10-07-2011 07:52 AM - edited 03-07-2019 02:40 AM
I have an ASA with 2 networks locally communicating with a remote PIX through a VPN connection. The ASA network 172.16.10.x is communicating through the tunnel to the PIX network 172.16.11.0 just fine as desired. The 2nd network on the ASA is 10.168.30.0 and this network cannot get through to the PIX 172.16.11.0 network. I need trafic to flow from both ASA networks to the PIX network through the tunnel. It appears there is a routing issue, but I cannot figure out which side to apply the route command to. The symptoms are:
1. From the 172.16.10.0 network on the ASA I can ping all devices on the 172.16.11.0 network, as desired
2. From the 10.168.30.0 network on the ASA I cannot ping anything on the inside network of the 172.16.11.0 PIX network, but I can ping the outside public interface of the PIX.
3. From the 172.16.11.0 PIX network I can ping all devices on the ASA 172.16.10.0 network as desired, but only the inside interface of the 10.168.30.0 network, no further.
Configs of both devices follow:
ASA
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(8)
!
hostname fw
domain-name DOMAIN
enable password ****** encrypted
passwd ****** encrypted
no names
dns-guard
!
interface Ethernet0/0
description Outside interface for 159.87.64.x network
nameif outside1
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
description First inside interface for 172.16.10.x network
nameif inside1
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
description Interface for OPM Server farm
nameif Inside2
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone MST -7
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Hosts
network-object 172.16.10.19 255.255.255.255
network-object 172.16.10.22 255.255.255.255
network-object 172.16.10.23 255.255.255.255
network-object 172.16.10.17 255.255.255.255
network-object 172.16.10.21 255.255.255.255
network-object 172.16.10.254 255.255.255.255
object-group network All_VPN
network-object 172.16.11.0 255.255.255.0
network-object 172.16.12.0 255.255.255.0
network-object 172.16.17.0 255.255.255.0
network-object 172.16.18.0 255.255.255.0
network-object 172.16.14.0 255.255.255.0
network-object 172.16.15.0 255.255.255.0
object-group service ActiveDir tcp
port-object eq ldap
port-object eq kerberos
port-object eq netbios-ssn
port-object eq 88
port-object eq 3269
port-object eq domain
port-object eq 3268
port-object eq ldaps
port-object eq 445
object-group service DNS tcp-udp
port-object eq domain
port-object eq 88
port-object eq 389
object-group network insideDNS
network-object 172.16.10.17 255.255.255.255
network-object 172.16.10.18 255.255.255.255
network-object 172.16.10.24 255.255.255.255
object-group network insideDC
network-object 172.16.10.17 255.255.255.255
network-object 172.16.10.18 255.255.255.255
object-group network ITManagers
network-object 172.16.10.13 255.255.255.255
network-object 172.16.10.16 255.255.255.255
object-group service Mail tcp
port-object eq 691
port-object eq pop3
port-object eq imap4
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 995
port-object eq 993
port-object eq aol
port-object range 1024 65535
port-object eq 135
port-object eq netbios-ssn
object-group network CiscoClients
network-object 172.16.10.224 255.255.255.240
object-group network CiscoClients_Outside
network-object 172.16.10.224 255.255.255.240
object-group network Remote_switches
network-object 10.0.0.0 255.0.0.0
object-group service Citrix tcp
port-object range citrix-ica citrix-ica
port-object eq www
port-object eq https
object-group service Webports tcp
port-object eq www
port-object eq https
object-group network OPM_HTTP
network-object 10.168.30.106 255.255.255.255
network-object 10.168.30.65 255.255.255.255
network-object 10.168.30.60 255.255.255.255
network-object 10.168.30.5 255.255.255.255
network-object 10.168.30.7 255.255.255.255
object-group network OPM_HTTPS
network-object 10.168.30.106 255.255.255.255
network-object 10.168.30.5 255.255.255.255
network-object 10.168.30.60 255.255.255.255
network-object 10.168.30.65 255.255.255.255
object-group network OPM_SSH
network-object 10.168.30.5 255.255.255.255
network-object 10.168.30.65 255.255.255.255
network-object 10.168.30.60 255.255.255.255
object-group network OPM_HTTP_ref_1
network-object 159.87.64.106 255.255.255.255
network-object 159.87.64.31 255.255.255.255
network-object 159.87.64.60 255.255.255.255
network-object 159.87.64.5 255.255.255.255
network-object 159.87.64.7 255.255.255.255
object-group network OPM_HTTPS_ref_1
network-object 159.87.64.106 255.255.255.255
network-object 159.87.64.5 255.255.255.255
network-object 159.87.64.60 255.255.255.255
network-object 159.87.64.31 255.255.255.255
access-list outside1_cryptomap_10 extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_10 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list Net standard permit 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list outside1_access_in extended deny ip host 203.229.126.240 any
access-list outside1_access_in extended deny ip host 208.85.53.26 any
access-list outside1_access_in extended deny ip host 66.231.80.236 any
access-list outside1_access_in extended deny ip host 208.69.101.152 any
access-list outside1_access_in extended deny ip host 208.85.51.96 any
access-list outside1_access_in extended deny ip host 69.25.202.44 any
access-list outside1_access_in extended deny ip host 69.25.202.43 any
access-list outside1_access_in extended permit ip 172.16.18.0 255.255.255.0 any
access-list outside1_access_in extended permit icmp host 159.87.222.1 any
access-list outside1_access_in extended permit ip 159.87.0.0 255.255.0.0 159.87.64.0 255.255.255.0 log notifications
access-list outside1_access_in extended permit tcp object-group All_VPN gt 1024 host 172.16.10.21 log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS object-group ActiveDir log
access-list outside1_access_in extended permit udp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group ActiveDir object-group insideDC log
access-list outside1_access_in extended permit ip object-group CiscoClients_Outside any
access-list outside1_access_in extended permit tcp any object-group Mail host x.x.x.x log
access-list outside1_access_in extended permit tcp host 198.151.212.32 host 159.87.64.6 eq 1433
access-list outside1_access_in extended permit tcp any object-group Webports host 159.87.64.6
access-list outside1_access_in extended permit tcp any object-group Mail host 159.87.64.241 log
access-list outside1_access_in extended permit ip object-group All_VPN host 172.16.10.28 inactive
access-list outside1_access_in extended permit icmp host 209.181.122.61 any
access-list outside1_access_in extended deny ip host 124.120.232.250 any
access-list outside1_access_in extended permit tcp any host x.x.x.x object-group Citrix log
access-list outside1_access_in extended permit ip any host x.x.x.x
access-list outside1_access_in extended permit tcp any object-group DNS x.x.x.x 255.255.255.0
access-list outside1_access_in extended permit tcp any object-group OPM_HTTP_ref_1 eq www
access-list outside1_access_in extended permit tcp any object-group OPM_HTTPS_ref_1 eq https
access-list outside1_access_in extended permit tcp any object-group OPM_SSH_ref_1 eq ssh
access-list outside1_access_in extended deny tcp host 178.73.217.168 any
access-list outside1_access_in extended deny tcp host 82.192.88.2 any
access-list outside1_access_in extended deny tcp host 75.88.23.33 any
access-list outside1_access_in extended permit icmp 172.16.11.0 255.255.255.0 any
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 24.248.61.65 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 216.161.172.34 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 63.245.209.10 range 1024 65535
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 66.135.33.47 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 184.168.239.1 eq www
access-list inside1_access_in extended permit ip host 172.16.10.62 172.16.10.0 255.255.255.0
access-list inside1_access_in extended permit ip host 172.16.10.62 10.168.30.0 255.255.255.0
access-list inside1_access_in extended deny ip host 172.16.10.62 any
access-list inside1_access_in extended permit ip any any log warnings
access-list inside1_access_in extended permit icmp any any log warnings inactive
access-list inside1_access_in extended permit tcp host 172.16.10.19 eq smtp any
access-list inside1_access_in extended deny tcp any eq smtp any
access-list capin extended permit ip host 172.16.10.12 any
access-list capin extended permit ip any host 172.16.10.12
access-list outside1_cryptomap_dyn_40 extended permit ip any 172.16.10.224 255.255.255.240
access-list outside1_nat0_inbound extended permit ip object-group CiscoClients_Outside object-group ****_Hosts
access-list outside1_cryptomap_30 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cout extended permit ip host x.x.x.x host 159.87.70.66
access-list cout extended permit ip host x.x.x.x host 159.87.64.30
access-list inside2_access_in extended permit ip any any log
access-list outside1_cryptomap_30_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cin extended permit ip host 172.16.10.110 host 159.87.70.66
access-list cin extended permit ip host x.x.x.x host 172.16.10.110
access-list outside1_cryptomap_80 extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list outside1_cryptomap105 extended permit ip any 172.16.15.0 255.255.255.0
access-list outside1_cryptomap_20 extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list outside1_cryptomap_40_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list Inside2_access_in extended permit tcp 10.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0 log warnings
access-list Inside2_access_in extended permit tcp any any log warnings
access-list Inside2_access_in extended permit ip any any
access-list Inside2_access_in extended permit tcp any x.x.x.x 255.255.255.128
access-list nonat2 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
!
http-map http-map
strict-http action allow log
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging console warnings
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside1 172.16.10.12
logging debug-trace
mtu outside1 1500
mtu inside1 1500
mtu Inside2 1500
mtu management 1500
ip local pool DefaultRSPool 172.16.10.224-172.16.10.239 mask 255.255.255.0
no failover
monitor-interface outside1
monitor-interface inside1
monitor-interface Inside2
monitor-interface management
icmp permit any outside1
icmp permit any inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (outside1) 0 access-list outside1_nat0_inbound outside
nat (outside1) 1 172.16.0.0 255.255.0.0
nat (inside1) 0 access-list nonat
nat (inside1) 1 172.16.10.0 255.255.255.0
nat (Inside2) 0 access-list nonat2
nat (Inside2) 1 10.168.30.0 255.255.255.0
static (inside1,outside1) x.x.x.x 172.16.10.21 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.19 netmask 255.255.255.255
static (inside1,inside1) 172.16.11.0 159.87.60.146 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.22 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.10 netmask 255.255.255.255
static (inside1,inside1) 172.16.12.0 209.181.122.61 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.254 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.32 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.39 netmask 255.255.255.255
static (inside1,inside1) 172.16.18.0 x.x.x.x netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.26 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.44 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.34 netmask 255.255.255.255
static (inside1,inside1) 172.16.14.0 x.x.x.x netmask 255.255.255.255
static (inside1,inside1) 172.16.15.0 x.x.x.x netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.53 netmask 255.255.255.255
static (inside1,Inside2) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
static (Inside2,inside1) 10.168.30.0 10.168.30.0 netmask 255.255.255.0
static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (Inside2,outside1) x.x.x.x 10.168.30.7 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.106 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.5 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.60 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.65 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.22 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.3 netmask 255.255.255.255
static (inside1,inside1) 172.16.17.0 x.x.x.x netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.67 netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside1_access_in in interface inside1
access-group Inside2_access_in in interface Inside2
route outside1 0.0.0.0 0.0.0.0 159.87.64.1 1
timeout xlate 10:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 9:05:00 absolute uauth 9:00:00 inactivity
aaa-server vpn protocol kerberos
aaa-server vpn (inside1) host 172.16.10.17
kerberos-realm DOMAIN
aaa-server protocol radius
aaa-server (inside1) host 172.16.10.17
key *****
radius-common-pw ****
group-policy DfltGrpPolicy attributes
wins-server none
dns-server value 172.16.10.24 172.16.10.18
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value DOMAIN
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy CiscoClient internal
group-policy CiscoClient attributes
dns-server value 172.16.10.24 172.16.10.18
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
group-lock value CiscoClient
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Net
default-domain value DOMAIN
webvpn
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.0 outside1
http 172.16.10.16 255.255.255.255 inside1
http 172.16.10.13 255.255.255.255 inside1
http 172.16.10.0 255.255.255.0 inside1
http 192.168.1.0 255.255.255.0 management
snmp-server host inside1 172.16.10.16 community public
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please type your username and password
auth-prompt reject Invalid redentials
crypto ipsec transform-set Set esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set **** esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynMap 20 set transform-set ****Set
crypto dynamic-map DynMap 20 set security-association lifetime seconds 28800
crypto dynamic-map DynMap 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map DynMap 25 set transform-set ****Set
crypto dynamic-map DynMap 25 set security-association lifetime seconds 28800
crypto dynamic-map DynMap 25 set security-association lifetime kilobytes 4608000
crypto map ****Map 10 match address outside1_cryptomap_10
crypto map ****Map 10 set peer x.x.x.x
crypto map ****Map 10 set transform-set ****Set
crypto map ****Map 10 set security-association lifetime seconds 28800
crypto map ****Map 10 set security-association lifetime kilobytes 4608000
crypto map ****Map 20 match address outside1_cryptomap_20
crypto map ****Map 20 set peer x.x.x.x
crypto map ****Map 20 set transform-set ****Set
crypto map ****Map 20 set security-association lifetime seconds 28800
crypto map ****Map 20 set security-association lifetime kilobytes 4608000
crypto map ****Map 30 match address outside1_cryptomap_30_1
crypto map ****Map 30 set peer x.x.x.x
crypto map ****Map 30 set transform-set ****Set
crypto map ****Map 30 set security-association lifetime seconds 28800
crypto map ****Map 30 set security-association lifetime kilobytes 4608000
crypto map ****Map 40 match address outside1_cryptomap_40_1
crypto map ****Map 40 set peer x.x.x.x
crypto map ****Map 40 set transform-set ****Set
crypto map ****Map 40 set security-association lifetime seconds 28800
crypto map ****Map 40 set security-association lifetime kilobytes 4608000
crypto map ****Map 60 match address outside1_cryptomap_60
crypto map ****Map 60 set peer x.x.x.x
crypto map ****Map 60 set transform-set ****Set
crypto map ****Map 60 set security-association lifetime seconds 28800
crypto map ****Map 60 set security-association lifetime kilobytes 4608000
crypto map ****Map 80 match address outside1_cryptomap_80
crypto map ****Map 80 set peer x.x.x.x
crypto map ****Map 80 set transform-set ****Set
crypto map ****Map 80 set security-association lifetime seconds 28800
crypto map ****Map 80 set security-association lifetime kilobytes 4608000
crypto map ****Map 65535 ipsec-isakmp dynamic ****DynMap
crypto map ****Map interface outside1
isakmp identity address
isakmp enable outside1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal 21
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
address-pool (outside1) DefaultRSPool
authentication-server-group azdavpn
authentication-server-group (inside1) vpn
authentication-server-group (outside1) vpn
dhcp-server 172.16.10.24
dhcp-server 172.16.10.18
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group CiscoClient type ipsec-ra
tunnel-group CiscoClient general-attributes
address-pool (outside1) DefaultRSPool
address-pool DefaultRSPool
authentication-server-group ****
authentication-server-group (outside1) ****
default-group-policy CiscoClient
tunnel-group CiscoClient ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
no vpn-addr-assign aaa
telnet 172.16.10.0 255.255.255.0 inside1
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside1
ssh 172.16.10.0 255.255.255.0 inside1
ssh timeout 60
console timeout 0
management-access Inside2
!
class-map outside1-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp
policy-map outside1-policy
description FTP
class outside1-class
inspect rtsp
inspect ftp
!
service-policy global_policy global
service-policy outside1-policy interface outside1
ntp server 204.123.2.5 source outside1
ntp server 18.26.4.105 source outside1
ntp server 209.81.9.7 source outside1
tftp-server inside1 172.16.10.13 /
smtp-server 172.16.10.19
client-update enable
Cryptochecksum:0c40ecbc8f7802eba1caf35ee7e2e091
: end
PIX
Result of the command: "show running-config"
: Saved
:
PIX Version 7.1(2)
!
hostname fw
domain-name DOMAIN
enable password ***** encrypted
no names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.11.1 255.255.255.0
!
passwd **** encrypted
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name DOMAIN
object-group network DOMAIN
network-object 159.87.64.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
object-group network Tucson
network-object 172.16.11.0 255.255.255.0
object-group network Inside_DNS-DomainController
network-object DOMAIN-dc0 255.255.255.255
network-object DOMAIN-dc1 255.255.255.255
object-group network Outside_DNS
object-group service ActiveDir tcp
port-object eq kerberos
port-object eq ldap
access-list outside_access_in_V2 extended permit ip 172.16.0.0 255.255.0.0 any
access-list outside_access_in_V2 extended permit icmp 10.168.30.0 255.255.255.0 any
access-list outside_access_in extended permit ip 172.16.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp object-group Inside_DNS-DomainController any
access-list outside_access_in extended permit tcp object-group Inside_DNS-DomainController object-group ActiveDir any
access-list outside_access_in extended permit ip host Nogales_PIX any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit esp any any
access-list outside_cryptomap_10 extended permit ip any any
access-list outside_cryptomap_10 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 object-group DOMAIN
access-list inside_nat0_outbound extended permit ip 172.16.11.0 255.255.255.0 10.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 Nogales_Inside 255.255.255.0
access-list outside_cryptomap_10_1 extended permit ip 172.16.11.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list outside_cryptomap_10_1 extended permit ip 172.16.11.0 255.255.255.0 10.168.30.0 255.255.255.0
access-list outside_access_in_V1 extended permit ip 159.87.0.0 255.255.0.0 any
access-list 1 standard permit 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
logging queue 0
logging host inside 172.16.11.2
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPNPool 172.16.11.200-172.16.11.210 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in_V2 in interface outside
route outside 10.168.30.0 255.255.255.0 159.87.60.146 1
route outside PhxPIX 255.255.255.255 Gateway 1
route outside 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server DOMAIN protocol radius
aaa-server DOMAIN host 172.16.11.2
key ******
radius-common-pw ******
group-policy CiscoClient internal
group-policy CiscoClient attributes
dns-server value 172.16.11.2
vpn-tunnel-protocol IPSec
password-storage enable
group-lock value CiscoClient
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value DOMAIN
username user password ***** encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http PhxPIX 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 172.16.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DOMAINSet esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10_1
crypto map outside_map 10 set peer PhxPIX
crypto map outside_map 10 set transform-set DOMAINSet
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group CiscoClient type ipsec-ra
tunnel-group CiscoClient general-attributes
address-pool (outside) RemoteVPNPool
address-pool RemoteVPNPool
authentication-server-group DOMAIN
authentication-server-group (outside) DOMAIN
tunnel-group CiscoClient ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet PhxPIX 255.255.255.255 outside
telnet 172.16.11.0 255.255.255.0 inside
telnet timeout 60
ssh PhxPIX 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.11.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain DOMAIN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect tftp
!
service-policy global_policy global
Cryptochecksum:234b403d99b4def70d0b266de6f2ed29
: end
Solved! Go to Solution.
10-07-2011 11:18 AM
Presumably the inside1 interface is the default-roite for your internal network then. If so you have 2 choices -
1) If you have routing device internally that does inter-vlan routing and it supports PBR then you could setup PBR to make sure traffic from 10.168.30.0/24 to 172.16.11.0 is sent to the inside2 interface
or
2) you can NAT the incoing source of IPs of 172.16.11.x to the inside2 interface IP address so that traffic is automatically sent back to the right interface eg.
nat (outside) 1 172.16.11.0 255.255.255.0 outside
global (inside2) 1 interface
be careful with this though. You need to make sure you are not conflicting with any other NAT so check your configs carefully.
Jon
10-07-2011 11:31 AM
No, it shouldn't do as because you are only applying the NAT to the inside2 interface with the corresponding global statement. Just to make sure you could do -
access-list PNAT permit ip 172.16.11.0 255.255.255.0 10.168.30.0 255.255.255.0
nat (outside) 1 access-list PNAT outside <-- from memory i believe you can use policy NAT with the "outside" keyword at the end but you need to test it.
global (inside2) 1 interface
Personally i would test any of these changes out of hours anyway because you're firewall config is fairly complex anyway.
Jon
10-07-2011 11:05 AM
More info..when initializing a ping from the remote 172.16.11.0 network to the 10.168.30.0 network, the following lines are logged on the ASA firewall:
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo request from outside1:172.16.11.217 to Inside2:10.168.30.3 ID=8521 seq=176 len=56
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo reply from Inside2:10.168.30.3 to inside1:172.16.11.217 ID=8521 seq=176 len=56
It appears that the incoming ICMP request is processed from the outside interface and sent to the inside2 interface as it should be, but the reply is being sent from the inside2 interface to the inside1 interface, which is incorrect, it should go to the outside.
How do I fix this??
10-07-2011 11:18 AM
Presumably the inside1 interface is the default-roite for your internal network then. If so you have 2 choices -
1) If you have routing device internally that does inter-vlan routing and it supports PBR then you could setup PBR to make sure traffic from 10.168.30.0/24 to 172.16.11.0 is sent to the inside2 interface
or
2) you can NAT the incoing source of IPs of 172.16.11.x to the inside2 interface IP address so that traffic is automatically sent back to the right interface eg.
nat (outside) 1 172.16.11.0 255.255.255.0 outside
global (inside2) 1 interface
be careful with this though. You need to make sure you are not conflicting with any other NAT so check your configs carefully.
Jon
10-07-2011 11:25 AM
Would the NAT solution also render any traffic from the inside1 interface to the 172.16.11.x network to reply to the inside2 interface? I still need the traffic from inside1 to continue normally to that 172.16.11.x network. There's a VPN connection utilizing that network.
10-07-2011 11:31 AM
No, it shouldn't do as because you are only applying the NAT to the inside2 interface with the corresponding global statement. Just to make sure you could do -
access-list PNAT permit ip 172.16.11.0 255.255.255.0 10.168.30.0 255.255.255.0
nat (outside) 1 access-list PNAT outside <-- from memory i believe you can use policy NAT with the "outside" keyword at the end but you need to test it.
global (inside2) 1 interface
Personally i would test any of these changes out of hours anyway because you're firewall config is fairly complex anyway.
Jon
10-07-2011 12:10 PM
So..using the NAT solution, it dropped the VPN tunnel immediately, so that won't work. Have not tried th PNAT yet.
10-07-2011 12:16 PM
Which VPN tunnel did it drop ? The one that isn't working ?
Jon
10-07-2011 01:17 PM
The tunnel indicated by the outside1_cryptomap_10 lines on the ASA config. This tunnel works fine, except it will not pass traffic between the inside2 interface of the ASA and the PIX inside network.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide