12-13-2011 07:03 AM
Hello,
I have 2 sites:
Site A:
ASA 5510
VPN gateway for remote users
LAN 192.168.192.0/22
Site B:
ASA 5505
LAN 192.168.208.0/22
Both sites are connected through a site to site VPN.
Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.
What am I missing (maybe on both sides)?
Any help appreciated.
Here is part of my configuration:
On Site A (ASA 5510)
--------------------------------
name 192.168.192.0 SiteA_Internal_Network
name 192.168.208.0 SiteB_Internal_Network
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
object-group network DM_INLINE_NETWORK_3
network-object VPNPool_AnyConnect 255.255.255.224
network-object VPNPool_VpnClient 255.255.255.224
network-object SiteA_Internal_Network 255.255.252.0
access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 1 SiteA_Internal_Network 255.255.252.0
nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound
static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0
static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0
static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask 255.255.255.240
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
webvpn
enable External
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"
svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value XXXXXXXXXXXXX
vpn-tunnel-protocol IPSec svc webvpn
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-lan
default-domain value XXXXX
webvpn
svc keepalive 30
svc compression none
group-policy TG-ADM internal
group-policy TG-ADM attributes
vpn-tunnel-protocol IPSec
ip-comp disable
group-policy JSIgroup internal
group-policy JSIgroup attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
url-list none
svc ask enable
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool POOL-ANYCONNECT
authentication-server-group RADIUS LOCAL
dhcp-server XXXXXXXXXX
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias VPN-ACCESS enable
tunnel-group XXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXXX ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group TG-ADM type remote-access
tunnel-group TG-ADM general-attributes
address-pool POOL-ADM
authentication-server-group RADIUS LOCAL
default-group-policy TG-ADM
tunnel-group TG-ADM ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXX
On Site B (ASA 5505)
-------------------------------
name 192.168.192.0 SiteA_Internal_Network
name 192.168.133.32 AnyConnect
name 192.168.133.0 VPN_Client
object-group network DM_INLINE_NETWORK_2
network-object 192.168.133.0 255.255.255.224
network-object 192.168.133.32 255.255.255.224
network-object 192.168.192.0 255.255.252.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.133.0 255.255.255.224
network-object 192.168.133.32 255.255.255.224
network-object 192.168.192.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 192.168.208.0 255.255.252.0 192.168.192.0 255.255.252.0
access-list inside_access_in extended permit object-group Traffic-Good 192.168.208.0 255.255.252.0 any
access-list outside_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2
access-list outside_access_in extended deny ip any 192.168.208.0 255.255.252.0
access-list outside_access_in extended deny ip any 192.168.192.0 255.255.252.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
12-13-2011 07:09 AM
It looks like you have the traffic defined in the crypto ACLs and the nat0 ACL on the Site B ASA. Do you have this on the Site A ASA?
same-security-traffic permit intra-interface
07-24-2014 05:21 AM
This was the solution for me. I had to allow hairpinning. With a continuous ping going, as soon as I entered this command, pings started returning.
01-15-2016 12:27 AM
Do you remember what you did to fix it?
I have the same issues for the VPN. Thank you.
06-05-2015 11:28 AM
Thank you. I had everything right and couldn't think why this was not working. I had forgotten to add this line. In hindsight I guess everything was not right :).
12-13-2011 07:34 AM
Yes, I forgot it; here is what I have on the Site A router:
The site-to-site tunnel is working fine, except for VPN remote users.
access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 SiteB_Internal_Network 255.255.252.0
access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 VPNPool_AnyConnect 255.255.255.224
access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 VPNPool_VpnClient 255.255.255.224
access-list Internal_nat0_outbound extended permit ip VPNPool_AnyConnect 255.255.255.224 SiteB_Internal_Network 255.255.252.0
access-list Internal_nat0_outbound extended permit ip VPNPool_VpnClient 255.255.255.224 SiteB_Internal_Network 255.255.252.0
12-13-2011 07:58 AM
You shouldn't need those last 2 lines there, as the nat0 is applied to the inside interface, while the VPN client traffic is coming from the outside interface. It would never be NATed there anyway.
What do your logs say on the Site A ASA when you try to connect from a VPN client to Site B? I usually bring up the ASDM log viewer, filter on the IP address of the VPN client and test.
12-13-2011 08:25 AM
Thanks for your feedback.
I removed both lines. No change.
Should I also remove the VPN client networks in DM_INLINE_NETWORK_1 of Site B?
I watched the logs, but I can only see that I connect to the Site A gateway; when I ping a machine on Site B there is nothing in the logs.
12-13-2011 09:18 AM
No, don't remove it on the other end. That is needed.
What does your split-tunnel ACL look like on the Site A ASA? Make sure you are tunneling the Site B inside network.
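The checks asked for in this reply and in the hairpinning answer above, as an added example that is not from the thread or from Cisco: a Python audit (function names are my own) that reads an ASA 8.x config and reports whether intra-interface traffic is permitted, whether each local pool is in the crypto ACL toward the remote LAN, and whether a tunnelspecified split-tunnel list includes that LAN. SITE_A_EXCERPT is a constructed excerpt of the Site A config posted later in the thread.

```python
import ipaddress
import re

# Constructed excerpt modelled on the Site A config posted in this thread; not a complete config.
SITE_A_EXCERPT = """\
name 192.168.192.0 SiteA_Internal_Network
name 192.168.208.0 SiteB_Internal_Network
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object VPNPool_AnyConnect 255.255.255.224
 network-object VPNPool_VpnClient 255.255.255.224
 network-object SiteA_Internal_Network 255.255.252.0
access-list split-lan standard permit SiteA_Internal_Network 255.255.252.0
access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0
ip local pool POOL-ANYCONNECT 192.168.133.1-192.168.133.30 mask 255.255.255.224
ip local pool POOL-ADM 192.168.133.33-192.168.133.62 mask 255.255.255.224
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-lan
crypto map External_map3 1 match address External_cryptomap_1
"""

def parse_names(cfg):
    """'name <ip> <alias> ...' lines -> {alias: ip}."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def to_net(addr, mask, names):
    """'host X' or 'X MASK' operand -> ip_network, resolving 'name' aliases."""
    if addr == "host":
        return ipaddress.ip_network(names.get(mask, mask))
    return ipaddress.ip_network((names.get(addr, addr), mask))

def parse_object_groups(cfg, names):
    """Network object-groups -> {group: [networks]} (network-object lines only)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object-group network (\S+)", line)
        member = re.match(r"\s*network-object (\S+) (\S+)", line)
        if head:
            current = groups.setdefault(head.group(1), [])
        elif member and current is not None:
            current.append(to_net(member.group(1), member.group(2), names))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group
    return groups

def operand(tokens, i, names, groups):
    """One ACL address operand at tokens[i] -> (networks, index after it)."""
    if tokens[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [to_net(tokens[i], tokens[i + 1], names)], i + 2

def acl_permits(cfg, name, names, groups):
    """(src_nets, dst_nets) per permit entry of ACL `name`; standard ACLs carry src only."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", name] or t[3] != "permit":
            continue  # remarks, deny entries and other ACLs
        if t[2] == "standard":
            entries.append((operand(t, 4, names, groups)[0], []))
        elif t[2] == "extended" and t[4] == "ip":
            src, i = operand(t, 5, names, groups)
            entries.append((src, operand(t, i, names, groups)[0]))
    return entries

def covers(entries, src, dst=None):
    """True if some entry's source contains src (and its destination contains dst)."""
    return any(any(src.subnet_of(n) for n in s)
               and (dst is None or any(dst.subnet_of(n) for n in d))
               for s, d in entries)

def parse_pools(cfg):
    """'ip local pool NAME A-B mask M' -> {NAME: subnet the pool lives in}."""
    return {m.group(1): ipaddress.ip_network((m.group(2), m.group(3)), strict=False)
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)", cfg, re.M)}

def audit(cfg, remote_lan):
    """{check: passed} for each local pool reaching remote_lan over the L2L tunnel."""
    names, remote = parse_names(cfg), ipaddress.ip_network(remote_lan)
    groups = parse_object_groups(cfg, names)
    crypto = [e for m in re.finditer(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)
              for e in acl_permits(cfg, m.group(1), names, groups)]
    split_list = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    split = acl_permits(cfg, split_list.group(1), names, groups) if split_list else []
    policy = re.search(r"split-tunnel-policy (\S+)", cfg)
    result = {"hairpin": re.search(r"^same-security-traffic permit intra-interface",
                                   cfg, re.M) is not None}
    for pool_name, pool in parse_pools(cfg).items():
        result["crypto:" + pool_name] = covers(crypto, pool, remote)
    # Only a 'tunnelspecified' policy needs the remote LAN listed explicitly.
    result["split-tunnel"] = (policy is None or policy.group(1) != "tunnelspecified"
                              or covers(split, remote))
    return result
```

Run against the excerpt, audit(SITE_A_EXCERPT, "192.168.208.0/22") passes the hairpin and both crypto checks but fails split-tunnel, because split-lan lists only the Site A network.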
12-14-2011 06:28 AM
Thanks,
Well, removing the 2 NAT lines caused an issue: VPN clients couldn't access the LAN of Site A anymore... I put them back.
Here are the full configurations of both ASAs:
SITE A
: Saved
:
ASA Version 8.0(4)
!
hostname XXXXX
domain-name XXXXXX
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
name 192.168.33.0 SiteA_InternalDMZ_Network description SiteA DMZ
name 192.168.192.0 SiteA_Internal_Network description SiteA
name 192.168.208.0 SiteB_Internal_Network description SiteB
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
name XXXXXX SiteA_ExternalDMZ_Network description SiteA
name XXXXXXXXX SiteA_External_Network description SiteA
name 192.168.33.17 AAA-InternalDMZ description Server SOUTH
name XXXXXXXXX AAA-ExternalDMZ description Server NORTH
dns-guard
!
interface Ethernet0/0
nameif External
security-level 0
ip address XXXXXXXXXXXXXX
ospf cost 10
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address 192.168.192.1 255.255.252.0
ospf cost 10
!
interface Ethernet0/2
nameif External-DMZ
security-level 50
ip address XXXXXXXXXXXXXXXXXXXXXX
ospf cost 10
!
interface Ethernet0/3
nameif Internal-DMZ
security-level 75
ip address XXXXXXXXXXXXXXXXXXXXXXXXX
ospf cost 10
!
regex worldofwarcraft ".*worldofwarcraft\.com.*"
regex facebook ".*facebook\.com.*"
boot system disk0:/asaXXXXX.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup External
dns domain-lookup Internal
dns domain-lookup External-DMZ
dns server-group DefaultDNS
name-server XXXXXXXXXXX
name-server XXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXXXXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Net-SiteA
description SiteA Nets
network-object SiteA_Internal_Network 255.255.252.0
network-object SiteA_ExternalDMZ_Network 255.255.255.240
object-group network Blocked-destinations
network-object host Blacklist_crackz.ws
network-object host Blacklist_bad-ads
network-object host Blacklist_roxy69.gtrx.net
network-object host Blacklist_beehappyy.biz
network-object host Blacklist_Warhammer
network-object host Blacklist_Infected-site
network-object host Blacklist_tfcco.biz
network-object host Blacklist_iframecash.biz
network-object host Blacklist_Infected-sm0king
object-group service Traffic-Good
service-object icmp
service-object esp
service-object tcp-udp eq domain
service-object tcp-udp eq echo
service-object tcp-udp eq www
service-object tcp-udp eq sunrpc
service-object tcp-udp eq tacacs
service-object tcp eq 3389
service-object tcp eq 445
service-object tcp eq aol
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq netbios-ssn
service-object tcp eq pop3
service-object tcp eq sip
service-object tcp eq ssh
service-object tcp eq telnet
service-object tcp eq whois
service-object icmp traceroute
service-object udp eq 10000
service-object udp eq 4500
service-object udp eq isakmp
service-object udp eq nameserver
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq nfs
service-object udp eq ntp
service-object udp eq sip
service-object udp eq snmp
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tftp
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp eq 9418
service-object tcp eq 10000
object-group service EEEEEEEEEE-ports
service-object tcp eq smtp
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group service revEEEEEEEEEE-ports
service-object tcp eq smtp
service-object icmp
service-object tcp eq 3389
object-group service revFFFFFF-ports
service-object ip
service-object icmp
object-group service FFFFFF-ports
service-object ip
service-object icmp
service-object tcp eq 3268
object-group service GGGGGGG
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group network Internal-DC
network-object host XXXXXXXXXXXXX
network-object host XXXXXXXXXXXXXXXXX
object-group network Internal-email
network-object host XXXXXXXXXXXXXXXXXXXX
object-group network DM_INLINE_NETWORK_2
network-object SiteA_Internal_Network 255.255.252.0
network-object SiteA_ExternalDMZ_Network 255.255.255.240
object-group service GRP-SVC-FFFFFF-TCP tcp
port-object eq 3268
object-group service GRP-SVC-FFFFFF-UDP udp
port-object eq 88
port-object eq domain
port-object eq ntp
object-group service GRP-SVC-HHHHHHH-TCP tcp
port-object eq smtp
port-object eq https
object-group network GRP-ADMIN-WS
network-object SiteA_Internal_Network 255.255.252.0
object-group network GRP-DMZ-NODES
network-object SiteA_InternalDMZ_Network 255.255.255.0
network-object SiteA_ExternalDMZ_Network 255.255.255.240
object-group network GRP-PUB-DNS-SRV
network-object host DNS_1
network-object host DNS_2
object-group service GRP-SVC-BROWSING-TCP tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group service GRP-SVC-PMAD-TCP tcp
port-object eq 3389
port-object eq ssh
object-group icmp-type GRP-SVC-USEFUL-ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group network DM_INLINE_NETWORK_3
network-object VPNPool_AnyConnect 255.255.255.224
network-object VPNPool_VpnClient 255.255.255.224
network-object SiteA_Internal_Network 255.255.252.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq 8443
port-object eq 8880
object-group service Torrent
service-object tcp range 6881 6889
service-object tcp eq 6969
service-object tcp eq 7000
object-group network DM_INLINE_NETWORK_1
network-object VPNPool_AnyConnect 255.255.255.224
network-object VPNPool_VpnClient 255.255.255.224
object-group network DM_INLINE_NETWORK_4
network-object SiteA_InternalDMZ_Network 255.255.255.0
network-object SiteA_ExternalDMZ_Network 255.255.255.240
object-group service DM_INLINE_SERVICE_1
service-object tcp
object-group network DM_INLINE_NETWORK_5
network-object VPNPool_AnyConnect 255.255.255.224
network-object VPNPool_VpnClient 255.255.255.224
access-list External_access_in extended deny ip any SiteA_Internal_Network 255.255.252.0
access-list External_access_in extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0
access-list External_access_in extended permit tcp any host AAA-ExternalDMZ eq smtp
access-list External_access_in extended permit tcp any host AAA-ExternalDMZ object-group DM_INLINE_TCP_1
access-list External_access_in extended permit icmp any SiteA_External_Network 255.255.255.240 object-group GRP-SVC-USEFUL-ICMP
access-list External_access_in extended permit icmp any SiteA_ExternalDMZ_Network 255.255.255.240 object-group GRP-SVC-USEFUL-ICMP
access-list External-DMZ_access_in extended deny ip any SiteA_Internal_Network 255.255.252.0
access-list External-DMZ_access_in extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0
access-list External-DMZ_access_in extended permit tcp host AAA-ExternalDMZ any eq smtp
access-list External-DMZ_access_in extended permit ip SiteA_ExternalDMZ_Network 255.255.255.240 any
access-list Internal_access_in extended deny ip any object-group Blocked-destinations
access-list Internal_access_in extended permit udp object-group Internal-DC object-group GRP-PUB-DNS-SRV eq domain
access-list Internal_access_in extended permit tcp object-group Internal-DC object-group GRP-PUB-DNS-SRV eq domain
access-list Internal_access_in extended permit object-group Traffic-Good SiteA_Internal_Network 255.255.252.0 any
access-list Internal_access_in extended permit ip object-group DM_INLINE_NETWORK_1 SiteB_Internal_Network 255.255.252.0
access-list Internal_access_in extended permit object-group Torrent SiteA_Internal_Network 255.255.252.0 any inactive
access-list Internal_access_in extended permit ip SiteA_Internal_Network 255.255.252.0 SiteB_Internal_Network 255.255.252.0
access-list Internal_access_in extended permit tcp host XXXXXXXXX host AAA-InternalDMZ eq smtp
access-list Internal_access_in extended permit tcp object-group GRP-ADMIN-WS object-group GRP-DMZ-NODES object-group GRP-SVC-PMAD-TCP
access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 SiteB_Internal_Network 255.255.252.0
access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 object-group DM_INLINE_NETWORK_5
access-list Internal-DMZ_access_in extended deny ip any SiteA_ExternalDMZ_Network 255.255.255.240
access-list Internal-DMZ_access_in extended permit tcp host AAA-InternalDMZ object-group Internal-DC object-group GRP-SVC-FFFFFF-TCP
access-list Internal-DMZ_access_in extended permit udp host AAA-InternalDMZ object-group Internal-DC object-group GRP-SVC-FFFFFF-UDP
access-list Internal-DMZ_access_in extended permit tcp host AAA-InternalDMZ object-group Internal-email object-group GRP-SVC-HHHHHHH-TCP
access-list Internal-DMZ_access_in extended permit tcp host AAA-InternalDMZ host XXXXXXX eq www
access-list Internal-DMZ_access_in extended deny ip any SiteA_Internal_Network 255.255.252.0
access-list External-DMZ_nat0_outbound extended permit ip SiteA_ExternalDMZ_Network 255.255.255.240 SiteB_Internal_Network 255.255.252.0
access-list CSC-Internal extended deny ip any SiteB_Internal_Network 255.255.252.0 inactive
access-list CSC-Internal extended deny ip any SiteA_ExternalDMZ_Network 255.255.255.240
access-list CSC-Internal extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0
access-list CSC-Internal extended permit tcp any any eq www
access-list CSC-Internal extended permit tcp any any eq smtp
access-list CSC-Internal extended permit tcp any any eq pop3
access-list CSC-Internal extended permit tcp any any eq ftp
access-list CSC-Internal extended permit tcp any any eq imap4
access-list CSC-External extended deny ip SiteB_Internal_Network 255.255.252.0 any inactive
access-list CSC-External extended permit tcp any any eq smtp
access-list CSC-External extended permit tcp any any eq www
access-list CSC-External extended permit tcp any any eq pop3
access-list CSC-External extended permit tcp any any eq imap4
access-list CSC-External extended permit tcp any any eq ftp
access-list CSC-External-DMZ extended deny ip any SiteB_Internal_Network 255.255.252.0 inactive
access-list CSC-External-DMZ extended deny ip any SiteA_Internal_Network 255.255.252.0
access-list CSC-External-DMZ extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0
access-list CSC-External-DMZ extended permit tcp any any eq www
access-list CSC-External-DMZ extended permit tcp any any eq smtp
access-list CSC-External-DMZ extended permit tcp any any eq pop3
access-list CSC-External-DMZ extended permit tcp any any eq ftp
access-list CSC-External-DMZ extended permit tcp any any eq imap4
access-list CSC-Internal-DMZ extended deny ip any SiteB_Internal_Network 255.255.252.0 inactive
access-list CSC-Internal-DMZ extended deny ip any SiteA_Internal_Network 255.255.252.0
access-list CSC-Internal-DMZ extended deny ip any SiteA_ExternalDMZ_Network 255.255.255.240
access-list CSC-Internal-DMZ extended permit tcp any any eq www
access-list CSC-Internal-DMZ extended permit tcp any any eq smtp
access-list CSC-Internal-DMZ extended permit tcp any any eq pop3
access-list CSC-Internal-DMZ extended permit tcp any any eq ftp
access-list CSC-Internal-DMZ extended permit tcp any any eq imap4
access-list split-lan standard permit SiteA_Internal_Network 255.255.252.0
access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0
pager lines 24
logging enable
logging trap warnings
logging asdm warnings
logging host Internal 192.168.192.XXX
mtu External 1500
mtu Internal 1500
mtu External-DMZ 1500
mtu Internal-DMZ 1500
ip local pool POOL-ANYCONNECT 192.168.133.1-192.168.133.30 mask 255.255.255.224
ip local pool POOL-ADM 192.168.133.33-192.168.133.62 mask 255.255.255.224
ip verify reverse-path interface External
ip verify reverse-path interface Internal
ip verify reverse-path interface External-DMZ
ip verify reverse-path interface Internal-DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply External
icmp permit any time-exceeded External
icmp permit any unreachable External
icmp permit SiteA_Internal_Network 255.255.252.0 echo Internal
icmp permit SiteA_Internal_Network 255.255.252.0 echo-reply Internal
icmp permit SiteA_Internal_Network 255.255.252.0 traceroute Internal
icmp permit SiteA_Internal_Network 255.255.252.0 unreachable Internal
icmp permit SiteA_Internal_Network 255.255.252.0 time-exceeded Internal
icmp permit XXXXXXXXX 255.255.252.0 echo Internal
icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 echo Internal
icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 echo-reply Internal
icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 traceroute Internal
icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 unreachable Internal
icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 time-exceeded Internal
icmp permit VPNPool_AnyConnect 255.255.255.0 echo External-DMZ
icmp permit VPNPool_AnyConnect 255.255.255.0 echo-reply External-DMZ
icmp permit VPNPool_AnyConnect 255.255.255.0 time-exceeded External-DMZ
icmp permit VPNPool_AnyConnect 255.255.255.0 traceroute External-DMZ
icmp permit VPNPool_AnyConnect 255.255.255.0 unreachable External-DMZ
asdm image disk0:/asdm-XXXXXX.bin
no asdm history enable
arp timeout 14400
global (External) 1 XXXXXXXXXX netmask 255.0.0.0
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 1 SiteA_Internal_Network 255.255.252.0
nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound
static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask 255.255.255.240
static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0
static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0
access-group External_access_in in interface External
access-group Internal_access_in in interface Internal
access-group External-DMZ_access_in in interface External-DMZ
access-group Internal-DMZ_access_in in interface Internal-DMZ
route External 0.0.0.0 0.0.0.0 XXXXXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (Internal) host XXXXXXXXXX
key XXXXXXXXX
aaa-server RADIUS (Internal) host XXXXXXXXXX
key XXXXXXXXXXXX
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 External
http 0.0.0.0 0.0.0.0 Internal
http redirect External 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map External_map3 1 match address External_cryptomap_1
crypto map External_map3 1 set pfs group5
crypto map External_map3 1 set peer XXXXXXXX
crypto map External_map3 1 set transform-set ESP-AES-256-SHA
crypto map External_map3 1 set security-association lifetime seconds 28800
crypto map External_map3 1 set security-association lifetime kilobytes 4608000
crypto map External_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_map3 interface External
crypto ca server
shutdown
crypto isakmp enable External
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 External
ssh 0.0.0.0 0.0.0.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server XXXXXXX source External
ntp server XXXXXXXXX source External prefer
ntp server XXXXXXX source External
ntp server XXXXXX source External
tftp-server Internal XXXXXXXXXXXXX.cfg
webvpn
enable External
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"
svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.192.80 192.168.192.81
vpn-tunnel-protocol IPSec svc webvpn
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-lan
default-domain value XXXXXXXXXXXX
webvpn
svc keepalive 30
svc compression none
group-policy TG-ADM internal
group-policy TG-ADM attributes
vpn-tunnel-protocol IPSec
ip-comp disable
group-policy Profile2 internal
group-policy Profile2 attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
url-list none
svc ask enable
username admin password XXXXXXXXXXXXXXXXXX encrypted privilege 15
username Profile2Access password XXXXXXXXXXXXXXXXX encrypted privilege 0
username Profile2Access attributes
vpn-group-policy Profile2
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool POOL-ANYCONNECT
authentication-server-group RADIUS LOCAL
dhcp-server XXXXXXXXXXXX
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias PROFILE1-ACCESS enable
tunnel-group XXXXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXXXX ipsec-attributes
pre-shared-key *
tunnel-group TG-ADM type remote-access
tunnel-group TG-ADM general-attributes
address-pool POOL-ADM
authentication-server-group RADIUS LOCAL
default-group-policy TG-ADM
tunnel-group TG-ADM ipsec-attributes
pre-shared-key *
tunnel-group PROFILE2ACCESS type remote-access
tunnel-group PROFILE2ACCESS general-attributes
address-pool POOL-ANYCONNECT
default-group-policy Profile2
tunnel-group PROFILE2ACCESS webvpn-attributes
group-alias PROFILE2-ACCESS enable
!
class-map External-DMZ-class
match access-list CSC-External-DMZ
class-map Internal-DMZ-class
match access-list CSC-Internal-DMZ
class-map Internal-class
match access-list CSC-Internal
class-map inspection_default
match default-inspection-traffic
class-map External-class
match access-list CSC-External
!
!
policy-map Internal-policy
class Internal-class
csc fail-open
policy-map External-policy
class External-class
csc fail-open
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map External-DMZ-policy
class External-DMZ-class
csc fail-open
policy-map Internal-DMZ-policy
class Internal-DMZ-class
csc fail-open
policy-map type inspect http blocked-sites
parameters
protocol-violation action drop-connection
match request uri regex facebook
drop-connection log
match request uri regex worldofwarcraft
drop-connection log
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
SITE B
: Saved
:
ASA Version 8.2(2)
!
hostname XXXXXXXXXX
domain-name XXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
no names
name 192.168.192.0 SITEA
name 192.168.133.32 AnyConnect
name 192.168.133.0 VPN_Client
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.208.1 255.255.252.0
!
interface Vlan2
description Old Internet Access
shutdown
no forward interface Vlan1
nameif UNUSED
security-level 0
ip address XXXXXXXXXXXXXX 255.255.255.240
!
interface Vlan12
description: To Internet
nameif outsideNew
security-level 0
ip address XXXXXXXXXX 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asaXXXXXX.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name XXXXXXXXXX
object-group service Traffic-Good
service-object icmp
service-object esp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object tcp-udp eq domain
service-object tcp-udp eq echo
service-object tcp-udp eq www
service-object tcp-udp eq sunrpc
service-object tcp-udp eq tacacs
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq sip
service-object tcp eq ssh
service-object udp eq ntp
service-object udp eq sip
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tftp
service-object tcp eq 3389
service-object tcp-udp eq sip
service-object tcp eq h323
object-group network DM_INLINE_NETWORK_2
network-object 192.168.133.0 255.255.255.224
network-object 192.168.133.32 255.255.255.224
network-object 192.168.192.0 255.255.252.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.133.0 255.255.255.224
network-object 192.168.133.32 255.255.255.224
network-object 192.168.192.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in remark Full IP to SiteA Network
access-list inside_access_in extended permit ip 192.168.208.0 255.255.252.0 192.168.192.0 255.255.252.0
access-list inside_access_in remark Browsing to the Internet
access-list inside_access_in extended permit object-group Traffic-Good 192.168.208.0 255.255.252.0 any
access-list outsideNew_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2
access-list outsideNew_access_in extended deny ip any 192.168.208.0 255.255.252.0
access-list outsideNew_access_in extended deny ip any 192.168.192.0 255.255.252.0
pager lines 24
logging enable
logging trap warnings
logging asdm warnings
logging host inside 192.168.192.XXXXXXX
mtu inside 1500
mtu UNUSED 1500
mtu outsideNew 1500
ip verify reverse-path interface inside
ip verify reverse-path interface UNUSED
ip verify reverse-path interface outsideNew
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply UNUSED
icmp permit any time-exceeded UNUSED
icmp permit any unreachable UNUSED
icmp permit any echo-reply outsideNew
icmp permit any time-exceeded outsideNew
icmp permit any unreachable outsideNew
asdm image disk0:/asdm-XXXXX.bin
asdm history enable
arp timeout 14400
global (UNUSED) 1 interface
global (outsideNew) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outsideNew_access_in in interface outsideNew
route outsideNew 0.0.0.0 0.0.0.0 XXXXXXXXXXXXX 1
route UNUSED 0.0.0.0 0.0.0.0 XXXXXXXXXXX 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.192.0 255.255.252.0 inside
http 192.168.208.90 255.255.255.255 inside
http XXXXXXX 255.255.255.240 outsideNew
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outsideNew_map1 2 match address outsideNew_cryptomap_1
crypto map outsideNew_map1 2 set pfs group5
crypto map outsideNew_map1 2 set peer 93.20.180.195
crypto map outsideNew_map1 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsideNew_map1 interface outsideNew
crypto isakmp enable outsideNew
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 192.168.192.0 255.255.252.0 inside
ssh 192.168.208.90 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outsideNew
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server XXXXXXXX source outsideNew
ntp server XXXXXXXXXXX source outsideNew
ntp server XXXXXXXXXXXXXX source outsideNew
tftp-server inside 192.168.192.XXXX XXXXXXXXXXXXXX.cfg
webvpn
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group XXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
09-01-2012 09:44 AM
I appreciate that this was nearly a year ago, but I'm having similar issues and this is one of few posts where anyone else was having issues with a client VPN accessing a remote VLAN on a different site.
Do you remember what you did to fix it?
09-02-2012 01:43 AM
Hi,
Here you need to have hairpinning enabled to make this work.
http://www.petenetlive.com/KB/Article/0000040.htm
By
Karthik
01-14-2016 07:15 PM
Dear nkarthikeyan
I have configured the VPN as you recommended, but it fails. I don't know why. Can you give me some suggestions? Thank you!
01-14-2016 08:00 PM
run: packet-tracer input inside icmp SourceIP 8 0 RemoteIP
Post the results as well as your VPN config and some info on which host you are trying to access and from which network.
01-14-2016 08:49 PM
Thanks! Below is the configuration:
SiteA:
ASA 5525:
VPN gateway for remote users
LAN1:10.24.10.0/24
LAN2:10.24.15.0/24
LAN3:10.24.24.0/24
Remote VPN pool:10.1.84.0/24
site B :
ASA 5520
LAN1:10.1.0.0/24
LAN2:10.1.1.0/24
Both sites are connected through a site-to-site VPN, and the VPN works normally.
Remote clients (VPN clients) can connect to the Site A LAN and see machines on LAN A, but cannot see the Site B LAN.
I want remote VPN clients to also be able to reach Site B, but I have tried many times and it does not succeed.
What do I miss?
SiteA:
ip local pool Remote_admin 10.1.84.100-10.1.84.200 mask 255.255.255.0
same-security-traffic permit intra-interface
object network Subnet1
subnet 10.1.0.0 255.255.255.0
object network Subnet2
subnet 10.1.1.0 255.255.255.0
object network Corp
subnet 10.24.15.0 255.255.255.0
object network Servers
subnet 10.24.10.0 255.255.255.0
object network Remote_admin
subnet 10.1.84.0 255.255.255.0
object-group network Subnets
network-object object Subnet1
network-object object Subnet2
object-group network SF_Network
network-object 10.24.24.0 255.255.255.0
network-object object Corp
network-object object Servers
access-list split standard permit 10.24.15.0 255.255.255.0
access-list split standard permit 10.24.10.0 255.255.255.0
access-list split standard permit 10.24.24.0 255.255.255.0
access-list split standard permit 10.1.0.0 255.255.255.0
access-list split standard permit 10.1.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip object-group SF_Network object-group Subnets
access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets
nat (Inside,Outside1) source static any any destination static Remote_admin Remote_admin
nat (Outside1,Outside1) source static Remote_admin Remote_admin destination static Subnets Subnets no-proxy-arp route-lookup
nat (Inside,Outside1) source static SF_Network SF_Network destination static Subnets Subnets no-proxy-arp route-lookup
nat (Inside,Outside1) after-auto source dynamic any interface
access-group Inside_access_in in interface Inside
access-group global_access global
crypto ipsec ikev1 transform-set Trans esp-aes-256 esp-sha-hmac
crypto dynamic-map dyn1 65534 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 65534 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 65534 set reverse-route
crypto map Outside1_map 1 match address Outside1_cryptomap
crypto map Outside1_map 1 set peer X.X.X.X
crypto map Outside1_map 1 set ikev1 transform-set Trans
crypto map Outside1_map 1 set security-association lifetime seconds 28800
crypto map Outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside1_map 65534 ipsec-isakmp dynamic dyn1
crypto map Outside1_map interface Outside1
crypto isakmp nat-traversal 3600
crypto ikev1 enable Outside1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1
group-policy Remote_Admin internal
group-policy Remote_Admin attributes
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
address-pools value Remote_admin
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Remote_admin type remote-access
tunnel-group Remote_admin general-attributes
address-pool Remote_admin
default-group-policy Remote_Admin
tunnel-group Remote_admin ipsec-attributes
ikev1 pre-shared-key *****
SiteB:
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0
nat (Inside) 0 access-list no_nat
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set Office esp-aes-256 esp-sha-hmac
crypto map mymap 90 match address Office
crypto map mymap 90 set peer X.X.X.X
crypto map mymap 90 set transform-set Office
crypto map mymap 90 set security-association lifetime seconds 28800
crypto map mymap 90 set security-association lifetime kilobytes 4608000
crypto map mymap interface Outside
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
I ran this command at Site B:
packet-tracer input inside icmp 10.1.0.195 8 0 10.1.84.102
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.84.0 255.255.255.0 Outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip Inside 10.1.0.0 255.255.255.0 Outside 10.1.84.0 255.255.255.0
NAT exempt
translate_hits = 4, untranslate_hits = 170
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 10.1.0.0 255.255.255.0
nat-control
match ip Inside 10.1.0.0 255.255.255.0 Outside any
dynamic translation to pool 1 (116.246.25.164 [Interface PAT])
translate_hits = 15542307, untranslate_hits = 1167241
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 1 10.1.0.0 255.255.255.0
nat-control
match ip Inside 10.1.0.0 255.255.255.0 Outside any
dynamic translation to pool 1 (116.246.25.164 [Interface PAT])
translate_hits = 15542307, untranslate_hits = 1167241
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I also ran the command at Site A:
packet-tracer input outside1 icmp 10.1.84.102 8 0 10.1.0.195
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside1
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit icmp any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Outside1,Outside1) source static Remote_admin Remote_admin destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.84.102/0 to 10.1.84.102/0
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: Outside1
input-status: up
input-line-status: up
output-interface: Outside1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
If you want any other information, please tell me. Thank you!
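One check worth running on the two configs above before going further: a site-to-site crypto ACL must be the exact mirror image of its peer's. The script below is an added example, not from this thread; it transcribes Site A's Outside1_cryptomap (with its object-groups expanded from the posted object definitions) and Site B's Office list, expands both into (source, destination) pairs, and reports any pair the other side does not mirror. For the configs as posted both sides come out as the same 8 pairs, which rules out a crypto ACL mismatch as the cause of the encrypt-phase acl-drop.

```python
# Added example (not from the thread): mirror-image check of the two posted crypto ACLs.
import ipaddress
import re

# Site A 'object network' / 'object-group network' entries, expanded by hand.
SITE_A_GROUPS = {
    "SF_Network": ["10.24.24.0/24", "10.24.15.0/24", "10.24.10.0/24"],
    "Subnets": ["10.1.0.0/24", "10.1.1.0/24"],
    "Remote_admin": ["10.1.84.0/24"],
}
SITE_A_ACL = """\
access-list Outside1_cryptomap extended permit ip object-group SF_Network object-group Subnets
access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets
"""
SITE_B_ACL = """\
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0
"""

def _endpoint(tokens, groups):
    """Return (networks, tokens consumed) for one ACL address term."""
    if tokens[0] in ("object", "object-group"):
        return [ipaddress.ip_network(n) for n in groups[tokens[1]]], 2
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    return [ipaddress.ip_network(tokens[0] + "/" + tokens[1])], 2  # "addr mask" form

def crypto_pairs(acl_text, groups=None):
    """Expand an ASA crypto ACL into the set of (src, dst) network pairs."""
    pairs = set()
    for line in acl_text.splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.*)", line.strip())
        if m:
            tokens = m.group(1).split()
            srcs, used = _endpoint(tokens, groups or {})
            dsts, _ = _endpoint(tokens[used:], groups or {})
            pairs.update((s, d) for s in srcs for d in dsts)
    return pairs

def mirror_mismatch(local, peer):
    """(local pairs the peer does not mirror, peer pairs local does not mirror)."""
    mirrored = {(d, s) for s, d in peer}
    return local - mirrored, mirrored - local
```

Call `mirror_mismatch(crypto_pairs(SITE_A_ACL, SITE_A_GROUPS), crypto_pairs(SITE_B_ACL))`; two empty sets mean the lists are exact mirrors, and any entry printed names the subnet pair that one side encrypts but the other does not expect.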