Allow Communications Between Multi S2S

gal.avichid
Level 1

Hi,

We had in our topology 12 Cisco ASA 5506s connected S2S via one ASA 5506 HUB, which had all the tunnels set up there.

Last week we upgraded the HUB to an FPR-1010.

I am struggling with setting up the connectivity between two spokes.

Current status:

FPR-1010 can reach all

Remote sites - Cisco ASA 5506 can ping the HUB

Can't ping in between sites.

Not sure what I missed.

FPR-1010


> show running-config
: Saved

:
: Serial Number: X.X.X
: Hardware: FPR-1010, 2851 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.0.1
!
hostname FPR-1010
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool FPR-1010_vpn_pool 10.0.78.2-10.0.78.254
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address dhcp setroute
ipv6 address autoconfig
ipv6 enable
!
interface Ethernet1/2
no switchport
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet1/3
no switchport
nameif c2-integration
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.14.1 255.255.255.0
!
interface Ethernet1/4
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.29.254 255.255.255.0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
name-server 2620:119:35::35
dns server-group google
name-server 8.8.8.8
name-server 8.8.4.4
dns-group CiscoUmbrellaDNSServerGroup
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network mgmt_access
subnet 192.168.21.0 255.255.255.0
object network inside_network
subnet 192.168.0.0 255.255.255.0
object network c2_network
subnet 10.10.10.0 255.255.255.0
object network c2_gateway
host 192.168.14.2
object network dc_integration
host 192.168.0.11
object network home
subnet 192.168.178.0 255.255.255.0
object network FPR-1010_nl_vpn_pool
range 10.0.78.2 10.0.78.254
object network FPR-1010_vpn_pool_network
subnet 10.0.78.0 255.255.255.0
object network thd-a78
subnet 192.168.2.0 255.255.255.0
object network thd-d
range 192.168.3.1 192.168.3.4
object network thd-d-network
subnet 192.168.3.0 255.255.255.0
object network rdl-c1
subnet 192.168.8.0 255.255.255.0
object-group network |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
network-object object FPR-1010_vpn_pool_network
network-object object home
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group network site2site_networks
network-object object thd-d
network-object object thd-a78
object-group network |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
network-object object thd-d-network
object-group network |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
network-object object bgra_nl_vpn_pool_network
network-object object home
object-group network remote-sites
network-object object rdl-c1
network-object object thd-d
network-object object thd-a78
object-group network NGFW-Remote-Access-VPN|natIpv4Grp
network-object object home
object-group network NGFW-Remote-Access-VPN|natIpv4PoolGrp
network-object object FPR-1010_vpn_pool
object-group network |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
network-object object thd-a78
object-group network |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b
network-object object bgra_nl_vpn_pool_network
network-object object home
object-group network |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b
network-object object rdl-c1
object-group service |acSvcg-268435462
service-object ip
object-group network |acSrcNwg-268435462
network-object object rdl-c1
network-object object thd-a78
network-object object thd-d-network
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: s2s
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside object-group |acSrcNwg-268435462 ifc inside any rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list DfltGrpPolicy|splitAcl extended permit ip object bgra_nl_vpn_pool_network any
access-list DfltGrpPolicy|splitAcl extended permit ip object home any
access-list DfltGrpPolicy|splitAcl extended permit ip object rdl-c1 any
access-list DfltGrpPolicy|splitAcl extended permit ip object thd-a78 any
access-list DfltGrpPolicy|splitAcl extended permit ip object thd-d-network any
access-list |s2sAcl|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 extended permit ip object-group |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 object-group |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
access-list |s2sAcl|ee02ae02-80db-11ee-a70b-af3b592dae3b extended permit ip object-group |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b object-group |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b
access-list |s2sAcl|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 extended permit ip object-group |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 object-group |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
pager lines 24
logging enable
logging timestamp
logging buffer-size 5000
logging buffered informational
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu c2-integration 1500
mtu diagnostic 1500
no failover
no monitor-interface c2-integration
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b destination static |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b no-proxy-arp route-lookup
nat (inside,outside) source static |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 destination static |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 no-proxy-arp route-lookup
nat (inside,outside) source static |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 destination static |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 no-proxy-arp route-lookup
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic dc_integration interface
access-group NGFW_ONBOX_ACL global
route c2-integration 10.10.10.0 255.255.255.0 192.168.14.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.178.0 255.255.255.0 outside
http 10.0.78.0 255.255.255.0 outside
ip-client inside ipv6
ip-client inside
ip-client c2-integration ipv6
ip-client c2-integration
ip-client diagnostic ipv6
ip-client diagnostic
ip-client outside ipv6
ip-client outside
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
crypto map s2sCryptoMap 1 set peer 1.1.1.1
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-SHA
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes unlimited
crypto map s2sCryptoMap 2 match address |s2sAcl|ee02ae02-80db-11ee-a70b-af3b592dae3b
crypto map s2sCryptoMap 2 set peer 2.2.2.2
crypto map s2sCryptoMap 2 set ikev2 ipsec-proposal AES-SHA
crypto map s2sCryptoMap 2 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 2 set security-association lifetime kilobytes unlimited
crypto map s2sCryptoMap 3 match address |s2sAcl|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
crypto map s2sCryptoMap 3 set peer 3.3.3.3
crypto map s2sCryptoMap 3 set ikev2 ipsec-proposal AES-SHA
crypto map s2sCryptoMap 3 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 3 set security-association lifetime kilobytes unlimited
crypto map s2sCryptoMap interface outside
crypto ca permit-weak-crypto
crypto ca trustpoint DefaultInternalCertificate
enrollment terminal
keypair DefaultInternalCertificate
crl configure
crypto ca trustpool policy
crypto ca certificate chain DefaultInternalCertificate
certificate XXXX
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 outside
ssh 10.0.78.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.255.0 inside
console timeout 0
dhcp-client client-id interface outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point DefaultInternalCertificate outside
webvpn
port 8888
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/anyconnect-linux64-4.10.07073-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.10.07073-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnpkgs/anyconnect-macos-4.10.07073-webdeploy-k9.pkg 3
anyconnect profiles FRP-1010-VPN disk0:/anyconncprofs/FRP-1010-VPN.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 208.67.222.222 208.67.220.220 2620:119:35::35
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DfltGrpPolicy|splitAcl
webvpn
anyconnect ssl dtls none
anyconnect profiles value FRP-1010-VPN type user
group-policy |s2sGP|1.1.1.1 internal
group-policy |s2sGP|1.1.1.1 attributes
vpn-tunnel-protocol ikev2
group-policy |s2sGP|2.2.2.2 internal
group-policy |s2sGP|2.2.2.2 attributes
vpn-tunnel-protocol ikev2
group-policy |s2sGP|3.3.3.3 internal
group-policy |s2sGP|3.3.3.3 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username XXXXX password *****
tunnel-group FRP-1010-VPN type remote-access
tunnel-group FRP-1010-VPN general-attributes
address-pool FRP-1010_vpn_pool
tunnel-group FRP-1010-VPN webvpn-attributes
group-alias FRP-1010-VPN enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy |s2sGP|1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy |s2sGP|2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy |s2sGP|3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
snort preserve-connection
no dp-tcp-proxy
Cryptochecksum:03c6a2bc5ab9d15baf05f340ade1fe08
: end

ASA 5506:


hostname FW-RDL
enable password xxxx pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 3.3.3.3 255.255.255.252
!
interface GigabitEthernet1/2
nameif admin
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
nameif mgmt
security-level 0
ip address 192.168.21.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network xxxx
host 192.168.8.2
object network xxxxx
host 192.168.8.3
object network xxxxx
host 192.168.0.130
object network xxxx
host 192.168.8.4
object network FRP-1010-vpn
subnet 192.168.178.0 255.255.255.0
object network c3-1
subnet 192.168.11.0 255.255.255.0
object network c3-2
subnet 192.168.12.0 255.255.255.0
object network cbrn-sts
subnet 10.5.100.0 255.255.255.0
object network drn-c2
subnet 192.168.9.0 255.255.255.0
object network hvt-c1
subnet 192.168.7.0 255.255.255.0
object network oct-c1
subnet 192.168.6.0 255.255.255.0
object network sbn-b
subnet 192.168.4.0 255.255.255.0
object network sbn-c1
subnet 192.168.5.0 255.255.255.0
object network thd-a78
subnet 192.168.2.0 255.255.255.0
object network thd-a77
subnet 192.168.10.0 255.255.255.0
object network thd-d
subnet 192.168.3.0 255.255.255.0
object network vpn_pool
subnet 10.0.78.0 255.255.255.0
object network admin-network
subnet 192.168.8.0 255.255.255.0
object network xxxx
host 192.168.8.11
object network home
subnet 192.168.178.0 255.255.255.0
object-group network remote-sites
network-object object c3-1
network-object object c3-2
network-object object xxx
network-object object drn-c2
network-object object hvt-c1
network-object object oct-c1
network-object object sbn-b
network-object object sbn-c1
network-object object thd-a77
network-object object thd-a78
network-object object thd-d
network-object object vpn_pool
network-object object home
network-object object FRP-1010-vpn
access-list vpn-traffic extended permit ip object admin-network object-group remote-sites
pager lines 24
logging enable
logging list email-alerts level alerts
logging list email-alerts message 735001-735004
logging list email-alerts message 735007
logging list email-alerts message 735020
logging list email-alerts message 748008-748009
logging list email-alerts message 735022
logging list email-alerts message 806001-806008
logging list email-alerts message 735012
logging asdm informational

mtu outside 1500
mtu admin 1500
mtu inside 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
!
object network dc_internet_nat
nat (any,outside) dynamic interface
object network wsus_internet_nat
nat (any,outside) dynamic interface
object network milestone_internet_nat
nat (any,outside) dynamic interface
object network zabbix_internet_nat
nat (any,outside) dynamic interface
object network dc_rdl_internet
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 99.999.99.99 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.21.0 255.255.255.0 mgmt
http 192.168.8.0 255.255.255.0 admin

no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change cpu-temperature chassis-temperature accelerator-temperature
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set S2S-IKv1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal vpn-transform
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-MAP 1 match address vpn-traffic
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 9.9.9.9
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal vpn-transform
crypto map CRYPTO-MAP 2 set pfs group19
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.8.0 255.255.255.0 admin
ssh 192.168.21.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn username xxxx password ***** store-local

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
tunnel-group FRP-1010-IP type ipsec-l2l
tunnel-group FRP-1010-IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global

prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e19fe00e7ff8cf8ced267cfac4cf3bf0
: end

Thanks

Accepted Solution

gal.avichid
Level 1

The solution was to add the local network of the HUB FW to each S2S connection.

Allowing communication between all S2S.

Thanks all for the help!


19 Replies

I think the issue could be related to some missing NAT hairpinning rules and maybe some missing rules on the crypto map access list. The traffic that will be coming from a branch to another passing through the hub would need to be defined in the hub crypto access lists and would need to be exempted from being NAT'ed.

Sorry, pressed mistakenly on the solution button.

I have set the remote ASA's ACL to allow communications from the local network to the remote local networks.

In the HUB I can't find the crypto access list; it's FDM and I am new to this one.

I have tried to exempt the remote local networks from NAT on the HUB, but no luck.

On the HUB I did a packet-tracer, and ping is allowed from remote A to remote B.

What else am I missing?

My menu is different, I guess because I use FTD and not FMC?

Can I achieve the same result with FTD?

Thanks

Sorry, yes - FDM is the one running on the HUB

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html

I see you are a little confused.

Check these steps to config S2S to each spoke.

Note: I checked the guide about hub and spoke in FDM; it is hard using dynamic, so we will instead use S2S to each site.

For NAT you need a no-NAT for each spoke subnet to the other spoke subnets.

"manual NAT Exempt rule needs to be created under the Policies > NAT."

The last piece is routing. Did you configure routing for the spokes in the hub?

The tunnels are up and working.

From Site A to HUB

From Site B to HUB

When I am trying to packet-trace from Site A to B or vice versa:

Result of the command: "packet-tracer input admin icmp 192.168.8.2 8 0 192.168.3.2"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.3.2/0 to 192.168.3.2/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.8.2/0 to 192.168.8.2/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: admin
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

"packet-tracer input admin icmp 192.168.8.2 8 0 192.168.3.2"

But the traffic comes from outside, and please add detail to the packet-tracer and do it twice.

Result of the command: "packet-tracer input outside icmp 192.168.3.2 8 0 192.168.8.2 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.8.2 using egress ifc admin

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d18691a20, priority=6, domain=nat, deny=false
hits=0, user_data=0x7f2d175c9890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.8.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=admin

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d16860c40, priority=0, domain=nat-per-session, deny=true
hits=133458, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d17493de0, priority=0, domain=permit, deny=true
hits=650, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: admin
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "packet-tracer input outside icmp 192.168.3.2 8 0 192.168.8.2 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.8.2 using egress ifc admin

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d18691a20, priority=6, domain=nat, deny=false
hits=1, user_data=0x7f2d175c9890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.8.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=admin

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d16860c40, priority=0, domain=nat-per-session, deny=true
hits=133463, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d17493de0, priority=0, domain=permit, deny=true
hits=651, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: admin
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

nat (outside,outside) source static remotesiteA remotesiteA destination static remotesiteB remotesiteB no-proxy-arp route-lookup

Add this NAT.

Should that be on the HUB or on Site A+B?

On the Hub it must hairpin traffic without NAT.

As far as I know, "same-security-traffic permit intra-interface" is enabled by default on FTD?
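One way to check a hub configuration for the two prerequisites the replies describe (a crypto ACL entry on the tunnel towards spoke B that selects spoke A's network, and an (outside,outside) identity NAT that exempts the hairpinned traffic), as an added Python example that is not part of the thread: it parses the relevant lines of a constructed hub excerpt modelled on the FPR-1010 config above, and the object names, ACL names and peer addresses in it are assumptions.

```python
"""Check a hub config for the thread's two spoke-to-spoke prerequisites: for each ordered
spoke pair (A, B) the crypto ACL towards B must select A-net -> B-net, and an
(outside,outside) identity NAT must exempt it (A's traffic is decrypted and re-encrypted on outside)."""
import ipaddress
import re
from collections import defaultdict
from itertools import permutations

SPEC = r"(any|object \S+|object-group \S+)"  # one source/destination operand of an ACL entry

def parse_config(text):
    """Collect network objects/groups, crypto ACLs, crypto-map peers and hairpin NAT exemptions."""
    cfg = {"objects": {}, "groups": defaultdict(list), "acls": defaultdict(list),
           "cmap": defaultdict(dict), "nat_exempt": []}
    cur_obj = cur_grp = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object network (\S+)", line):
            cur_obj, cur_grp = m[1], None
        elif m := re.fullmatch(r"object-group network (\S+)", line):
            cur_grp, cur_obj = m[1], None
        elif cur_obj and (m := re.fullmatch(r"subnet (\S+) (\S+)", line)):
            cfg["objects"][cur_obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif cur_grp and (m := re.fullmatch(r"network-object object (\S+)", line)):
            cfg["groups"][cur_grp].append(m[1])
        else:
            cur_obj = cur_grp = None  # any other line closes the object/group block
            if m := re.fullmatch(rf"access-list (\S+) extended permit ip {SPEC} {SPEC}", line):
                cfg["acls"][m[1]].append((m[2], m[3]))
            elif m := re.fullmatch(r"crypto map \S+ (\d+) (match address|set peer) (\S+)", line):
                cfg["cmap"][m[1]][m[2]] = m[3]
            elif m := re.match(r"nat \(outside,outside\) source static (\S+) \1 "
                               r"destination static (\S+) \2", line):
                cfg["nat_exempt"].append((m[1], m[2]))
    return cfg

def resolve(spec, cfg):
    """Expand 'any', 'object X', 'object-group G' or a bare object/group name into networks."""
    name = spec.split()[-1]
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [cfg["objects"][n] for n in cfg["groups"].get(name, [name]) if n in cfg["objects"]]

def covered(src, dst, pairs):
    """True if some (sources, destinations) pair fully contains both src and dst."""
    return any(any(src.subnet_of(s) for s in ss) and any(dst.subnet_of(d) for d in ds)
               for ss, ds in pairs)

def missing_spoke_to_spoke(cfg):
    """Return (src_peer, dst_peer, reason) for every ordered spoke pair lacking a prerequisite."""
    spokes = {}  # peer -> (networks that tunnel protects, resolved crypto ACL pairs)
    for e in cfg["cmap"].values():
        pairs = [(resolve(s, cfg), resolve(d, cfg)) for s, d in cfg["acls"][e["match address"]]]
        spokes[e["set peer"]] = (list(dict.fromkeys(d for _, ds in pairs for d in ds)), pairs)
    nat_pairs = [(resolve(s, cfg), resolve(d, cfg)) for s, d in cfg["nat_exempt"]]
    problems = []
    for (a_peer, (a_nets, _)), (b_peer, (b_nets, b_acl)) in permutations(spokes.items(), 2):
        for a_net in a_nets:
            for b_net in b_nets:
                if not covered(a_net, b_net, b_acl):
                    problems.append((a_peer, b_peer, f"crypto ACL towards {b_peer} lacks {a_net} -> {b_net}"))
                if not covered(a_net, b_net, nat_pairs):
                    problems.append((a_peer, b_peer, f"no (outside,outside) NAT exemption for {a_net} -> {b_net}"))
    return problems

# Constructed hub excerpt in the style of the FPR-1010 config: each tunnel only carries hub-inside <-> its spoke.
HUB_CONFIG = """
object network hub-inside
 subnet 192.168.0.0 255.255.255.0
object network thd-d-network
 subnet 192.168.3.0 255.255.255.0
object network rdl-c1
 subnet 192.168.8.0 255.255.255.0
access-list acl-thd-d extended permit ip object hub-inside object thd-d-network
access-list acl-rdl-c1 extended permit ip object hub-inside object rdl-c1
crypto map s2sCryptoMap 1 match address acl-thd-d
crypto map s2sCryptoMap 1 set peer 1.1.1.1
crypto map s2sCryptoMap 2 match address acl-rdl-c1
crypto map s2sCryptoMap 2 set peer 2.2.2.2
"""

# Constructed additions following the replies: spoke-to-spoke crypto ACL entries plus a hairpin identity NAT.
SPOKE_TO_SPOKE_FIX = """
object-group network spokes
 network-object object thd-d-network
 network-object object rdl-c1
access-list acl-thd-d extended permit ip object rdl-c1 object thd-d-network
access-list acl-rdl-c1 extended permit ip object thd-d-network object rdl-c1
nat (outside,outside) source static spokes spokes destination static spokes spokes no-proxy-arp route-lookup
"""

if __name__ == "__main__":
    for label, text in (("before", HUB_CONFIG), ("after", HUB_CONFIG + SPOKE_TO_SPOKE_FIX)):
        print(label, *[r for _, _, r in missing_spoke_to_spoke(parse_config(text))], sep="\n  ")
```

Running it on the real hub dump would report the same two gaps per spoke pair, since its NAT exemptions are all on (inside,outside) and each crypto ACL only pairs the hub-side networks with one spoke.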