3630 Views, 5 Helpful, 24 Replies

Subnet on VPN gets decaps but no encaps, ASA 5510

JLOW1213
Level 1

I've reconfigured the VPN 5 times now and keep running into the same problem. I have a Cisco ASA 5510 connected via site-to-site VPN to a Sophos XG115. The Cisco side has 11 subnets and the Sophos has 1. The primary subnet on the Cisco does not send any traffic over the VPN. It gets decaps from the Sophos, but no encaps going the other way. The other 10 subnets on the Cisco side have no problems communicating back and forth. I have the NAT exempt rule set up and when I run packet tracer everything is allowed through. So I have no idea what to look at next. I've gone through line by line and removed every remnant of the VPN and then set it up again from scratch 5 times. Any help would be greatly appreciated.

24 Replies

Francesco Molino
VIP Alumni

Hi

Can you share your config and packet-tracer output?

Also, while sharing the config, please give more info on the subnets at each site that need to communicate with each other.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here is the running config. Thanks!


ciscoasa#
interface Ethernet0/0
nameif Outside
security-level 0
ip address 67.58.258.241 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 1
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif Allworx
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.254 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name SEASONS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Websense
description Websense Clusters
network-object Websense03 255.255.248.0
network-object Websense04 255.255.248.0
network-object Websense01 255.255.240.0
network-object Websense02 255.255.248.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object 192.168.6.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.6.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group service RDP tcp
port-object eq 3389
port-object eq ssh
object-group service Allworx udp
description Ports 15000-15511
port-object range 15000 15511
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq 81
object-group service DM_INLINE_TCP_1 tcp
port-object eq 81
port-object eq www
object-group network DM_INLINE_NETWORK_1
network-object host Outside
network-object host 67.58.258.244
object-group service DM_INLINE_TCP_2 tcp
port-object eq 3391
port-object eq 3399
object-group network DM_INLINE_NETWORK_7
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object 192.168.5.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
port-object eq 9675
port-object eq https
object-group network DM_INLINE_NETWORK_9
network-object host 63.229.189.21
network-object host 67.22.192.129
network-object host 63.229.189.93
object-group network DM_INLINE_NETWORK_10
network-object host 67.58.258.241
network-object host 67.58.258.140
network-object host 67.58.258.141
object-group network DM_INLINE_NETWORK_11
network-object host 67.58.258.241
network-object host 67.58.258.140
network-object host 67.58.258.141
object-group network DM_INLINE_NETWORK_12
network-object host 67.58.258.241
network-object host 67.58.258.140
network-object host 67.58.258.141
object-group network DM_INLINE_NETWORK_13
network-object host 67.58.258.241
network-object host 67.58.258.140
network-object host 67.58.258.141
object-group network DM_INLINE_NETWORK_14
network-object host 67.58.258.241
network-object host 67.58.258.140
network-object host 67.58.258.141
object-group service Polycom tcp
description 3230-3250
port-object range 3230 3250
object-group service DM_INLINE_TCP_5 tcp
port-object eq 3394
port-object eq 3395
port-object eq 3391
object-group network DM_INLINE_NETWORK_5
network-object Inside 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 192.168.11.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list tcp-state-bypass extended permit ip Inside 255.255.255.0 192.168.8.0 255.255.255.0
access-list tcp-state-bypass extended permit ip Inside 255.255.255.0 192.168.2.0 255.255.255.0
access-list tcp-state-bypass extended permit ip Inside 255.255.255.0 192.168.3.0 255.255.255.0
access-list tcp-state-bypass extended permit ip Inside 255.255.255.0 192.168.4.0 255.255.255.0
access-list tcp-state-bypass extended permit ip Inside 255.255.255.0 192.168.5.0 255.255.255.0
access-list tcp-state-bypass extended permit ip Inside 255.255.255.0 192.168.11.0 255.255.255.0
access-list tcp-state-bypass extended permit ip 192.168.8.0 255.255.255.0 Inside 255.255.255.0
access-list tcp-state-bypass extended permit ip 192.168.2.0 255.255.255.0 Inside 255.255.255.0
access-list tcp-state-bypass extended permit ip 192.168.3.0 255.255.255.0 Inside 255.255.255.0
access-list tcp-state-bypass extended permit ip 192.168.4.0 255.255.255.0 Inside 255.255.255.0
access-list tcp-state-bypass extended permit ip 192.168.5.0 255.255.255.0 Inside 255.255.255.0
access-list tcp-state-bypass extended permit ip 192.168.11.0 255.255.255.0 Inside 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 object-group DM_INLINE_NETWORK_7
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_3
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 192.168.12.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 192.168.22.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 172.31.99.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 192.168.7.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Inside 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.1.208 255.255.255.240
access-list Outside_cryptomap extended permit ip Inside 255.255.255.0 192.168.4.0 255.255.255.0
access-list Outside_cryptomap extended permit ip Inside 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap extended permit ip Inside 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.7.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.9.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list OUTSIDE_IN_ACL extended permit icmp host 63.229.189.21 host 67.58.258.241 unreachable inactive
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.241 eq pptp
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.243 object-group DM_INLINE_TCP_3 inactive
access-list OUTSIDE_IN_ACL extended permit udp object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_14 eq 2088 inactive
access-list OUTSIDE_IN_ACL extended permit ip any host 67.58.258.244
access-list OUTSIDE_IN_ACL remark Track-It!
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.243 object-group DM_INLINE_TCP_1 inactive
access-list OUTSIDE_IN_ACL remark USX
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.245 eq https
access-list OUTSIDE_IN_ACL remark PPM
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.242 eq www inactive
access-list OUTSIDE_IN_ACL remark SIP Phone - External
access-list OUTSIDE_IN_ACL extended permit udp any object-group DM_INLINE_NETWORK_13 eq sip inactive
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.139 inactive
access-list OUTSIDE_IN_ACL extended permit udp any host 67.58.258.139 inactive
access-list OUTSIDE_IN_ACL remark Allworx SMTP
access-list OUTSIDE_IN_ACL extended permit tcp any object-group DM_INLINE_NETWORK_12 eq 26 inactive
access-list OUTSIDE_IN_ACL extended permit tcp any object-group DM_INLINE_NETWORK_11 eq imap4 inactive
access-list OUTSIDE_IN_ACL remark Mobile Link - Allworx
access-list OUTSIDE_IN_ACL extended permit tcp any object-group DM_INLINE_NETWORK_10 eq 8081 inactive
access-list OUTSIDE_IN_ACL remark RDP-In
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.241 object-group DM_INLINE_TCP_2 inactive
access-list OUTSIDE_IN_ACL remark RDP-In
access-list OUTSIDE_IN_ACL extended permit tcp any host 67.58.258.242 object-group DM_INLINE_TCP_5 inactive
access-list OUTSIDE_IN_ACL extended permit tcp any interface Outside eq 3394 inactive
access-list OUTSIDE_IN_ACL extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list Outside_cryptomap_1 extended permit ip Inside 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.5.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.7.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.6.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.8.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.11.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list netflow-export extended permit ip any any
access-list Outside_cryptomap_4 extended permit ip Inside 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.9.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.7.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.8.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_4 extended permit ip 192.168.11.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip Inside 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.6.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.9.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 192.168.11.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip Inside 255.255.255.0 192.168.12.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_6 192.168.12.0 255.255.255.0
access-list dns-bypass extended deny ip 192.168.3.0 255.255.255.0 any
access-list dns-bypass extended deny ip 192.168.4.0 255.255.255.0 any
access-list dns-bypass extended deny ip 192.168.5.0 255.255.255.0 any
access-list dns-bypass extended deny ip 192.168.8.0 255.255.255.0 any
access-list dns-bypass extended deny ip 192.168.11.0 255.255.255.0 any
access-list dns-bypass extended deny ip Inside 255.255.255.0 192.168.5.0 255.255.255.0
access-list dns-bypass extended deny ip Inside 255.255.255.0 192.168.4.0 255.255.255.0
access-list dns-bypass extended deny ip Inside 255.255.255.0 192.168.2.0 255.255.255.0
access-list dns-bypass extended deny ip Inside 255.255.255.0 192.168.8.0 255.255.255.0
access-list dns-bypass extended deny ip Inside 255.255.255.0 192.168.3.0 255.255.255.0
access-list dns-bypass extended deny ip Inside 255.255.255.0 192.168.11.0 255.255.255.0
access-list dns-bypass extended permit udp any any eq domain
access-list Allworx_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 object-group DM_INLINE_NETWORK_8
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 192.168.1.91 1034
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Allworx 1500
mtu management 1500
ip local pool VPN_DHCP 192.168.1.210-192.168.1.220 mask 255.255.255.0
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp permit any Outside
icmp permit any time-exceeded Inside
icmp permit any unreachable Inside
icmp permit any Inside
icmp permit any Allworx
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Outside) 105 67.58.258.244 netmask 255.0.0.0
global (DMZ) 101 interface
global (Allworx) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Allworx) 0 access-list Allworx_nat0_outbound
nat (Allworx) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (Allworx,Outside) tcp interface 8081 192.168.11.220 8081 netmask 255.255.255.255
static (Allworx,Outside) tcp interface imap4 192.168.11.220 imap4 netmask 255.255.255.255
static (Allworx,Outside) tcp interface 26 192.168.11.220 26 netmask 255.255.255.255
static (Allworx,Outside) udp interface sip 192.168.11.220 sip netmask 255.255.255.255
static (Allworx,Outside) udp interface 2088 192.168.11.220 2088 netmask 255.255.255.255
static (Allworx,Outside) tcp interface pptp 192.168.11.220 pptp netmask 255.255.255.255
static (Inside,Outside) tcp interface 3399 192.168.1.4 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.242 3391 192.168.1.13 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.245 https 192.168.1.24 https netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.245 3399 192.168.1.24 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.243 www 192.168.1.15 www netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.243 9675 192.168.1.15 9675 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.242 www 192.168.1.19 www netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.140 8081 192.168.5.20 8081 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.140 26 192.168.5.20 26 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.140 imap4 192.168.5.20 imap4 netmask 255.255.255.255
static (Inside,Outside) udp 67.58.258.140 sip 192.168.5.20 sip netmask 255.255.255.255
static (Inside,Outside) udp 67.58.258.140 2088 192.168.5.20 2088 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.141 8081 192.168.8.20 8081 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.141 26 192.168.8.20 26 netmask 255.255.255.255
static (Inside,Outside) tcp 67.58.258.141 imap4 192.168.8.20 imap4 netmask 255.255.255.255
static (Inside,Outside) udp 67.58.258.141 sip 192.168.8.20 sip netmask 255.255.255.255
static (Inside,Outside) udp 67.58.258.141 2088 192.168.8.20 2088 netmask 255.255.255.255
static (DMZ,Outside) 67.58.258.244 10.10.10.2 netmask 255.255.255.255
static (Inside,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.8.0 192.168.8.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.13.0 192.168.13.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.15.0 192.168.15.0 netmask 255.255.255.0
static (Inside,Inside) 10.0.1.0 10.0.1.0 netmask 255.255.255.252
static (Inside,Inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.252
static (Inside,Inside) 10.0.3.0 10.0.3.0 netmask 255.255.255.252
access-group OUTSIDE_IN_ACL in interface Outside
access-group Inside_access_in in interface Inside control-plane
access-group Inside_access_in_1 in interface Inside
route Outside 0.0.0.0 0.0.0.0 67.58.258.246 1
route Inside 192.168.2.0 255.255.255.0 192.168.1.40 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.40 1
route Inside 192.168.4.0 255.255.255.0 192.168.1.40 1
route Inside 192.168.5.0 255.255.255.0 192.168.1.40 1
route Inside 192.168.8.0 255.255.255.0 192.168.1.40 1
route Inside 192.168.11.0 255.255.255.0 192.168.11.40 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http Management 255.255.255.0 management
http Inside 255.255.255.0 Inside
http 67.58.258.241 255.255.255.255 Outside
http 173.36.137.141 255.255.255.255 Outside
snmp-server host Inside 192.168.1.15 community private
snmp-server location SPN_0
snmp-server contact Jason Low
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_1_cryptomap
crypto map Outside_map0 1 set pfs group5
crypto map Outside_map0 1 set peer 192.30.184.237
crypto map Outside_map0 1 set transform-set ESP-AES-256-MD5 ESP-AES-128-SHA ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 96.31.27.98
crypto map Outside_map0 3 set transform-set ESP-3DES-SHA
crypto map Outside_map0 4 match address Outside_cryptomap_4
crypto map Outside_map0 4 set peer 108.178.206.254
crypto map Outside_map0 4 set transform-set ESP-3DES-SHA
crypto map Outside_map0 6 match address Outside_cryptomap_6
crypto map Outside_map0 6 set peer 67.22.192.129
crypto map Outside_map0 6 set transform-set ESP-3DES-SHA
crypto map Outside_map0 6 set security-association lifetime kilobytes 4608000
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp enable management
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp nat-traversal 21
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 25
ssh 67.55.236.6 255.255.255.255 Outside
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 20
console timeout 0
management-access Inside
dhcprelay server 192.168.1.1 Inside
dhcprelay enable Allworx
dhcprelay timeout 60
priority-queue Outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SCBHC_VPN internal
group-policy SCBHC_VPN attributes
wins-server value 192.168.1.2
dns-server value 192.168.1.2 192.168.1.5
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy amchone internal
group-policy amchone attributes
dns-server value 192.168.1.2 8.8.8.8
vpn-tunnel-protocol IPSec
default-domain value SEASONS
username ciscotac password DfO7NBd5PZ1b0kZ1 encrypted
username amchone password ejhmf2QP.bmjzabd encrypted privilege 0
username amchone attributes
vpn-group-policy amchone
username nsandbulte password XKoQ5gVGTkHaBaM6 encrypted
username nsandbulte attributes
service-type remote-access
tunnel-group 108.178.206.254 type ipsec-l2l
tunnel-group 108.178.206.254 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 5
tunnel-group 108.161.83.66 type ipsec-l2l
tunnel-group 108.161.83.66 ipsec-attributes
pre-shared-key *
tunnel-group 67.22.192.129 type ipsec-l2l
tunnel-group 67.22.192.129 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 5
tunnel-group SCBHC_VPN type remote-access
tunnel-group SCBHC_VPN general-attributes
address-pool VPN_DHCP
default-group-policy SCBHC_VPN
tunnel-group SCBHC_VPN ipsec-attributes
pre-shared-key *
tunnel-group 67.58.258.250 type ipsec-l2l
tunnel-group 67.58.258.250 ipsec-attributes
pre-shared-key *
tunnel-group amchone type remote-access
tunnel-group amchone general-attributes
address-pool VPN_DHCP
default-group-policy amchone
tunnel-group amchone ipsec-attributes
pre-shared-key *
tunnel-group 96.31.27.98 type ipsec-l2l
tunnel-group 96.31.27.98 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive threshold 60 retry 2
tunnel-group 192.30.184.237 type ipsec-l2l
tunnel-group 192.30.184.237 ipsec-attributes
pre-shared-key *
!
class-map DNS-inspect
match access-list dns-bypass
class-map netflow-export-class
match access-list netflow-export
class-map TRoute
match any
class-map tcp-state-bypass-class
match access-list tcp-state-bypass
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
description ICMP
class inspection_default
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect sip
inspect icmp error
inspect icmp
class DNS-inspect
inspect dns
class tcp-state-bypass-class
set connection advanced-options tcp-state-bypass
class class-default
policy-map global-policy
class TRoute
set connection decrement-ttl
class netflow-export-class
flow-export event-type all destination 192.168.1.91
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f2ef067b3c16a25648bd67ce1683f2bd
: end
ciscoasa#

To give a little info on the subnets on each side of the VPN: the Sophos side has 192.168.12.0/24. The Cisco side has 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/24, 192.168.9.0/24, 192.168.11.0/24, 192.168.13.0/24. All of the subnets on the Cisco side connect and send encaps to the Sophos side except 192.168.1.0/24.


Crypto map tag: Outside_map0, seq num: 1, local addr: 67.58.258.241

access-list Outside_1_cryptomap permit ip Inside 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (Inside/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 192.35.185.237

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12836, #pkts decrypt: 12836, #pkts verify: 12836
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 67.58.258.241, remote crypto endpt.: 192.35.185.237

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C76812F9

inbound esp sas:
spi: 0x6AF9241E (1794712606)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 696320, crypto-map: Outside_map0
sa timing: remaining key lifetime (sec): 1580
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x007FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC76812F9 (3345486585)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 696320, crypto-map: Outside_map0
sa timing: remaining key lifetime (sec): 1580
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Here is the packet tracer output.


ciscoasa# packet-tracer input Inside icmp 192.168.1.112 8 0 192.168.12.20

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in_1 in interface Inside control-plane
access-list Inside_access_in_1 extended permit ip any any
access-list Inside_access_in_1 remark TS-RDP
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description ICMP
class inspection_default
inspect icmp error
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Inside Inside 255.255.255.0 Outside 192.168.12.0 255.255.255.0
NAT exempt
translate_hits = 25027, untranslate_hits = 12446
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 101 (67.58.258.241 [Interface PAT])
translate_hits = 2441905, untranslate_hits = 496171
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 101 (67.58.258.241 [Interface PAT])
translate_hits = 2441905, untranslate_hits = 496194
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9149546, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

I just want to understand something first:

Crypto map tag: Outside_map0, seq num: 1, local addr: 67.58.258.241

access-list Outside_1_cryptomap permit ip Inside 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (Inside/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 192.35.185.237

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12836, #pkts decrypt: 12836, #pkts verify: 12836
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 67.58.258.241, remote crypto endpt.: 192.35.185.237

Here the remote IP endpoint should be 192.35.185.237. However, in the config you posted, there's no IPsec peer with that IP.

Then, can you share the output of packet-tracer for a working subnet?

Can you follow that link (option 2): https://supportforums.cisco.com/t5/security-documents/asa-how-to-troubleshoot-vpn-l2l-ensure-traffic-is-passing/ta-p/3166082

Do this process with a working subnet and a non-working subnet please. Can you put everything in a text file and attach it to that post?

Your ACL should be (regardless of the IP peer mismatch):

access-list Outside_1_cryptomap extended permit ip Inside 255.255.255.0 192.168.12.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_6 192.168.12.0 255.255.255.0

Can you try removing the first line and adding the inside subnet into DM_INLINE_NETWORK_6 group and test it again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry, that was my poor attempt at concealing some of our IPs. I modified it in the packet tracer output but not in the configuration. They do match, and the real one is the one in the running configuration.

Anyway, thanks for the suggestions. I am out of the office for a few hours and then I will try the things you suggested and post back. Thanks!

Ok, I posted the results of the commands on the other post (https://supportforums.cisco.com/t5/security-documents/asa-how-to-troubleshoot-vpn-l2l-ensure-traffic-is-passing/ta-p/3166082).

The non-working subnet does not match the SPIs. The working subnet does match the SPIs. So how do I figure out which tunnel the non-working subnet is using and why?

Thanks much for your help so far!
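Two things in this thread come down to how the ASA classifies traffic: a crypto map is walked in sequence order and the first crypto ACL entry that permits a flow decides which entry (and therefore which peer and SA) the flow is encrypted into, and an SA whose counters show decaps but no encaps is receiving packets from the peer while never having any local traffic classified into it. The script below is an added example, not code from the thread, Cisco or Sophos. It models both points on constructed data: the membership of DM_INLINE_NETWORK_6, the contents of Outside_cryptomap_2, a second peer 203.0.113.9, an entry whose ACL name is referenced but not defined, and the counter values are all assumptions for illustration.

```python
"""Which IPsec SA does a flow land in, and which SAs carry one-way traffic?

Added example (not from the thread, Cisco or Sophos). Everything below is
constructed: the object-group membership, the second peer 203.0.113.9
(RFC 5737 documentation space), the ACL contents and the counter values.
"""
import ipaddress
import re

# Assumed membership of DM_INLINE_NETWORK_6; the thread never lists it.
OBJECT_GROUPS = {
    "DM_INLINE_NETWORK_6": ["192.168.2.0/24", "192.168.3.0/24", "192.168.11.0/24"],
}

# Crypto ACLs as ordered (source, destination) ACEs; values are CIDRs or group names.
ACLS = {
    "Outside_1_cryptomap": [("DM_INLINE_NETWORK_6", "192.168.12.0/24")],
    "Outside_cryptomap_2": [("192.168.1.0/24", "192.168.12.0/24")],  # assumed contents
}

# Crypto map entries: (sequence, peer, acl name). Seq 3 references an ACL that is
# not defined, which is how an orphaned ACL name behaves: it matches nothing.
CRYPTO_MAP = [
    (1, "192.35.185.237", "Outside_1_cryptomap"),
    (2, "203.0.113.9", "Outside_cryptomap_2"),
    (3, "203.0.113.9", "Outside_cryptomap_3"),
]


def expand(value):
    """Turn a CIDR string or an object-group name into a list of networks."""
    names = OBJECT_GROUPS.get(value, [value])
    return [ipaddress.ip_network(n) for n in names]


def match_crypto_map(src_ip, dst_ip, crypto_map=CRYPTO_MAP, acls=ACLS):
    """Return (seq, peer) of the first entry whose ACL permits src->dst, else None.

    None means the flow is not interesting traffic for any tunnel and follows
    the ordinary NAT/route path instead of being encrypted.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, peer, acl_name in sorted(crypto_map, key=lambda e: e[0]):
        for s_val, d_val in acls.get(acl_name, []):  # missing ACL => no ACEs => no match
            if any(src in n for n in expand(s_val)) and any(dst in n for n in expand(d_val)):
                return seq, peer
    return None


# Constructed 'show crypto ipsec sa' excerpt in the ASA's layout; seq 1 mirrors the
# thread's symptom (decaps only), seq 2 is a healthy two-way SA.
SA_OUTPUT = """\
Crypto map tag: Outside_map0, seq num: 1, local addr: 198.51.100.1
      current_peer: 192.35.185.237
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12836, #pkts decrypt: 12836, #pkts verify: 12836
Crypto map tag: Outside_map0, seq num: 2, local addr: 198.51.100.1
      current_peer: 203.0.113.9
      #pkts encaps: 4410, #pkts encrypt: 4410, #pkts digest: 4410
      #pkts decaps: 4398, #pkts decrypt: 4398, #pkts verify: 4398
"""


def parse_sa_counters(text):
    """Parse the excerpt into {seq: {'peer': str, 'encaps': int, 'decaps': int}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.search(r"seq num: (\d+)", line)
        if m:
            current = int(m.group(1))
            entries[current] = {"peer": None, "encaps": 0, "decaps": 0}
            continue
        if current is None:
            continue
        m = re.search(r"current_peer: (\S+)", line)
        if m:
            entries[current]["peer"] = m.group(1)
        for direction, count in re.findall(r"#pkts (encaps|decaps): (\d+)", line):
            entries[current][direction] = int(count)
    return entries


def one_way_sas(entries):
    """Sequence numbers that receive packets but have never sent any."""
    return sorted(seq for seq, e in entries.items() if e["decaps"] > 0 and e["encaps"] == 0)


if __name__ == "__main__":
    for src in ("192.168.2.5", "192.168.1.112", "192.168.13.5"):
        print(src, "->", match_crypto_map(src, "192.168.12.20"))
    print("one-way SAs:", one_way_sas(parse_sa_counters(SA_OUTPUT)))
```

Run as-is, it shows a 192.168.2.x host selecting seq 1 (the SA whose SPIs the working subnet matched), a 192.168.1.x host selecting a different entry and peer (so its traffic would never show up as encaps on seq 1), and a subnet listed in no crypto ACL selecting nothing at all. The counter check reproduces the "decaps but no encaps" test directly from the command output, which is the quickest way to spot which entry is only ever receiving.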

I'll take a look later. Did you manage to make the change I suggested, to see if it changes something? I've seen weird things like that on old versions like yours.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I tried the change and it didn't seem to do anything.

Thanks,
Jason

Do a show run | i Outside_cryptomap_2 to see if you get something.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Based on the outputs, it tries to use an ACL called Outside_cryptomap_2, but I don't see it anywhere in your config. Make the change please and test it again.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That's because when I made the configuration change you suggested and it didn't help, I tried to undo the change and it messed up the crypto map somehow. So I recreated the crypto map, which created a new ACL. Sorry for the confusion.

Share your new config in a text file, please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

@Francesco Molino wrote:

Share your new config in a text file, please.


Sorry, I'm a noob. How do I attach a text file?