ASA5505 I cannot reach to an outside network from a branch office
My customer has a HQ office and many Branch offices. In the HQ there is an ASA5510 configured as a default gateway, From HQ customer must access to internet (everythig works fine), from Inside LAN should reach to anyway including special services like Credit Card service provider and others (it works fine). From Branch offices must reach Inside LAN hosts (it works fine), from Branch Offices must reach DMZ (it works fine), from branch offices should reach CC Service provider and here's the point of this Q, From almost all branch offices they reach CCSP fine but branch offices where an ASA5505 is installed (Offices that reach CCSP have a RV042 installed or a TPlink ER6120 installed) but offices with ASA just can ping to LAN side of CCSP's router.
I think ASA5505 conf is an opened door configuration. Here's the 5505 configuration and also attached the network diagram. Some one can help please
Are the branch offices connected to the HQ through some ISP MPLS network since I do not see any L2L VPN configurations on the ASA5505?
I presume this is the case. Since you say that the connections between Branch Office (with ASA5505) and HQ LAN work fine it should tell us that there should be no routing problems between those networks.
The diagram possibly also suggests that all the Branch Office connections come to your HQ network through the same Router at the edge so if other Branc Offices connections CCSP work then there should be no routing problem between the Branch Offices and the CCSP (atleast regarding your part of the network)
Now, some questions.
Does the ISR Router forward traffic destined to CCSP directly to the Router at 192.168.2.249 ?
Does the Router with the connection to the CCSP use the Internet to reach the CCSP or is there somekind of dedicated connection between these networks?
If the Router towards CCSP uses Internet then does it lack some NAT configurations for the source network 192.168.27.0/24? Does it perhaps lack a route towards the network 192.168.27.0/24? Or is there any possible errors in the configurations (wrong gateway IP or network mask somewhere?)
Is there any ACLs configured on the Router that has the connection to the CCSP that might block traffic?
Does the CCSP have all the required routing information to pass traffic towards the network 192.168.27.0/24? (If were talking about a dedicated connection and not traffic through the Internet) Have they allowed traffic from the mentioned network 192.168.27.0/24 to their servers/network?
Have you taken "packet-tracer" output from the ASA5505 to confirm that the ASA configurations allow the traffic and dont drop it for some reason?
You can modify the IP addresses (source/destination) and the used destination port and protocol to match the connections that are actually attempted.
Have you monitored the connections on the ASA when users attempt them? This should atleast tell you why they are failing or give a hint. You could also configure traffic capture on the ASA5505 if you wanted to make sure if any traffic was coming from the CCSP towards this ASA (return traffic for connection attempt)
Hope this helps :)
Let me know if I missunderstood the situation wrong somehow.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :