Unable to Browse Secondary Subnet from Primary Subnet

don_faiman
Level 1

I have two subnets, Inside (192.168.1.0) and Inside-2 (192.168.2.0). When I am connected to the inside subnet I cannot browse the inside-2 subnet; Windows does not show any of the machines on it, and the reverse is true if you are on the inside-2 subnet. I am sure that I have configured something wrong or maybe left something out, so here is my running config.

Result of the command: "show running-config"

: Saved

:
: Serial Number: FCH16367LAK
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ciscoasa
domain-name --REDACTED--.com
enable password --REDACTED-- encrypted
passwd --REDACTED-- encrypted
names
ip local pool SALES_POOL 192.168.20.100-192.168.20.200 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address --REDACTED--.220.205 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface GigabitEthernet0/2
description Secondary IPV4 Network .2 Subnet
nameif inside-2
security-level 100
ip address 192.168.2.253 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup inside-2
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.1.106 inside
name-server 192.168.1.222 inside
name-server 69.252.250.103 outside
name-server 68.87.85.102 outside
name-server 68.87.69.150 outside
domain-name --REDACTED--.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ftp_server
host 192.168.1.224
description FTP Server Port
object network sftp_server
host 192.168.1.224
description SFTP Server Port
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
subnet 192.168.30.0 255.255.255.0
description Additional Network for Superscope
object service IMAP_SSL_993
service tcp destination eq 993
description 993
object service SMTP_587
service tcp destination eq 587
object network MCDPR_SMTP_INTERNAL_RELAY
host 192.168.1.4
object service IMAPSSL
service tcp destination eq 993
object service IMAP4_SSL
service tcp destination eq 993
description SSL/TLS
object service IMAP4_TLS
service udp destination eq 995
description IMAP4 TLS/SSL
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
description SECONDARY IP ADDRESSES
object network v5_ps_ftp_server_9758
host 192.168.1.226
description PowerSell V5 External Port
object network v5_ps_ftp_server_9759
host 192.168.1.226
description PowerSell V5 External Port
object network v5_ps_ftp_server_9760
host 192.168.1.226
description PowerSell V5 External Port
object network v5_ps_ftp_server_9761
host 192.168.1.226
description PowerSell V5 External Port
object network v5_ps_ftp_server
host 192.168.1.226
description PS FTP Server Port
object service PS5_FTP
service tcp source eq 2121 destination eq 2121
description PowerSell 5 FTP
object network inside_network
subnet 192.168.1.0 255.255.255.0
object network local_network
subnet 192.168.74.0 255.255.255.0
object network remote_network
subnet 172.16.0.0 255.255.255.0
object service SMB_139
service tcp source eq netbios-ssn destination eq netbios-ssn
description Ricoh
object service SMB_445
service tcp source eq 445 destination eq 445
description Ricoh
object service SMB_137
service udp source eq netbios-ns destination eq netbios-ns
description Ricoh
object network Ricoh_Printer
host 192.168.1.80
description Printer
object service http
service tcp source eq www destination eq www
description Web
object network v5_ps_ftp_svr_9758
host 192.168.1.226
description MCDWEB
object network v5_ps_ftp_svr_9759
host 192.168.1.226
description MCDWEB
object network v5_ps_ftp_svr_9760
host 192.168.1.226
description MCDWEB
object network v5_ps_ftp_svr_9761
host 192.168.1.226
description MCDWEB
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service POP3S
description Secure IMAP4
service-object object IMAP4_SSL
service-object object IMAP4_TLS
object-group service DM_INLINE_SERVICE_1
service-object object SMB_139
service-object object SMB_445
service-object object SMB_137
object-group service DM_INLINE_SERVICE_2
service-object object SMB_139
service-object object SMB_445
service-object object SMB_137
access-list outside-in extended permit tcp any object v5_ps_ftp_server eq 2121
access-list outside-in extended permit tcp any object ftp_server eq ftp
access-list outside-in extended permit tcp any object sftp_server eq ssh
access-list outside-in extended permit tcp any object v5_ps_ftp_server_9758 eq 9758
access-list outside-in extended permit tcp any object v5_ps_ftp_server_9759 eq 9759
access-list outside-in extended permit tcp any object v5_ps_ftp_server_9760 eq 9760
access-list outside-in extended permit tcp any object v5_ps_ftp_server_9761 eq 9761
access-list outside-in extended permit ip 173.8.220.192 255.255.255.240 any
access-list outside-in extended deny tcp any any eq smtp
access-list outside_access_out extended permit ip any any
access-list SALES_splitTunnelAcl standard permit any4
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list Split_Tunnel_List remark Internal Network
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List remark Second Internal Network
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any any
access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip --REDACTED--.0 255.255.255.0 --REDACTED--.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list outside_cryptomap extended permit ip --REDACTED--.0 255.255.255.0 --REDACTED--.0 255.255.255.0
access-list inside-2_access_in extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list ASA webtype permit url any log default
pager lines 24
logging enable
logging console emergencies
logging asdm debugging
logging from-address ciscoasa@--REDACTED--.com
logging recipient-address --REDACTED--.com level alerts
logging class auth console alerts asdm emergencies
logging class vpn asdm alerts
mtu outside 1500
mtu inside 1500
mtu inside-2 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 no-proxy-arp
nat (inside,inside-2) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
nat (inside-2,inside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (outside,inside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (outside,inside-2) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 no-proxy-arp
nat (outside,inside) source static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (inside,outside) source static inside_network local_network destination static remote_network remote_network
!
object network ftp_server
nat (inside,outside) static interface service tcp ftp ftp
object network sftp_server
nat (inside,outside) static interface service tcp ssh ssh
object network MCDPR_SMTP_INTERNAL_RELAY
nat (inside,outside) static interface service tcp smtp smtp
object network v5_ps_ftp_server
nat (inside,outside) static interface service tcp 2121 2121
object network v5_ps_ftp_svr_9758
nat (inside,outside) static interface service tcp 9758 9758
object network v5_ps_ftp_svr_9759
nat (inside,outside) static interface service tcp 9759 9759
object network v5_ps_ftp_svr_9760
nat (inside,outside) static interface service tcp 9760 9760
object network v5_ps_ftp_svr_9761
nat (inside,outside) static interface service tcp 9761 9761
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside-2,outside) after-auto source dynamic any interface
access-group outside-in in interface outside
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group inside-2_access_in in interface inside-2
route outside 0.0.0.0 0.0.0.0 --REDACTED--.220.206 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server SALES protocol ldap
aaa-server SALES (inside) host 192.168.1.106
timeout 5
server-port 636
ldap-base-dn DC=--REDACTED--,DC=com
ldap-group-base-dn DC=--REDACTED--,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Cisco ASA,CN=Users,DC=--REDACTED--,DC=com
ldap-over-ssl enable
server-type microsoft
aaa-server SALES (inside) host 192.168.1.107
timeout 5
server-port 636
ldap-base-dn DC=--REDACTED--,DC=com
ldap-group-base-dn DC=--REDACTED--,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Cisco ASA,CN=Users,DC=--REDACTED--,DC=com
ldap-over-ssl enable
server-type microsoft
aaa-server SALES (inside) host 192.168.1.4
server-port 636
ldap-base-dn DC=--REDACTED--,DC=com
ldap-group-base-dn DC=--REDACTED--,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Cisco ASA,CN=Users,DC=--REDACTED--,DC=com
ldap-over-ssl enable
server-type microsoft
user-identity domain MCD aaa-server SALES
user-identity default-domain MCD
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 120
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside-2
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set retalixset esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 65.174.156.19
crypto map outside_map 1 set ikev1 transform-set retalixset
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map inside-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside-2_map interface inside-2
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa.--REDACTED--.com,O=McDonald Wholesale Co,C=US
keypair MCD5515asa
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 3c7b9988b20445920000000050dbf5d7
--REDACTED--
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0ee94cc30000000051d37785
--REDACTED--
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate ca 51d34044
--REDACTED--
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable inside-2 client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable inside-2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside-2
telnet 192.168.100.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside-2
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd dns 192.168.1.106 192.168.1.222 interface inside
dhcpd wins 192.168.1.106 192.168.1.222 interface inside
dhcpd ping_timeout 30 interface inside
dhcpd domain --REDACTED--.com interface inside
dhcpd update dns both override interface inside
!
dhcpd address 192.168.2.10-192.168.2.250 inside-2
dhcpd dns 192.168.1.106 192.168.1.222 interface inside-2
dhcpd wins 192.168.1.106 interface inside-2
dhcpd ping_timeout 30 interface inside-2
dhcpd domain --REDACTED--.com interface inside-2
dhcpd update dns both override interface inside-2
dhcpd option 3 ip 192.168.2.253 interface inside-2
dhcpd option 4 ip 192.168.1.106 interface inside-2
dhcpd option 5 ip 192.168.1.106 192.168.1.222 interface inside-2
dhcpd option 15 ascii --REDACTED--.com interface inside-2
dhcpd option 44 ip 192.168.1.106 interface inside-2
!
dhcpd address 192.168.100.2-192.168.100.254 management
!
dhcprelay server 192.168.1.106 inside
dhcprelay enable inside-2
dhcprelay timeout 60
ntp authenticate
ntp server 192.168.1.3 source inside
ntp server 192.168.1.106 source inside prefer
ntp server 24.56.178.140 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 inside-2
ssl trust-point ASDM_TrustPoint0 management
webvpn
enable outside
enable inside
enable inside-2
anyconnect-essentials
--REDACTED--
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
ssl-server-check warn-on-failure
group-policy SALES_SSL internal
group-policy SALES_SSL attributes
wins-server value 192.168.1.106 192.168.1.222
dns-server value 192.168.1.106 192.168.1.222
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout 120
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
group-lock value Sales_SSL
default-domain value --REDACTED--.com
vlan none
webvpn
url-list value Internal_WebSites
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect profiles value SALES_IPSEC_client_profile type user
group-policy DfltGrpPolicy attributes
wins-server value 192.168.1.106 192.168.1.222
dns-server value 192.168.1.106 192.168.1.222
vpn-session-timeout 120
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
default-domain value --REDACTED--.com
webvpn
url-list value Internal_WebSites
anyconnect ask enable default webvpn
hidden-shares visible
group-policy SALES internal
group-policy SALES attributes
wins-server value 192.168.1.106 192.168.1.222
dns-server value 192.168.1.106 192.168.1.222
vpn-idle-timeout 30
vpn-session-timeout 120
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value --REDACTED--.com
webvpn
anyconnect profiles value SALES_IPSEC_client_profile type user
group-policy GroupPolicy_SALES_IPSEC internal
group-policy GroupPolicy_SALES_IPSEC attributes
wins-server value 192.168.1.106 192.168.1.222
dns-server value 192.168.1.106 192.168.1.222
vpn-idle-timeout 30
vpn-session-timeout 120
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy excludespecified
split-tunnel-network-list value SALES_splitTunnelAcl
default-domain value --REDACTED--.com
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect profiles value SALES_IPSEC_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
user-message "You are not authorized to access this Internal Domain!"
action terminate
dynamic-access-policy-record Sales
description "Allow Sales People Access to Network"
user-message "Welcome to the --REDACTED-- Internal Network!"
network-acl inside_access_in
network-acl outside_access_out
network-acl inside-2_access_in
network-acl inside_access_in_1
webvpn
appl-acl ASA
url-list value Internal_WebSites
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask enable default svc
username --REDACTED-- password --REDACTED-- encrypted privilege 15
username --REDACTED-- attributes
vpn-group-policy SALES_SSL
username --REDACTED-- password --REDACTED-- encrypted
username --REDACTED-- attributes
vpn-group-policy SALES_SSL
service-type remote-access
username --REDACTED-- password --REDACTED-- encrypted privilege 15
username --REDACTED-- attributes
vpn-group-policy SALES_SSL
username --REDACTED-- password --REDACTED-- encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SALES
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias WebOnly disable
tunnel-group Sales_SSL type remote-access
tunnel-group Sales_SSL general-attributes
address-pool SALES_POOL
tunnel-group Sales_SSL webvpn-attributes
group-alias IT_ONLY disable
group-alias SALES disable
group-url https://173.8.220.201/SALES enable
tunnel-group SALES_IPSEC type remote-access
tunnel-group SALES_IPSEC general-attributes
address-pool SALES_POOL
authentication-server-group SALES
default-group-policy GroupPolicy_SALES_IPSEC
tunnel-group SALES_IPSEC webvpn-attributes
group-alias SALES_IPSEC disable
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
address-pool SALES_POOL
authentication-server-group SALES
default-group-policy SALES
tunnel-group SALES webvpn-attributes
group-alias SALES_TUNNEL enable
tunnel-group --REDACTED--.19 type ipsec-l2l
tunnel-group --REDACTED--.19 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map class_ftp_9758
match port tcp eq 9758
class-map class_ftp
match port tcp eq 2121
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class_ftp
inspect ftp
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.1.224
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cc3aed92b55cd05710b439ebe18bd37c
: end
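The config above is long, but the parts that decide whether a packet entering inside may leave via inside-2 are few: both interfaces sit at security-level 100, `same-security-traffic permit inter-interface` is set, each interface has a permit-any data-plane ACL applied inbound (the `control-plane` access-group on inside only filters traffic addressed to the ASA itself), and the (inside,inside-2) twice-NAT rules are identity rules that leave addresses unchanged. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses a constructed excerpt of the posted running-config, works out that verdict for both directions, and also flags settings that are literally present in the same dump and that a reviewer would not leave in place: telnet management enabled on inside, SSH key exchange pinned to dh-group1-sha1, and DES/MD5 still offered in the IKE and IPsec policies. All function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the running-config posted above (not the full dump):
# only the lines the checks below read, in the flattened form the forum shows.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
nameif inside
security-level 100
!
interface GigabitEthernet0/2
nameif inside-2
security-level 100
!
same-security-traffic permit inter-interface
access-list inside_access_in_1 extended permit ip any any
access-list inside-2_access_in extended permit ip any any
nat (inside,inside-2) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
nat (inside-2,inside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group inside-2_access_in in interface inside-2
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
hash md5
telnet 192.168.1.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
"""

@dataclass
class AsaConfig:
    security_level: dict = field(default_factory=dict)  # nameif -> security-level
    inter_interface: bool = False  # 'same-security-traffic permit inter-interface' seen
    acls: dict = field(default_factory=dict)            # ACL name -> list of ACE strings
    access_groups: dict = field(default_factory=dict)   # (nameif, control_plane) -> ACL name
    manual_nat: set = field(default_factory=set)        # (ingress, egress) pairs of twice-NAT rules
    telnet: list = field(default_factory=list)          # 'telnet <net> <mask> <ifc>' lines
    ssh_kex: str = ""
    weak_crypto: list = field(default_factory=list)     # crypto lines naming DES or MD5

ACE_RE = re.compile(r"access-list (\S+) (?:extended|standard|webtype) (.+)")
AG_RE = re.compile(r"access-group (\S+) in interface (\S+)( control-plane)?$")
NAT_RE = re.compile(r"nat \(([^,)]+),([^,)]+)\) (?:after-auto )?source ")
TELNET_RE = re.compile(r"telnet \d+\.\d+\.\d+\.\d+ \S+ \S+$")
CRYPTO_PREFIXES = ("crypto ", "encryption ", "hash ", "integrity ", "protocol esp ")

def parse_asa_config(text: str) -> AsaConfig:
    """Pull the policy-relevant lines out of 'show running-config' text."""
    cfg, nameif = AsaConfig(), None   # nameif: the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!" or line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            cfg.security_level[nameif] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            cfg.inter_interface = True
        elif m := ACE_RE.match(line):
            cfg.acls.setdefault(m[1], []).append(m[2])
        elif m := AG_RE.match(line):
            cfg.access_groups[(m[2], bool(m[3]))] = m[1]
        elif m := NAT_RE.match(line):
            cfg.manual_nat.add((m[1], m[2]))
        elif TELNET_RE.match(line):
            cfg.telnet.append(line)
        elif line.startswith("ssh key-exchange group "):
            cfg.ssh_kex = line.split()[-1]
        elif line.startswith(CRYPTO_PREFIXES) and re.search(r"\bdes\b|md5", line):
            cfg.weak_crypto.append(line)
    return cfg

def inter_interface_verdict(cfg: AsaConfig, ingress: str, egress: str) -> dict:
    """Can a new connection entering `ingress` leave via `egress`? Applies the two gates
    packet-tracer reports: security levels, then the inbound data-plane ACL on ingress."""
    lvl_in, lvl_out = cfg.security_level[ingress], cfg.security_level[egress]
    level_ok = lvl_in > lvl_out or (lvl_in == lvl_out and cfg.inter_interface)
    acl = cfg.access_groups.get((ingress, False))
    # No ACL applied: only the security-level rule governs. ACL applied: the flow needs an
    # explicit permit (implicit deny at the end); anything narrower than ip any any needs packet-tracer.
    acl_ok = acl is None or any(a.startswith("permit ip any any") for a in cfg.acls.get(acl, []))
    return {"security_levels": (lvl_in, lvl_out), "level_ok": level_ok,
            "inbound_acl": acl, "acl_permits_all": acl_ok,
            "manual_nat_rule": (ingress, egress) in cfg.manual_nat,   # reported, not judged
            "passes_any_flow": level_ok and acl_ok}

def hardening_findings(cfg: AsaConfig) -> list:
    """Settings a reviewer would flag; every one is literally present in the posted dump."""
    out = [f"cleartext telnet management allowed: {t}" for t in cfg.telnet]
    if cfg.ssh_kex == "dh-group1-sha1":
        out.append("ssh key-exchange dh-group1-sha1 is 1024-bit DH: use dh-group14-sha1 or stronger")
    out += [f"legacy cipher/hash offered: {l}" for l in cfg.weak_crypto]
    return out

if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    print(inter_interface_verdict(cfg, "inside", "inside-2"))
    print(*hardening_findings(cfg), sep="\n")
```

Run it against a full `show running-config` capture instead of the excerpt and the same three functions apply; the verdict only says "passes_any_flow" when the inbound ACL is a blanket permit, which is the case here, so for a narrower ACL the answer is still packet-tracer with the real five-tuple.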


5 Replies

cofee
Level 5

Please share the packet-tracer output.

packet-tracer input inside tcp 192.168.1.10 12345 192.168.2.10 80 detailed

I am using 10 as an example; if you like, you can replace the host address with a valid host in those subnets, but this should work as well.

Here are the results, using the CLI feature in ASDM:

Result of the command: "packet-tracer input inside tcp 192.168.1.10 12345 192.168.2.10 80 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside-2) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
Additional Information:
NAT divert to egress interface inside-2
Untranslate 192.168.2.10/80 to 192.168.2.10/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside control-plane
access-list inside_access_in_1 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6ab429bad0, priority=13, domain=permit, deny=false
hits=1115023, user_data=0x7f6ab441b500, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,inside-2) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
Additional Information:
Static translate 192.168.1.10/12345 to 192.168.1.10/12345
Forward Flow based lookup yields rule:
in id=0x7f6abe2359a0, priority=6, domain=nat, deny=false
hits=31380, user_data=0x7f6abe234c60, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=inside-2

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6abd517610, priority=0, domain=nat-per-session, deny=false
hits=3036387, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6abe0e0ac0, priority=0, domain=inspect-ip-options, deny=true
hits=1570673, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6abeef7c80, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=1106689, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inside-2) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f6abe2366a0, priority=6, domain=nat-reverse, deny=false
hits=13513, user_data=0x7f6abe234d70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=inside-2

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f6abf016430, priority=0, domain=user-statistics, deny=false
hits=992219, user_data=0x7f6ac06e7320, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=inside-2

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f6abd517610, priority=0, domain=nat-per-session, deny=false
hits=3036389, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f6abe13aca0, priority=0, domain=inspect-ip-options, deny=true
hits=1033084, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside-2, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7f6abf015490, priority=0, domain=user-statistics, deny=false
hits=1541214, user_data=0x7f6ac06e7320, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=inside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2149332, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
output-interface: inside-2
output-status: up
output-line-status: up
Action: allow

Based on the packet-tracer output, the firewall doesn't appear to be blocking this traffic. Did you do a traceroute from a host in subnet 1 to subnet 2 and see where the traffic is dropping? Because it might be a routing issue, you can create an ACL on the firewall just for the specific source and destination addresses that you would be using to test, and look at the hit counters to make sure it is even hitting the firewall.

Anything in the firewall logs?
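Reading a packet-tracer dump by eye is error-prone once it runs to a dozen phases, and the point made in the reply above is exactly the one a script can check: if no phase reports `Result: DROP` and the final block says `Action: allow`, the ASA is not where the traffic dies and the next step is routing and the hosts themselves. The script below is an added example, not code from the thread or from Cisco. It parses two constructed inputs, an abbreviated copy of the trace posted above and a hypothetical variant in which the inbound ACL on inside denies the flow (the `Drop-reason: (acl-drop) ...` line is the form the ASA prints in that case), and reports the first phase that blocked the flow together with the configuration lines that phase matched. Function names are the example's own.

```python
import re

# Constructed, abbreviated copy of the packet-tracer output posted above: the
# NAT-divert and ACL phases that decide the verdict plus the final Result block;
# the long lookup-rule dumps and the remaining phases are left out.
ALLOW_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside-2) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp
Additional Information:
NAT divert to egress interface inside-2
Untranslate 192.168.2.10/80 to 192.168.2.10/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside control-plane
access-list inside_access_in_1 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:

Result:
output-interface: inside-2
output-status: up
output-line-status: up
Action: allow
"""

# Hypothetical counterpart (constructed, not from the thread): the ACL phase and
# Result block the ASA prints when the inbound ACL on 'inside' denies the flow.
DROP_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: inside-2
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")   # 'Type: X', 'Action: allow', 'Drop-reason: ...'

def parse_packet_tracer(text: str) -> dict:
    """Split packet-tracer output into its phases and the final summary block."""
    trace = {"phases": [], "action": None, "output_interface": None, "drop_reason": None}
    phase, section = None, None   # phase: dict being filled; section: config/info/summary
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PHASE_RE.match(line):
            phase = {"phase": int(m[1]), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            trace["phases"].append(phase)
            section = None
        elif line == "Result:":            # bare 'Result:' opens the final summary block
            phase, section = None, "summary"
        elif phase is not None:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section is None and (m := KV_RE.match(line)):
                phase[m[1].lower()] = m[2]   # Type / Subtype / Result of this phase
            elif section:
                phase[section].append(line)
        elif section == "summary" and (m := KV_RE.match(line)):
            key = m[1].lower().replace("-", "_")
            if key in ("action", "output_interface", "drop_reason"):
                trace[key] = m[2]
    return trace

def blocking_phase(trace: dict):
    """First phase whose Result is DROP, or None when the firewall allowed the flow."""
    return next((p for p in trace["phases"] if p["result"].upper() == "DROP"), None)

def explain(trace: dict) -> str:
    """One-line reading of the trace, in the terms the reply above uses."""
    p = blocking_phase(trace)
    if p is None and trace["action"] == "allow":
        return f"allowed, egress {trace['output_interface']}: the ASA is not the blocker, check routing and the hosts"
    return (f"dropped in phase {p['phase']} ({p['type']}): {trace['drop_reason']}; "
            f"matched config: {' | '.join(p['config'])}")

if __name__ == "__main__":
    for name, text in (("posted trace", ALLOW_TRACE), ("hypothetical deny", DROP_TRACE)):
        print(f"{name}: {explain(parse_packet_tracer(text))}")
```

On the box itself the equivalent check for live traffic is `show access-list <name>`, whose per-ACE `hitcnt=` values are the hit counters the reply suggests watching; a narrow test ACE for the two hosts, with the `log` keyword, makes the hit visible in syslog as well.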

I did a traceroute from my machine to the other subnet and it worked flawlessly. Turns out that this is a "Windows problem": apparently Microsoft has made changes that cause browsing not to see other subnets in Windows, so this issue is not an issue as far as my ASA goes, and the problem lies in the Microsoft patches and upgrades! Go figure! LOL

Thanks for your help, it pointed me in the right direction!

Thanks for the update and rating. I am glad that you were able to figure out the problem.