Recently I have established a VPN connection between our Head Office and Branch Office ASA firewalls. But we are facing some issues, and one more requirement is pending. Please find attached config for your kind reference.
One-way Ping Issue: Branch office connectivity to Head Office (LAN to LAN) is fine. But from Head Office to Branch office, LAN connectivity is not happening to a particular subnet (172.16.20.X): pings from the remote subnets at the branch office to the head office subnets are fine, but pings from the Head Office LAN (172.16.10.X) to the branch office LAN (172.16.20.X) are not happening. From the HO ASA also it's not pinging.
New requirement to do
Only users at the remote subnet (172.16.20.X) should use the internet of the Head Office. The reason why we are trying to implement this is that there is no proxy set at the Remote office at the moment, so we would like to use the same proxy located in the HO LAN (172.26.10.X) for remote location users as well.
Let's first take a look at your Encryption Domain. It states that the networks participating in the L2L VPN Connection are
The Branch Site is easy to check as it only has one local interface and all the source networks behind that interface. Your Crypto ACL and the NAT0 ACL match each other on the Branch Office site, so that should be fine. Also you don't have an internal interface ACL configured, so all traffic should be allowed.
On the Head Office it seems to me that you have not allowed traffic to be initiated to the remote site network 172.16.20.0/24.
You can test this with "packet-tracer" on the Head Office ASA
packet-tracer input inside tcp
See if it gets blocked by the ACL
Or you could simply allow all traffic from the Head Office local LAN networks to the Branch Office in the ACL
access-list ACL-inside line 1 remark Allow traffic to L2L VPN
access-list ACL-inside line 2 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
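To verify the answer above end to end, here is an added ASA CLI walk-through (not part of the original reply); the host addresses 172.16.10.10 and 172.16.20.10 are constructed test hosts, and the ACL name ACL-inside and interface name inside are assumed from the reply.

```cisco
! Simulate the failing direction (HO LAN host pinging a Branch LAN host).
! Look at the ACCESS-LIST phase: "Result: DROP" there means the inside ACL
! is blocking the initiation, before the VPN phase is ever reached.
packet-tracer input inside icmp 172.16.10.10 8 0 172.16.20.10 detailed

! Allow HO LAN -> Branch LAN on the inside interface ACL (from the reply),
! then make sure the ACL is actually applied inbound on that interface.
access-list ACL-inside line 1 remark Allow traffic to L2L VPN
access-list ACL-inside line 2 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-group ACL-inside in interface inside

! Re-run the trace; every phase (ACCESS-LIST, NAT, VPN, FLOW-CREATION)
! should now show ALLOW and the VPN phase should reference the L2L peer.
packet-tracer input inside icmp 172.16.10.10 8 0 172.16.20.10

! Confirm real traffic is matching the new entry (hitcnt increments).
show access-list ACL-inside
```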