
EasyVPN - NO VOIP Between Remotes

Status
Not open for further replies.

TechJimF

Technical User
Dec 21, 2004
196
US
I have an ASA 5510 at the head end and have been deploying ASA 5505s for remotes using EasyVPN. Everything has been working great until this issue was discovered today.

When a remote user behind an ASA 5505 calls another remote user also behind an ASA 5505, the call connects but there is no talk path in either direction.

Calls to/from corporate are fine, only remote to remote passing through the ASA 5510 at the head end is the issue.

I guess another related issue is that I have the first ASA 5505 at my house and cannot directly admin any of the other remote ASA 5505s; I can only admin the remotes from the corporate network.

The scrubbed config from the ASA 5510 and from the two ASA 5505s reporting the issue are below.

Thanks in advance,

Jim
_______________________________________________
ASA 5510 - Head End

ASA Version 8.0(4)
!
hostname xxxxxxxxASA1
domain-name xxxxxx.com
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.10.9.21 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.8.5 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.16.3.42
name-server 172.16.3.41
domain-name xxxxxx.com
object-group network xxx_Networks
description All xxxxxxx Networks (Data Center, BG, DF, LEMN, MEM, Juniper VPN Clients)
network-object 10.10.0.0 255.255.0.0
network-object 10.100.1.0 255.255.255.0
network-object 10.250.0.0 255.255.0.0
network-object 172.16.3.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
object-group network Voice_Networks_UDP
description UDP for Avaya VPN Remote
network-object 10.10.50.0 255.255.255.0
network-object 10.250.50.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
network-object 10.10.51.0 255.255.255.0
network-object 10.10.52.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 10.101.1.0 255.255.255.0
group-object CCN_Networks
access-list ITGroup_splitTunnelAcl remark BG 172 Servers
access-list ITGroup_splitTunnelAcl standard permit 172.16.3.0 255.255.255.0
access-list ITGroup_splitTunnelAcl remark BG 10.10 Network
access-list ITGroup_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list ITGroup_splitTunnelAcl remark DF #1
access-list ITGroup_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list ITGroup_splitTunnelAcl remark DF #2
access-list ITGroup_splitTunnelAcl standard permit 192.168.51.0 255.255.255.0
access-list ITGroup_splitTunnelAcl remark Lenexa
access-list ITGroup_splitTunnelAcl standard permit 10.250.0.0 255.255.0.0
access-list ITGroup_splitTunnelAcl remark Memphis
access-list ITGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list ITGroup_splitTunnelAcl remark Juniper DHCP Clients
access-list ITGroup_splitTunnelAcl standard permit 10.100.1.0 255.255.255.0
access-list Avaya_SplitTunnelACL remark Avaya PBX
access-list Avaya_SplitTunnelACL standard permit 10.10.50.0 255.255.255.0
access-list Avaya_SplitTunnelACL remark Avaya PBX
access-list Avaya_SplitTunnelACL standard permit 10.10.51.0 255.255.255.0
access-list Avaya_SplitTunnelACL remark Avaya PBX
access-list Avaya_SplitTunnelACL standard permit 10.10.52.0 255.255.255.0
access-list Avaya_SplitTunnelACL remark Avava IP Phone Backup/Restore File Server
access-list Avaya_SplitTunnelACL standard permit host 10.10.40.31
access-list Avaya_SplitTunnelACL remark Avaya IP Phone TFTP File Server
access-list Avaya_SplitTunnelACL standard permit host 172.16.3.42
access-list no-nat remark Avaya VPN Remote Phone Rule
access-list no-nat extended permit ip object-group CCN_Networks 10.101.1.0 255.255.255.0
access-list no-nat remark AnyConnect VPN Rule
access-list no-nat extended permit ip object-group CCN_Networks 10.101.2.0 255.255.255.0
access-list no-nat remark EasyVPN Rule
access-list no-nat extended permit ip object-group CCN_Networks 10.101.239.0 255.255.255.0
access-list no-nat remark EasyVPN Rule
access-list no-nat extended permit ip object-group CCN_Networks 10.101.240.0 255.255.255.0
access-list no-nat remark MIS Rule
access-list no-nat extended permit ip object-group CCN_Networks 10.101.10.0 255.255.255.224
access-list inside_access_out remark Avaya VPN Remote Phone Rule
access-list inside_access_out extended permit udp object-group CCN_Networks 10.101.1.0 255.255.255.0 range 2048 65535
access-list inside_access_out remark AnyConnect VPN Rule
access-list inside_access_out extended permit ip object-group CCN_Networks 10.101.10.0 255.255.255.224
access-list inside_access_out remark EasyVPN Rule
access-list inside_access_out extended permit ip object-group CCN_Networks 10.101.239.0 255.255.255.0
access-list inside_access_out remark EasyVPN Rule
access-list inside_access_out extended permit ip object-group CCN_Networks 10.101.240.0 255.255.255.0
access-list inside_access_out remark AnyConnect VPN Rule
access-list inside_access_out extended permit ip object-group CCN_Networks 10.101.2.0 255.255.255.0
access-list inside_access_out remark Avaya VPN Remote Phone Rule
access-list inside_access_out extended permit icmp 10.10.50.0 255.255.255.0 10.101.1.0 255.255.255.0 echo
access-list inside_access_out remark EasyVPN Rule
access-list inside_access_out extended permit ip 10.101.240.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list EasyVPN_(Tunnel-Traffic) remark EasyVPN Rule
access-list EasyVPN_(Tunnel-Traffic) extended permit ip object-group CCN_Networks 10.101.240.0 255.255.255.0
access-list 1 webtype permit tcp 10.10.40.31 255.255.255.255
pager lines 24
logging enable
logging buffer-size 10000
logging asdm-buffer-size 500
logging asdm informational
logging ftp-server 172.16.3.215 CCN-BUF-ASA1_Logs CCNAvaya ****
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool AvayaVPN-DHCP 10.101.1.10-10.101.1.150 mask 255.255.255.0
ip local pool MIS-Tech-Pool 10.101.10.10-10.101.10.30 mask 255.255.255.224
ip local pool AnyConnect-Pool 10.101.2.10-10.101.2.150 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no-nat
nat (inside) 10 0.0.0.0 0.0.0.0
access-group inside_access_out out interface outside
!
router eigrp 10
no auto-summary
eigrp router-id 10.10.9.21
network 10.10.9.16 255.255.255.248
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 10.100.1.0 255.255.255.0 10.10.9.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.101.239.0 255.255.255.240 inside
http 192.168.5.0 255.255.255.0 inside
http 10.101.240.0 255.255.255.248 inside
http 10.10.0.0 255.255.0.0 inside
http 10.100.1.0 255.255.255.0 inside
http 192.168.51.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 10.101.10.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set EasyVPN_Set1 esp-des esp-md5-hmac
crypto ipsec transform-set EasyVPN_Set2 esp-3des esp-md5-hmac
crypto ipsec transform-set AvayaVPNPhone_DES esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Untrust_dyn_map 20 set pfs
crypto dynamic-map Untrust_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map Untrust_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Untrust_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Untrust_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Untrust_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Untrust_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map Untrust_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map Untrust_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map Untrust_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map EasyVPN_dynMAP 5 set transform-set EasyVPN_Set2
crypto dynamic-map EasyVPN_dynMAP 5 set security-association lifetime seconds 28800
crypto dynamic-map EasyVPN_dynMAP 5 set security-association lifetime kilobytes 4608000
crypto map Untrust_map 65535 ipsec-isakmp dynamic Untrust_dyn_map
crypto map EasyVPN_MAP 200 ipsec-isakmp dynamic EasyVPN_dynMAP
crypto map EasyVPN_MAP interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet 10.100.1.0 255.255.255.0 inside
telnet 10.101.10.0 255.255.255.224 inside
telnet 10.101.240.0 255.255.255.248 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.3.42 source inside
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 3
svc profiles SBL disk0:/CCNAnyConnectProfile.xml
svc enable
group-policy TechServ_GP internal
group-policy TechServ_GP attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
webvpn
svc modules value vpngina
svc profiles value SBL
group-policy Accounting_GP internal
group-policy Accounting_GP attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol svc
ipsec-udp enable
ipsec-udp-port 29203
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
webvpn
svc modules value vpngina
svc profiles value SBL
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
address-pools value AnyConnect-Pool
webvpn
svc ask none default svc
group-policy Accounting_GP_Client internal
group-policy Accounting_GP_Client attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol IPSec
group-lock value IPSecProfile
ipsec-udp enable
ipsec-udp-port 29203
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
address-pools value AnyConnect-Pool
group-policy Projects_GP internal
group-policy Projects_GP attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
webvpn
svc modules value vpngina
svc profiles value SBL
group-policy Logistics_GP internal
group-policy Logistics_GP attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
webvpn
svc modules value vpngina
svc profiles value SBL
group-policy EasyVPN-GP internal
group-policy EasyVPN-GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_(Tunnel-Traffic)
nem enable
group-policy AvayaVPNPhone internal
group-policy AvayaVPNPhone attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Avaya_SplitTunnelACL
default-domain value xxxxxx.com
address-pools value AvayaVPN-DHCP
group-policy ITGroup internal
group-policy ITGroup attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
default-domain value xxxxxxx.com
address-pools value MIS-Tech-Pool
webvpn
url-list value IT_Bookmarks
svc modules value vpngina
svc profiles value SBL
svc ask enable default svc timeout 5
customization value ITPortalTest
hidden-shares visible
file-entry enable
file-browsing enable
group-policy FieldOp_GP internal
group-policy FieldOp_GP attributes
wins-server value 172.16.3.42 172.16.3.41
dns-server value 172.16.3.42 172.16.3.41
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITGroup_splitTunnelAcl
webvpn
svc modules value vpngina
svc profiles value SBL
username admin password xxxxxxxxxxxx encrypted privilege 15
username xxxxxxxxxASA6 password xxxxxxxxxxxxxxxx
username xxxxxxxxxASA6 attributes
service-type remote-access
username xxxxxxxxASA7 password xxxxxxxxxxx encrypted
username xxxxxxxxASA7 attributes
service-type remote-access
username xxxxxxxxASA4 password xxxxxxxxxxx encrypted
username xxxxxxxxASA4 attributes
service-type remote-access
username xxxxxxxxASA5 password xxxxxxxxxxxxx encrypted
username xxxxxxxxASA5 attributes
service-type remote-access
username xxxxxxxxASA2 password xxxxxxxxxxxxx encrypted
username xxxxxxxxASA2 attributes
service-type remote-access
username xxxxxxxxASA3 password xxxxxxxxxxxxxx encrypted
username xxxxxxxxASA3 attributes
service-type remote-access
username xxxxxxxxASA1 password xxxxxxxxxxxxxxx encrypted
username xxxxxxxxASA1 attributes
service-type remote-access
username xxxxxxxxASA101 password xxxxxxxxxxxxxxx encrypted
username xxxxxxxxASA101 attributes
service-type remote-access
username xxxxxxx password xxxxxxxxxx encrypted
username xxxxxxxx attributes
vpn-group-policy Logistics_GP
service-type remote-access
username xxxxxxx password xxxxxxxxxxxxx encrypted
username xxxxxxxx attributes
vpn-group-policy Accounting_GP
service-type remote-access
username xxxxxxxxx password xxxxxxxxxxxxx encrypted
username xxxxxxxxxxx attributes
vpn-group-policy Accounting_GP
service-type remote-access
username xxxxxxxxx password xxxxxxxxxxxxxx encrypted
username xxxxxxx attributes
vpn-group-policy TechServ_GP
service-type remote-access
username xxxxxxx password xxxxxxxxxxxxxxxxxx encrypted
username xxxxxxxxxxx attributes
vpn-group-policy Accounting_GP_Client
service-type remote-access
username xxxxxxxxx password xxxxxxxxxxxxxx encrypted
username xxxxxxxx attributes
vpn-group-policy ITGroup
service-type remote-access
webvpn
svc modules none
svc profiles none
username xxxxxxx password xxxxxxxxxxxxxxxx encrypted privilege 15
username xxxxxxx attributes
vpn-group-policy ITGroup
webvpn
svc profiles none
username xxxxxxxx password xxxxxxxxxxxxxx encrypted
username xxxxxxxx attributes
vpn-group-policy AvayaVPNPhone
service-type remote-access
username xxxxxxxxx password xxxxxxxxxxxxx encrypted
username xxxxxxxxx attributes
vpn-group-policy AvayaVPNPhone
service-type remote-access
username xxxxxxx password xxxxxxxxxxxxxxxx encrypted
username xxxxxxx attributes
vpn-group-policy AvayaVPNPhone
service-type remote-access
username xxxxxxxxxxx password xxxxxxxxxxxxxxx encrypted privilege 15
username xxxxxxxxxxx attributes
vpn-group-policy ITGroup
username xxxxxxxxxxx password xxxxxxxxxxxxxxx encrypted privilege 15
username xxxxxxxxxxxxxx attributes
vpn-group-policy ITGroup
username xxxxxxxxxx password xxxxxxxxxxxxxxxxxxxx encrypted
username xxxxxxxxxx attributes
vpn-group-policy Accounting_GP_Client
service-type remote-access
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 172.16.3.42 master timeout 2 retry 2
nbns-server 172.16.3.41 timeout 2 retry 2
tunnel-group AvayaVPNPhone type remote-access
tunnel-group AvayaVPNPhone general-attributes
address-pool AvayaVPN-DHCP
default-group-policy AvayaVPNPhone
tunnel-group AvayaVPNPhone ipsec-attributes
pre-shared-key *
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
default-group-policy ITGroup
tunnel-group ITGroup webvpn-attributes
customization ITPortalTest
group-alias "IT AnyConnect" disable
tunnel-group ITGroup ipsec-attributes
pre-shared-key *
tunnel-group IPSecProfile type remote-access
tunnel-group IPSecProfile general-attributes
address-pool AnyConnect-Pool
tunnel-group IPSecProfile ipsec-attributes
pre-shared-key *
tunnel-group ASA5505EasyVPN type remote-access
tunnel-group ASA5505EasyVPN general-attributes
default-group-policy EasyVPN-GP
tunnel-group ASA5505EasyVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group AvayaVPNPhone
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0aee99a9a8bae199d2881b4cc7d6c231
: end
asdm image disk0:/asdm-613.bin
asdm location 10.10.50.0 255.255.255.0 inside
asdm location 10.10.40.31 255.255.255.255 inside
asdm location 172.16.3.42 255.255.255.255 inside
asdm location 10.250.50.0 255.255.255.0 inside
asdm location 10.101.240.0 255.255.255.0 inside
no asdm history enable
______________________________________________
ASA 5505 - Remote #5

: Saved
:
ASA Version 8.0(4)
!
hostname xxxxxxxxASA5
domain-name xxxxxxx.com
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.101.240.33 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.11 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.16.3.42
name-server 172.16.3.41
domain-name xxxxxxxx.com
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.51.0 255.255.255.0 inside
http 10.101.240.0 255.255.255.248 inside
http 10.101.240.32 255.255.255.248 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable inside
crypto isakmp enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.101.240.34-10.101.240.37 inside
dhcpd dns 172.16.3.42 172.16.3.41 interface inside
dhcpd wins 172.16.3.41 172.16.3.42 interface inside
dhcpd domain xxxxxxxx.com interface inside
dhcpd option 176 ascii mcipadd=10.10.50.21,10.10.50.22,mcport=1719,httpsrvr=10.10.40.31,httpdir=AvayaIPSettings interface inside
dhcpd option 242 ascii mcipadd=10.10.50.21,10.10.50.22,mcport=1719,httpsrvr=10.10.40.31,httpdir=DEV-AvayaIP interface inside
dhcpd enable inside
!
vpnclient server xx.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup ASA5505EasyVPN password ********
vpnclient username xxxxxxxxASA5 password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.3.42 source inside prefer
username admin password xxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ffc5d7e90f4c5f16efe6dbd9be001c77
: end
asdm image disk0:/asdm-613.bin
no asdm history enable
__________________________________________________
ASA 5505 - Remote #6

ASA Version 8.0(4)
!
hostname xxxxxxxxxASA6
domain-name xxxxxx.com
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.101.240.41 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.11 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.16.3.42
name-server 172.16.3.41
domain-name xxxxxxxx.com
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.51.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
http 10.101.240.40 255.255.255.248 inside
http 10.101.240.0 255.255.255.248 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable inside
crypto isakmp enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.0.0 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet 10.101.240.40 255.255.255.248 inside
telnet timeout 15
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.101.240.42-10.101.240.45 inside
dhcpd dns 172.16.3.42 172.16.3.41 interface inside
dhcpd wins 172.16.3.41 172.16.3.42 interface inside
dhcpd domain xxxxxxx.com interface inside
dhcpd option 176 ascii mcipadd=10.10.50.21,10.10.50.22,mcport=1719,httpsrvr=10.10.40.31,httpdir=AvayaIPSettings interface inside
dhcpd option 242 ascii mcipadd=10.10.50.21,10.10.50.22,mcport=1719,httpsrvr=10.10.40.31,httpdir=DEV-AvayaIP interface inside
dhcpd enable inside
!
vpnclient server xx.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup xxxxxxxxxxxx password ********
vpnclient username xxxxxxxxASA6 password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.3.42 source inside prefer
username admin password xxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:426fd970f4095d6814c18bc3da602ae3
: end
asdm image disk0:/asdm-613.bin
no asdm history enable
 
Are your remotes able to connect to each other in order to do CIFS, HTTP, etc.?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Jim

Try adding this command to your 5510 config

same-security-traffic permit intra-interface

This will allow IPSec traffic from one VPN to another by allowing the traffic in and out of the same interface ("hairpinning").

 
hey no fair, you stole my thunder man!!! i was going to give that answer!!! j/k of course :)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I added the command but can't test because one of the remotes left his home office. Once I get results I'll let you know.

Thanks for the help,

Jim
 
Okay, entered that command but it did not seem to help. The issue apparently is a bit larger than I thought. Not all the users are reporting it to me.

Remote 5 & 6 cannot talk to each other. Remote 5 & 6 can talk to remote 3. When remote 3 is called by someone in a branch office, there is no audio. If remote 3 calls the branch office, audio is fine.

I'm going to troubleshoot more tomorrow, possibly routing or ACL/ACEs?

Jim
 
I think you should take a look at your split tunnels.

Try this.

access-list EasyVPN_(Tunnel-Traffic) extended permit ip object-group CCN_Networks any


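The two suggestions in this thread (the hairpin command in the earlier reply and the split-tunnel ACL just above) can be checked mechanically against a hub config before a change window. The script below is an added example written for this thread; it is not code from any poster or from Cisco. It parses only the subset of ASA 8.0 syntax that appears in the posted configs (network object groups, nested group-object lines, and "extended permit" access-list entries; protocol and port qualifiers are ignored), and it assumes Cisco's documented convention for an extended split-tunnel ACL on the hub: the source side is the hub-protected networks that get pushed to a network-extension-mode client as "send through the tunnel", the destination side is the client networks. The sample config, the remote subnets (taken from the /29s the two 5505s use) and the ACL name are constructed for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the hub config posted in this thread (not a copy of it):
# one object group, a nested group, the split-tunnel ACL under discussion, and the
# "same-security-traffic" line andrewis suggested.
SAMPLE_HUB_CONFIG = """\
object-group network CCN_Networks
 network-object 10.10.0.0 255.255.0.0
 network-object 172.16.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 10.101.1.0 255.255.255.0
 group-object CCN_Networks
access-list EasyVPN_(Tunnel-Traffic) remark EasyVPN Rule
access-list EasyVPN_(Tunnel-Traffic) extended permit ip object-group CCN_Networks 10.101.240.0 255.255.255.0
same-security-traffic permit intra-interface
"""

# The same sample after what Jim reports trying: the remote /24 added to the object group.
SAMPLE_WITH_REMOTES_IN_GROUP = SAMPLE_HUB_CONFIG.replace(
    " network-object 172.16.3.0 255.255.255.0\n",
    " network-object 172.16.3.0 255.255.255.0\n network-object 10.101.240.0 255.255.255.0\n",
)

# Inside subnets of the two remote 5505s, as configured in the thread (constructed labels).
REMOTE_5 = ipaddress.ip_network("10.101.240.32/29")
REMOTE_6 = ipaddress.ip_network("10.101.240.40/29")


def parse_object_groups(cfg):
    """Return {group_name: [('net', IPv4Network) | ('group', name)]} for
    'object-group network' blocks; nested references are resolved by expand_group."""
    groups, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None:
            continue
        tok = line.split()
        if tok and tok[0] == "network-object":
            net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            groups[current].append(("net", ipaddress.ip_network(net, strict=False)))
        elif tok and tok[0] == "group-object":
            groups[current].append(("group", tok[1]))
        elif tok and tok[0] != "description":
            current = None  # any other top-level command ends the group block
    return groups


def expand_group(groups, name, seen=None):
    """Flatten a group, following nested group-object lines, into IPv4Network objects."""
    if seen is None:
        seen = set()
    if name in seen:  # guard against a self-referencing group
        return []
    seen.add(name)
    nets = []
    for kind, value in groups.get(name, []):
        nets.extend([value] if kind == "net" else expand_group(groups, value, seen))
    return nets


def _take_address(tok, i, groups):
    """Consume one ACL address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return expand_group(groups, tok[i + 1]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def parse_extended_acls(cfg, groups):
    """Return {acl_name: [(src_nets, dst_nets), ...]} for 'extended permit' entries.
    Only the address fields are modelled (the split-tunnel ACLs here are 'permit ip')."""
    acls = {}
    for raw in cfg.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
            continue
        src, i = _take_address(tok, 5, groups)  # tok[4] is the protocol
        dst, _ = _take_address(tok, i, groups)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


def pushed_networks(acls, split_acl):
    """Networks the hub pushes to a NEM client as 'tunnel this' (assumption: the ACL's
    source side is the hub-protected side, per Cisco's split-tunnel convention)."""
    return [n for src, _ in acls.get(split_acl, []) for n in src]


def audit_remote_to_remote(cfg, remote_a, remote_b, split_acl):
    """Report whether the hub permits hairpinning and whether each remote would be told
    to send traffic for the other remote through its tunnel."""
    groups = parse_object_groups(cfg)
    pushed = pushed_networks(parse_extended_acls(cfg, groups), split_acl)
    hairpin = any(l.strip() == "same-security-traffic permit intra-interface"
                  for l in cfg.splitlines())
    return {
        "hairpin_permitted": hairpin,
        "a_tunnels_to_b": any(remote_b.subnet_of(n) for n in pushed),
        "b_tunnels_to_a": any(remote_a.subnet_of(n) for n in pushed),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_HUB_CONFIG),
                       ("remotes in group", SAMPLE_WITH_REMOTES_IN_GROUP)):
        print(label, audit_remote_to_remote(cfg, REMOTE_5, REMOTE_6, "EasyVPN_(Tunnel-Traffic)"))
```

Run against the sample, the "as posted" config reports hairpinning permitted but neither remote pushed the other's subnet, because 10.101.240.0/24 sits only on the destination side of the ACL; once the remote /24 is a member of the object group, both directions are covered. The script is a static check only: as the last post in this thread shows, a config that passes it can still need the stale SAs cleared before traffic flows.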
 
andrewis,

I added that line, still no good. I even added the remote networks to the object group, did not help.

Any other suggestions?

Thanks,

Jim
 
No, I did not. If I do that, will connections drop?
 
I'll try that tonight and then have the users test tomorrow.
 
The problems worsened for the two remotes mentioned at the beginning of this thread. I reloaded both ASA 5 & ASA 6, which would clear SAs for those two without affecting the others. Now they can talk to each other as well as anyone else they had problems with.

Thanks for your help,

Jim
 