Solved: Allow Communications Between Multi S2S

gal.avichid · ‎11-13-2023

Hi,

We had in our topology, 12 Cisco ASA 5506 connected S2S via 1x ASA 5506 HUB, which have had all the tunnel set there.

Last week we have upgraded to HUB to FPR-1010.

I am struggling with setting up the connectivity between to spoken ones.

Current status:

FPR-1010 can reach all

Remote sites - Cisco ASA 5506 can ping the HUB

Can't ping in between sites.

Not sure what I did missed.

FPR-1010

Spoiler

> show running-config
: Saved

:
: Serial Number: X.X.X
: Hardware: FPR-1010, 2851 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 co res)
:
NGFW Version 7.0.1
!
hostname FPR-1010
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool FPR-1010_vpn_pool 10.0.78.2-10.0.78.254

!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address dhcp setroute
ipv6 address autoconfig
ipv6 enable
!
interface Ethernet1/2
no switchport
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet1/3
no switchport
nameif c2-integration
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.14.1 255.255.255.0
!
interface Ethernet1/4
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
no switchport
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.29.254 255.255.255.0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
name-server 2620:119:35::35
dns server-group google
name-server 8.8.8.8
name-server 8.8.4.4
dns-group CiscoUmbrellaDNSServerGroup
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network mgmt_access
subnet 192.168.21.0 255.255.255.0
object network inside_network
subnet 192.168.0.0 255.255.255.0
object network c2_network
subnet 10.10.10.0 255.255.255.0
object network c2_gateway
host 192.168.14.2
object network dc_integration
host 192.168.0.11
object network home
subnet 192.168.178.0 255.255.255.0
object network FPR-1010_nl_vpn_pool
range 10.0.78.2 10.0.78.254
object network FPR-1010_vpn_pool_network
subnet 10.0.78.0 255.255.255.0
object network thd-a78
subnet 192.168.2.0 255.255.255.0
object network thd-d
range 192.168.3.1 192.168.3.4
object network thd-d-network
subnet 192.168.3.0 255.255.255.0
object network rdl-c1
subnet 192.168.8.0 255.255.255.0
object-group network |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
network-object object FPR-1010_vpn_pool_network
network-object object home
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group network site2site_networks
network-object object thd-d
network-object object thd-a78
object-group network |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
network-object object thd-d-network
object-group network |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
network-object object bgra_nl_vpn_pool_network
network-object object home
object-group network remote-sites
network-object object rdl-c1
network-object object thd-d
network-object object thd-a78
object-group network NGFW-Remote-Access-VPN|natIpv4Grp
network-object object home
object-group network NGFW-Remote-Access-VPN|natIpv4PoolGrp
network-object object FPR-1010_vpn_pool
object-group network |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
network-object object thd-a78
object-group network |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b
network-object object bgra_nl_vpn_pool_network
network-object object home
object-group network |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b
network-object object rdl-c1
object-group service |acSvcg-268435462
service-object ip
object-group network |acSrcNwg-268435462
network-object object rdl-c1
network-object object thd-a78
network-object object thd-d-network
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_ Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: s2s
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc ou tside object-group |acSrcNwg-268435462 ifc inside any rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list DfltGrpPolicy|splitAcl extended permit ip object bgra_nl_vpn_pool_ne twork any
access-list DfltGrpPolicy|splitAcl extended permit ip object home any
access-list DfltGrpPolicy|splitAcl extended permit ip object rdl-c1 any
access-list DfltGrpPolicy|splitAcl extended permit ip object thd-a78 any
access-list DfltGrpPolicy|splitAcl extended permit ip object thd-d-network any
access-list |s2sAcl|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 extended permit ip obje ct-group |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 object-group |s2sA clDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569
access-list |s2sAcl|ee02ae02-80db-11ee-a70b-af3b592dae3b extended permit ip obje ct-group |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b object-group |s2sA clDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b
access-list |s2sAcl|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 extended permit ip obje ct-group |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 object-group |s2sA clDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8
pager lines 24
logging enable
logging timestamp
logging buffer-size 5000
logging buffered informational
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu c2-integration 1500
mtu diagnostic 1500
no failover
no monitor-interface c2-integration
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b5 92dae3b |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b destination static |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b |s2sAclDestNwgV4|ee02ae02- 80db-11ee-a70b-af3b592dae3b no-proxy-arp route-lookup
nat (inside,outside) source static |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566 a78eee8 |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 destination static |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 |s2sAclDestNwgV4|0d37bbcc- 81a4-11ee-a70b-2d566a78eee8 no-proxy-arp route-lookup
nat (inside,outside) source static |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1d ea81569 |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 destination static |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 |s2sAclDestNwgV4|1d94a3d4- 7c12-11ee-a70b-4fe1dea81569 no-proxy-arp route-lookup
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote -Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic dc_integration interface
access-group NGFW_ONBOX_ACL global
route c2-integration 10.10.10.0 255.255.255.0 192.168.14.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.178.0 255.255.255.0 outside
http 10.0.78.0 255.255.255.0 outside
ip-client inside ipv6
ip-client inside
ip-client c2-integration ipv6
ip-client c2-integration
ip-client diagnostic ipv6
ip-client diagnostic
ip-client outside ipv6
ip-client outside
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|1d94a3d4-7c12-11ee-a70b-4fe1dea8 1569
crypto map s2sCryptoMap 1 set peer 1.1.1.1
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-SHA
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes unlimited
crypto map s2sCryptoMap 2 match address |s2sAcl|ee02ae02-80db-11ee-a70b-af3b592d ae3b
crypto map s2sCryptoMap 2 set peer 2.2.2.2
crypto map s2sCryptoMap 2 set ikev2 ipsec-proposal AES-SHA
crypto map s2sCryptoMap 2 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 2 set security-association lifetime kilobytes unlimited
crypto map s2sCryptoMap 3 match address |s2sAcl|0d37bbcc-81a4-11ee-a70b-2d566a78 eee8
crypto map s2sCryptoMap 3 set peer 3.3.3.3
crypto map s2sCryptoMap 3 set ikev2 ipsec-proposal AES-SHA
crypto map s2sCryptoMap 3 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 3 set security-association lifetime kilobytes unlimited
crypto map s2sCryptoMap interface outside
crypto ca permit-weak-crypto
crypto ca trustpoint DefaultInternalCertificate
enrollment terminal
keypair DefaultInternalCertificate
crl configure
crypto ca trustpool policy
crypto ca certificate chain DefaultInternalCertificate
certificate XXXX
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 outside
ssh 10.0.78.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.255.0 inside
console timeout 0
dhcp-client client-id interface outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point DefaultInternalCertificate outside
webvpn
port 8888
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/anyconnect-linux64-4.10.07073-webdeploy-k9. pkg 1
anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.10.07073-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnpkgs/anyconnect-macos-4.10.07073-webdeploy-k9.pk g 3
anyconnect profiles FRP-1010-VPN disk0:/anyconncprofs/FRP-1010-VPN.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 208.67.222.222 208.67.220.220 2620:119:35::35
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DfltGrpPolicy|splitAcl
webvpn
anyconnect ssl dtls none
anyconnect profiles value FRP-1010-VPN type user
group-policy |s2sGP|1.1.1.1 internal
group-policy |s2sGP|1.1.1.1 attributes
vpn-tunnel-protocol ikev2
group-policy |s2sGP|2.2.2.2 internal
group-policy |s2sGP|2.2.2.2 attributes
vpn-tunnel-protocol ikev2
group-policy |s2sGP|3.3.3.3 internal
group-policy |s2sGP|3.3.3.3 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username XXXXX password *****
tunnel-group FRP-1010-VPN type remote-access
tunnel-group FRP-1010-VPN general-attributes
address-pool FRP-1010_vpn_pool
tunnel-group FRP-1010-VPN webvpn-attributes
group-alias FRP-1010-VPN enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy |s2sGP|1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy |s2sGP|2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy |s2sGP|3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
snort preserve-connection
no dp-tcp-proxy
Cryptochecksum:03c6a2bc5ab9d15baf05f340ade1fe08
: end

> show running-config: Saved :: Serial Number: X.X.X: Hardware: FPR-1010, 2851 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 co res):NGFW Version 7.0.1!hostname FPR-1010enable password ***** encryptedservice-module 0 keepalive-timeout 4service-module 0 keepalive-counter 6namesno mac-address autoip local pool FPR-1010_vpn_pool 10.0.78.2-10.0.78.254 !interface Vlan1shutdownno nameifno security-levelno ip address!interface Ethernet1/1no switchportnameif outsidects manualpropagate sgt preserve-untagpolicy static sgt disabled trustedsecurity-level 0ip address dhcp setrouteipv6 address autoconfigipv6 enable!interface Ethernet1/2no switchportnameif insidects manualpropagate sgt preserve-untagpolicy static sgt disabled trustedsecurity-level 0ip address 192.168.0.254 255.255.255.0!interface Ethernet1/3no switchportnameif c2-integrationcts manualpropagate sgt preserve-untagpolicy static sgt disabled trustedsecurity-level 0ip address 192.168.14.1 255.255.255.0!interface Ethernet1/4no switchportshutdownno nameifno security-levelno ip address!interface Ethernet1/5no switchportshutdownno nameifno security-levelno ip address!interface Ethernet1/6no switchportshutdownno nameifno security-levelno ip address!interface Ethernet1/7no switchportshutdownno nameifno security-levelno ip address!interface Ethernet1/8no switchportshutdownno nameifno security-levelno ip address!interface Management1/1management-onlynameif diagnosticcts manualpropagate sgt preserve-untagpolicy static sgt disabled trustedsecurity-level 0ip address 192.168.29.254 255.255.255.0!ftp mode passivengips conn-match vlan-iddns domain-lookup anydns server-group CiscoUmbrellaDNSServerGroupname-server 208.67.222.222name-server 208.67.220.220name-server 2620:119:35::35dns server-group googlename-server 8.8.8.8name-server 8.8.4.4dns-group CiscoUmbrellaDNSServerGroupobject network any-ipv4subnet 0.0.0.0 0.0.0.0object network any-ipv6subnet ::/0object network IPv4-Private-10.0.0.0-8subnet 10.0.0.0 255.0.0.0object network IPv4-Private-172.16.0.0-12subnet 172.16.0.0 255.240.0.0object network IPv4-Private-192.168.0.0-16subnet 192.168.0.0 255.255.0.0object network mgmt_accesssubnet 192.168.21.0 255.255.255.0object network inside_networksubnet 192.168.0.0 255.255.255.0object network c2_networksubnet 10.10.10.0 255.255.255.0object network c2_gatewayhost 192.168.14.2object network dc_integrationhost 192.168.0.11object network homesubnet 192.168.178.0 255.255.255.0object network FPR-1010_nl_vpn_poolrange 10.0.78.2 10.0.78.254object network FPR-1010_vpn_pool_networksubnet 10.0.78.0 255.255.255.0object network thd-a78subnet 192.168.2.0 255.255.255.0object network thd-drange 192.168.3.1 192.168.3.4object network thd-d-networksubnet 192.168.3.0 255.255.255.0object network rdl-c1subnet 192.168.8.0 255.255.255.0object-group network |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569network-object object FPR-1010_vpn_pool_networknetwork-object object homeobject-group network IPv4-Private-All-RFC1918network-object object IPv4-Private-10.0.0.0-8network-object object IPv4-Private-172.16.0.0-12network-object object IPv4-Private-192.168.0.0-16object-group network site2site_networksnetwork-object object thd-dnetwork-object object thd-a78object-group network |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569network-object object thd-d-networkobject-group network |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8network-object object bgra_nl_vpn_pool_networknetwork-object object homeobject-group network remote-sitesnetwork-object object rdl-c1network-object object thd-dnetwork-object object thd-a78object-group network NGFW-Remote-Access-VPN|natIpv4Grpnetwork-object object homeobject-group network NGFW-Remote-Access-VPN|natIpv4PoolGrpnetwork-object object FPR-1010_vpn_poolobject-group network |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8network-object object thd-a78object-group network |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3bnetwork-object object bgra_nl_vpn_pool_networknetwork-object object homeobject-group network |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3bnetwork-object object rdl-c1object-group service |acSvcg-268435462service-object ipobject-group network |acSrcNwg-268435462network-object object rdl-c1network-object object thd-a78network-object object thd-d-networkaccess-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_ Policyaccess-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: s2saccess-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc ou tside object-group |acSrcNwg-268435462 ifc inside any rule-id 268435462access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policyaccess-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRuleaccess-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1access-list DfltGrpPolicy|splitAcl extended permit ip object bgra_nl_vpn_pool_ne twork anyaccess-list DfltGrpPolicy|splitAcl extended permit ip object home anyaccess-list DfltGrpPolicy|splitAcl extended permit ip object rdl-c1 anyaccess-list DfltGrpPolicy|splitAcl extended permit ip object thd-a78 anyaccess-list DfltGrpPolicy|splitAcl extended permit ip object thd-d-network anyaccess-list |s2sAcl|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 extended permit ip obje ct-group |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 object-group |s2sA clDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569access-list |s2sAcl|ee02ae02-80db-11ee-a70b-af3b592dae3b extended permit ip obje ct-group |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b object-group |s2sA clDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3baccess-list |s2sAcl|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 extended permit ip obje ct-group |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 object-group |s2sA clDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8pager lines 24logging enablelogging timestamplogging buffer-size 5000logging buffered informationallogging permit-hostdownmtu outside 1500mtu inside 1500mtu c2-integration 1500mtu diagnostic 1500no failoverno monitor-interface c2-integrationno monitor-interface insideno monitor-interface service-moduleicmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400no arp permit-nonconnectedarp rate-limit 16384nat (inside,outside) source static |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b5 92dae3b |s2sAclSrcNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b destination static |s2sAclDestNwgV4|ee02ae02-80db-11ee-a70b-af3b592dae3b |s2sAclDestNwgV4|ee02ae02- 80db-11ee-a70b-af3b592dae3b no-proxy-arp route-lookupnat (inside,outside) source static |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566 a78eee8 |s2sAclSrcNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 destination static |s2sAclDestNwgV4|0d37bbcc-81a4-11ee-a70b-2d566a78eee8 |s2sAclDestNwgV4|0d37bbcc- 81a4-11ee-a70b-2d566a78eee8 no-proxy-arp route-lookupnat (inside,outside) source static |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1d ea81569 |s2sAclSrcNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 destination static |s2sAclDestNwgV4|1d94a3d4-7c12-11ee-a70b-4fe1dea81569 |s2sAclDestNwgV4|1d94a3d4- 7c12-11ee-a70b-4fe1dea81569 no-proxy-arp route-lookupnat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote -Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookupnat (inside,outside) source dynamic dc_integration interfaceaccess-group NGFW_ONBOX_ACL globalroute c2-integration 10.10.10.0 255.255.255.0 192.168.14.2 1timeout xlate 3:00:00timeout pat-xlate 0:00:30timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00timeout conn-holddown 0:00:15timeout igp stale-route 0:01:10user-identity default-domain LOCALaaa authentication login-historyhttp server enablehttp 192.168.0.0 255.255.255.0 insidehttp 192.168.178.0 255.255.255.0 outsidehttp 10.0.78.0 255.255.255.0 outsideip-client inside ipv6ip-client insideip-client c2-integration ipv6ip-client c2-integrationip-client diagnostic ipv6ip-client diagnosticip-client outside ipv6ip-client outsidesnmp-server group AUTH v3 authsnmp-server group PRIV v3 privsnmp-server group NOAUTH v3 noauthsnmp-server location nullsnmp-server contact nullsnmp-server community *****sysopt connection tcpmss 0no sysopt connection permit-vpncrypto ipsec ikev2 ipsec-proposal AES-SHAprotocol esp encryption aes-256 aes-192 aesprotocol esp integrity sha-512 sha-384 sha-256 sha-1crypto ipsec security-association pmtu-aging infinitecrypto map s2sCryptoMap 1 match address |s2sAcl|1d94a3d4-7c12-11ee-a70b-4fe1dea8 1569crypto map s2sCryptoMap 1 set peer 1.1.1.1crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-SHAcrypto map s2sCryptoMap 1 set security-association lifetime seconds 28800crypto map s2sCryptoMap 1 set security-association lifetime kilobytes unlimitedcrypto map s2sCryptoMap 2 match address |s2sAcl|ee02ae02-80db-11ee-a70b-af3b592d ae3bcrypto map s2sCryptoMap 2 set peer 2.2.2.2crypto map s2sCryptoMap 2 set ikev2 ipsec-proposal AES-SHAcrypto map s2sCryptoMap 2 set security-association lifetime seconds 28800crypto map s2sCryptoMap 2 set security-association lifetime kilobytes unlimitedcrypto map s2sCryptoMap 3 match address |s2sAcl|0d37bbcc-81a4-11ee-a70b-2d566a78 eee8crypto map s2sCryptoMap 3 set peer 3.3.3.3crypto map s2sCryptoMap 3 set ikev2 ipsec-proposal AES-SHAcrypto map s2sCryptoMap 3 set security-association lifetime seconds 28800crypto map s2sCryptoMap 3 set security-association lifetime kilobytes unlimitedcrypto map s2sCryptoMap interface outsidecrypto ca permit-weak-cryptocrypto ca trustpoint DefaultInternalCertificateenrollment terminalkeypair DefaultInternalCertificatecrl configurecrypto ca trustpool policycrypto ca certificate chain DefaultInternalCertificatecertificate XXXXquitcrypto ikev2 policy 1encryption aes-256integrity shagroup 14prf shalifetime seconds 86400crypto ikev2 enable outsidecrypto ikev1 policy 2authentication pre-shareencryption aes-256hash shagroup 14lifetime 86400telnet timeout 5ssh 192.168.178.0 255.255.255.0 outsidessh 10.0.78.0 255.255.255.0 outsidessh 192.168.0.0 255.255.255.0 insideconsole timeout 0dhcp-client client-id interface outsidedhcprelay timeout 60threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptssl trust-point DefaultInternalCertificate outsidewebvpnport 8888enable outsidehttp-headershsts-serverenablemax-age 31536000include-sub-domainsno preloadhsts-clientenablex-content-type-optionsx-xss-protectioncontent-security-policyanyconnect image disk0:/anyconnpkgs/anyconnect-linux64-4.10.07073-webdeploy-k9. pkg 1anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.10.07073-webdeploy-k9.pkg 2anyconnect image disk0:/anyconnpkgs/anyconnect-macos-4.10.07073-webdeploy-k9.pk g 3anyconnect profiles FRP-1010-VPN disk0:/anyconncprofs/FRP-1010-VPN.xmlanyconnect enabletunnel-group-list enablecachedisableerror-recovery disablegroup-policy DfltGrpPolicy attributesdns-server value 208.67.222.222 208.67.220.220 2620:119:35::35vpn-tunnel-protocol ssl-clientsplit-tunnel-policy tunnelspecifiedsplit-tunnel-network-list value DfltGrpPolicy|splitAclwebvpnanyconnect ssl dtls noneanyconnect profiles value FRP-1010-VPN type usergroup-policy |s2sGP|1.1.1.1 internalgroup-policy |s2sGP|1.1.1.1 attributesvpn-tunnel-protocol ikev2group-policy |s2sGP|2.2.2.2 internalgroup-policy |s2sGP|2.2.2.2 attributesvpn-tunnel-protocol ikev2group-policy |s2sGP|3.3.3.3 internalgroup-policy |s2sGP|3.3.3.3 attributesvpn-tunnel-protocol ikev2dynamic-access-policy-record DfltAccessPolicyusername XXXXX password *****tunnel-group FRP-1010-VPN type remote-accesstunnel-group FRP-1010-VPN general-attributesaddress-pool FRP-1010_vpn_pooltunnel-group FRP-1010-VPN webvpn-attributesgroup-alias FRP-1010-VPN enabletunnel-group 1.1.1.1 type ipsec-l2ltunnel-group 1.1.1.1 general-attributesdefault-group-policy |s2sGP|1.1.1.1tunnel-group 1.1.1.1 ipsec-attributesikev2 remote-authentication pre-shared-key *****ikev2 local-authentication pre-shared-key *****tunnel-group 2.2.2.2 type ipsec-l2ltunnel-group 2.2.2.2 general-attributesdefault-group-policy |s2sGP|2.2.2.2tunnel-group 2.2.2.2 ipsec-attributesikev2 remote-authentication pre-shared-key *****ikev2 local-authentication pre-shared-key *****tunnel-group 3.3.3.3 type ipsec-l2ltunnel-group 3.3.3.3 general-attributesdefault-group-policy |s2sGP|3.3.3.3tunnel-group 3.3.3.3 ipsec-attributesikev2 remote-authentication pre-shared-key *****ikev2 local-authentication pre-shared-key *****!class-map inspection_defaultmatch default-inspection-trafficclass-map class_snmpmatch port udp eq 4161!!policy-map type inspect dns preset_dns_mapparametersmessage-length maximum client automessage-length maximum 512no tcp-inspectionpolicy-map global_policyclass inspection_defaultinspect dns preset_dns_mapinspect ftpinspect h323 h225inspect h323 rasinspect rshinspect rtspinspect sqlnetinspect skinnyinspect sunrpcinspect sipinspect netbiosinspect tftpinspect ip-optionsinspect icmpinspect icmp errorinspect xdmcpclass class_snmpinspect snmp!service-policy global_policy globalprompt hostname contextsnort preserve-connectionno dp-tcp-proxyCryptochecksum:03c6a2bc5ab9d15baf05f340ade1fe08: end

ASA 5506:

Spoiler

hostname FW-RDL
enable password xxxx pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 3.3.3.3 255.255.255.252
!
interface GigabitEthernet1/2
nameif admin
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
nameif mgmt
security-level 0
ip address 192.168.21.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network xxxx
host 192.168.8.2
object network xxxxx
host 192.168.8.3
object network xxxxx
host 192.168.0.130
object network xxxx
host 192.168.8.4
object network FRP-1010-vpn
subnet 192.168.178.0 255.255.255.0
object network c3-1
subnet 192.168.11.0 255.255.255.0
object network c3-2
subnet 192.168.12.0 255.255.255.0
object network cbrn-sts
subnet 10.5.100.0 255.255.255.0
object network drn-c2
subnet 192.168.9.0 255.255.255.0
object network hvt-c1
subnet 192.168.7.0 255.255.255.0
object network oct-c1
subnet 192.168.6.0 255.255.255.0
object network sbn-b
subnet 192.168.4.0 255.255.255.0
object network sbn-c1
subnet 192.168.5.0 255.255.255.0
object network thd-a78
subnet 192.168.2.0 255.255.255.0
object network thd-a77
subnet 192.168.10.0 255.255.255.0
object network thd-d
subnet 192.168.3.0 255.255.255.0
object network vpn_pool
subnet 10.0.78.0 255.255.255.0
object network admin-network
subnet 192.168.8.0 255.255.255.0
object network xxxx
host 192.168.8.11
object network home
subnet 192.168.178.0 255.255.255.0
object-group network remote-sites
network-object object c3-1
network-object object c3-2
network-object object xxx
network-object object drn-c2
network-object object hvt-c1
network-object object oct-c1
network-object object sbn-b
network-object object sbn-c1
network-object object thd-a77
network-object object thd-a78
network-object object thd-d
network-object object vpn_pool
network-object object home
network-object object FRP-1010-vpn
access-list vpn-traffic extended permit ip object admin-network object-group remote-sites
pager lines 24
logging enable
logging list email-alerts level alerts
logging list email-alerts message 735001-735004
logging list email-alerts message 735007
logging list email-alerts message 735020
logging list email-alerts message 748008-748009
logging list email-alerts message 735022
logging list email-alerts message 806001-806008
logging list email-alerts message 735012
logging asdm informational

mtu outside 1500
mtu admin 1500
mtu inside 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
!
object network dc_internet_nat
nat (any,outside) dynamic interface
object network wsus_internet_nat
nat (any,outside) dynamic interface
object network milestone_internet_nat
nat (any,outside) dynamic interface
object network zabbix_internet_nat
nat (any,outside) dynamic interface
object network dc_rdl_internet
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 99.999.99.99 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.21.0 255.255.255.0 mgmt
http 192.168.8.0 255.255.255.0 admin

no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change cpu-temperature chassis-temperature accelerator-temperature
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set S2S-IKv1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal vpn-transform
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-MAP 1 match address vpn-traffic
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 9.9.9.9
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal vpn-transform
crypto map CRYPTO-MAP 2 set pfs group19
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.8.0 255.255.255.0 admin
ssh 192.168.21.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn username xxxx password ***** store-local

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
tunnel-group FRP-1010-IP type ipsec-l2l
tunnel-group FRP-1010-IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global

prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e19fe00e7ff8cf8ced267cfac4cf3bf0
: end

hostname FW-RDLenable password xxxx pbkdf2names !interface GigabitEthernet1/1nameif outsidesecurity-level 0ip address 3.3.3.3 255.255.255.252!interface GigabitEthernet1/2nameif adminsecurity-level 100ip address 192.168.8.254 255.255.255.0!interface GigabitEthernet1/3nameif insidesecurity-level 100ip address 192.168.0.254 255.255.255.0!interface GigabitEthernet1/4shutdownno nameifsecurity-level 100no ip address!interface GigabitEthernet1/5shutdownno nameifsecurity-level 100no ip address!interface GigabitEthernet1/6shutdownno nameifsecurity-level 100no ip address!interface GigabitEthernet1/7shutdownno nameifsecurity-level 100no ip address!interface GigabitEthernet1/8shutdownno nameifsecurity-level 100no ip address!interface Management1/1management-onlynameif mgmtsecurity-level 0ip address 192.168.21.254 255.255.255.0!ftp mode passivesame-security-traffic permit inter-interfaceobject network xxxxhost 192.168.8.2object network xxxxxhost 192.168.8.3object network xxxxxhost 192.168.0.130object network xxxxhost 192.168.8.4object network FRP-1010-vpnsubnet 192.168.178.0 255.255.255.0object network c3-1subnet 192.168.11.0 255.255.255.0object network c3-2subnet 192.168.12.0 255.255.255.0object network cbrn-stssubnet 10.5.100.0 255.255.255.0object network drn-c2subnet 192.168.9.0 255.255.255.0object network hvt-c1subnet 192.168.7.0 255.255.255.0object network oct-c1subnet 192.168.6.0 255.255.255.0object network sbn-bsubnet 192.168.4.0 255.255.255.0object network sbn-c1subnet 192.168.5.0 255.255.255.0object network thd-a78subnet 192.168.2.0 255.255.255.0object network thd-a77subnet 192.168.10.0 255.255.255.0object network thd-dsubnet 192.168.3.0 255.255.255.0object network vpn_poolsubnet 10.0.78.0 255.255.255.0object network admin-networksubnet 192.168.8.0 255.255.255.0object network xxxxhost 192.168.8.11object network homesubnet 192.168.178.0 255.255.255.0object-group network remote-sitesnetwork-object object c3-1network-object object c3-2network-object object xxxnetwork-object object drn-c2network-object object hvt-c1network-object object oct-c1network-object object sbn-bnetwork-object object sbn-c1network-object object thd-a77network-object object thd-a78network-object object thd-dnetwork-object object vpn_poolnetwork-object object homenetwork-object object FRP-1010-vpnaccess-list vpn-traffic extended permit ip object admin-network object-group remote-sitespager lines 24logging enablelogging list email-alerts level alertslogging list email-alerts message 735001-735004logging list email-alerts message 735007logging list email-alerts message 735020logging list email-alerts message 748008-748009logging list email-alerts message 735022logging list email-alerts message 806001-806008logging list email-alerts message 735012logging asdm informational mtu outside 1500mtu admin 1500mtu inside 1500mtu mgmt 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400no arp permit-nonconnectedarp rate-limit 16384nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup!object network dc_internet_natnat (any,outside) dynamic interfaceobject network wsus_internet_natnat (any,outside) dynamic interfaceobject network milestone_internet_natnat (any,outside) dynamic interfaceobject network zabbix_internet_natnat (any,outside) dynamic interfaceobject network dc_rdl_internetnat (any,outside) dynamic interfaceroute outside 0.0.0.0 0.0.0.0 99.999.99.99 1timeout xlate 3:00:00timeout pat-xlate 0:00:30timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00timeout conn-holddown 0:00:15timeout igp stale-route 0:01:10user-identity default-domain LOCALaaa authentication http console LOCALaaa authentication ssh console LOCALaaa authentication login-historyhttp server enablehttp 192.168.21.0 255.255.255.0 mgmthttp 192.168.8.0 255.255.255.0 admin no snmp-server locationno snmp-server contactsnmp-server community *****snmp-server enable traps syslogsnmp-server enable traps ipsec start stopsnmp-server enable traps entity config-change cpu-temperature chassis-temperature accelerator-temperaturesnmp-server enable traps memory-thresholdsnmp-server enable traps interface-thresholdsnmp-server enable traps remote-access session-threshold-exceededsnmp-server enable traps connection-limit-reachedsnmp-server enable traps cpu threshold risingsnmp-server enable traps ikev2 start stopsnmp-server enable traps nat packet-discardsnmp-server enable traps configservice sw-reset-buttoncrypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmaccrypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transportcrypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmaccrypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transportcrypto ipsec ikev1 transform-set S2S-IKv1 esp-aes-256 esp-sha-hmaccrypto ipsec ikev2 ipsec-proposal vpn-transformprotocol esp encryption aes-256protocol esp integrity sha-1crypto ipsec ikev2 ipsec-proposal AES256protocol esp encryption aes-256protocol esp integrity sha-1 md5crypto ipsec ikev2 ipsec-proposal AES192protocol esp encryption aes-192protocol esp integrity sha-1 md5crypto ipsec ikev2 ipsec-proposal AESprotocol esp encryption aesprotocol esp integrity sha-1 md5crypto ipsec ikev2 ipsec-proposal 3DESprotocol esp encryption 3desprotocol esp integrity sha-1 md5crypto ipsec ikev2 ipsec-proposal DESprotocol esp encryption desprotocol esp integrity sha-1 md5crypto ipsec security-association pmtu-aging infinitecrypto map CRYPTO-MAP 1 match address vpn-trafficcrypto map CRYPTO-MAP 1 set pfs group5crypto map CRYPTO-MAP 1 set peer 9.9.9.9crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal vpn-transformcrypto map CRYPTO-MAP 2 set pfs group19crypto map CRYPTO-MAP interface outsidecrypto ca trustpool policycrypto ikev2 policy 10encryption aes-256integrity shagroup 14prf shalifetime seconds 86400crypto ikev2 enable outsidecrypto ikev1 policy 2authentication pre-shareencryption aes-256hash shagroup 2lifetime 86400telnet timeout 5ssh stricthostkeycheckssh 192.168.8.0 255.255.255.0 adminssh 192.168.21.0 255.255.255.0 mgmtssh timeout 5ssh key-exchange group dh-group1-sha1console timeout 0vpdn username xxxx password ***** store-local dhcpd auto_config outside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptgroup-policy DfltGrpPolicy attributesvpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientlessdynamic-access-policy-record DfltAccessPolicytunnel-group FRP-1010-IP type ipsec-l2ltunnel-group FRP-1010-IP ipsec-attributesikev1 pre-shared-key *****ikev2 remote-authentication pre-shared-key *****ikev2 local-authentication pre-shared-key *****!class-map inspection_defaultmatch default-inspection-traffic!!policy-map type inspect dns preset_dns_mapparametersmessage-length maximum client automessage-length maximum 512no tcp-inspectionpolicy-map global_policyclass inspection_defaultinspect dns preset_dns_mapinspect ftpinspect h323 h225inspect h323 rasinspect rshinspect rtspinspect esmtpinspect sqlnetinspect skinnyinspect sunrpcinspect xdmcpinspect sipinspect netbiosinspect tftpinspect ip-optionsinspect icmp!service-policy global_policy global prompt hostname contextno call-home reporting anonymousCryptochecksum:e19fe00e7ff8cf8ced267cfac4cf3bf0: end

Thanks

gal.avichid · ‎11-16-2023

The solution was to add the local network of the HUB FW to each S2S connection.

Allowing communicate between all S2S.

Thanks all for the help!

View solution in original post

Aref Alsouqi · ‎11-14-2023

I think the issue could be related to some missing NAT hairpinning rules and maybe some missing rules on the crypto map access list. The traffic that will be coming from a branch to another passing through the hub would need to be defined in the hub crypto access lists and would need to be exempted from being NAT'ed.

gal.avichid · ‎11-14-2023

Sorry, pressed mistakenly on the solution button.

I have set in the remote ASA's ACL for allow communications from the local network to the remote local networks.

In the HUB I can't find the crypto access list its FDM and i am new to this one

I have tried to exempt from NAT the remote local networks on the HUB but no luck.

On the HUB i did packet-tracer and ping is allowed from remote A to remote B.

What else i am missing?

MHM Cisco World · ‎11-14-2023

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_site_to_site_vpns.html

use hub and spoke type not S2S

gal.avichid · ‎11-14-2023

My menu is different, I guess because I use FTD and not FMC?

Can I achieve the same result with FTD?

Thanks

MHM Cisco World · ‎11-14-2023

You meaning fdm?

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-s2svpn.html

gal.avichid · ‎11-14-2023

Sorry, yes - FDM is the one running on the HUB

MHM Cisco World · ‎11-14-2023

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html

I see you are little confused'

Check these steps to config s2s to each spoke.

Note:- I check guide about hub and spoke in fdm it hard using dynamic so we will instead use s2s to each site.

For NAT you need to no-NAT for each spoke subnet to other spoke subnet

""manual NAT Exempt rule needs to be created under the Policies > NAT.""

The last pieces is routing. Do you config routing for spoke in hub?

gal.avichid · ‎11-14-2023

The tunnels are up and working.

From Site A to HUB

From Site B to HUB

When I am trying to packet-trace from Site A to B or vice versa:

Result of the command: "packet-tracer input admin icmp 192.168.8.2 8 0 192.168.3.2"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.3.2/0 to 192.168.3.2/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.8.2/0 to 192.168.8.2/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: admin
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MHM Cisco World · ‎11-14-2023

packet-tracer input admin icmp 192.168.8.2 8 0 192.168.3.2"

But the traffic come from outside and please add detail to packet tracer and do it twice.

gal.avichid · ‎11-14-2023

Result of the command: "packet-tracer input outside icmp 192.168.3.2 8 0 192.168.8.2 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.8.2 using egress ifc admin

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d18691a20, priority=6, domain=nat, deny=false
hits=0, user_data=0x7f2d175c9890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.8.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=admin

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d16860c40, priority=0, domain=nat-per-session, deny=true
hits=133458, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d17493de0, priority=0, domain=permit, deny=true
hits=650, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: admin
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "packet-tracer input outside icmp 192.168.3.2 8 0 192.168.8.2 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.8.2 using egress ifc admin

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (admin,outside) source static admin-network admin-network destination static remote-sites remote-sites no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d18691a20, priority=6, domain=nat, deny=false
hits=1, user_data=0x7f2d175c9890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.8.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=admin

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d16860c40, priority=0, domain=nat-per-session, deny=true
hits=133463, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d17493de0, priority=0, domain=permit, deny=true
hits=651, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: admin
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MHM Cisco World · ‎11-14-2023

nat (outside,outside) source static remotesiteA reemotesiteA destination static remotesiteB remotesiteB no-proxy-arp route-lookup

add this nat

gal.avichid · ‎11-14-2023

that should be on the HUB or on SITE A+B?

MHM Cisco World · ‎11-14-2023

on Hub it must hairpin traffic without nat

gal.avichid · ‎11-14-2023

as far as i know "same-security-traffic permit intra-interface" is enabled by default on FTD?