Question : ASA-5505: VPN packets not forwarding to second outside interface

I have an ASA-5505 which I recently factory reset.  I intend to use it as my office's internet-facing firewall and VPN device, as part of a shift to a new ISP.  I am trying to do two non-standard (i.e. things I am not used to doing) things with the new device, that I understand should be possible:

1

I want to use a third Vlan (DMZ interface) to connect to the old ISP (not for failover), so I can run the existing VPNs and transition them to the new interface, over time.

2

I want to hairpin/NAT the old, non-RFC1918 LAN range on the inside interface (192.14.14.0/24) to a new subnet (172.16.0.0/24), so I can finally be rid of the non-standard IP range, but allow me to migrate client settings that I may have missed during the transition period

At the moment, I can only use the packet-trace CLI command to test the various rules, before I can move into physical testing.

Access to external addresses appears to flow correctly, as does the hairpinning, but the packet-trace shows a drop for the traffic that matches the VPN range.

Redacted config, version info and packet trace results are attached.  The questions are:

1

Can anyone see why the VPN traffic is shown as dropped in the packet-trace from 172.16.1.100 to 192.15.15.20 -- is it just because the VPN tunnel is not up/is reaching "VPN" in the packet-trace as close as I can get until it is physically cabled?

2

Once the tunnel is working, Is it possible to allow end-users in the 192.15.15.0/24 range to talk to 192.14.14.0/24 and be translated to 172.16.0.0/24, as per the hairpinning (I have tried a static (inside,outside_old)... rule but the packet-trace shows it as dropped -- I assume packet-trace cannot emulate traffic from the VPN)?

Thanks in advance...

J.

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 424: 425: 426: 427: 428: 429: 430: 431: 432: 433: 434: 435: 436: 437: 438: 439: 440: 441: 442: 443: 444: 445: 446: 447: 448: 449: 450: 451: 452: 453: 454: 455: 456: 457: 458: 459: 460: 461: 462: 463: 464: 465: 466: 467: 468: 469: 470: 471: 472: 473: 474: 475: 476: 477: 478: 479: 480: 481: 482: 483: 484: 485: 486: 487: 488: 489: 490: 491: 492: 493: 494: 495: 496: 497: 498: 499: 500: 501: 502: 503: 504: 505: 506: 507: 508: 509: 510: 511: 512: 513: 514: 515: 516: 517: 518: 519: 520: 521: 522: 523: 524: 525: 526: 527: 528: 529: 530: 531: 532: 533: 534: 535: 536: 537: 538: 539: 540: 541: 542: 543: 544: 545: 546: 547: 548: 549: 550: 551: 552: 553: 554: 555: 556: 557: 558: 559: 560: 561: 562: 563: 564: 565: 566: 567: 568: 569: 570: 571: 572: 573: 574: 575: 576: 577: 578: 579: 580: 581: 582: 583: 584: 585: 586: 587: 588: 589: 590: 591: 592: 593: 594: 595: 596: 597: 598: 599: 600: 601: 602: 603: 604: 605: 606: 607: 608: 609: 610: 611: 612: 613: 614: 615: 616: 617: 618: 619: 620: 621: 622: 623: 624: 625: 626: 627: 628: 629: 630: 631: 632: 633: 634: 635: 636: 637: 638: 639: 640: 641: 642: 643: 644: 645:

ciscoasa(config)# sh ver Cisco Adaptive Security Appliance Software Version 8.2(2) Device Manager Version 6.2(5)53 Compiled on Mon 11-Jan-10 14:19 by builders System image file is "disk0:/asa822-k8.bin" Config file at boot was "startup-config" ciscoasa up 24 mins 53 secs Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz Internal ATA Compact Flash, 128MB BIOS Flash M50FW080 @ 0xffe00000, 1024KB Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0) Boot microcode : CN1000-MC-BOOT-2.00 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04 0: Int: Internal-Data0/0 : address is 001e.7aac.3ca3, irq 11 1: Ext: Ethernet0/0 : address is 001e.7aac.3c9b, irq 255 2: Ext: Ethernet0/1 : address is 001e.7aac.3c9c, irq 255 3: Ext: Ethernet0/2 : address is 001e.7aac.3c9d, irq 255 4: Ext: Ethernet0/3 : address is 001e.7aac.3c9e, irq 255 5: Ext: Ethernet0/4 : address is 001e.7aac.3c9f, irq 255 6: Ext: Ethernet0/5 : address is 001e.7aac.3ca0, irq 255 7: Ext: Ethernet0/6 : address is 001e.7aac.3ca1, irq 255 8: Ext: Ethernet0/7 : address is 001e.7aac.3ca2, irq 255 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255 10: Int: Not used : irq 255 11: Int: Not used : irq 255 Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 3, DMZ Restricted Inside Hosts : Unlimited Failover : Disabled VPN-DES : Enabled VPN-3DES-AES : Enabled SSL VPN Peers : 2 Total VPN Peers : 10 Dual ISPs : Disabled VLAN Trunk Ports : 0 Shared License : Disabled AnyConnect for Mobile : Disabled AnyConnect for Cisco VPN Phone : Disabled AnyConnect Essentials : Disabled Advanced Endpoint Assessment : Disabled UC Phone Proxy Sessions : 2 Total UC Proxy Sessions : 2 Botnet Traffic Filter : Disabled This platform has a Base license. Serial Number: JMX1151Z0M2 Running Activation Key: 0xcb3a555b 0x00a9f0ce 0xfc53cd14 0xa52820cc 0x492b92b3 Configuration register is 0x1 Configuration last modified by enable_15 at 18:49:48.849 UTC Tue Jul 6 2010 ciscoasa(config)# sh run : Saved : ASA Version 8.2(2) ! terminal width 120 hostname ciscoasa enable password T6L9kwXy8yD66Ci8 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 172.16.0.10 255.255.252.0 ! interface Vlan2 nameif outside security-level 0 ip address 213.x.x.8 255.255.255.0 ! interface Vlan3 no forward interface Vlan2 nameif outside_old security-level 0 ip address 62.x.x.159 255.255.255.128 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport access vlan 3 ! interface Ethernet0/2 description RESERVED shutdown ! interface Ethernet0/3 description RESERVED shutdown ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! boot system disk0:/asa822-k8.bin ftp mode passive same-security-traffic permit intra-interface access-list N0_INSIDE remark Entries in this list will be exempt from NAT access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0 access-list AG_OUTSIDE_IN remark Traffic allowed into the outside interface access-list AG_OUTSIDE_IN extended permit icmp any any access-list AG_INSIDE_IN remark Traffic allowed into the inside interface access-list AG_INSIDE_IN extended permit tcp any host 192.14.14.20 eq smtp access-list AG_INSIDE_IN extended permit tcp any host 80.x.x.52 eq smtp access-list AG_INSIDE_IN extended deny tcp any any eq smtp access-list AG_INSIDE_IN extended permit ip any any access-list AG_OUTOLD_IN remark Traffic allowed into the outside_old interface access-list AG_OUTOLD_IN extended permit icmp any any access-list VPN_GATESHEAD remark VPN traffic to/from Gateshead office access-list VPN_GATESHEAD extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0 pager lines 22 logging asdm informational mtu inside 1500 mtu outside 1500 mtu outside_old 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-625-53.bin no asdm history enable arp timeout 14400 global (inside) 10 interface global (outside) 10 interface global (outside_old) 10 interface nat (inside) 0 access-list N0_INSIDE nat (inside) 10 0.0.0.0 0.0.0.0 static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 access-group AG_INSIDE_IN in interface inside access-group AG_OUTSIDE_IN in interface outside access-group AG_OUTOLD_IN in interface outside_old route outside 0.0.0.0 0.0.0.0 213.x.x.1 1 route outside_old 192.15.15.0 255.255.255.0 62.x.x.254 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 172.16.0.0 255.255.252.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map CM_OUTOLD 10 match address VPN_GATESHEAD crypto map CM_OUTOLD 10 set pfs crypto map CM_OUTOLD 10 set peer 82.x.x.219 crypto map CM_OUTOLD 10 set transform-set ESP-AES256-MD5 crypto map CM_OUTOLD 10 set security-association lifetime seconds 3600 crypto map CM_OUTOLD interface outside_old crypto isakmp identity address crypto isakmp enable outside_old crypto isakmp policy 10 authentication pre-share encryption aes-256 hash md5 group 5 lifetime 28800 crypto isakmp ipsec-over-tcp port 10000 telnet 172.16.0.0 255.255.252.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn tunnel-group DefaultL2LGroup ipsec-attributes isakmp keepalive threshold 120 retry 2 tunnel-group DefaultRAGroup ipsec-attributes isakmp keepalive threshold 120 retry 2 tunnel-group 82.163.120.219 type ipsec-l2l tunnel-group 82.163.120.219 ipsec-attributes pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email [email protected] destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:cf43aed8a7a87ca9205c2faffb0567c1 : end ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group AG_INSIDE_IN in interface inside access-list AG_INSIDE_IN extended permit ip any any Additional Information: Forward Flow based lookup yields rule: in id=0xd81ee740, priority=12, domain=permit, deny=false hits=5, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true hits=49, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 10 0.0.0.0 0.0.0.0 match ip inside any outside any dynamic translation to pool 10 (213.48.16.8 [Interface PAT]) translate_hits = 2, untranslate_hits = 0 Additional Information: Dynamic translate 172.16.1.100/43563 to 213.48.16.8/61556 using netmask 255.255.255.255 Forward Flow based lookup yields rule: in id=0xd81ebb58, priority=1, domain=nat, deny=false hits=2, user_data=0xd81eba98, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 6 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 10 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 10 (172.16.0.10 [Interface PAT]) translate_hits = 3, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xd81eb6a8, priority=1, domain=host, deny=false hits=33, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 7 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xd8186830, priority=0, domain=inspect-ip-options, deny=true hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 8 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 20, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_tcp_normalizer snp_fp_translate snp_fp_adjacency snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_translate snp_fp_tcp_normalizer snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 match ip inside 172.16.0.0 255.255.255.0 inside any static translation to 192.14.14.0 translate_hits = 0, untranslate_hits = 7 Additional Information: NAT divert to egress interface inside Untranslate 192.14.14.0/0 to 172.16.0.0/0 using netmask 255.255.255.0 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group AG_INSIDE_IN in interface inside access-list AG_INSIDE_IN extended permit ip any any Additional Information: Forward Flow based lookup yields rule: in id=0xd81ee740, priority=12, domain=permit, deny=false hits=6, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true hits=50, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 10 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 10 (172.16.0.10 [Interface PAT]) translate_hits = 4, untranslate_hits = 0 Additional Information: Dynamic translate 172.16.1.100/43563 to 172.16.0.10/25517 using netmask 255.255.255.255 Forward Flow based lookup yields rule: in id=0xd81eb350, priority=1, domain=nat, deny=false hits=4, user_data=0xd81eb290, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 6 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 10 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 10 (172.16.0.10 [Interface PAT]) translate_hits = 4, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xd81eb6a8, priority=1, domain=host, deny=false hits=34, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 7 Type: NAT Subtype: rpf-check Result: ALLOW Config: static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 match ip inside 172.16.0.0 255.255.255.0 inside any static translation to 192.14.14.0 translate_hits = 0, untranslate_hits = 7 Additional Information: Forward Flow based lookup yields rule: out id=0xd81efdb8, priority=5, domain=nat-reverse, deny=false hits=4, user_data=0xd81efb68, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=172.16.0.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 8 Type: NAT Subtype: host-limits Result: ALLOW Config: static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 match ip inside 172.16.0.0 255.255.255.0 inside any static translation to 192.14.14.0 translate_hits = 0, untranslate_hits = 7 Additional Information: Reverse Flow based lookup yields rule: in id=0xd81efe50, priority=5, domain=host, deny=false hits=7, user_data=0xd81efb68, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=172.16.0.0, mask=255.255.255.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 9 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 10 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 21, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_tcp_normalizer snp_fp_translate snp_fp_adjacency snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_translate snp_fp_tcp_normalizer snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: inside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: allow ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 192.15.15.20 www det Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.15.15.0 255.255.255.0 outside_old Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group AG_INSIDE_IN in interface inside access-list AG_INSIDE_IN extended permit ip any any Additional Information: Forward Flow based lookup yields rule: in id=0xd81ee740, priority=12, domain=permit, deny=false hits=7, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: match ip inside 172.16.0.0 255.255.252.0 outside_old 192.15.15.0 255.255.255.0 NAT exempt translate_hits = 3, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xd81ea858, priority=6, domain=nat-exempt, deny=false hits=3, user_data=0xd81ea798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=172.16.0.0, mask=255.255.252.0, port=0 dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 10 0.0.0.0 0.0.0.0 match ip inside any outside_old any dynamic translation to pool 10 (62.253.200.159 [Interface PAT]) translate_hits = 0, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xd81ec360, priority=1, domain=nat, deny=false hits=3, user_data=0xd81ec2a0, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 7 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 10 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 10 (172.16.0.10 [Interface PAT]) translate_hits = 4, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xd81eb6a8, priority=1, domain=host, deny=false hits=35, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 8 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: out id=0xd820c318, priority=70, domain=encrypt, deny=false hits=3, user_data=0x0, cs_id=0xd820be50, reverse, flags=0x0, protocol=0 src ip=172.16.0.0, mask=255.255.252.0, port=0 dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0 Result: input-interface: inside input-status: up input-line-status: up output-interface: outside_old output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule ciscoasa(config)# sh xlate 2 in use, 4 most used Global 192.14.14.0 Local 172.16.0.0 Global 192.14.14.0 Local 172.16.0.0

Answer : ASA-5505: VPN packets not forwarding to second outside interface

Given that I appear to have scared you off and that I ran out of time I decided to drop the hairpinning until both sites are running an ASA.  That way I have more of a fighting chance with the routing than I would with the current remote SOHO device.

To answer my own question, regarding the second interface, I needed to add routes for both the remote LAN (which I had) and the remote peer (which I was missing), forcing both to the outside_old interface.

    route outside_old 192.15.15.0 255.255.255.0 62.x.x.254
    route outside_old 82.x.x.219 255.255.255.255 62.x.x.254