ASA Bidirectional NAT VPN

I have a VPN tunnel configured with this NAT scenario.

permit l2lnat1 to access extended list ip 10.1.1.1 host 172.16.1.1

permit access list extended ip host 10.1.1.2 l2lnat2 172.16.1.1

static (Inside, Outside) 192.168.1.1 access-list l2lnat1

static (Inside, Outside) 192.168.1.2 access-list l2lnat2

This NAT will be bidirectional? In other words if the remote side of 172 try to pull up the tunnel, he will come to the top and nat to allow them to communicate or do I need to have opposite source and destination of each access list for the static method work in the opposite direction.

Thank you.

Hi Ty,

Assuming that you are running the OS pre 8.3 version, then NAT configuration that you have demonstrated is bidirectional as in

http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/nat_static.html#wp1080960

According taffic wearing the tunnel upward depends on the configuration of ACL encryption. In your case I think you want NAT 10.1.1.1 (10.1.1.2) to 192.168.1.1 (192.168.1.2) while contacting 172.16.1.1 (172.16.1.2), so what ACL crypto should look as below, because the encryption is finally done:

ACL_CRYPTO allowed ip 192.168.1.1 host 172.16.1.1

ACL_CRYPTO allowed ip 192.168.1.2 host 172.16.1.2

Accordigny peer it IPsec must have above ACL mirrored:

ACL_CRYPTO_PEER allowed ip 172.16.1.1 host 192.168.1.1

ACL_CRYPTO_PEER allowed host 172.16.1.2 ip 192.168.1.2

Kind regards

Pawel

Tags: Cisco Security

Similar Questions

8.4 ASA using NAT VPN issue.

Hello

I'm working on a customer site and they have a problem with one of their VPN (we have other works well), but it is a major issue and I think it's because we use manual NAT and NAT of the object on the same server for different things.

Traffic between indoors and outdoors:

It works with a specific manual NAT rule of source from the server 10.10.10.10 object

Inside

SRC-> DST

10.10.10.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 SNAT = VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">

It works with a specific using the NAT on the server of 10.10.10.10 object

Remote

SRC-> DST

1.1.1.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">= VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> DNAT 10.10.10.10

If we have the manual NAT and NAT object it does anyway.

So the question is (as I am new to zip code 8.3 ASA) should not mix the 2 types of NAt and look at configuring it all with manual NAT or NAT object?

With the NAT object out it does not work as it is taken in ouside NAT inside all:

Dynamic NAT (inside, outside) source no matter what interface (this NAT to 1.1.1.1 then does not match the card encryption for VPN)

and I tried a no - nat above that, but that does not work either.

Straws and hugging come to mind try to configure a different config. Any pointers in the right direction would be great.

Kind regards

Z

Hello

I'm not sure that installing even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual / NAT twice.

You have configured the rule by default PAT that you use as Section 1 NAT rule. NAT rules in the new software are divided into 3 sections
- Section 1: Manual / twice by NAT
- Section 2: Purpose NAT
- Section 3: Manual / double NAT (moved to section 3 using the setting "auto after")
- The Sections are passed by from 1 to 2 and 3 in order to find a match.
You should also notice that the Section 1 and Section 3 NAT has "line number" similar to the ACL parameter type. So if you have a default existing PAT rule configured for Section 1 and just add another Section 1 NAT rule without line/order number (VPN NAT) then it will just fall under the existing rule, making the new useless rule.

I would advice against the use of the rule by default PAT as Section 1 NAT rule. Finally, this means that you be constantly watch and edit its configuration when you try to configure more specific rules.

As a general rule 3 of the Section the PAT above default configuration would be the following

NAT (inside, outside) after the automatic termination of dynamic source no matter what interface

This would mean that you need to remove the old. That would mean as naturally as the change would temporarily dismantling all the current connections through "inside", "Outside" while you change the NAT rule format.

If after this configure a NAT twice to the VPN (wihtout the setting "auto after"), it will be the rule in article 1 while the default PAT will be Section 3. Of course, Section 1 will be matched first.

I'm not quite sure of what your setup of the foregoing have understood.

You're just source NAT?

I guess that the configuration you do is something like this?

network of the LAN-REAL object

10.10.10.0 subnet 255.255.255.0

purpose of the MAPPED in LAN network

1.1.1.0 subnet 255.255.255.0

being REMOTE-LAN network

1.1.2.0 subnet 255.255.255.0

NAT static destination of LAN LAN-REAL-MAPPED Shared source (indoor, outdoor) REMOTE - LAN LAN

If the network 1.1.1.0/24 is supposed to be one that is connected directly to your "external" to the format interface may need to be anything else.

-Jouni

Can the NAT of ASA configuration for vpn local pool

We have a group of tunnel remote ipsec, clients address pool use 172.18.33.0/24 which setup from command "ip local pool. The remote cliens must use full ipsec tunnel.

Because of IP overlap or route number, we would like to NAT this local basin of 172.18.33.0 to 192.168.3.0 subnet when vpn users access certain servers or subnet via external interface of the ASA. I have nat mapping address command from an interface to another interface of Armi. The pool local vpn is not behind any physical interface of the ASA. My question is can ASA policy NAT configuration for vpn local pool. If so, how to set up this NAT.

Thank you

Haiying

Elijah,

NAT_VPNClients ip 172.18.33.0 access list allow 255.255.255.0 10.1.1.0 255.255.255.0

public static 192.168.33.0 (external, outside) - NAT_VPNClients access list

The above configuration will be NAT 172.18.33.0/24 to 192.168.33.0/24 when you go to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your subnet of servers).

To allow the ASA to redirect rewritten traffic the same interface in which he receive, you must also order:

permit same-security-traffic intra-interface

Federico.

VPN L2L ASA with NAT

Hello, I was hoping someone might have an example of a site to site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration like this, but instead of "not nat", the ASA is NATting. So instead of the remote site, connect to the local network 10.10.10.0/24, ASA would be NAT at 172.16.17.0/24 for example.

http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

Thank you.

Mike

It's not very complicated, just keep in mind that NAT is done before the encryption.

So if you your network 10.10.10.0/24 nat internal to 172.16.17.0/24:

public static 172.16.17.0 (Interior, exterior) 10.10.10.0 netmask 255.255.255.0

You can use the address translated into your crypto-ACL:

REMOTE VPN ip 172.16.17.0 access list allow REMOTE-NET 255.255.255.0 255.255.255.0

I suppose that you run ASA v8.3 + that you referred to an older document. If you have a more recent software, the logic is the same but the NAT commands differ.

Sent by Cisco Support technique iPad App

ASA 5520: Remote VPN Clients cannot ping LAN, Internet

I've set up a few of them in my time, but I am confused with this one. Can I establish connect via VPN tunnel but I can't ping or go on the internet. I searched the forum for similar and found a little issues, but none of the fixes seem to match. I noticed a strange thing is when I run ipconfig/all of the vpn client, the IP address that has been leased over the Pool of the VPN is also the default gateway!

I have attached the config. Help, please.

Thank you!

Exemption of NAT ACL has not yet been applied.

NAT (inside) 0-list of access Inside_nat0_outbound

In addition, you have not split tunnel, not sure you were using internet ASA for the vpn client internet browsing.

You can also enable icmp inspection if you test in scathing:

Policy-map global_policy
class inspection_default

inspect the icmp

Hope that helps.

ASA encrypt interesting VPN traffic

Hello everybody out there using ASA.

I had a few IPSEC VPN tunnels between the company's central site and remote sites.

Two dsl lines were connected to the ASA, one for VPN traffic and the other for the internet.

The default gateway has been configured online internet, some static while insured roads as traffic to the sites of the company was sent through the other line.

A few days ago we changed the configuration of ASA to use only a single dsl connection, then the line serving the internet has been cut, while the other will become the gateway default and static routes have been removed.

The VPN connections instant stopped working and trying to send packets to the remote lan, it seems that ASA will not recognize that the traffic is encrypted. Obviousely we checked cryptomap, acl, ecc, but we find no problem... do you have any suggestions?

Thanks in advance,

Matt

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

XNetwork object network
10.10.0.0 subnet 255.255.255.0

network of the YNetwork object
172.0.1.0 subnet 255.255.255.0

card crypto RB1ITSHDSL001_map2 1 corresponds to the address RB1ITSHDSL001_1_cryptomap
card crypto RB1ITSHDSL001_map2 1 set peer a.b.c.186
RB1ITSHDSL001_map2 1 transform-set ESP-3DES-SHA crypto card game

RB1ITSHDSL001_1_cryptomap list extended access permitted ip XNetwork object YNetwork

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hello

Your exit the ASA must be encrypting the traffic between XNetwork and YNetwork.

If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.

When the ASA receives a packet, it must first check if there are ACLs that allows traffic, passes through the inspection engine and check that the associated NAT. For example, if the package is coordinated, then the private IP encryption will never take place.

Could ensure you that packets from the XNetwork are really reach the ASA, the NAT rule is correct and you may be looking for "debugging cry isa 127" and "scream ips 127" debug to check for errors of incompatibility.

In addition, what is the condition of the tunnel trying to communicate: "sh cry isa his"

Federico.

How to configure ASA as EZ - vpn client?

How can I configure ASA as Ez - vpn client?

Only ASA 5505 can be configured as a client VPN EZ.

Here's a few example configuration:

http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/ezvpn505.html

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Hope that helps.

NAT/VPN Cisco ASA

Hello

I have a question on a Cisco ASA.

We strive to set up a VPN connection with a provider of our using the 172.16.1.0/24 subnet now that they already have another customer using 172.16.1.0/24, then NAT traffic on a different subnet before connecting to the provider. Is this possible? If yes how can I configure something like this?

172.16.1.0/24 is also used to access the internet.

That's what I have right now:

!

internet_cryptomap_2 to access ip 192.168.0.0 scope list allow 255.255.252.0 (subnet provider)

!

card crypto internet_map1 3 match address internet_cryptomap_2

internet_map1 crypto map peer set 3 (IP address of provider)

internet_map1 crypto map 3 the value transform-set tubis-transformset

internet_map1 crypto map 3 the value reverse-road

!

This VPN works, but only for the subnet listed in the cryptomap_2 unfortunately, I can't use 172.16.1.0/24 for this.

Anyone has any ideas how to solve this problem?

Kind regards

Tom

Yes, you can...

Assuming you want to 172.16.1.0/24 NAT to 10.16.1.0/24 when accessing the provider subnet 192.168.0.0

access list static-nat-to-vendor permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0

public static 10.16.1.0 (inside, outside) access static-nat-to-provider list

access extensive list ip 10.16.1.0 internet_cryptomap_2 allow 255.255.255.0 192.168.0.0 255.255.252.0

Assuming you have ASA 8.2 or lower.

Otherwise, ASA 8.3 or higher:

network object obj - 172.16.1.0

subnet 172.16.1.0 255.255.255.0

network object obj - 10.16.1.0

10.16.1.0 subnet 255.255.255.0

network object obj - 192.168.0.0

Subnet 192.168.0.0 255.255.252.0

NAT (inside, outside) source static obj - 172.16.1.0 obj - 10.16.1.0 destination static obj - 192.168.0.0 obj - 192.168.0.0

ASA to Juniper VPN with policy NAT

I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my network 192.168.190.0/24 client. I need NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.

Here is my current config:

xxxxx host name

domain xxxxx.local
enable the encrypted password xxxxx
XXXXX encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.190.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 207.98.218.26 255.255.255.248
!
interface Vlan3
prior to interface Vlan1
nameif DMZ
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
interface Vlan12
description of interface vlan2 backup
nameif CharterBackup
security-level 0
IP 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passive FTP mode
DNS server-group DefaultDNS
domain xxxxx.local
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 100 permit tcp any host 207.98.218.27 eq 3389
access-list extended 100 permit tcp any host 207.98.218.28 eq 3389
access-list extended 100 permit tcp any host 207.98.218.27 eq 9000
access-list extended 100 permit tcp any host 207.98.218.27 eq 9001
access-list extended 100 permit tcp any host 207.98.218.28 eq 9000
access-list extended 100 permit tcp any host 207.98.218.28 eq 9001
access-list standard split allow 192.168.190.0 255.255.255.0
Access extensive list ip 192.168.190.0 POLICYNAT allow 255.255.255.0 66.18.106.160 255.255.255.224
extended VPN ip 192.168.191.0 access list allow 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 DMZ
MTU 1500 CharterBackup
IP local pool vpnpool 192.168.10.75 - 192.168.10.85
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 524.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
Global interface (CharterBackup) 1
NAT (inside) - 0 110 access list
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (DMZ) 1 0.0.0.0 0.0.0.0
public static 192.168.191.0 (inside, outside) - POLICYNAT access list
Access-group 100 in external interface
Route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
Route 0.0.0.0 CharterBackup 0.0.0.0 71.14.9.49 254
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
Enable http server
http 192.168.190.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
monitor SLA 123
type echo protocol ipIcmpEcho 4.2.2.2 outside interface
timeout of 1000
frequency 3
Annex ALS life monitor 123 to always start-time now
Crypto ipsec transform-set esp - esp-md5-hmac romanset
Crypto ipsec transform-set esp-aes - AES-128-SHA esp-sha-hmac
Crypto-map dynamic dynmap 10 transform-set romanset
romanmap card crypto 10 corresponds to the VPN address
peer set card crypto romanmap 10 66.18.99.68
card crypto romanmap 10 game of transformation-AES-128-SHA
map romanmap 65535-isakmp ipsec crypto dynamic dynmap
romanmap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
sha hash
Group 2
life 86400
!
track 1 rtr 123 accessibility
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 CharterBackup
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd outside auto_config
!
dhcpd address 192.168.100.100 - DMZ 192.168.100.130
dhcpd enable DMZ
!

internal group xxxxx policy
attributes of the strategy group xxxxx
value of server WINS 192.168.190.3
value of server DNS 192.168.190.3
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx General attributes
address vpnpool pool
Group Policy - by default-romangroup
tunnel-group ipsec-attributes xxxxx
pre-shared-key *.
ISAKMP ikev1-user authentication no
tunnel-group 66.18.99.68 type ipsec-l2l
IPSec-attributes tunnel-group 66.18.99.68
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname

Currently, traffic that originates on 192.168.190.0/24 generates no traffic phase 1. However, if the traffic is coming in FRO the side remote (66.18.106.160/27) the tunnel arrives, but no traffic passes.

Although this isn't my area of expertise, it seems to me that my ASA is not 'see' interesting traffic from 192.168.190.0/24 will 66.18.106.160/27.

Any help you could provide would be GREATLY appreciated.

Just remove the 2 following lines:

access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224

access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224

Then 'clear xlate '.

That should solve your problem.

ASA IPP on VPN L2L w/NAT

I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.

Any thoughts on where I can go wrong?

Thank you

Darren

You have configured the following:

crypto set reverse-road map

If you do, can you remove and Add again and see if that fixes the problem?

% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; Connection refused because of the failure of the path opposite. NAT VPN clients problems after that put 8.3.2 to level.

I've recently updated to 8.3.2 and I have been informed of these NAT changes, but even after reading the https://supportforums.cisco.com/docs/DOC-12569 I am still unable to rectify the communication network 192.168.100.0 VPN with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the external interface, and I try to ping inside and the demilitarized zone, respectable 172.16.1.0 and 172.16.9.0 hosts. VPN client shows that the two previously mentioned networks such as roads of security, but still not to the ping pong.

# sh nat

Manual NAT policies (Section 1)

1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

translate_hits = 0, untranslate_hits = 0

2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

translate_hits = 0, untranslate_hits = 0

3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

translate_hits = 0, untranslate_hits = 0

4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

translate_hits = 0, untranslate_hits = 0

5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

translate_hits = 0, untranslate_hits = 0

Auto NAT policies (Section 2)

1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service

translate_hits = 0, untranslate_hits = 142

2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389

translate_hits = 0, untranslate_hits = 2

3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service

translate_hits = 0, untranslate_hits = 0

4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp

translate_hits = 0, untranslate_hits = 0

5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service

translate_hits = 0, untranslate_hits = 267

6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)

translate_hits = 4070, untranslate_hits = 224

7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0

translate_hits = 0, untranslate_hits = 0

8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0

translate_hits = 152, untranslate_hits = 4082

9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)

translate_hits = 69, untranslate_hits = 0

10 (inside) to the obj_any interface dynamic source (external)

translate_hits = 196, untranslate_hits = 32

I think you must following two NAT config

NAT (inside, outside) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
NAT (dmz, external) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 192.168.100.0 obj - 192.168.100.0

Please configure them and remove any additional NAT configuration and then try again.

ASA Configuration of VPN Site to Site - NAT issues

Greetings,

I am responsible to configure a VPN connection from site to site to a business partner in which I want to firstly NAT to my internal IP to a public IP address and then send it through the tunnel, and vice versa when they try to access my servers I want to get to them through the external IP address. Here's what I think I do, but I was wondering what were the thoughts of the community.

All of the IP addresses represented below are fictitious.

Internal servers Public IP address

10.50.220.150 208.180.170.182

10.50.220.151 208.180.170.183

10.50.220.152 208.180.170.184

Local peer IP: 208.180.254.29

Distance from peer IP: 207.190.218.31

Local network: 208.180.170.0/24

Remote network: 207.190.239.0/24

From my understanding, NAT occur before being sent to a tunnel, or to the internet, etc, so the configuration that I think I need is the following:

NAT (inside) 0 access-list sheep

NAT (inside) 2 10.50.220.150

NAT (inside) 3 10.50.220.151

NAT (inside) 4 10.50.220.152

Global 2 208.180.170.182 (outside)

overall 3 208.180.170.183 (outside)

Global 4 208.180.170.184 (outside)

IP 208.180.170.0 allow Access-list extended sheep 255.255.255.0 207.190.239.0 255.255.255.0 (do I still need this since coordinated to a public IP address still?)

access-list s2s client scope ip 208.180.170.0 allow 255.255.255.0 207.190.239.0 255.255.255.0

Route outside 207.190.239.0 255.255.255.0 207.190.218.31

card crypto off peers set 1 207.190.218.31

Crypto card outside 1 correspondence address s2s-customer

[... rest of the configuration failed..]

That look / her right? If this isn't the case, please advise.

Thank you.

Yes.

PAT (nat/global) will take care of outgoing and static traffic will take care of incoming traffic.

You can create political NAT as well to handle this traffic.

Federico.

With NAT VPN tunnels

I have read on several posts on the topic and still think I'm missing something, I'm looking for help.

Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.

I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.

The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.

Is this possible? I am attaching a schema, which could help.

Hello

Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.

On your ASA device

public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255

You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.

HTH

Jon

ASA 5505. VPN Site-to-Site does not connect!

Hello!
Already more than a week there, as we had a new channel of communication of MGTSa (Ontario terminal Sercomm RV6688BCM, who barely made in the 'bridge' - had to do the provider in order to receive our white Cisco Ip address), and now I train as well more that one week to raise between our IKEv1 IPsec Site-to-Site VPN tunnel closes offices.
Configurable and use the wizard in ASDM and handles in the CLI, the result of a year, the connection does not rise.
Cisco version 9.2 (2), the image of the Cisco asa922 - k8.bin, Security Plus license version, version 7.2 AMPS (2).
What I'll never know...
Debugging and complete configuration enclose below.
Help, which can follow any responses, please! I was completely exhausted!

Config:

Output of the command: "sh run".

: Saved
:
: Serial: XXXXXXXXXXXX
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (2)
!
hostname door-71
activate the encrypted password of F6OJ0GOws7WHxeql
names of
IP local pool vpnpool 10.1.72.100 - 10.1.72.120 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.1.72.254 255.255.255.0
!
interface Vlan2
nameif outside_mgts
security-level 0
62.112.100.R1 255.255.255.252 IP address
!
passive FTP mode
clock timezone 3 MSK/MSD
clock to DST MSK/MDD recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group MGTS
Server name 195.34.31.50
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NET72 object
10.1.72.0 subnet 255.255.255.0
network object obj - 0.0.0.0
host 0.0.0.0
network of the Nafanya object
Home 10.1.72.5
network object obj - 10.1.72.0
10.1.72.0 subnet 255.255.255.0
network of the NET61 object
10.1.61.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.96_27 object
subnet 10.1.72.96 255.255.255.224
network of the NETT72 object
10.1.72.0 subnet 255.255.255.0
network of the NET30 object
10.1.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.0_24 object
10.1.72.0 subnet 255.255.255.0
object-group service OG INET
the purpose of the echo icmp message service
response to echo icmp service object
service-object icmp traceroute
service-object unreachable icmp
service-purpose tcp - udp destination eq echo
the DM_INLINE_NETWORK_1 object-group network
network-object NET30
network-object, object NET72
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
inside_access_in extended access list permit ip object NET72 object-group DM_INLINE_NETWORK_1
access extensive list ip 10.1.72.0 inside_access_in allow 255.255.255.0 any
inside_access_in extended access list permit ip object Nafanya any idle state
inside_access_in list extended access allowed object-group OG INET an entire
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access deny ip any alerts on any newspaper
outside_mgts_access_in list extended access allowed object-group OG INET an entire
outside_mgts_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_mgts_access_in list extended access deny ip any alerts on any newspaper
access extensive list ip 10.1.72.0 outside_mgts_cryptomap allow 255.255.255.0 object NET61
VPN-ST_splitTunnelAcl permit 10.1.72.0 access list standard 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
outside_mgts MTU 1500
IP check path reverse interface outside_mgts
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside outside_mgts) static source NET72 NET72 NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 non-proxy-arp-search of route static destination
NAT (inside outside_mgts) static source NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 NET61 NET61 non-proxy-arp-search of route static destination
!
network obj_any object
NAT (inside outside_mgts) dynamic obj - 0.0.0.0
network of the NET72 object
NAT (inside outside_mgts) interface dynamic dns
inside_access_in access to the interface inside group
Access-group outside_mgts_access_in in the outside_mgts interface
Route 0.0.0.0 outside_mgts 0.0.0.0 62.112.100.R 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 10.1.72.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
card crypto outside_mgts_map 1 match address outside_mgts_cryptomap
card crypto outside_mgts_map 1 set pfs Group1
peer set card crypto outside_mgts_map 1 91.188.180.42
card crypto outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_mgts_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto outside_mgts_map interface outside_mgts
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
E-mail [email protected] / * /
name of the object CN = door-71
Serial number
IP address 62.112.100.42
Proxy-loc-transmitter
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
registration auto
ASDM_TrustPoint1 key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint0 certificates
certificate eff26954
30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d 010105
019
6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d 1964
60ae26ec 5f300d06 092 has 8648 01050500 03820101 00448753 7baa5c77 86f70d01
62857b 65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
94a 82781 44493217 and 38097952 d 003 5552 5c445f1f 92f04039 a23fba20 b9d51b13
f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c 024 3af56b97 51af8253
486844bc b1954abe 8acd7108 5e4212df db835d76 98ffdb2b 8c8ab915 193b 8167
0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
quit smoking
string encryption ca ASDM_TrustPoint1 certificates
certificate a39a2b54
3082025f 30820377 a0030201 020204 has 3 9a2b5430 0d06092a 864886f7 0d 010105
0500304 06035504 03130767 36313137 30120603 55040513 6174652d 3110300e b

c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
14bdb207 7dd790a4 0cd 70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f a 362973, 0 88de3272
9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
0001 has 363 3061300f 0603551d 130101ff 0101ff30 04053003 0e060355 1d0f0101
ff040403 1f060355 02018630 230418 30168014 0cea70bf 0d0e0c4b eb34a0b1 1 d
8242 has 549 0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182 301D 5183ccf9
42a 54951 010105 05000382 0101004e 7bfe054a 0d 864886f7 0d06092a 83ccf930
d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 2a97333b 96077966 05a8e9ef
bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
9aaeae21 a629ccc6 3c79200b b9a89b08 bf38afb6 ea56b957 4430f692 a 4745, 411
34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
ebd4dccd df93c17e deceb796 f268abf1 881409b 5 89183841 f484f0e7 bd5f7b69
ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
quit smoking
crypto isakmp identity address
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate outside_mgts port 443 customer service
Crypto ikev2 access remote trustpoint ASDM_TrustPoint0
Crypto ikev1 allow inside
Crypto ikev1 enable outside_mgts
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
without ssh stricthostkeycheck
SSH 10.1.72.0 255.255.255.0 inside
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
vpnclient Server 91.188.180.X
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
VPN - L2L vpnclient vpngroup password *.
vpnclient username aradetskayaL password *.
dhcpd auto_config outside_mgts
!
dhcpd update dns replace all two interface inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust ASDM_TrustPoint0 inside point
SSL-trust ASDM_TrustPoint0 outside_mgts point
WebVPN
Select outside_mgts
internal GroupPolicy_91.188.180.X group strategy
attributes of Group Policy GroupPolicy_91.188.180.X
Ikev1 VPN-tunnel-Protocol
internal group VPN - ST strategy
attributes of group VPN - ST policy
value of 195.34.31.50 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN-ST_splitTunnelAcl
by default no
aradetskayaL encrypted HR3qeva85hzXT6KK privilege 15 password username
tunnel-group 91.188.180.X type ipsec-l2l
attributes global-tunnel-group 91.188.180.X
Group - default policy - GroupPolicy_91.188.180.42
IPSec-attributes tunnel-group 91.188.180.X
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
remotely IKEv2 authentication certificate
pre-shared-key authentication local IKEv2 *.
remote access to tunnel-group VPN - ST type
VPN-general ST-attributes tunnel-group
address vpnpool pool
Group Policy - by default-VPN-ST
tunnel-group ipsec VPN ST-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:212e4f5035793d1c219fed57751983d8
: end

door-71 # sh crypto ikev1 his

There are no SAs IKEv1

door-71 # sh crypto ikev2 his

There are no SAs IKEv2

door-71 # sh crypto ipsec his

There is no ipsec security associations

door-71 # sh crypto isakmp

There are no SAs IKEv1

There are no SAs IKEv2

Global statistics IKEv1
The active Tunnels: 0
Previous Tunnels: 0
In bytes: 0
In the packages: 0
In packs of fall: 0
In Notifys: 0
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 0
Package: 0
Fall packages: 0
NOTIFYs out: 0

Exchanges of P2: 0
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 0
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0

IKEV1 statistics for Admission appeals
In negotiating SAs Max: 25
In negotiating SAs: 0
In negotiating SAs Highwater: 0
In negotiating SAs rejected: 0

Global statistics IKEv2
The active Tunnels: 0
Previous Tunnels: 0
In bytes: 0
In the packages: 0
In packs of fall: 0
In Fragments of fall: 0
In Notifys: 0
In Exchange for the P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
In IPSEC delete: 0
In delete IKE: 0
Bytes: 0
Package: 0
Fall packages: 0
Fragments of fall: 0
NOTIFYs out: 0
Exchange of P2: 0
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
On IPSEC delete: 0
The IKE Delete: 0
Locally launched sAs: 0
Locally launched sAs failed: 0
SAs remotely initiated: 0
SAs remotely initiated failed: 0
System capacity: 0
Authentication failures: 0
Decrypt failures: 0
Hash failures: 0
Invalid SPI: 0
In the Configs: 0
Configs: 0
In the Configs rejects: 0
Configs rejects: 0
Previous Tunnels: 0
Previous Tunnels wraps: 0
In the DPD Messages: 0
The DPD Messages: 0
The NAT KeepAlive: 0
IKE recomposition launched locally: 0
IKE returned to the remote initiated key: 0
Generate a new key CHILD initiated locally: 0
CHILD given to the remote initiated key: 0

IKEV2 statistics for Admission appeals
Max active SAs: no limit
Max in negotiating SAs: 50
Challenge cookie line: never
Active sAs: 0
In negotiating SAs: 0
Incoming requests: 0
Accepted incoming requests: 0
A rejected incoming requests: 0
Out of requests: 0
Out of the applications accepted: 0
The outgoing rejected requests: 0
A rejected queries: 0
Rejected at the SA: 0 Max limit
Rejected low resources: 0
Rejected the current reboot: 0
Challenges of cookie: 0
Cookies transmitted challenges: 0
Challenges of cookie failed: 0

IKEv1 global IPSec over TCP statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Incoming packets: 0
Inbound packets ignored: 0
Outgoing packets: 0
Outbound packets ignored: 0
The RST packets: 0
Heartbeat Recevied ACK packets: 0
Bad headers: 0
Bad trailers: 0
Chess timer: 0
Checksum errors: 0
Internal error: 0

door-71 # sh statistical protocol all cryptographic
[Statistics IKEv1]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistics IKEv2]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[IPsec statistics]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0

ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[SSL statistics]
Encrypt packets of queries: 19331
Encapsulate packets of queries: 19331
Decrypt packets of queries: 437
Package requests decapsulating: 437
HMAC calculation queries: 19768
ITS creation queries: 178
SA asked to generate a new key: 0
Requests to remove SA: 176
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistical SSH are not taken in charge]
[Statistics SRTP]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistics]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 6238
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of queries random generation: 76
Failure of queries: 9
door-71 # sh crypto ca trustpoints

Trustpoint ASDM_TrustPoint0:
Configured for the production of a self-signed certificate.

Trustpoint ASDM_TrustPoint1:
Configured for the production of a self-signed certificate.

If you need something more, then spread!
Please explain why it is that I don't want to work?

Hello

When the IPSEC tunnel does not come to the top, the first thing comes to my mind is to run a tracer of package from the CLI and the phases in it. Please run this command from your firewall side and share the output. I've just compiled this command with the random ip address and ports of your given range.

Packet-trace entry inside tcp 10.1.72.2 1233 10.1.61.2 443 detailed

Best regards

Amandine

Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

HelloW everyone.

I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

but the vpn does not come to the top. can someone tell me what can be the root cause?

Here is the configuration of twa asa: (I changed the ip address all the)

Singapore:

See the race
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
<--- more="" ---="">

!
<--- more="" ---="">

interface GigabitEthernet0/3
<--- more="" ---="">

Shutdown
<--- more="" ---="">

No nameif
<--- more="" ---="">

no level of security
<--- more="" ---="">

no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
<--- more="" ---="">

192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
<--- more="" ---="">

service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
<--- more="" ---="">

ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- more="" ---="">

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server

Community trap SNMP-server host test 192.168.168.231 *.
No snmp server location
No snmp Server contact
Server enable SNMP traps syslog
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 103.246.3.54
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 General-attributes
Group Policy - by default-GroupPolicy1
<--- more="" ---="">

IPSec-attributes tunnel-group 143.216.30.7
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
Overall description
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
<--- more="" ---="">

inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: end

Malaysia:

:
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 143.216.30.7 255.255.255.248
<--- more="" ---="">

!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.218 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
<--- more="" ---="">

Interface Port - Channel 1
No nameif
no level of security
IP 1.1.1.1 255.255.255.0
!
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
clock timezone GMT + 8 8
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
<--- more="" ---="">

tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.6.23
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.2.0_24 object
192.168.6.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
asdm of logging of information
<--- more="" ---="">

host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
reverse IP check management interface path
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
!
network of the MK object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
<--- more="" ---="">

Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server

No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 160.83.172.8
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
<--- more="" ---="">

tunnel-group MK SG type ipsec-l2l
IPSec-attributes tunnel-group MK-to-SG
IKEv1 pre-shared-key *.
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 General-attributes
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-group 160.83.172.8
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
<--- more="" ---="">

inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Good news, that VPN has been implemented!

According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

In addition, you can try to enable ICMP inspection:

Policy-map global_policy
class inspection_default

inspect the icmp

inspect the icmp error

ASA Bidirectional NAT VPN

Similar Questions

Maybe you are looking for