2 x ASA 5505 Site to Site VPN issues

nice2michu · ‎06-12-2018

Hi all,

I am trying to set up the Site to Site VPN for the first time. I have completed the wizard but am unable to ping the other side. The two networks have different masks, does this matter? Site A is 10.49.0.0/16, Site B is 192.168.1.0/24. Results of the sho run are below:

SITE A:

Result of the command: "sho run"

: Saved
:
ASA Version 9.2(4)
!
hostname ciscoasa1
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif Inside
security-level 100
ip address 10.49.23.1 255.255.0.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 87.x.x.198 255.255.255.252
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface

object network Subnet_1_FW
subnet 10.49.0.0 255.255.0.0
object network Subnet_2_FW
subnet 192.168.1.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list basic extended permit icmp any any echo
access-list allow extended permit ip any any
access-list Outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_1 object Subnet_1_FW object Subnet_2_FW
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static Subnet_1_FW Subnet_1_FW destination static Subnet_2_FW Subnet_2_FW no-proxy-arp route-lookup
access-group allow in interface Inside
access-group allow out interface Inside
access-group basic in interface Outside
access-group allow out interface Outside
route Outside 0.0.0.0 0.0.0.0 87.x.x.197 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 78.x.x.12
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_78.x.x.12 internal
group-policy GroupPolicy_78.x.x.12 attributes
vpn-tunnel-protocol ikev1 ikev2
username admin password MXeW/52ii2l4R//j encrypted privilege 15
tunnel-group 78.x.x.12 type ipsec-l2l
tunnel-group 78.x.x.12 general-attributes
default-group-policy GroupPolicy_78.x.x.12
tunnel-group 78.x.x.12 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
!
prompt hostname context

-------------------
SITE B:
-------------------

Result of the command: "sho run"

: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa2
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 78.x.x.12 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface

object network Subnet_1_FW
subnet 10.49.0.0 255.255.0.0
object network Subnet_2_FW
subnet 192.168.1.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list basic extended permit icmp any4 any4 echo
access-list allow extended permit ip any4 any
access-list Outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_1 object Subnet_2_FW object Subnet_1_FW
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static Subnet_2_FW Subnet_2_FW destination static Subnet_1_FW Subnet_1_FW no-proxy-arp route-lookup
!
access-group allow in interface Inside
access-group allow out interface Inside
access-group basic in interface Outside
access-group allow out interface Outside
route Outside 0.0.0.0 0.0.0.0 78.x.x.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 87.x.x.198
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_87.x.x.198 internal
group-policy GroupPolicy_87.x.x.198 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 87.x.x.198 type ipsec-l2l
tunnel-group 87.x.x.198 general-attributes
default-group-policy GroupPolicy_87.x.x.198
tunnel-group 87.x.x.198 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
!
prompt hostname context

Rob Ingram · ‎06-12-2018

Hi,
Your access-list look correct on both ASAs, when you ping across the tunnel what ip address are you pinging from? It needs to be from an IP address within the subnet you've defined in the access-list.

Can you provide the output from "show crypto isakmp sa" and "show crypto ipsec sa"

I assume the 2 ASAs can communicate and no routing issues?

nice2michu · ‎06-12-2018

Thanks for the reply RJI.

Yes, I am pinging from 10.49.50.51 so within the subnet defined. Output from the commands is:

Result of the command: "show crypto isakmp sa"

There are no IKEv1 SAs

There are no IKEv2 SAs

Result of the command: "show crypto ipsec sa"

There are no ipsec sas

Both ASA's can communicate with the internet, but not with each other as that was the purpose of the S2S VPN, or should there be some other route between the two set up, that I have missed?

Rob Ingram · ‎06-12-2018

Can you run "debug crypto isakmp" and then run the ping, upload the output here. I assume the ASA is the default gateway of the pc you are pinging from and therefore would route through the ASA?

nice2michu · ‎06-12-2018

Yes, the ASA is the default gateway of the computer than I am running the ping from.

Tried the debug command but got nothing at all. Tried pinging a server on the other ASA and the gateway of the other ASA.

Rob Ingram · ‎06-12-2018

Can you run packet tracer from the cli and upload the output please?

E.g - "packet-tracer input inside tcp 10.49.50.51 www 192.168.1.10 www"

nice2michu · ‎06-12-2018

No problem, see below:

Result of the command: "packet-tracer input inside tcp 10.49.50.51 www 192.168.1.150 www"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 87.x.x.197, Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static Re_Ky_Inside Re_Ky_Outside
Additional Information:
Static translate 10.49.50.51/80 to 78.x.x.207/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow out interface Outside
access-list allow extended permit ip any any
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static Re_Ky_Inside Re_Ky_Outside
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4657601, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Rob Ingram · ‎06-12-2018

The configuration you've provided above isn't the full config is it? I can see from the packet tracer output - "nat (Inside,Outside) source static Re_Ky_Inside Re_Ky_Outside" what object configuration do you have defined for Re_Ky_Inside and Re_Ky_Outside?

nice2michu · ‎06-12-2018

No I removed some of the access rules specific to servers thinking they wouldn't be relevant. The config in relation to this is:

bject network Re_Ky_Outside
host 78.x.x.207

object network Reactor_Kyle_Inside
host 10.49.50.51

object-group network DM_INLINE_NETWORK_1
network-object object Re_Ky_Inside
object-group network DM_INLINE_NETWORK_2
network-object object Re_Ky_Inside

object-group network DM_INLINE_NETWORK_3
network-object object Re_Ba_Server
network-object object Re_Te_Server
group-object SJ_Group

object-group network DM_INLINE_NETWORK_4
network-object object Re_Ba_Server
network-object object Re_Te_Server
group-object SJ_Group
object-group network DM_INLINE_NETWORK_7
network-object object Re_Ky_Inside

object-group service DM_INLINE_SERVICE_4
service-object object afp
service-object object apple_remote_desktop_vnc
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_5
service-object object afp
service-object object apple_remote_desktop_vnc
service-object tcp destination eq ssh

access-list basic extended permit tcp object Re2-SJ object Re_Ky_Inside eq ssh
access-list basic extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_4 object Re_Ky_Inside
access-list basic extended permit tcp object Re_Ky_Outside object Va_OS_Inside eq https
access-list allow extended permit object-group DM_INLINE_SERVICE_4 object-group DM_INLINE_NETWORK_3 object Re_Ky_Inside
access-list allow extended permit tcp object Re_Ky_Outside object Va_OS_Inside eq https
access-list allow extended permit tcp object Re2-SJ object Re_Ky_Inside eq ssh
nat (Inside,Outside) source static Re_Ky_Inside Re_Ky_Outside

Rob Ingram · ‎06-12-2018

Can you run packet tracer again but specify a different source and destination IP address.

Can you provide the output of "show nat"

nice2michu · ‎06-12-2018

This is if I packet trace gateway (site A) to gateway (site B):

Result of the command: "packet-tracer input inside tcp 10.49.23.1 www 192.168.1.1 www"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 87.x.x.197, Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Subnet_1_FW Subnet_1_FW destination static Subnet_2_FW Subnet_2_FW no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 192.168.1.1/80 to 192.168.1.1/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

nice2michu · ‎06-12-2018

Result of the command: "show nat"

Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static OS_De_Inside OS_De_Outside
translate_hits = 266852, untranslate_hits = 1572645
2 (Inside) to (Outside) source static As_Bu_Inside As_Bu_Outside
translate_hits = 75243, untranslate_hits = 1574796
3 (Inside) to (Outside) source static AX_Da_Inside AX_Da_Outside
translate_hits = 1637131, untranslate_hits = 2398894
4 (Inside) to (Outside) source static BM_Bu_Inside BM_Bu_Outside
translate_hits = 47048, untranslate_hits = 1546327
5 (Inside) to (Outside) source static CC_Da_Inside CC_Da_Outside
translate_hits = 197257, untranslate_hits = 1501458
6 (Inside) to (Outside) source static Fa_Bu_Inside Fa_Bu_Outside
translate_hits = 44389, untranslate_hits = 1537505
7 (Inside) to (Outside) source static Ho_Lo_Inside Ho_Lo_Outside
translate_hits = 46143, untranslate_hits = 1546947
8 (Inside) to (Outside) source static In_Pr_Inside In_Pr_Outside
translate_hits = 910, untranslate_hits = 1502806
9 (Inside) to (Outside) source static Re_Ky_Inside Re_Ky_Outside
translate_hits = 68628, untranslate_hits = 1616841
10 (Inside) to (Outside) source static Re_Pr_Inside Re_Pr_Outside
translate_hits = 987586, untranslate_hits = 1997159
11 (Inside) to (Outside) source static Va_OS_Inside Va_OS_Outside
translate_hits = 5007, untranslate_hits = 1507675
12 (Inside) to (Outside) source static Vi_Server1_Inside Vi_Server1_Outside
translate_hits = 118174, untranslate_hits = 1607034
13 (Inside) to (Outside) source static Vi_Server2_Inside Vi_Server2_Outside
translate_hits = 520226, untranslate_hits = 1606093
14 (Inside) to (Outside) source static In_Pr2_Inside In_Pr2_Outside
translate_hits = 1766, untranslate_hits = 1500810
15 (Inside) to (Outside) source static GS_Ba_Inside GS_Ba_Outside
translate_hits = 1754, untranslate_hits = 1531031
16 (Inside) to (Outside) source static Subnet_1_FW Subnet_1_FW destination static Subnet_2_FW Subnet_2_FW no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 1

Rob Ingram · ‎06-12-2018

Move "nat (Inside,Outside) source static Subnet_1_FW Subnet_1_FW destination static Subnet_2_FW Subnet_2_FW no-proxy-arp route-lookup" to the top of the manual nat list.

Re-run the packet tracer but don't use the ASA IP addresses as source/destination, just pick another IP address.

nice2michu · ‎06-12-2018

Result of the command: "packet-tracer input inside tcp 10.49.50.222 www 192.168.1.110 www"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 87.x.x.197, Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Subnet_1_FW Subnet_1_FW destination static Subnet_2_FW Subnet_2_FW no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 192.168.1.110/80 to 192.168.1.110/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static Subnet_1_FW Subnet_1_FW destination static Subnet_2_FW Subnet_2_FW no-proxy-arp route-lookup
Additional Information:
Static translate 10.49.50.222/80 to 10.49.50.222/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

nice2michu · ‎06-12-2018

Hold on....I can now ping the inside IP address from Site A to Site B and Site B to Site A!

The nat movement to number 1 must have done it? Thank you very much RJI!