I have a Cisco ASA5506 that we are presently using to firewall/route 2 separate networks with 2 separate ISP "devices". This is in a remote location so the 2 ISPs are essentially 2 different 4G cards with different public static IPs and we have 2 different internal networks, each routing to a "dedicated" 4G card using PBR.
We have successfully configured a S2S VPN tunnel on the "default route" subnet/public IP, but we are having some difficulty terminating a VPN tunnel on the second ISP interface.
Essentially our physical network layout is as follows:
ISP Card 1 ISP Card 2
(24.x.x.x) (75.x.x.x)
| (int g1/1, outside) | (int g1/7, outside2)
----------------------------------------
Firewall
----------------------------------------
| {int g1/2) | {int g1/8)
Internal Network 1 Internal Network 2
(192.168.1.1/24 inside) (192.168.2.1/24 inside2)
we have the default route set to the next hop of ISP1 (route outside 0.0.0.0 0.0.0.0 24.x.x.1) and we are using policy based routing on int g1/8 (inside2) to set the next hop and interface to outside2 and the next hop for that interface.
access-list al_inside2_to_outside2 permit ip 192.168.2.0 255.255.255.0 any
route-map inside2-to-outside2 permit 10
match ip address al_inside2_to_outside2
set interface outside2
set ip next-hop 75.x.x.1
I have also added a PBR route-map on the g1/7 (outside2) interface that essentially routes all interface traffic back out to the outside2 next hop as well... (added this after the log output you will see below, same outputs without this route-map)
access-list al_outside2_back_outside2 permit ip host 75.x.x.x any
route-map outside2_back_outside2 permit 10
match ip address al_outside2_back_outside2
set interface outside2
set ip next-hop 75.x.x.1
Normal internet browsing all works as expected and what is my ip from a computer on the inside2 interface shows the outside2 public interface ip address (PAT is enabled on the interface).
To configure the VPN, we configured nat exemption with nat (inside2,outside2) for the interesting traffic and created the proper interesting traffic acl. A second crypto map was created and applied to the outside2 interface. However, we get no connectivity and packet-tracer is showing a drop almost right away and I don't understand what little nuisance I may be overlooking. The logs also output a message of:
Routing failed to locate next hop for UDP from identity:75.x.x.x500 to outside2:173.x.x.x/500
But that doesn't seem to jive with what packet-tracer complains about where it seems to find a correct route:
packet-tracer input inside2 icmp 192.168.2.50 8 0 <ip on other side of tunnel>
provides output of (IPs obviously changed to match example IPs I have used throughout the question):
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map inside2-to-outside2 permit 10
match ip address al_inside2-to-outside2
set ip next-hop 75.x.x.1
set interface outside2
Additional Information:
Matched route-map inside2-to-outside2, sequence 10, permit
Found next-hop 75.x.x.1 using egress ifc outside2
*** Finds Next hop and correct interface ****
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,outside2) source static Management_VPN_Secured_Networks Management_VPN_Secured_Networks destination static Remote-Network Remote-Network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.186.1/0 to 192.168.186.1/0
**** Why despite referencing the correct nat rule with inside2 and outside2 does this portion indicated a NAT divert to the "outside" (instead of outside2) interface. I think this is the issue ****
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,outside2) source static Management_VPN_Secured_Networks Management_VPN_Secured_Networks destination static Remote-Network Remote-Network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.50/0 to 192.168.2.50/0
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Any ideas on what I may be missing here?
Also, if I do a packet trace on to try to track the public IP routing between the endpoints (essentially what the logs are complaining it cannot find), I get the following:
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map outside2_back_outside2 permit 10
match ip address al_outside2_back_outside2
set ip next-hop 75.x.x.1
set interface outside2
Additional Information:
Matched route-map outside2_back_outside2, sequence 10, permit
Found next-hop 75.x.x.1 using egress outside2
**** Finds correct next hop and interface ****
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
*** Then mysteriously drops it ****
