Cisco IOS-fu #9 – ASA-to-ASA Site-to-Site Tunnel + VPN Client

Hello there!  It's August!

I thought I'd give you a little update to my last blog where I described our Dual-ISP + ASA 5505 setup.

Everything has been REALLY solid so far, but we have run into a slightly odd issue related to our IPSec configuration.

If you recall, we moved from an ASA-to-IOS IPSec/VPN tunnel to an ASA-to-ASA one.  Our "hub" VPN endpoint is a Cisco ASA 5520 cluster.  Our "spoke" VPN endpoint was a Cisco 1760 router.  In our "new" setup, our "spoke" VPN endpoint is now the ASA 5505.

What we discovered is that when our VPN Client users connected to VPN (both Mac & PC) they were no longer able to access resources behind the ASA-to-ASA Site-to-Site Tunnel.  That's weird. We USED to be able to do that.  What's different?

Well, the ASA 5505 is different.  So, it must be the culprit, right?

I spent a few days, and couldn't find the problem.  So, I opened a low priority TAC case.  The engineer quickly evaluated my configs and taught me something… Crypto (VPN) ACLs are very different when doing ASA-to-ASA vs. ASA-to-IOS.  I didn't know that.

The Fix
Basically, your ASA-to-ASA crypto ACLs must be "mirror images" on both ends: the source/destination pairs the hub proposes must be exactly the reverse of the pairs the spoke proposes.  Let me give you an example:

WRONG/BROKEN CONFIG

ASA 5520 "hub" crypto acl info

object-group network GlobalNetworks
 description All LC.tv Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
 network-object 172.18.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network HNV_Networks
 description Hendersonville, Tennessee Campus Networks
 network-object 10.10.15.0 255.255.255.0

access-list Outside_cryptomap_HNV extended permit ip any object-group HNV_Networks

ASA 5505 "spoke" crypto acl info

object-group network GlobalNetworks
 description All LC.tv Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
 network-object 172.18.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0

access-list hnv-cen extended permit ip 10.10.15.0 255.255.255.0 object-group GlobalNetworks

CORRECT/FIXED CONFIG

ASA 5520 "hub" crypto acl info

access-list Outside_cryptomap_HNV extended permit ip object-group GlobalNetworks object-group HNV_Networks
(See the difference?  The old/bad config used "any" as the source; the new/good config names the networks explicitly.)

ASA 5505 "spoke" crypto acl info

object-group network HNV_Networks
 description Hendersonville, Tennessee Campus Networks
 network-object 10.10.15.0 255.255.255.0

access-list hnv-cen extended permit ip object-group HNV_Networks object-group GlobalNetworks
(This is the same as before and was always right – I just added the object-group to clean it up.)

The REAL problem was the way I wrote the ACL on the "hub" ASA 5520 cluster.  It wasn't the ASA 5505 at all. Seriously.  That was it.  It all turned out to be a simple ACL issue.  And the ACL was "just fine for years" when doing IPSec/VPN from ASA-to-IOS. What? Grrrr.

(banghead)
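As an added illustration (my own check, not anything from the original post or Cisco), here is a small Python script that flattens each side's crypto ACL into the source/destination pairs it proposes, resolving object-groups, and reports every entry that has no mirror on the other end plus any use of "any".  The embedded configs are the post's hub and spoke ACLs, with the hub in both its broken and fixed form.

```python
import re
from collections import defaultdict

ACL_RE = re.compile(r"access-list (\S+) extended permit ip "
                    r"(object-group \S+|any|\S+ \S+) (object-group \S+|any|\S+ \S+)$")

def parse_config(text):
    """Pull 'object-group network' members and 'permit ip' ACL entries out of ASA config text."""
    groups, acls, current = defaultdict(list), defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("object-group network "):
            current = line.split()[2]
        elif line.startswith("network-object ") and current:
            groups[current].append(line.split(None, 1)[1])      # "network mask"
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))   # (source, destination) as written
    return groups, acls

def expand(token, groups):
    """Resolve one ACL address token to the set of 'network mask' strings it stands for."""
    if token.startswith("object-group "):
        return set(groups[token.split()[1]])
    return {token}                                              # literal "net mask" or "any"

def proxy_ids(cfg, acl_name):
    """Flatten a crypto ACL into the (local, remote) pairs it will propose to the peer."""
    groups, acls = parse_config(cfg)
    return {(s, d) for src, dst in acls[acl_name]
            for s in expand(src, groups) for d in expand(dst, groups)}

def crypto_acl_problems(hub_cfg, hub_acl, spoke_cfg, spoke_acl):
    """Return [] when the two crypto ACLs mirror each other, otherwise a list of findings."""
    hub, spoke = proxy_ids(hub_cfg, hub_acl), proxy_ids(spoke_cfg, spoke_acl)
    findings = [f"'any' in proxy identity {p}" for p in sorted(hub | spoke) if "any" in p]
    mirrored = {(d, s) for s, d in spoke}                       # what the hub must carry
    findings += [f"hub entry {p} has no mirror on the spoke" for p in sorted(hub - mirrored)]
    findings += [f"spoke entry {(d, s)} has no mirror on the hub" for s, d in sorted(mirrored - hub)]
    return findings
# Constructed sample: the object-groups and crypto ACLs from the post, hub before and after the fix.
GROUPS = """object-group network GlobalNetworks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
 network-object 172.18.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network HNV_Networks
 network-object 10.10.15.0 255.255.255.0
"""
BROKEN_HUB = GROUPS + "access-list Outside_cryptomap_HNV extended permit ip any object-group HNV_Networks"
FIXED_HUB = GROUPS + "access-list Outside_cryptomap_HNV extended permit ip object-group GlobalNetworks object-group HNV_Networks"
SPOKE = GROUPS + "access-list hnv-cen extended permit ip object-group HNV_Networks object-group GlobalNetworks"
```

Running `crypto_acl_problems(BROKEN_HUB, "Outside_cryptomap_HNV", SPOKE, "hnv-cen")` lists the "any" entry and the four spoke networks it fails to mirror; the fixed hub returns an empty list.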

1 thought on “Cisco IOS-fu #9 – ASA-to-ASA Site-to-Site Tunnel + VPN Client”

  1. Oh! We are a group of volunteers and are starting a new initiative in our community. Your weblog provided us with valuable information to work with. You have done a wonderful job!
