I'd probably try to fix this with DNS instead. Just have the profile point to a dns name ex: vpn.mycompany.com. When they're internal have the A record point to the dmz interface address, when they're external have it resolve to the outside interface address.
... View more
Hello, I setup a Hub & Spoke VPN configuration as a temporary solution to get phones working at a client with 5 Sites. Site A: HQ and main PBX System - Cisco ASA 5520 Sites B-E: Remote Sites with PBX systems with ASA 5505's I configured my crypto access-lists to allow all interesting traffic to/from all sites, and it's working for the most part. Refer to this short discussion for further reference https://supportforums.cisco.com/message/4162268#4162268 Recently the customer started saying sometimes the call forwarding between sites isn't working correctly. Upon further testing, it seems that you have to ping to/from both ends of the Spokes before traffic will start passing through properly. E.g. Site B wants to talk to Site C I need to initiate a ping on Site B to Site C which fails Initiate a ping on Site C to Site B and the first packet drops, then the rest go through Initiate Ping on Site B to Site C and all works just fine. Traffic going to/from Site A to/from any remote site (Sites B-E) works fine 100% of the time. This is happening for all remote sites. When traffic has been initiated on both ends, it works just fine, but after a specific timeout it appears to stop working. Probably something simple I'm missing. Any help is greatly appreciated. (Also, kind of silly but I realize that I didn't need same-security-traffic on each spoke, correct?)
... View more
Thanks m.kafka, and sorry about the delayed response! For anyone interested in exactly how it was done with a real world example, I've modified the subnets, but modify with your subnets. *** Site A - HQ *** same-security-traffic permit intra-interface same-security-traffic permit inter-interface object-group network VOIP-dst network-object 10.10.1.0 255.255.255.0 network-object 10.10.2.0 255.255.255.0 network-object 10.10.3.0 255.255.255.0 network-object 10.10.4.0 255.255.255.0 object-group network VOIP-src network-object 10.10.0.0 255.255.255.0 access-list outside_4_cryptomap extended permit ip object-group VOIP-dst 10.10.1.0 255.255.255.0 access-list outside_5_cryptomap extended permit ip object-group VOIP-dst 10.10.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip object-group VOIP-dst 10.10.3.0 255.255.255.0 access-list outside_3_cryptomap extended permit ip object-group VOIP-dst 10.10.4.0 255.255.255.0 ------------------------------------- *** Site B - Remote *** same-security-traffic permit intra-interface same-security-traffic permit inter-interface object-group network VOIP-dst network-object 10.10.1.0 255.255.255.0 network-object 10,10.2.0 255.255.255.0 network-object 10.10.3.0 255.255.255.0 object-group network VOIP-src network-object 10.10.4.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip object-group VOIP-src object-group VOIP-dst ------------------------------------------------ *** Site C - Remote *** same-security-traffic permit intra-interface same-security-traffic permit inter-interface object-group network VOIP-dst network-object 10.10.4.0 255.255.255.0 network-object 10.10.1.0 255.255.255.0 network-object 10.10.3.0 255.255.255.0 object-group network VOIP-src network-object 10.10.2.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip object-group VOIP-src object-group VOIP-dst ..... then repeated for additional sites. I then pinged across all sides, to and from each site. The ping requests failed at first, but once I pinged from each side to the other it works. Everything has been working fine, and the phones are now working. Albeit, a temporary solution but one that has been working for a few weeks now.
... View more
Hi, I think it might work. To be honest I have never done such a setup since we simply dont accept that a situation where a 3rd party would dictate us to make these kind of unusual setups just because they can't be bothered to make changes to their devices (which are pretty simple) What you will probably need in that "nat" command is the parameter "outside" in the end of the command. This is because you are doing Dynamic PAT from a lower "security-level" interface to a higher one. Check this section from ASA Command Reference http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533 Quote For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.
Again, this is not something I have done other than to test it in some labs so I am not 100% sure how it acts with the other NAT configurations. I can't see a problem at the moment atleast since its specifically made to be a Policy type of NAT. To my understanding this Dynamic Policy PAT should work as the ASA the ASA should do NAT operations before sending traffic towards the Remote Site (would untranslate the PAT to the real IP address before VPN rules matched) and when traffic is coming from the L2L VPN towards Main Office I would imagine that when the packet is decapsulated/decrypted it would then be PATed to the correct IP address. - Jouni
... View more