I am trying to implement a second VPN device on a new VLAN 3 on switchport 0/8, but I can't even get ICMP to work. I can ping the new SSLVPN device from the source switchport 0/8, but I can't from the interface eth 0/2. The ACLs and policies are all the same, yet the original VPN works and the new SSLVPN doesn't (ICMP). I need the dedicated public IP to route directly to this new SSLVPN IP. The public IP comes in on eth 0/2 and the SSLVPN device is on switchport 0/8.
I have provided relevant parts of my configuration below and would appreciate a second set of eyes to see what I am missing.
Thanks,
dwolf
!
!
! ADTRAN, Inc. OS version R10.9.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448,
ip policy-timeout udp all-ports 300
!
ip firewall
ip firewall fast-nat-failover
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
vlan 2
name "Voice"
!
vlan 3
name "SSLVPN"
!
!
!
no ethernet cfm
!
interface eth 0/1
description WAN-1
ip address xx.yy.28.61 255.255.255.248
ip mtu 1500
ip address xx.yy.28.57 255.255.255.248 secondary
ip address xx.yy.28.59 255.255.255.248 secondary
ip access-policy Public
ip flow ingress
ip flow egress
qos-policy out eth0/2QosWizard
no shutdown
!
!
interface eth 0/2
description MegaPath
ip address xx.yy.186.170 255.255.255.252
ip mtu 1500
ip address range xx.yy.79.83 xx.yy.79.84 255.255.255.248 secondary
ip access-policy Public2
ip flow ingress
ip flow egress
qos-policy out eth0/2QosWizard
no shutdown
!
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
interface switchport 0/5
no shutdown
switchport access vlan 2
!
interface switchport 0/6
no shutdown
switchport access vlan 2
!
interface switchport 0/7
no shutdown
switchport access vlan 2
!
interface switchport 0/8
no shutdown
switchport access vlan 3
!
!
!
interface vlan 1
ip address 192.xx.yy.1 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 2
ip address 172.xx.yy.1 255.255.255.0
ip policy route-map VoiceMap
ip access-policy Private
no shutdown
!
interface vlan 3
description Fortinet SSL VPN device
ip address 10.xxx.yy.2 255.255.255.252
ip access-policy PrivateSSLVPN
no shutdown
!
!
!
!
route-map local permit 10
match ip address wan1
set ip next-hop xx.yy.28.62
route-map local permit 20
match ip address wan2
set ip next-hop xxx.yyy.186.169
route-map VoiceMap permit 10
match ip address VoiceMap
set ip next-hop xxx.yyy.186.169
set interface null 0
!
!
!
!
ip access-list standard natpool
permit any
!
ip access-list standard natpool2
permit any
!
ip access-list standard self
permit any
!
!
ip access-list extended acleth0/2QosWizRTP20
permit ip 172.xx.yy.0 0.0.0.255 any
!
ip access-list extended acleth0/2QosWizSignal21
permit udp any any range 5060 5061
permit tcp any any range 5060 5061
!
!
ip access-list extended SSLVPN
remark xx.yy.79.84 -> 10.xxx.yy.1
permit icmp any host xx.yy.79.84 log
permit tcp any host xx.yy.79.84 eq https
permit udp any host xx.yy.79.84 eq 443
!
ip access-list extended SSLVPN-Out2
remark 10.xxx.yy.1 : xx.yy.79.84
permit icmp host 10.xxx.yy.1 any log
permit udp host 10.xxx.yy.1 eq 443 any
permit tcp host 10.xxx.yy.1 eq https any
!
ip access-list extended VoiceMap
permit ip 172.xx.yy.0 0.0.0.255 any track wan2
deny ip any any
!
ip access-list extended VPN
permit icmp any host xx.yy.28.57 echo log
permit gre any host xx.yy.28.57
permit tcp any host xx.yy.28.57 eq 1723
!
ip access-list extended VPN-Out
remark 192.xx.yy.250 : xx.yy.28.57
permit gre host 192.xx.yy.250 any
permit tcp host 192.xx.yy.250 eq 1723 any
permit icmp host 192.xx.yy.250 any
!
ip access-list extended VPN-Out2
remark 192.xx.yy.250 : xx.yy.79.83
permit gre host 192.xx.yy.250 any
permit tcp host 192.xx.yy.250 eq 1723 any
permit icmp host 192.xx.yy.250 any
!
ip access-list extended VPN2
permit icmp any host xx.yy.79.83 echo
permit gre any host xx.yy.79.83
permit tcp any host xx.yy.79.83 eq 1723
!
ip access-list extended wan1
permit icmp host xx.yy.28.61 host 4.2.2.4 log
!
ip access-list extended wan2
permit icmp host xxx.yyy.186.170 host xxx.yyy.186.169 log
!
ip access-list extended web-acl-1
remark Jive Allow
permit ip 199.36.248.0 0.0.3.255 172.xx.yy.0 0.0.0.255
!
ip access-list extended web-acl-2
remark Jive Allow 2
permit ip 199.87.120.0 0.0.3.255 172.xx.yy.0 0.0.0.255
!
ip access-list extended web-acl-3
remark Admin Access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
ip access-list extended web-acl-4
remark Jive Allow 3
permit ip 162.250.60.0 0.0.3.255 172.xx.yy.0 0.0.0.255
!
!
!
!
ip policy-class Private
allow list self self
nat source list VPN-Out address xx.yy.28.57 overload policy Public
nat source list VPN-Out2 address xx.yy.79.83 overload policy Public2
nat source list natpool interface eth 0/1 overload policy Public
nat source list natpool2 interface eth 0/2 overload policy Public2
!
ip policy-class PrivateSSLVPN
nat source list SSLVPN-Out2 address xx.yy.79.84 overload policy Public2
allow list self self
!
no ip policy-class Public rpf-check
ip policy-class Public
nat destination list VPN address 192.xx.yy.250
allow list web-acl-1
allow list web-acl-2
allow list web-acl-4
allow list web-acl-3 self
!
no ip policy-class Public2 rpf-check
ip policy-class Public2
nat destination list VPN2 address 192.xx.yy.250
nat destination list SSLVPN address 10.xxx.yy.1
allow list web-acl-1
allow list web-acl-2
allow list web-acl-4
allow list web-acl-3 self
!
!
!
ip route 0.0.0.0 0.0.0.0 xx.yy.28.62 track wan1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.186.169 track wan2
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
It looks like you have a routing issue. You have only a default route out WAN 1 that fails over to Megapath should that fail. Hence you will try to route out the other provider with a source of Megapath's IP.
You could add a static route to the SSLVPN endpoint with a gateway of Megapath's next hop. You could also use a route-map for the remote endpoint.
"show ip policy-session" may give a clue as to how it's routing.
Also, the secondary IPs, which I assume are for the LAN block assigned by the ISPs, may be conflicting with the primary source of the point-to-point /30 to the provider. You might not be sourcing from where you think you are. Consider using a loopback for these, or a VLAN interface if you need access to these subnets by physical devices.
BTW, it isn't necessary to mask IPs of RFC 1918 addresses like 10/8, 172.16/12 and 192.168/16; it makes things a bit harder to follow.
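The route-map approach suggested in the reply, written out as an added example (not from either poster) using the same VoiceMap pattern that is already in the posted config: the map is applied on interface vlan 3 so it matches the SSLVPN device's pre-NAT source, and the addresses are the poster's own masked 10.xxx.yy.1 device and xxx.yyy.186.169 MegaPath next hop. The name SSLVPNMap and the remote-client placeholder in the static-route alternative are assumptions.

```text
! Added example, not part of the original post or config.
! Option 1: policy-route anything sourced by the SSLVPN device out the
! MegaPath link, tracked against wan2 exactly as VoiceMap does for voice.
ip access-list extended SSLVPNMap
permit ip host 10.xxx.yy.1 any track wan2
deny ip any any
!
route-map SSLVPNMap permit 10
match ip address SSLVPNMap
set ip next-hop xxx.yyy.186.169
set interface null 0
!
! Applied on the SSLVPN VLAN, where the device's traffic enters the router
! (before the SSLVPN-Out2 NAT in PrivateSSLVPN rewrites the source).
interface vlan 3
ip policy route-map SSLVPNMap
!
! Option 2 (instead of, or alongside, the route-map): a host route for a
! known remote endpoint via MegaPath's next hop. <REMOTE-CLIENT-IP> is a
! placeholder for the endpoint being tested.
ip route <REMOTE-CLIENT-IP> 255.255.255.255 xxx.yyy.186.169
```

After applying either option, "show ip policy-session" (as the reply suggests) shows which policy-class pair and interface the ICMP session is actually taking.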