 any4 eq 445
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Server_RDGWA-Dov
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Colo_Subnet object DMZ-Network
access-list inside_access_in extended permit icmp any object DMZ-Network object-group ICMP-allowed
access-list inside_access_in extended permit tcp any4 object DMZ-Network object-group http-all
access-list inside_access_in extended permit ip any any
access-list Comcast_Test_cryptomap extended permit ip object-group VPN_Local object-group VPN_Remote
access-list sfr_redirect extended deny ip object FILE01-DOV object GPTS-NYC
access-list sfr_redirect extended deny ip object FILE01-DOV object GP-NYC
access-list sfr_redirect extended deny ip object FILE01-DOV object UTIL-SAC
access-list sfr_redirect extended deny ip object UTIL-SAC object FILE01-DOV
access-list sfr_redirect extended deny ip object HV01-DOV object HV01-NYC
access-list sfr_redirect extended deny ip object HV01-NYC object HV01-DOV
access-list sfr_redirect extended deny ip object GP2016-DOV object SQL-GP
access-list sfr_redirect extended deny ip object SQL-GP object GP2016-DOV
access-list sfr_redirect extended deny ip object FILE01-DOV object GP2016TS-NYC
access-list sfr_redirect extended deny ip object GP2016TS-NYC object FILE01-DOV
access-list sfr_redirect extended deny ip object NAS06-COLO-NIC2 object NAS02-DOV
access-list sfr_redirect extended deny ip object NAS06-COLO-NIC1 object NAS02-DOV
access-list sfr_redirect extended deny ip object NAS02-DOV object NAS06-COLO-NIC1
access-list sfr_redirect extended deny ip object NAS02-DOV object NAS06-COLO-NIC2
access-list sfr_redirect extended permit ip any any
access-list netflow-export extended permit ip any any
access-list mpls_access_in extended permit object-group DM_INLINE_SERVICE_3 object Colo_Subnet object DMZ-Network
access-list mpls_access_in extended permit ip any any
access-list mpls_access_in extended permit icmp object DMZ-Network object CGI-DMZ object-group ICMP-allowed
access-list ACL-RoutingProtocol extended permit udp any any eq rip
access-list ACL-RoutingProtocol extended permit udp any eq rip any
access-list ACL-RoutingProtocol extended permit eigrp any any
access-list ACL-RoutingProtocol extended permit ospf any any
access-list ACL-RoutingProtocol extended permit tcp any any eq bgp
access-list ACL-RoutingProtocol extended permit tcp any eq bgp any
access-list ACL-RTR-IB-RC-Voice-RTP extended permit udp object-group NOG-RingCentral range 9000 64999 any
access-list ACL-RTR-IB-RC-Video-RTP extended permit udp object-group NOG-RingCentral any range 8801 8802
access-list ACL-RTR-IB-RC-GeneralSIP extended permit object-group SOG-RC-SIP object-group NOG-RingCentral any
access-list ACL-RTR-IB-RC-Networks-All extended permit ip object-group NOG-RingCentral any
access-list ACL-RTR-IB-Cust-AF11 extended deny tcp any any
access-list ACL-RTR-IB-Cust-AF11 extended deny udp any any
access-list DMZ_access_in extended permit icmp object DMZ-Network any4 object-group ICMP-allowed
access-list DOVER_DMZ-Route-Map-ACL extended deny ip object Server_Dover-DMZ-Test object-group Internal_RFC1918
access-list DOVER_DMZ-Route-Map-ACL extended permit ip object Server_Dover-DMZ-Test any
access-list DMZ_access_in_1 extended permit icmp object DMZ-Network any4 object-group ICMP-allowed
access-list DMZ_access_in_1 extended permit tcp object DMZ-Network any4 eq https
access-list DMZ_access_in_1 extended permit tcp object DMZ-Network object CGI-Network object-group RRAS_Services
access-list DMZ_access_in_1 extended permit udp object DMZ-Network object CGI-Network object-group RRAS_Services_UDP
access-list DMZ_access_out extended permit icmp any any object-group ICMP-allowed
access-list DMZ_access_out extended permit tcp object CGI-Network object DMZ-Network object-group RRAS_Services
access-list DMZ_access_out extended permit udp object CGI-Network object DMZ-Network object-group RRAS_Services_UDP
access-list DMZ_access_out extended permit object-group DM_INLINE_SERVICE_2 object Colo_Subnet object DMZ-Network
access-list DMZ_access_out extended deny ip object CGI-Network object DMZ-Network
access-list Comcast_Test_access_in extended permit ip object New_CoLo_Subnet object Dover_Data_Subnet
access-list Comcast_Test_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging facility 17
logging host mpls 192.168.170.250 17/49333
no logging message 106014
no logging message 106006
no logging message 106001
no logging message 313001
no logging message 710003
no logging message 106100
flow-export destination inside 192.168.170.250 2055
mtu mpls 1500
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Comcast_Test 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any mpls
icmp permit any echo-reply outside
icmp permit host A_subnet.98 outside
icmp permit any outside
icmp permit any inside
icmp permit any Comcast_Test
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static Server_RDGWA-Dov Server_RDGWA-Dov-Outside
nat (DMZ,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (DMZ,any) source static CGI-DMZ CGI-DMZ destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,any) source static CGI-DMZ CGI-DMZ destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,Comcast_Test) source static VPN_Local VPN_Local destination static VPN_Remote VPN_Remote no-proxy-arp route-lookup
!
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static DCIS-Hosts DCIS-Hosts no-proxy-arp
nat (any,outside) after-auto source dynamic any interface
access-group mpls_access_in in interface mpls
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_in out interface inside
access-group DMZ_access_in_1 in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Comcast_Test_access_in in interface Comcast_Test
router bgp 65101
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 192.168.252.13 remote-as 65201
neighbor 192.168.252.13 activate
network 192.168.8.0 mask 255.255.252.0
network 172.30.43.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
route outside 0.0.0.0 0.0.0.0 WSSubnet.201 1
route Comcast_Test 0.0.0.0 0.0.0.0 Comcast_test_subnet.102 2
route inside 192.168.8.0 255.255.252.0 192.168.254.57 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.170.250 255.255.255.255 mpls
http A_subnet.98 255.255.255.255 outside
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server user SolarWrite No_Authentication_No_Encryption v3 engineID
snmp-server host mpls 192.168.170.250 poll community ***** version 2c
snmp-server location Dover Server Room
snmp-server contact is@cogencyglobal.com
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Comcast_Test_map0 1 match address Comcast_Test_cryptomap
crypto map Comcast_Test_map0 1 set peer Colo_subnet.12
crypto map Comcast_Test_map0 1 set ikev1 transform-set ESP-3DES-MD5
crypto map Comcast_Test_map0 interface Comcast_Test
crypto ca trustpool policy
crypto ikev1 enable Comcast_Test
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.170.250 255.255.255.255 mpls
ssh A_subnet.98 255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.243 source inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 mpls
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 mpls vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside vpnlb-ip
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Colo_subnet.12 type ipsec-l2l
tunnel-group Colo_subnet.12 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map CM-RTR-IB-RC-Other
description AllRingCentral Originated Traffic
match access-list ACL-RTR-IB-RC-Networks-All
class-map netflow-export-class
match access-list netflow-export
class-map global-class
match any
class-map CM-RTR-IB-RC-SIP
description RingCentral SIP Traffic
match access-list ACL-RTR-IB-RC-GeneralSIP
class-map CM-RTR-IB-Cust-AF12
description Customer AF13 class traffic
class-map sfr
match access-list sfr_redirect
class-map CM-RTR-IB-Cust-AF11
description Customer AF11 class traffic
class-map inspection_default
match default-inspection-traffic
class-map CM-RTR-IB-RC-Video-RT
description RingCentral Originated Traffic Video RTP
match access-list ACL-RTR-IB-RC-Video-RTP
class-map CM-RTR-IB-RC-Voice-RT
match access-list ACL-RTR-IB-RC-Voice-RTP
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class sfr
sfr fail-open
class netflow-export-class
flow-export event-type all destination 192.168.170.250
policy-map PM-RTR-IB-Standard-QoS
class CM-RTR-IB-RC-Voice-RT
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
: end
CoLo ASA 5516 config:
Result of the command: "sho run"
: Saved
:
: Serial Number: JAD22270DAF
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.9(2)
!
hostname Future-CoLo-ASA
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address asubnet.180 255.255.255.248
!
interface GigabitEthernet1/2
nameif Tierpoint
security-level 5
ip address Tierpoint_subnet.12 255.255.255.248
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.190.22 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
nameif DMZ
security-level 50
ip address 172.20.43.21 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description LAN Failover Interface
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
ip address 192.168.33.22 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name cogencyglobal.com
object network Internal_RFC1918-10
subnet 10.0.0.0 255.0.0.0
object network Internal_RFC1918-172.16
subnet 172.16.0.0 255.240.0.0
object network Internal_RFC1918-192.168
subnet 192.168.0.0 255.255.0.0
object network New_CoLo-SW01
host 192.168.190.21
object network Office-CoLo
subnet 192.168.190.0 255.255.255.0
object network OldCoLo-DMZ
subnet 172.20.43.0 255.255.255.0
object network Office-OldCoLo
subnet 192.168.170.0 255.255.255.0
object network Office-dover
subnet 192.168.8.0 255.255.252.0
object network Dover_inside
subnet 192.168.254.56 255.255.255.248
object service SSH
service tcp source eq ssh destination eq ssh
object service 6758
service tcp source eq 6758 destination eq ssh
object network Office-Albany
subnet 192.168.20.0 255.255.255.0
object network Dover-test-data
subnet 192.168.110.0 255.255.255.0
object network dover-test-sub
subnet 192.168.254.224 255.255.255.248
object-group network Internal_RFC1918
network-object object Internal_RFC1918-10
network-object object Internal_RFC1918-192.168
network-object object Internal_RFC1918-172.16
object-group network local-network
network-object object Office-CoLo
object-group network remote-network
network-object object Office-OldCoLo
network-object object OldCoLo-DMZ
object-group network remote-dover
network-object object Dover_inside
network-object object Office-dover
object-group network Remote-dover-test
network-object object Dover-test-data
network-object object dover-test-sub
object-group network local-dover
network-object object Dover_inside
network-object object Office-dover
access-list mpls_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list Tierpoint_cryptomap_1 extended permit ip object-group local-network object-group remote-network
access-list Tierpoint_access_in extended permit tcp any object New_CoLo-SW01 eq ssh
access-list Tierpoint_access_in extended permit tcp any object New_CoLo-SW01 eq 6758
access-list Tierpoint_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list Tierpoint_cryptomap extended permit ip object-group local-network object-group Remote-dover-test
access-list Tierpoint_cryptomap_2 extended permit ip object-group local-network object-group remote-dover
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Tierpoint 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Tierpoint
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,any) source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
nat (any,outside) source dynamic any interface inactive
nat (any,Tierpoint) source dynamic any interface
nat (inside,Tierpoint) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
nat (inside,Tierpoint) source static local-network local-network destination static Remote-dover-test Remote-dover-test no-proxy-arp route-lookup
nat (inside,Tierpoint) source static local-dover local-dover destination static remote-dover remote-dover no-proxy-arp route-lookup
nat (inside,Tierpoint) source static local-network local-network destination static remote-dover remote-dover no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group Tierpoint_access_in in interface Tierpoint
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route Tierpoint 0.0.0.0 0.0.0.0 Tierpoint_subnet.9 1
route outside 0.0.0.0 0.0.0.0 asubnet.177 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.33.49 255.255.255.255 management
http 0.0.0.0 0.0.0.0 inside
snmp-server group No_Authentication_No_Encryption v3 noauth
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Tierpoint_map1 1 match address Tierpoint_cryptomap
crypto map Tierpoint_map1 1 set peer subnettoDover.101
crypto map Tierpoint_map1 1 set ikev1 transform-set ESP-3DES-MD5
crypto map Tierpoint_map1 2 match address Tierpoint_cryptomap_1
crypto map Tierpoint_map1 2 set peer Working_tunnel_subnet.251
crypto map Tierpoint_map1 2 set ikev1 transform-set ESP-3DES-MD5
crypto map Tierpoint_map1 3 match address Tierpoint_cryptomap_2
crypto map Tierpoint_map1 3 set peer subnettoDover.100
crypto map Tierpoint_map1 3 set ikev1 transform-set ESP-3DES-MD5
crypto map Tierpoint_map1 interface Tierpoint
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable Tierpoint
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.97.5
ssl cipher default custom "AES256-SHA"
ssl cipher tlsv1 custom "AES256-SHA"
ssl cipher tlsv1.1 low
ssl cipher tlsv1.2 low
ssl cipher dtlsv1 custom "AES256-SHA"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Working_tunnel_subnet.251 type ipsec-l2l
tunnel-group Working_tunnel_subnet.251 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group subnettoDover.101 type ipsec-l2l
tunnel-group subnettoDover.101 general-attributes
default-group-policy GroupPolicy1
tunnel-group subnettoDover.101 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group subnettoDover.100 type ipsec-l2l
tunnel-group subnettoDover.100 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
: end
Please help, I am stumped!
Jesse
09-15-2022 08:39 AM
Just want to mention I will analyze this issue tonight.
Sorry for the late reply.
09-15-2022 08:46 AM
Thank you, I really appreciate the response. I also asked the question again with a little more info, here: https://community.cisco.com/t5/network-security/ipsec-tunnel-up-but-one-side-tx-only-sdwan-or-bgp-interfering/td-p/4687973
I think it is a NAT issue on the Dover end, but I'm not sure...
09-15-2022 05:07 PM
Point 1
object network Dover_252subnet
subnet 192.168.8.0 255.255.252.0 <<- this must be 255.255.255.0, not 255.255.252.0
Point 2
route outside 0.0.0.0 0.0.0.0 WSSubnet.201 1
route Comcast_Test 0.0.0.0 0.0.0.0 Comcast_test_subnet.102 2
You configured the crypto map under Comcast_Test, but the default route points to outside because it has a lower AD.
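The second point above is a route-lookup problem rather than a crypto one: the ASA resolves the egress interface first (longest prefix match, then lowest administrative distance), and a crypto map only ever sees traffic that is routed out of the interface it is applied to. The script below is an added example, not from the thread or from Cisco. It reads `route` and `crypto map ... set peer/interface` lines from a `show run`, reproduces that egress choice for each IKE peer, and flags any crypto map bound to an interface the peer is not actually routed through. The sample config is constructed: the RFC 5737 documentation addresses stand in for the thread's placeholders (WSSubnet.201, Comcast_test_subnet.102, Colo_subnet.12), and the regexes cover only the static `route` and IKEv1 crypto-map forms shown on this page.

```python
"""Added example (not from the thread or from Cisco): reproduce the ASA's
egress-interface choice for an IKE peer from `route` and `crypto map` lines
and flag a crypto map bound to an interface the peer is not routed through."""
import ipaddress
import re

# Constructed sample modelled on the Dover ASA in the thread. The RFC 5737
# documentation addresses stand in for the placeholders (WSSubnet.201,
# Comcast_test_subnet.102, Colo_subnet.12) and are not real values.
BROKEN_CONFIG = """
route outside 0.0.0.0 0.0.0.0 203.0.113.201 1
route Comcast_Test 0.0.0.0 0.0.0.0 198.51.100.102 2
crypto map Comcast_Test_map0 1 match address Comcast_Test_cryptomap
crypto map Comcast_Test_map0 1 set peer 192.0.2.12
crypto map Comcast_Test_map0 interface Comcast_Test
"""

# The fix the thread arrived at: a host route for the peer via Comcast_Test.
# A /32 wins on prefix length before AD is even compared.
FIXED_CONFIG = BROKEN_CONFIG + (
    "route Comcast_Test 192.0.2.12 255.255.255.255 198.51.100.102 1\n"
)

# Static routes: route <ifc> <network> <mask> <next-hop> [<AD>]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
# crypto map <name> <seq> set peer <ip> [<ip> ...]  (first peer only here)
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+set peer\s+(\S+)")
# crypto map <name> interface <ifc>
BIND_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)$")


def parse_routes(config):
    """Return (interface, network, next_hop, ad) tuples; AD defaults to 1."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ifc, net, mask, next_hop, ad = m.groups()
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            routes.append((ifc, network, next_hop, int(ad or 1)))
    return routes


def egress_interface(routes, destination):
    """Pick the route the ASA would use: longest prefix, then lowest AD."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r[1]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[1].prefixlen, r[3]))
    return best[0]


def check_crypto_map_egress(config):
    """Report every crypto-map peer whose route lookup leaves the box on an
    interface other than the one the crypto map is applied to."""
    routes = parse_routes(config)
    bindings = {}   # crypto map name -> interface it is applied to
    peers = []      # (crypto map name, peer address)
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = PEER_RE.match(line)
        if m:
            peers.append((m.group(1), m.group(2)))
    findings = []
    for cmap, peer in peers:
        bound = bindings.get(cmap)
        egress = egress_interface(routes, peer)
        if bound != egress:
            findings.append(
                f"{cmap}: peer {peer} is bound to {bound} but routes via {egress}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_crypto_map_egress(cfg) or "OK")
```

The same egress rule applies to the protected traffic itself: the networks in the crypto ACL must also resolve to the crypto map's interface, so a host route for the peer alone is not enough if the remote subnet is learned over BGP via another interface. Paste the real `show run` output in place of the constructed sample to run the check against a live box.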
09-17-2022 06:54 AM
You were right, it was the static route! I changed it from 0.0.0.0 to the specific IP of the other end of the tunnel, and boom! Thank you so much, you are awesome!
09-18-2022 08:19 AM
You are so so welcome Friend