ASA 5505 as internet gateway (must reverse NAT)

Hi all Cisco gurus,

I have this setup:

Office -> Cisco 877 -> Internet -> ASA 5505 -> remote network

Office network: 192.168.10.0/24

Cisco 877 IP internal: 192.168.10.200

Cisco 877 external IP: a.a.a.a

ASA 5505 external IP: b.b.b.b

ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

Remote network: 192.168.17.0/24 and 192.168.1.0/24

The VPN tunnel is OK and works: the office has access to the remote network and the remote network has access to the office through the tunnel.

But when I try to give the remote network (there are 2 VLANs: management and OLD-private) access to the internet, the ASA answers me:

305013 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OLD-private:192.168.17.138/59949 dst WAN:*.*.64.9/53 denied due to NAT reverse path failure

Pinging Google from the OLD-private interface gives:

110003 192.168.17.2 0 66.102.7.104 0 Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.17.2/0 to OLD-private:66.102.7.104/0

Result of traceroute:

How can I fix the reverse NAT and make the ASA the internet gateway?

Here is my full config:

!
ASA Version 8.2(2)
!
hostname ASA2
domain-name default.domain.invalid
enable password password encrypted
passwd password encrypted
names
!
interface Vlan1
 description INTERNET
 mac-address 1234.5678.0002
 nameif WAN
 security-level 100
 ip address b.b.b.b 255.255.248.0
 ospf cost 10
!
interface Vlan2
 description OLD-PRIVATE
 mac-address 1234.5678.0202
 nameif OLD-private
 security-level 0
 ip address 192.168.17.3 255.255.255.0
 ospf cost 10
!
interface Vlan6
 description MANAGEMENT
 mac-address 1234.5678.0206
 nameif management
 security-level 0
 ip address 192.168.1.3 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 switchport trunk allowed vlan 2,6
 switchport mode trunk
!
interface Ethernet0/7
 shutdown
!
banner login * W A R N I N G *
banner login Unauthorized access prohibited. All access is
banner login monitored, and intruders will be prosecuted
banner login to the extent of the law.
banner motd * W A R N I N G *
banner motd Unauthorized access prohibited. All access is
banner motd monitored, and trespassers will be prosecuted
banner motd to the extent of the law.
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server dns.dns.dns.dns
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 description RDP
 port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging debug-trace
logging class auth trap debugging
mtu WAN 1500
mtu OLD-private 1500
mtu management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit host 192.168.10.7 WAN
icmp permit host b.b.b.b WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (OLD-private) 1 interface
global (management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list inside_nat0_outbound
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-private
access-group MANAGEMENT_access_in in interface management
route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy admin internal
group-policy admin attributes
 dns-server value dns.dns.dns.dns
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAN_IP
username administrator password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 address-pool VPN_Admin_IP
 default-group-policy admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
 default-group-policy admin
tunnel-group a.a.a.a ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!

Thank you for your time and help

Why are you using this NAT type?

access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 any
nat (OLD-private) 0 access-list WAN_nat0_outbound

You are basically telling the ASA not to NAT that traffic. This private IP address range is not routed on the Internet. Is this traffic destined to be sent over the Internet? If so, that ACL should not be there.

If you want to NAT the traffic to the one public IP on the outside of the ASA, you must remove this line and let the nat and global statements do the work:

nat (OLD-private) 1 0.0.0.0 0.0.0.0

global (WAN) 1 interface
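As an added worked example (not part of the original thread), here is a small Python model of the 8.2-style nat/global pairing that shows why the posted layout produces the 305013 "asymmetric NAT rules" denial and why the answer above fixes it. It is a deliberate simplification of the ASA's real NAT lookup: the interface names are taken from the config above, the WAN address 192.0.2.5, the DNS server 203.0.113.9 and the client 192.168.17.138 are constructed, and nat-control is assumed off (a flow matching no rule passes untranslated), as on the posted box.

```python
"""Toy model of ASA 8.2 NAT (added example, not from the thread): 'nat (ingress) N' pairs
with 'global (egress) N' to PAT the source, 'nat (ingress) 0 access-list X' exempts matching
src/dst pairs, and the reverse direction must agree or the flow is refused. Interface names
come from the config above; all IP addresses are constructed. nat-control is assumed off,
so a flow that matches no rule passes untranslated, as on the posted 8.2(2) box."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(tokens):
    """Pop one ASA address spec ('any', 'host A', or 'A MASK') off the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_nat82(text):
    """Collect the access-list / nat / global lines of an 8.2-style config."""
    cfg = {"acl": {}, "nat": [], "nat0": {}, "global": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            cfg["acl"].setdefault(t[1], []).append((_net(rest), _net(rest)))
        elif t and t[0] == "nat":
            iface = t[1].strip("()")
            if t[2] == "0":                                    # nat (IF) 0 access-list NAME
                cfg["nat0"][iface] = t[4]
            else:                                              # nat (IF) ID A MASK
                cfg["nat"].append((iface, t[2], _net(t[3:])))
        elif t and t[0] == "global":                           # global (IF) ID interface|A.B.C.D
            cfg["global"][(t[1].strip("()"), t[2])] = t[3]
    return cfg


def translate(cfg, if_addr, ingress, egress, src, dst):
    """Source address the packet leaves with, and the rule responsible (None = untranslated)."""
    acl = cfg["nat0"].get(ingress)
    if acl and any(src in s and dst in d for s, d in cfg["acl"].get(acl, [])):
        return src, f"nat ({ingress}) 0 access-list {acl}"
    for iface, nat_id, real_net in cfg["nat"]:
        if iface == ingress and src in real_net and (egress, nat_id) in cfg["global"]:
            pool = cfg["global"][(egress, nat_id)]
            mapped = if_addr[egress] if pool == "interface" else pool
            return ipaddress.ip_address(mapped), f"nat ({ingress}) {nat_id} / global ({egress}) {nat_id}"
    return src, None


def check_flow(cfg, if_addr, ingress, egress, src, dst, internet_if="WAN"):
    """Forward translation plus the ASA-style forward/reverse consistency check."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd_src, fwd_rule = translate(cfg, if_addr, ingress, egress, src, dst)
    # Reverse path: how would the destination host be translated if it were the source
    # of the returning packet (entering 'egress', leaving 'ingress')?
    rev_dst, rev_rule = translate(cfg, if_addr, egress, ingress, dst, src)
    result = {"forward_rule": fwd_rule, "reverse_rule": rev_rule, "warnings": []}
    if rev_dst != dst:
        result.update(verdict="deny", translated_src=None,
                      reason=f"asymmetric NAT: reverse flow would map {dst} to {rev_dst} "
                             f"via '{rev_rule}' (ASA logs this as 305013)")
        return result
    result.update(verdict="allow", translated_src=str(fwd_src))
    if egress == internet_if and any(fwd_src in n for n in RFC1918) \
            and not any(dst in n for n in RFC1918):
        result["warnings"].append(f"RFC 1918 source {fwd_src} reaches public {dst} untranslated")
    return result


IF_ADDR = {"WAN": "192.0.2.5", "OLD-private": "192.168.17.3", "management": "192.168.1.3"}  # constructed
POSTED = """\
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
global (OLD-private) 1 interface
global (management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list inside_nat0_outbound
"""
FIXED = """\
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (OLD-private) 0 access-list WAN_nat0_outbound
nat (OLD-private) 1 0.0.0.0 0.0.0.0
global (WAN) 1 interface
"""
LEAKY = FIXED.replace("192.168.10.0 255.255.255.0", "any")   # exemption ACL ends in 'any'

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("fixed", FIXED), ("leaky nat 0", LEAKY)):
        for dst in ("203.0.113.9", "192.168.10.7"):   # constructed Internet DNS server / VPN peer host
            r = check_flow(parse_nat82(text), IF_ADDR, "OLD-private", "WAN", "192.168.17.138", dst)
            print(f"{name:12} -> {dst:14} {r['verdict']:5} src={r.get('translated_src')} "
                  f"{r.get('reason') or r['warnings']}")
```

Running it prints one line per configuration and destination: the posted layout is denied for the Internet host (the reverse flow would hit nat (WAN) 1 / global (OLD-private) 1 and PAT the DNS server to the OLD-private interface address) but allowed for the VPN peer, which is consistent with the tunnel working; the corrected layout PATs Internet traffic to the WAN address and exempts only the 192.168.10.0/24 VPN traffic; and an exemption ACL ending in any, as the answer warns, sends RFC 1918 addresses out untranslated.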


Similar Questions

  • VPN on ASA 5506 without internet access, help with NAT?

    Hello

    I have upgraded from a Cisco ASA 5505 to a 5506-X and as such have moved to ASA 9.5.

    For this reason, I'm a bit stuck on how to implement the VPN. I followed the wizard and I can now establish inbound connections, but when connected (all traffic is tunnelled) there is no internet connectivity.

    Our office's internal (inside) network is 192.168.2.0/24

    Our VPN pool is 192.168.4.0/24

    I guess I'm missing a NAT rule, but in all honesty I'm an ASDM user and as everything has changed I am struggling to recreate it.

    Here is my config:

    Result of the command: "sh run"
    
    : Saved
    
    :
    : Serial Number: JAD194306H5
    : Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
    :
    ASA Version 9.5(1)
    !
    hostname ciscoasanew
    domain-name work.internal
    enable password ... encrypted
    names
    ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
    !
    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address 192.168.3.4 255.255.255.0
    !
    interface GigabitEthernet1/2
     nameif inside
     security-level 100
     ip address 192.168.2.197 255.255.255.0
    !
    interface GigabitEthernet1/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/6
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/7
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/8
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management1/1
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ftp mode passive
    clock timezone GMT 0
    dns domain-lookup inside
    dns domain-lookup management
    dns server-group DefaultDNS
     name-server 192.168.2.199
     domain-name work.internal
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network 173.0.82.0
     host 173.0.82.0
    object network 173.0.82.1
     subnet 66.211.0.0 255.255.255.0
    object network 216.113.0.0
     subnet 216.113.0.0 255.255.255.0
    object network 64.4.0.0
     subnet 64.4.0.0 255.255.255.0
    object network 66.135.0.0
     subnet 66.135.0.0 255.255.255.0
    object network a
     host 192.168.7.7
    object network devweb
     host 192.168.2.205
    object network DevwebSSH
     host 192.168.2.205
    object network DEV-WEB-SSH
     host 192.168.2.205
    object network DEVWEB-SSH
     host 192.168.2.205
    object network vpn-network
     subnet 192.168.4.0 255.255.255.0
    object network NETWORK_OBJ_192.168.4.0_24
     subnet 192.168.4.0 255.255.255.0
    object network NETWORK_OBJ_192.168.2.0_24
     subnet 192.168.2.0 255.255.255.0
    object-group network EC2ExternalIPs
     network-object host 52.18.73.220
     network-object host 54.154.134.173
     network-object host 54.194.224.47
     network-object host 54.194.224.48
     network-object host 54.76.189.66
     network-object host 54.76.5.79
    object-group network PayPal
     network-object object 173.0.82.0
     network-object object 173.0.82.1
     network-object object 216.113.0.0
     network-object object 64.4.0.0
     network-object object 66.135.0.0
    object-group service DM_INLINE_SERVICE_1
     service-object icmp
     service-object icmp6
     service-object icmp alternate-address
     service-object icmp conversion-error
     service-object icmp echo
     service-object icmp information-reply
     service-object icmp information-request
    access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
    access-list outside_access_in remark AWS Servers
    access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in remark Ping reply
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
    access-list outside_access_in remark Alarm
    access-list outside_access_in extended permit tcp any interface outside eq 10001
    access-list outside_access_in remark CCTV
    access-list outside_access_in extended permit tcp any interface outside eq 7443
    access-list outside_access_in extended deny ip any any
    access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
    access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
    access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
    access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
    access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 16000
    logging asdm-buffer-size 512
    logging asdm warnings
    logging flash-bufferwrap
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 7200
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (any,outside) dynamic interface
    object network DEVWEB-SSH
     nat (inside,outside) static interface service tcp ssh ssh
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     no validation-usage
     crl configure
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     fqdn none
     subject-name CN=192.168.2.197,CN=ciscoasanew
     keypair ASDM_LAUNCHER
     crl configure
    
    snip
    
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    no threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ssl-client
    group-policy workVPN2016 internal
    group-policy workVPN2016 attributes
     dns-server value 192.168.2.199
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelall
     ipv6-split-tunnel-policy tunnelall
     default-domain value work.internal
     split-dns value work.internal
     split-tunnel-all-dns enable
    dynamic-access-policy-record DfltAccessPolicy
    
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:
    : end
    

    Hi Ben-

    What you are trying to accomplish is called VPN hairpinning. Based on your initial configuration, you have 2 NAT problems. The first has to do with your NAT ordering. In post-8.3 ASA code we are dealing with twice NAT, which is ordered in 2 sections that go before and after object NAT.

    My general rule for NAT ordering is this:

    1. Twice NAT (before) - use this section for NAT exemptions or unusual configurations that have to go first
    2. Object NAT - use this section for the static NAT statements for servers
    3. Twice NAT (after) - use this section for your global NAT statements, basically a catch-all

    Second, never use 'any' as an interface in any NAT statement. This may seem like a good idea, but it will bite you. Remember, it comes back to the notion of NAT ordering, and the 'any' interface bites VPN configurations and DMZ-like setups. Always be specific about your interface pairs for NAT.

    To this end, here is what I suggest your NAT configuration should look like:

    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
    !
    object network DEVWEB-SSH
     nat (inside,outside) static interface service tcp ssh ssh
    !
    nat (inside,outside) after-auto source dynamic any interface
    nat (outside,outside) after-auto source dynamic any interface

    The key is that you need a NAT statement that explicitly covers the VPN traffic. PSC
  • ASA 5505 - controlling Internet access for users

    Hi all

    I have a Cisco ASA 5505 connecting my LAN to the internet using NAT/PAT. I want to restrict access to the internet on ports 80 and 443 on a per-user basis.

    That is to say, access for management staff while limiting general staff.

    I understand how to do this on a per-device level by creating an access list to block certain IP addresses from the internet, but I would like to limit certain users.

    I guess they will have to authenticate to the ASA somehow.

    Pointers?

    TIA.

    You need to set up cut-through proxy on the ASA.

    Here is the configuration that we add on the ASA:

    access-list WEBAUTH permit tcp any any eq 80
    access-list WEBAUTH permit tcp any any eq 443
    aaa authentication match WEBAUTH inside <aaa-server-group>
    aaa authentication secure-http-client
    aaa authentication listener http inside port www redirect
    aaa authentication listener https inside port https redirect

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/fwaaa.html#wp1043431

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/a1_72.html#wp1437427

    Kind regards

    ~ JG

    Please rate helpful posts.

  • Remote access VPN, no split tunneling, internet access: NAT translation problem

    Hi all, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT question.

    Single external IP (outside interface) with several static object NAT translations to allow port forwarding to various internal devices. The configuration has worked smoothly for the past years.

    Recently, I configured a remote access VPN without split tunneling and with internet access, and noticed yesterday that my port forwarding had stopped working.

    I reviewed the new NAT rules for the VPN and found the culprit.

    I've been reviewing the rules again and again, and however I think about and interpret it, I don't see how this rule affects the port forwarding on the device or how to fix it.

    Here are the NAT rules I have in place (the 'inactive' rule is the culprit; once I turn this rule on, the port forwarding hits a wall):

    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network XXX_HTTP
     nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

    Any help would be appreciated.

    Try changing the nat rule to: nat (outside,outside) after-auto source dynamic VPN_Subnet interface

    With respect,

    Safwan

  • VPN on ASA 5505 cannot access the remote LAN

    I have an ASA 5505 up and running, with all the static NAT statements I need to forward ports to internal services such as SMTP and remote desktop, and it works very well. However, I have set up an IPsec VPN connection that authenticates to our DC and partly works: after I connect, I cannot ping anything on the local network or access services. I don't know which NAT statement I need to correct. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.

    Tyler

    Just remove the nat (outside) line and the outside_nat0_outbound ACL.

    And check these statements:

    1. sysopt connection permit-ipsec (if it is disabled, you can check with sh run sysopt).

    2. crypto isakmp nat-traversal 10 or 20

    3. The no-NAT ACL: use your local subnets as the source and the VPN client pool as the destination.

    4. Create another ACL (ST) with a different name and the same source and destination as the no-NAT ACL.

    5. Then type nat (inside) 0 access-list sheep

    6. In the dwgavpn group-policy, set split-tunnel-policy tunnelspecified and reference the split tunnel ACL (ST).

    Regards

  • Cannot connect to internet after connecting to VPN Cisco ASA 5505

    Hi all

    I am a network engineer, but I haven't had any experience with firewalls so far. I'm under pressure to take care of an ASA 5505 where all the VPN and inbound and outbound rules had been set up. Recently I had to make a few changes and redid them, but unfortunately that removed some configurations that were meant for the VPN, and now I am facing a problem.

    The VPN connects, but I cannot browse the internet; that is my problem. I tried inheriting the split tunnel, but I couldn't get through it; it seems I did something the wrong way. I mostly use ASDM here.

    I paste the configuration for investigation, hoping someone can help me.

    ASA Version 8.0(4)16
    !
    hostname yantraind
    domain-name yantra.intra
    enable password vD1.re9JLbigXJxz encrypted
    passwd hVjSWvtgvNN21M./ encrypted
    names
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address Outside_Interface 255.255.255.240
     ospf cost 10
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 2
    !
    interface Ethernet0/6
     switchport access vlan 2
     shutdown
    !
    interface Ethernet0/7
     switchport access vlan 2
     shutdown
    !
    boot system disk0:/asa804-16-k8.bin
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone GMT 0
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 192.168.0.106
     name-server 192.168.0.10
     domain-name yantra.intra
    same-security-traffic permit intra-interface
    object-group service Email_In tcp
     port-object eq https
     port-object eq pop3
     port-object eq smtp
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq ftp
     port-object eq ftp-data
     port-object eq www
    object-group service RDP tcp
     port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
     service-object icmp
     service-object icmp traceroute
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service voip udp
     port-object eq domain
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
    access-list outside_access_in extended permit tcp any host  object-group Email_In
    access-list outside_access_in extended permit tcp any host FTP_Server_Ext object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit tcp any host ForSLT eq www
    access-list outside_access_in extended permit tcp any host Search object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit tcp any host IMIPublic eq www
    access-list outside_access_in extended permit tcp any host  eq www
    access-list outside_access_in extended permit tcp any host SLT_New_Public eq www
    access-list outside_access_in extended permit object-group TCPUDP any host 202.133.48.68 eq www
    access-list rvpn_stunnel standard permit 192.168.0.0 255.255.255.0
    access-list rvpn_stunnel standard permit 192.168.1.0 255.255.255.0
    access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0
    access-list nat0 extended permit ip host IT_DIRECT 192.168.0.0 255.255.255.0
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 202.133.48.64 255.255.255.240
    access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_access_in extended deny object-group TCPUDP host 192.168.0.252 202.133.48.64 255.255.255.240
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging console debugging
    logging buffered debugging
    logging trap debugging
    logging history emergencies
    logging asdm debugging
    logging host inside 192.168.0.187
    logging permit-hostdown
    logging class ip buffered emergencies
    mtu inside 1500
    mtu outside 1500
    ip local pool rvpn-ip 192.168.100.1-192.168.100.25 mask 255.255.255.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any traceroute outside
    asdm image disk0:/asdm-61551.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list nat0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) netmask 255.255.255.255 dns
    static (inside,outside) FTP_Server_Ext FTP_Server_Int netmask 255.255.255.255 dns
    static (inside,outside) ForSLT SLT_New netmask 255.255.255.255
    static (inside,outside) Search LocalSearch netmask 255.255.255.255
    static (inside,outside) IMIPublic IMI netmask 255.255.255.255
    static (inside,outside) SLT_New_Public SLT_Local netmask 255.255.255.255
    static (inside,outside) netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 202.133.48.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map rvpn_map 65535 set pfs
    crypto dynamic-map rvpn_map 65535 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic rvpn_map
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=yantraind
     proxy-ldc-issuer
     crl configure
    crypto ca server
     shutdown
    crypto ca certificate chain ASDM_TrustPoint0
     certificate f8684749
        30820252 308201bb a0030201 020204f8 68474930 0d06092a 864886f7 0d010104
        0500303b 31123010 06035504 03130979 616e7472 61696e64 31253023 06092a86
        4886f70d 01090216 1679616e 74726169 6e642e79 616e7472 612e696e 74726130
        1e170d30 38313231 36303833 3831365a 170d3138 31323134 30383338 31365a30
        3b311230 10060355 04031309 79616e74 7261696e 64312530 2306092a 864886f7
        0d010902 16167961 6e747261 696e642e 79616e74 72612e69 6e747261 30819f30
        0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f6d1d0 d536624d
        de9e4a2e 215a3986 98087e65 be9f6c0f b8f6dc3e 151c5603 21afdebe 85b2917b
        297b1d1c b3abf5c6 628afbbe dda1ca27 01282aff 6514f62f 2965c87c 8aab0273
        ab59dac6 aa9f549b 846d93fd 44c7f84f b29545bb d0db8bbb 060dfbbf 592a15e3
        3db126be 541003c4 38754847 0b472e62 d092fec2 d556f9e3 09020301 0001a363
        3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403
        02018630 1f060355 1d230418 30168014 9f66b685 2ebf0d5a 97a684ba 9a9518ca
        a8ed637e 301d0603 551d0e04 1604149f 66b6852e bf0d5a97 a684ba9a 9518caa8
        ed637e30 0d06092a 864886f7 0d010104 05000381 81003b49 2a7ee503 79b47792
        6ce90453 70cf200e 943eccd7 deab53e0 2348d566 fe6aa8e0 302b922c 12df802d
        398674f3 b1bc55f2 fe2646d5 c59689c2 c6693b0f 14081661 bafb233b 1b296708
        fc2b6cbb ba1a005e 37073d72 4156b582 4521e673 ba6c7f7d 2d6941c4 9e076c39
        73de21b9 712f69ed 7aab4bda 365d7eb3 39c05d27 e2dd
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 15
    ssh version 2
    console timeout 0
    dhcpd address 192.168.0.126-192.168.0.150 inside
    dhcpd dns 192.168.0.106 192.168.0.10 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DfltGrpPolicy attributes
     dns-server value 192.168.0.106
     vpn-tunnel-protocol IPSec l2tp-ipsec svc
     split-dns value 192.168.0.106
    group-policy rvpn internal
    group-policy rvpn attributes
     dns-server value 192.168.0.106
     vpn-tunnel-protocol IPSec webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value rvpn_stunnel
     default-domain value yantra.intra
    username rreddy password 6p4HjBmf02hqbnrL encrypted privilege 15
    username bsai password 41f5/8EINw6VQ5Os encrypted
    username bsai attributes
     service-type remote-access
    username Telnet password U.eMKTkIYZQA83Al encrypted privilege 15
    username prashantt password BdrzfvDcOsnHBIdz encrypted
    username prashantt attributes
     service-type remote-access
    username m.shiva password p5YdC3kTJcnceaT/ encrypted
    username m.shiva attributes
     service-type 
remote-access username Senthil password qKYIiJ9NmC8NYvCA encrypted username Senthil attributes service-type remote-access username agupta password p3slrWEH1ye5/P2u encrypted username agupta attributes service-type remote-access username Yogesh password uQ3pfHI2wLvg8B8. encrypted username Yogesh attributes service-type remote-access username phanik password inZN0zXToeeR9bx. encrypted username phanik attributes service-type remote-access username murali password Ckpxwzhdj5RRu2tF encrypted privilege 15 username mgopi password stAEoJodb2CfgruZ encrypted privilege 15 username bill password Z1KSXIEPQkLN3OdQ encrypted username bill attributes service-type remote-access username Shantala password aCvfO5/PcsZc3Z5S encrypted username Shantala attributes service-type remote-access username maheshm password Fry56.leIsT9VHsv encrypted username maheshm attributes service-type remote-access username dhanj password zotUI9D6WWrMAh8T encrypted username dhanj attributes service-type remote-access username npatel password vOfMuOZg0vSkICyF encrypted username npatel attributes service-type remote-access username bmandakini password Y5UZuahgr6vd6ccE encrypted username bmandakini attributes service-type remote-access tunnel-group rvpn type remote-access tunnel-group rvpn general-attributes address-pool rvpn-ip tunnel-group rvpn ipsec-attributes pre-shared-key * tunnel-group  type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * tunnel-group type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * ! class-map global-class match default-inspection-traffic class-map inspection_default ! ! policy-map global_policy policy-map global-policy class global-class   inspect esmtp   inspect sip    inspect pptp   inspect ftp   inspect ipsec-pass-thru ! service-policy global-policy global prompt hostname context Cryptochecksum:7042504fefd0d22ce4de7f6fa4da14fa : end 

    Thanking you in advance

    Hello

    If you want to have split tunneling in use, which you have rules configured for,

    then you will need to set the configured "private group policy" under the "tunnel-group private":

    tunnel-group private general-attributes
     default-group-policy private

    Then reconnect the VPN Client connection and try again.

    After that the VPN Client connection only transmits traffic directed to the LAN on the VPN Client connection and all Internet traffic beyond the VPN connection directly to the Internet through the current connection of the users.

    -Jouni

  • ASA 5505 VPN works great but clients can't access the internet via the tunnel

    We have an ASA 5505 running ASA 8.2.1 and using IPSec for remote access clients in the main office.  Remote access works great, with full access to network resources in the main office, and the only thing I can't get to work is access to the internet through the tunnel.  I don't want to use split tunneling.  I use ASDM 6.2.1 for configuration.  Any help is appreciated.  I'm probably missing something simple, and I've looked at it so much that I'm probably looking right past the error.  Thanks in advance for your time and help!    Jim

    Add a nat statement for your client segment on the outside interface:

    nat (outside) - access-list

    then allow traffic to route back out the same interface; this is entered as:

    same-security-traffic permit intra-interface

    More information can be found here:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...

    On Wednesday, 27 January 2010, at 23:12, jimcanova

  • VPN peers on old ASA, reverse routing as we migrate to the new ASA and new Internet

    Hello

    I'm migrating my old Internet/VPN connection. How can I ensure that the existing VPNs are still addressed to my old/current ASA

    while my default gateway must go out of my new internet link?

    Very vague question, given the lack of topology ;/

    In general, redistribute your downstream IP address pool range into the core.

  • PCs behind the ASA 5505 cannot ping an internet address

    There must be a problem in the ACL configuration.  How do I configure the ASA 5505 so that computers behind it can ping an IP address such as 4.2.2.2 or www.google.com?

    Thank you

    David

    If you have no ACLs on the outside interface, please use the following command to allow ICMP through the ASA:

    fixup protocol icmp

    Then try the ping. Let me know if this helps.

    Also, please give us a little more in detail so that we can understand and help you better

    Regards,

    Nash.

  • How to configure NAT on ASA 5505

    Hello guys

    first of all, thanks to all of the Cisco community, they helped me a lot without an expert and University...

    Today, I have some question on NAT

    We have a site-to-site VPN, it works very well.  Our company's partner demands that we use the public IP address instead of the private IP address in the encryption domain, and they said you have to NAT the private to the public IP address. Really, we don't know how to NAT on a Cisco ASA 5505.

    THIS IS THE CASE

    OUR COMPANY = USES CISCO ASA 5505

    OUR PUBLIC IP ADDRESS: 155.155.1555.20

    PRIVATE IP: 192.168.7.2 IS ITS LINUX SERVER, SO HOW CAN WE NAT THIS PRIVATE IP AND CHANGE IT TO PUBLIC?

    Thank you very much

    If you have 1 public IP address and it is assigned to your ASA outside interface, then you need to configure static PAT (you will need to know what exactly they want to access and configure the specific port they need).

    However, if you have a free public IP address, then you don't need to know exactly what they need to get to, and you can configure the linux server with the spare public IP.

    Also, do they need access to the linux server using the public IP via the VPN tunnel (encrypted)? Or are they happy to access it only via the internet (clear text)?

  • ASA 5505 - two Internet connections

    Hi, is it possible to configure an ASA 5505 with two internet connections? One dedicated to the VPN and the other for Internet access only.

    If you have an example to share.

    Thank you very much

    David

    I see that you have a static route to 186.125.164.178; are you only testing crypto map 2?

    Your nat (inside) 0 uses ACL inside_nat0_outbound_1, which doesn't seem to have the exemption for the 10.5.3.0/24 remote network.

  • NAT error ASA 5505 to 5510

    Connection denied due to NAT reverse path failure

    I set up a second ASA site and cannot communicate through the VPN that is established. The error I get is (Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.72.14 dst inside:192.168.73.103 (type 0, code 0) denied due to NAT reverse path failure) when trying to ping from a host on the inside 73 network to a host on the 72 network.

    I mirrored the nat statements of the working VPN. I see an ACL to an object group but don't see where that matters. Am I missing something obvious?

    HOST:
    ASA Version 8.3(1)
    !
    hostname 5510
    !
    interface Ethernet0/0
     description Outside interface
     nameif OUTSIDE
     security-level 0
     ip address 72.54.197.28 255.255.255.248
    !
    interface Ethernet0/1
     description Inside interface of the internal network
     nameif inside
     security-level 100
     ip address 192.168.72.2 255.255.255.0
    !
    boot system disk0:/asa831-k8.bin
    same-security-traffic permit intra-interface
    object network obj-192.168.72.0
     subnet 192.168.72.0 255.255.255.0
    object network obj-192.168.74.0
     subnet 192.168.74.0 255.255.255.0
    object network obj-192.168.72.100
     host 192.168.72.100
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj_any-01
     subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
     host 0.0.0.0
    object network obj_any-02
     subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.73.0
     subnet 192.168.73.0 255.255.255.0
     description Rye
    object-group service Citrix1494 tcp
     port-object eq citrix-ica
     port-object eq www
     port-object eq https
     port-object range 445 447
    object-group network ValleywoodInternalNetwork
     network-object 192.168.72.0 255.255.255.0
    access-list OUTSIDE_1_cryptomap extended permit ip object obj-192.168.72.0 object obj-192.168.74.0
    access-list INSIDE_nat0_inbound extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.74.0 255.255.255.0 object-group ValleywoodInternalNetwork
    access-list outside-ACL extended permit tcp any host 192.168.72.100 object-group Citrix1494
    access-list OUTSIDE_2_cryptomap extended permit ip object obj-192.168.72.0 object obj-192.168.73.0

    nat (inside,inside) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.74.0 obj-192.168.74.0
    nat (INSIDE,OUTSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.74.0 obj-192.168.74.0
    nat (INSIDE,OUTSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.73.0 obj-192.168.73.0
    nat (inside,inside) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.73.0 obj-192.168.73.0
    !
    object network obj-192.168.72.100
     nat (INSIDE,OUTSIDE) static 72.54.197.26
    object network obj_any
     nat (INSIDE,OUTSIDE) dynamic interface
    object network obj_any-01
     nat (INSIDE,OUTSIDE) dynamic obj-0.0.0.0
    object network obj_any-02
     nat (management,outside) dynamic obj-0.0.0.0
    access-group outside-ACL in interface OUTSIDE
    route outside 0.0.0.0 0.0.0.0 72.54.197.25 100

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
    crypto map OUTSIDE_map 1 set pfs group1

    crypto map OUTSIDE_map 1 set peer 72.54.178.126
    crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
    crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
    crypto map OUTSIDE_map 2 set pfs group1
    crypto map OUTSIDE_map 2 set peer 69.15.200.138
    crypto map OUTSIDE_map 2 set transform-set ESP-3DES-SHA
    crypto map OUTSIDE_map interface OUTSIDE
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp enable management
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    tunnel-group 72.54.178.126 type ipsec-l2l
    tunnel-group 72.54.178.126 ipsec-attributes
     pre-shared-key *
    tunnel-group 69.15.200.138 type ipsec-l2l
    tunnel-group 69.15.200.138 ipsec-attributes
     pre-shared-key *
    !

    REMOTE:
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname 5505

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.73.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 69.15.200.138 255.255.255.252
    !

    boot system disk0:/asa831-k8.bin

    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network 192.168.72.0
     subnet 192.168.72.0 255.255.255.0
     description Sixpines
    object network NETWORK_OBJ_192.168.73.0_24
     subnet 192.168.73.0 255.255.255.0
    object network obj-192.168.73.0
     subnet 192.168.73.0 255.255.255.0
    object network Sixpines
     subnet 192.168.72.0 255.255.255.0
    object-group network SixpinesInternalNetwork
     network-object Sixpines 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines

    nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
    nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
    nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 69.15.200.137 1

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 72.54.197.28
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    tunnel-group 72.54.197.28 type ipsec-l2l
    tunnel-group 72.54.197.28 ipsec-attributes
     pre-shared-key *
    !
    !
    !

    Any suggestion would be greatly appreciated

    You may need to remove the following on the remote ASA. I don't know what it is for:

    nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
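    The 305013 message quoted in this thread is the one to watch for after any NAT change on a VPN gateway, because a single asymmetric rule pair silently drops every connection on that path. The following is an added example, not code from either poster or from Cisco: a small parser for that message ID that extracts the interface pair, protocol and ports from `show logging` output or a syslog export, and counts denials per path so the offending rule pair can be found quickly. The udp line and the 302015 line in the sample log are constructed for the example; the icmp lines reuse the addresses from the post above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in the standard wording of ASA message 305013.
# The icmp lines reuse the addresses quoted in the post above; the udp line and
# the 302015 "Built connection" line are constructed for this example.
SAMPLE_LOG = """\
%ASA-3-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.72.14 dst inside:192.168.73.103 (type 0, code 0) denied due to NAT reverse path failure
%ASA-3-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.72.14/53412 dst inside:192.168.73.103/53 denied due to NAT reverse path failure
%ASA-6-302015: Built inbound UDP connection 4471 for outside:192.168.72.14/53412 (192.168.72.14/53412) to inside:192.168.73.103/53 (192.168.73.103/53)
%ASA-3-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.72.14 dst inside:192.168.73.103 (type 0, code 0) denied due to NAT reverse path failure
"""

# Field layout of 305013:
#   Connection for <proto> src <ifc>:<ip>[/<port>] dst <ifc>:<ip>[/<port>] [(type N, code N)] denied ...
ASYMMETRIC_NAT_RE = re.compile(
    r"%ASA-(?P<sev>\d)-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>\d+(?:\.\d+){3})(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>\d+(?:\.\d+){3})(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)


@dataclass(frozen=True)
class NatDenial:
    severity: int
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_nat_denials(log_text: str) -> List[NatDenial]:
    """Extract every 305013 event from the log text; other message IDs are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ASYMMETRIC_NAT_RE.search(line)
        if not m:
            continue
        events.append(NatDenial(
            severity=int(m["sev"]),
            proto=m["proto"],
            src_if=m["src_if"],
            src_ip=m["src_ip"],
            src_port=_opt_int(m["src_port"]),
            dst_if=m["dst_if"],
            dst_ip=m["dst_ip"],
            dst_port=_opt_int(m["dst_port"]),
            icmp_type=_opt_int(m["icmp_type"]),
            icmp_code=_opt_int(m["icmp_code"]),
        ))
    return events


def summarize_paths(events: List[NatDenial]) -> Counter:
    """Count denials per (ingress interface, egress interface, protocol, destination port).

    One interface pair dominating the counter points at the NAT rules that
    disagree for that path, which is where to start with packet-tracer.
    """
    return Counter((e.src_if, e.dst_if, e.proto, e.dst_port) for e in events)


if __name__ == "__main__":
    for key, n in summarize_paths(parse_nat_denials(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  {key[0]} -> {key[1]}  {key[2]}  dst port {key[3]}")
```

    Run it against the output of `show logging` (or the syslog collector's export) instead of SAMPLE_LOG; for the sample above it reports two icmp and one udp/53 denial on the outside -> inside path, matching the symptom in the post.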

  • Internet VERY slow connection on SD2008 connected to ASA 5505

    I recently bought a SD2008 (2008/11/28) to replace an older Linksys 10/100 switch for my home network. This switch connects to an ASA 5505 to go to the internet. I have improved since most of my pc have 10/100/1000 and the new NAS I purchased also connects to 1000 so I wanted to speed internally.

    The home network screams now

    BUT...

    Getting out to the internet has now slowed to a "slowski" crawl. I used to get 16-18 Mbps using the 10/100 switch. Now, I'm lucky to get 1 MB/s download speed.

    Any suggestions would be greatly appreciated.

    Too bad. I found the answer on a completely different thread that actually worked. I've linked the SD2008 to the ASA 5505 with a crossover cable, set the port speed/duplex AUTO/AUTO, restarted the ASA, and everything was back to normal.

    So much for auto MDI/MDI-X detection...

    Hope this helps someone else.

  • Strange behavior of NAT ASA 5505

    Hello

    We have an ASA 5505 version 9.1(5) and we need to open TCP port 55055 on the firewall and redirect it to TCP port 80 on the QNAP Viostor at IP 192.168.11.254

    I added a network object in this way:

    object network Viostor
     host 192.168.11.54
     description QNAP_Viostor

    NAT rule:

    nat (inside,outside) static interface service tcp 80 55055

    Firewall rule:

    access-list outside_access_in line 8 remark Viostor
    access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055

    When I try to connect with the Vmobile Android application, I see this in the ASA log:

    TCP request discarded from MY_EXTERNAL_IP to outside:X.Y.Z.W/55055

    The ASA has no UDP server to serve the UDP request

    I don't understand why UDP instead of TCP.

    Please help me!

    Thank you

    Ahmed, thanks for your replies... However, you're missing something important (the ASA software version). Packet-tracer shows that NAT is not hit; and on this software version the ACL does not use the external IP or mapped IP, but the real IP instead.

    s.be00001, follow these steps:

    object service 55055
     service tcp source eq 55055
    object service www
     service tcp source eq www
    !
    nat (inside,outside) 1 source static Viostor interface service www 55055
    !
    access-list outside_access_in line 9 extended permit tcp any object Viostor eq www

    Run the packet-tracer and send us the results:

    packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed

  • ASA 5505 Anyconnect traversal nat error

    Good afternoon gents,

    I installed an ASA 5505 and can connect with AnyConnect, but when I do, I can't access my LAN, though my LAN can access my laptop.  In the logs, I see the following error message:

    Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.139.50.1/64506 dst inside:10.201.180.5/53 denied due to NAT reverse path failure.

    I can't seem to figure this out, and nothing I have read and tried has worked. Here's the relevant config; any help would be GREATLY appreciated.

    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.201.180.10 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 67.200.133.107 255.255.255.248
    !

    access-list inside_nat0_outbound extended permit ip 10.139.50.0 255.255.255.0 10.201.180.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0

    ip local pool SSLClientPool 10.139.50.1-10.139.50.50 mask 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound outside
    nat (inside) 1 0.0.0.0 0.0.0.0

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL

    Try the nat 0 statement without the outside keyword:

    nat (inside) 0 access-list inside_nat0_outbound

    In addition,

    sh run sysopt and paste the output.

    Manish
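    What "asymmetric NAT rules" means in practice is easier to see on a model than on a live box. The block below is an added example, not code from the poster or from Cisco, and it is a deliberately simplified NAT table rather than the ASA's own lookup logic: it checks, for one connection, which rule the first packet hits and which rule the server's reply would hit, and flags the connection when the two differ. The rule sets are constructed from the addresses in the post above (the 10.201.180.0/24 LAN, the 10.139.50.0/24 SSLClientPool and the 67.200.133.107 outside address); the rule names are assumptions. It reproduces the class of failure (a missing exemption so that LAN replies to VPN clients would be PATed), not the specific cause Manish points at in this thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class NatRule:
    """One rule of a simplified NAT table (an illustration, not the ASA's own
    lookup code). As with an ASA rule it is written from the real side: a packet
    entering on real_if and leaving on mapped_if, with a source in real_src and
    a destination in dst, has its source rewritten into mapped_src. Static rules
    are one-to-one and also apply to connections that start on the mapped side;
    dynamic (PAT) rules only apply to connections that start on the real side."""
    name: str
    real_if: str
    mapped_if: str
    real_src: Net
    dst: Net
    mapped_src: Net
    static: bool

    def forward_match(self, in_if: str, out_if: str, src: Addr, dst: Addr) -> bool:
        return (in_if == self.real_if and out_if == self.mapped_if
                and src in self.real_src and dst in self.dst)

    def reverse_match(self, in_if: str, out_if: str, src: Addr, dst: Addr) -> bool:
        # A packet arriving on the mapped side for a mapped address is
        # un-translated, but only static rules work in this direction.
        return (self.static and in_if == self.mapped_if and out_if == self.real_if
                and src in self.dst and dst in self.mapped_src)

    def translate_src(self, src: Addr) -> Addr:
        if not self.static:
            return self.mapped_src.network_address          # PAT: one address
        offset = int(src) - int(self.real_src.network_address)
        return self.mapped_src.network_address + offset      # static one-to-one

    def untranslate_dst(self, dst: Addr) -> Addr:
        offset = int(dst) - int(self.mapped_src.network_address)
        return self.real_src.network_address + offset


def lookup(rules: List[NatRule], in_if: str, out_if: str,
           src: Addr, dst: Addr) -> Tuple[Optional[NatRule], Addr, Addr]:
    """First-match, top-down lookup; returns (rule or None, src after NAT, dst after NAT)."""
    for rule in rules:
        if rule.forward_match(in_if, out_if, src, dst):
            return rule, rule.translate_src(src), dst
        if rule.reverse_match(in_if, out_if, src, dst):
            return rule, src, rule.untranslate_dst(dst)
    return None, src, dst


def check_symmetry(rules: List[NatRule], client_if: str, client: Addr,
                   server_if: str, server: Addr) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (symmetric, forward rule name, reverse rule name) for one connection.

    The forward lookup is done for the client's first packet, the reverse lookup
    for the server's reply addressed to whatever the server saw. The connection
    is symmetric when both directions land on the same rule (or on no rule);
    a mismatch is the situation the ASA reports as message 305013."""
    fwd, seen_src, seen_dst = lookup(rules, client_if, server_if, client, server)
    if fwd is not None and not fwd.static:
        # A PAT rule creates a per-connection translation entry, and the reply
        # is matched against that entry rather than against the rule table.
        return True, fwd.name, fwd.name
    rev, _, _ = lookup(rules, server_if, client_if, seen_dst, seen_src)
    return fwd is rev, (fwd.name if fwd else None), (rev.name if rev else None)


# Constructed rule sets using the addresses from the AnyConnect post above.
LAN = Net("10.201.180.0/24")            # inside network
VPN_POOL = Net("10.139.50.0/24")        # SSLClientPool
OUTSIDE_IP = Net("67.200.133.107/32")   # outside interface address
ANY = Net("0.0.0.0/0")

EXEMPT = NatRule("nat0-exempt", "inside", "outside", LAN, VPN_POOL, LAN, static=True)
PAT = NatRule("pat-internet", "inside", "outside", ANY, ANY, OUTSIDE_IP, static=False)

RULES_GOOD = [EXEMPT, PAT]   # exemption listed before the catch-all PAT
RULES_BAD = [PAT]            # exemption missing: LAN replies to VPN clients get PATed


def run_demo() -> Dict[str, Tuple[bool, Optional[str], Optional[str]]]:
    client, dns = Addr("10.139.50.1"), Addr("10.201.180.5")
    return {
        "vpn_dns_good": check_symmetry(RULES_GOOD, "outside", client, "inside", dns),
        "vpn_dns_bad": check_symmetry(RULES_BAD, "outside", client, "inside", dns),
        "lan_to_internet": check_symmetry(RULES_GOOD, "inside", dns, "outside", Addr("8.8.8.8")),
    }


if __name__ == "__main__":
    for name, (ok, f, r) in run_demo().items():
        print(f"{name:16s} symmetric={ok} forward={f} reverse={r}")
```

    With the exemption in place, the VPN client's DNS query and the server's reply both land on nat0-exempt; without it, the query matches no rule while the reply would hit the PAT rule, which is exactly the forward/reverse disagreement the message describes. The ordinary LAN-to-internet flow stays symmetric because the PAT rule's own translation entry handles the reply.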
