Hi all,
I am having an issue setting up S2S VPN on our new ASA 5506 model. When I try to add the vpn via the wizard, I get an error if I choose "inside" on the NAT exempt page. The error is below.
VPN and AnyConnect
[OK] access-list outside_cryptomap line 1 extended permit ip object Subnet_3 object-group Head_Office_Group
[OK] group-policy GroupPolicy_X.X.X.X attributes
group-policy GroupPolicy_X.X.X.X attributes
[ERROR] no split-tunnel-all-dns
Command failed
[OK] exit
[OK] tunnel-group X.X.X.X ipsec-attributes
tunnel-group X.X.X.X ipsec-attributes
[OK] ikev2 local-authentication pre-shared-key **********
[OK] ikev2 remote-authentication pre-shared-key **********
[OK] crypto map outside_map 4 match address outside_cryptomap
[OK] clear configure access-list outside_cryptomap_4
[ERROR] nat (inside,outside) 5 source static Subnet_3 Subnet_3 destination static Head_Office_Group Head_Office_Group no-proxy-arp route-lookup
nat (inside,outside) 5 source static Subnet_3 Subnet_3 destinati ^on static Head_Office_Group Head_Office_Group no-proxy-arp route-lookup
ERROR: % Invalid input detected at '^' marker.
However, if I choose for example "inside1" or "inside2", the wizard will complete but I can only vpn to that interface.
Our service providers set up the firewall initially and I have noticed that our other two firewalls that use S2S vpn without issue (both ASA 5505's) are set up in the interface area as a VLAN. This ASA 5506 has been set up as a Bridge Group. So on the 5505 we just have an inside and an outside. This 5506 has an inside, an outside, and then inside1, inside2, inside3, etc.
I'm not sure how to resolve this. Do I need to re-setup the firewall from scratch using the VLAN option (I can't see a way to change from bridge group to VLAN so not sure if this is even possible on this model). Or is there some other way to get the S2S working so that I can connect to all insideX interfaces?
Thanks in advance for any guidance that you can provide!
