12-05-2013 04:46 PM - edited 02-21-2020 07:22 PM
I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510s, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've pored through the configs on both, and although there are just a couple of differences, the two ASAs are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denies by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network, which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies. On the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which makes sense.
Other things to note: The test site that works also has a site-to-site vpn up and running, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works

```
testasa01-5510# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname testasa01-5510
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <outsideif> 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.39.194.2 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
!
tcp-map WSOptions
  tcp-options range 24 31 allow
!
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
!
router eigrp 100
 network 10.0.0.0 255.0.0.0
 passive-interface default
 no passive-interface inside
!
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 8.8.8.8
 vpn-filter value remoteaccess
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 split-tunnel-all-dns disable
 vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool vpn_ip_pool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 111.222.333.444 ipsec-attributes
 pre-shared-key *****
!
class-map WSOptions-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class WSOptions-class
  set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
 parameters
  eool action allow
  nop action allow
  router-alert action allow
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
```

Production Site that Doesn't

```
mp01-5510asa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname mp01-5510asa
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.29.194.2 255.255.255.252
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.29.1 255.255.255.0
!
interface Ethernet0/2
 description
 nameif backup
 security-level 0
 ip address <backupif> 255.255.255.252
!
interface Ethernet0/3
 description
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address <outsideif> 255.255.255.248
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.29.199.11 255.255.255.0
 management-only
!
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
 network-object 10.29.1.0 255.255.255.0
 network-object 10.29.15.0 255.255.255.0
 network-object 10.29.199.0 255.255.255.0
 network-object 10.29.200.0 255.255.255.0
 network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
 type echo protocol ipIcmpEcho 74.125.239.16 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 8.8.8.8
 vpn-filter value remoteaccess
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 split-tunnel-all-dns disable
 vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool vpn_ip_pool3
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
```
Test site:

```
testasa01-5510# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
      current_peer: <peer ip>, username: blah
      dynamic allocated peer ip: 172.16.139.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291

      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 0A7F396F
      current inbound spi : E87AF806

    inbound esp sas:
      spi: 0xE87AF806 (3900372998)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3587
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x7FFFFFFF
    outbound esp sas:
      spi: 0x0A7F396F (176109935)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3587
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
```

Production site:

```
mp01-5510asa# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
      current_peer: <peer ip>, username: blah
      dynamic allocated peer ip: 10.254.29.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291

      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 096265D4
      current inbound spi : F5E4780C

    inbound esp sas:
      spi: 0xF5E4780C (4125390860)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3576
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x001FFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x096265D4 (157443540)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3576
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
```
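The counter pattern in the post (decaps climbing while encaps stays at zero) is the signature of a return-path problem rather than a crypto problem: the ASA decrypts and forwards the client's packets, but nothing comes back to it to be encrypted. As an added example that is not part of the thread, the script below parses `show crypto ipsec sa` output and names that pattern; the sample text is constructed from the production SA above, with RFC 5737 documentation addresses standing in for the `<outsideif>` / `<peer ip>` placeholders and a second, healthy SA added for contrast.

```python
import re
# Constructed sample: the thread's production SA with RFC 5737 addresses in place
# of its <outsideif>/<peer ip> placeholders, plus a second, healthy SA for contrast.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: blah
      dynamic allocated peer ip: 10.254.29.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #send errors: 0, #recv errors: 0
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.2/255.255.255.255/0/0)
      current_peer: 198.51.100.9, username: other
      dynamic allocated peer ip: 10.254.29.2
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
      #send errors: 0, #recv errors: 0
"""

# Field name -> regex with one capture group; all-digit captures become ints.
_FIELDS = {
    "peer": r"current_peer:\s*([^,\s]+)",
    "client_ip": r"dynamic allocated peer ip:\s*(\S+)",
    "local_net": r"local ident \(addr/mask/prot/port\):\s*\(([^/]+/[^/]+)/",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors:\s*(\d+)",
    "recv_errors": r"#recv errors:\s*(\d+)",
}

# What each counter pattern means for a remote-access SA and where to look next.
HINTS = {
    "crypto-errors": "send/recv errors: check transform sets, MTU and the replay window",
    "idle": "no packets either way: the client is not sending into the tunnel",
    "one-way-inbound": "decaps but no encaps: client traffic is decrypted and forwarded, but "
                       "replies never return to the ASA; check the return route and anything inline behind it",
    "one-way-outbound": "encaps but no decaps: replies leave, nothing arrives from the client",
    "bidirectional": "counters rise both ways: the tunnel itself is healthy",
}

def parse_sas(text):
    """Split the output at each 'Crypto map tag:' header; return one dict per SA."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text)[1:]:  # [0] is the interface line
        sa = {}
        for name, pattern in _FIELDS.items():
            m = re.search(pattern, block)
            if m is None:
                raise ValueError(f"field {name!r} missing from SA block")
            sa[name] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        sas.append(sa)
    return sas

def classify(sa):
    """Name the counter pattern; HINTS maps the name to the next thing to check."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "crypto-errors"
    if sa["encaps"] == 0:
        return "idle" if sa["decaps"] == 0 else "one-way-inbound"
    return "one-way-outbound" if sa["decaps"] == 0 else "bidirectional"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE_SA_OUTPUT):
        print(f"{sa['client_ip']} encaps={sa['encaps']} decaps={sa['decaps']} "
              f"[{classify(sa)}] {HINTS[classify(sa)]}")
```

Run it against a saved `show crypto ipsec sa` capture; an SA reported as one-way-inbound is the case the thread ends on, where the culprit was a device between the ASA and the switch rather than the ASA itself.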
12-06-2013 02:10 PM
Config (non-working site) looks fine (unless I missed something :)). You may want to add:

```
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
```

Try taking out the vpn-filter: `vpn-filter value remoteaccess`
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS
12-06-2013 04:35 PM
Thanks for the reply. I've finally figured it out after pulling almost all of my hair out.
I completely forgot about the Palo Alto firewall that's inline up there between the firewall and switch, and that was blocking the traffic because the ASA side was in an untrusted policy. Once I added the policy to trust the vpn network from the asa, it was working.
Geesh! Definitely a good lesson learned here!!
Thanks