ASA IPSEC site-to-site with NAT problem

Similar Questions

• Cisco Asa vpn site-to-site with nat

  Hi all

  I need help
  I want to make a site from the site with nat vpn
  Site A = 10.0.0.0/24
  Site B = 10.1.252.0/24

  I want when site A to site B, either by ip 172.26.0.0/24

  Here is my configuration

  inside_nat_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group ipsec-attributes x.x.x.x
  pre-shared-key!

  ISAKMP retry threshold 10 keepalive 2

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  card crypto outside_map 2 match address inside_nat_outbound

  card crypto outside_map 2 pfs set group5
  card crypto outside_map 2 peers set x.x.x.x

  card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

  NAT (inside) 10 inside_nat_outbound

  Global 172.26.0.1 - 172.26.0.254 10 (outside)

  but do not work.

  Can you help me?

  Concerning

  Frédéric

  You must ensure that there is no NAT 0 ACL statement because it will take precedence over the static NAT.

  You don't need:

  Global 172.26.0.1 - 172.26.0.254 10 (outside)

  NAT (inside) 10 access-list nattoyr

  Because it will be replaced by the static NAT.

  In a Word is enough:

  nattoyr to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

  access extensive list ip 172.26.0.0 vpntoyr allow 255.255.255.0 10.1.252.0 255.255.255.0

  public static 172.26.0.0 (inside, outside) - nattoyr access list

  card crypto outside_map 2 match address vpntoyr

  card crypto outside_map 2 pfs set group5

  card crypto outside_map 2 defined peer "public ip".

  card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

  outside_map interface card crypto outside

  tunnel-group "public ip" type ipsec-l2l

  tunnel-group "public ip" ipsec-attributes

  pre-shared key *.

  -Make sure that it not there no NAT ACL 0 including the above statements and check if NAT happening (sh xlate) and the

  traffic is being encryption (sh cry ips its)

  Federico.

• I have Lightroom 4.4 on my Mac laptop. It came with the purchase of a Leica camera. When I check the updates, the answer is that there is no update available. Download Version 5.7 of Adobe's Web site with no problems?

  I have Lightroom 4.4 on my Mac laptop. It came with the purchase of a Leica camera. When I check the updates, the answer is that there is no update available. Download Version 5.7 of Adobe's Web site with no problems?

  Your license for the 4.4 release will not work with version 5.7, you can download it without doubt, but if you do not have version 5.7 download then it won't do much good.  If you do not have a license for it so you won't be able to use it beyond use of the trial.

• A Site with NAT

  Hi all, thanks for looking. I'm a very basic user to a Cisco ASA 5510, I tend to do most of the things in the ASDM GUI interface.

  We need to create a site to site with a client connection. It's pretty easy but there is a caveat, we can use our internal IPS that they already use the range elsewhere. If we gave them two different IP, for example 192.158.22.101 and 192.158.22.102. I created the site to the site using these two survey periods, but these do not exist internally on the machines because they are not IPs on our network, which is using 192.158.44.0.

  The question I have is how can I get the IP addresses 192.158.44.101 and 192.158.44.102 to become 92.158.22.101 and 92.158.22.102 before being sent via this connection. I tried to add the NAT to the object of an IP address related, but I'm obviously missing something.

  The other option, I do not fear to do, is to add a new range of internal IP 192.158.22.0 addresses, but I don't know how do either.

  Any help would be appreciated, I'm really bad here and spent two weeks on this subject already. I searched for it, but it seems that it is either too basic for most people wonder or slightly different, for example, they have control of the two sites.

  Hello

  Add to that dieng said here is the config for NATTING as two IPS 192.158.44.101 and 102:

  network object obj - 192.158.44.101

  Home 192.158.44.101

  network object obj - 192.158.44.102

  Home 192.158.44.102

  object obj -192.158.22.101 network

  Home 192.158.22.101

  object obj -192.158.22.102 network

  host 192.158.22.102

  object obj remote network

  10.x.x.x subnet 255.255.255.0

  You need two NAT statements for this:

  NAT (inside, outside) source dynamic obj - 192.158.44.101 obj -192.158.22.101 destination static obj-remote obj-remote

  nat source (indoor, outdoor) obj dynamic obj - 192.158.44.102 - 192.158.22.102 destination static obj obj-remote control-remote control

  It will be useful.

  Kind regards

  Aditya

  Please evaluate the useful messages.

• Cisco ASA VPN Site to Site WITH NAT inside

  Hello!

  I have 2 ASA 5505 related to IPSEC Tunnel VPN Site to Site.

  A 192.168.1.0/24 'remotely' inside the network and a local "192.168.200.0/24' inside the network (you can see the diagram)

  The local host have 192.168.200.254 as default gateway.

  I can't add static route to all army and I can't add static route to 192.168.200.254.

  NAT the VPN entering as 192.168.200.1 or a 192.168.200.x free to connect my host correcly?

  If my host sends packet to exit to the default gateway.

  Thank you for your support

  Best regards

  Marco

  The configuration must be applied on the SAA with the 192.168.200.0 subnet it is inside, there must be something like this:

  permit 192.168.1.0 ip access list VPN_NAT 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (outside) X VPN_NAT outside access list

  Global (inside) X Y.Y.Y.Y (where the Y.Y.Y.Y) is the ip address

  If you have other traffic on the vpn through the tunnel that requires no nat, then you must add external nat exemption rules since these lines above obliges all traffic through the asa to have a nat statement.

  See if it works for you, else post your config nat here.

• VPN site to Site with NAT (PIX 7.2)

  Hi all

  I hope for more help with config PIX.  TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...

  I have to configure a VPN site-to site between our UK and US Office, to replace our frame relay link.  I have configured multiple VPN site to site on the before PIX, so am reasonably okay with the appearance of the config of who.  What is a new concept for me is the needs of NAT'ing between the IPSEC tunnel.

  The U.S. Agency requires us to NAT source addresses (i.e. 192.168.1.0) usable on their side address (i.e. 143.102.89.0).  The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.

  I added the following config and hoping to test it at the U.S. office happens online today.

  If I Ping from 192.168.1.0 to 172.24.x.x source and run a SH NAT inside, the NAT translation seems good.

  is the intellectual property inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
  static translation at 143.102.89.0
  translate_hits = 4, untranslate_hits = 0

  Could someone please go through the following lines of config and comment if there is no error?

  Thank you very much

  Kevin

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  IP 143.102.89.0 allow Access-list ipsec - dallas extended 255.255.255.0 172.24.0.0 255.252.0.0

  policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0

  public static 143.102.89.0 (inside, outside) - list of access policy-nat-dallas

  Crypto ipsec transform-set esp-3des esp-md5-hmac 3desmd5set

  card crypto map dyn 40 correspondence address ipsec - dallas

  set dyn-map 40 crypto map peer 143.101.6.141

  card crypto dyn-map 40 transform-set 3desmd5set

  dyn-map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  tunnel-group 143.101.6.141 type ipsec-l2l

  IPSec-attributes tunnel-group 143.101.6.141

  pre-shared-key *.

  You can configure NAT/Global pair for the rest of the users.

  For example:

  You can use the initially configured ACL:

  policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
  NAT (inside) 1 access list policy-nat-dallas

  Global 1 143.102.89.x (outside)

  The static statement that you configured previously will take precedence over the above. So the printer gets statically using a NAT to 143.102.89.10, and the rest can do another ip address 143.102.89.x PATed.

  Please note that for PAT, traffic can only be initiated from 192.168.1.0/24 LAN to 172.24.0.0/14, not the other way around.

  Hope that helps.

• local host to access the vpn site to site with nat static configured

  I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

  IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
  IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 100

  access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
  access-list 100 permit ip 192.168.150.0 0.0.0.255 any

  You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

  If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

• ASA - a Site with self-signed certificates

  Team,

  ASA version 9.1 (3), ASDM 7.1 (4) on 5505.

  I have a pair of Cisco ASA 5505 that I am trying to establish a tunnel. I do everything with PSK. IKEv2 with AES256 IPSec. No problem...

  However, I learned that I can auto-signer certificates and use them to authenticate each firewall to another. I tried for hours... Generating of certs in all combinations and options, and the export of the P12 in the other firewall, by adding in - no problem

  I have self signed CERTS, so there is no CA.

  Then I'll be back in the connection profile and remove the PSK - flip on to RSA - SIG in the IKE Policy.

  Does anyone have this working with the ASA version, I'm running and care apart from your snippets of configuration especially how you created the pair of keys, self-signed one, exported and adding in the adjacent firewall?

  I don't want to use PSK for authentication.

  Help!

  I never used this way without a CA so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: you assigned the ID-Cert cert in the crypto-plan?

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• VPN site to Site with NAT

  Hello Experts

  We intend to set up a VPN site-to site between two sites, sites, Site & A B such as shown in the attached diagram.

  The LAN on SIte A is 10.8.1.0/24 who are planning to NAT on the ASA5505 to 192.168.42.0/24 because this is the range that is allowed on the firewall on the remote end (Site B ASA 5520)

  What type of configuration requires we on the firewall of the Site regarding the interesting traffic.

  Natted IPs will be the interesting traffic?

  Is there another thing we have in other mind while configuring the ASA for the scenarios.

  Help would be appreciated.

  ACL "crypto-NAT" of my example will be the NAT traffic that source of 10.8.1.0/24 for 10.3.0.0/24 to match 192.168.42.0/24.

  For example:

  10.8.1.1 will be coordinated to 192.168.42.1 when traffic is destined to the 10.3.0.0/24 subnet.

  10.8.1.2 will be coordinated to 192.168.42.2 when traffic is destined to the 10.3.0.0/24 subnet.

  etc etc.

  If you have another remote subnet, you are right, you just add the extra line to the crypto-NAT and crypto-ACL. So, you will have the following lines:

  IP 10.8.1.0 allow Access-list crypto-NAT 255.255.255.0 10.3.0.0 255.255.255.0

  10.8.1.0 IP Access-list crypto-NAT 255.255.255.0 allow 10.5.0.0 255.255.0.0

  Crypto ip 192.168.42.0 access list ACL allow 255.255.255.0 10.3.0.0 255.255.255.0

  Crypto ip 192.168.42.0 access list ACL allow 255.255.255.0 10.5.0.0 255.255.0.0

• VPN site to Site with NAT and Port forwarding on a 871

  Hello

  Could someone please look at the config 871 router attached and tell me where I'm wrong!

  VPNs all work, work, BUT anyone trying to connect to a port that is sent through the VPN port forwarding fails.

  In the config attached Port 3389 (RDP) is sent to an internal server, if you connect to the external interface Internet connection is made and it works well, but if someone tries to connect to the IP address internal to that same server through VPN, it does not.

  We've added commands to stop working on the lines VPN NAT, but these do not seem to work.

  What Miss me?

  Thank you in advance and I will adjudicate all useful responses.

  It is a common problem. Yes you added controls to prevent NAT to work above the tunnel, but your static nat port to port 3389 takes precedence over the generic nat command, and there not all orders top to prevent it is nat would be above the tunnel.

  I wrote an example configuration for this some time, see here for more details:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

  If all goes well, he explains everything. Note that it is for a general order static host, not a static port that you have, but the concept is exactly the same. Just add a statement roadmap on the end of your static command of the port, and this route map - will reference an ACL that denies are used when going up above the tunnel.

• Need help with the configuration of the Site with crossed on Cisco ASA5510 8.2 IPSec VPN Client (1)

  Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).

  Here is the presentation:

  

  There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.

  I was able to configure the Client VPN IPSec Site

  (1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa

  (2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.

  But I was not able to make the tradiotional model Hairpinng to work in this scenario.

  I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?

  Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:

  LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)

  race-conf - Site VPN Customer normal work without internet access/split tunnel

  : ASA Version 8.2 (1) ! ciscoasa hostname domain cisco.campus.com enable the encrypted password xxxxxxxxxxxxxx XXXXXXXXXXXXXX encrypted passwd names of ! interface GigabitEthernet0/0 nameif outside internet1 security-level 0 IP 1.1.1.1 255.255.255.240 ! interface GigabitEthernet0/1 nameif outside internet2 security-level 0 IP address 2.2.2.2 255.255.255.224 ! interface GigabitEthernet0/2 nameif dmz interface security-level 0 IP 10.0.1.1 255.255.255.0 ! interface GigabitEthernet0/3 nameif campus-lan security-level 0 IP 172.16.0.1 255.255.0.0 ! interface Management0/0 nameif CSC-MGMT security-level 100 the IP 10.0.0.4 address 255.255.255.0 ! boot system Disk0: / asa821 - k8.bin boot system Disk0: / asa843 - k8.bin passive FTP mode DNS server-group DefaultDNS domain cisco.campus.com permit same-security-traffic inter-interface permit same-security-traffic intra-interface object-group network cmps-lan the object-group CSC - ip network object-group network www-Interior object-group network www-outside object-group service tcp-80 object-group service udp-53 object-group service https object-group service pop3 object-group service smtp object-group service tcp80 object-group service http-s object-group service pop3-110 object-group service smtp25 object-group service udp53 object-group service ssh object-group service tcp-port port udp-object-group service object-group service ftp object-group service ftp - data object-group network csc1-ip object-group service all-tcp-udp access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3 access-list extended SCC-OUT permit ip host 10.0.0.5 everything list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3 access CAMPUS-wide LAN ip allowed list a whole access-list CSC - acl note scan web and mail traffic access-list CSC - acl extended permit tcp any any eq smtp access-list CSC - acl extended permit tcp any any eq pop3 access-list CSC - acl note scan web and mail traffic access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3

  access-list extended INTERNET2-IN permit ip any host 1.1.1.2

  access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0

  access list DNS-inspect extended permit tcp any any eq field

  access list DNS-inspect extended permit udp any any eq field

  access-list extended capin permit ip host 172.16.1.234 all

  access-list extended capin permit ip host 172.16.1.52 all

  access-list extended capin permit ip any host 172.16.1.52

  Capin list extended access permit ip host 172.16.0.82 172.16.0.61

  Capin list extended access permit ip host 172.16.0.61 172.16.0.82

  access-list extended capout permit ip host 2.2.2.2 everything

  access-list extended capout permit ip any host 2.2.2.2

  Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0

  pager lines 24

  Enable logging

  debug logging in buffered memory

  asdm of logging of information

  Internet1-outside of MTU 1500

  Internet2-outside of MTU 1500

  interface-dmz MTU 1500

  Campus-lan of MTU 1500

  MTU 1500 CSC-MGMT

  IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1

  IP check path reverse interface internet2-outside

  IP check path reverse interface interface-dmz

  IP check path opposite campus-lan interface

  IP check path reverse interface CSC-MGMT

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 621.bin

  don't allow no asdm history

  ARP timeout 14400

  interface of global (internet1-outside) 1

  interface of global (internet2-outside) 1

  NAT (campus-lan) 0-campus-lan_nat0_outbound access list

  NAT (campus-lan) 1 0.0.0.0 0.0.0.0

  NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255

  static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255

  Access-group INTERNET2-IN interface internet1-outside

  group-access INTERNET1-IN interface internet2-outside

  group-access CAMPUS-LAN in campus-lan interface

  CSC-OUT access-group in SCC-MGMT interface

  Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1

  Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  AAA authentication enable LOCAL console

  Enable http server

  http 10.0.0.2 255.255.255.255 CSC-MGMT

  http 10.0.0.8 255.255.255.255 CSC-MGMT

  HTTP 1.2.2.2 255.255.255.255 internet2-outside

  HTTP 1.2.2.2 255.255.255.255 internet1-outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  crypto internet2-outside_map outside internet2 network interface card

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  Crypto ca certificate chain _SmartCallHome_ServerCA

  certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as

  quit smoking

  ISAKMP crypto enable internet2-outside

  crypto ISAKMP policy 10

  preshared authentication

  aes encryption

  md5 hash

  Group 2

  life 86400

  Telnet 10.0.0.2 255.255.255.255 CSC-MGMT

  Telnet 10.0.0.8 255.255.255.255 CSC-MGMT

  Telnet timeout 5

  SSH 1.2.3.3 255.255.255.240 internet1-outside

  SSH 1.2.2.2 255.255.255.255 internet1-outside

  SSH 1.2.2.2 255.255.255.255 internet2-outside

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal VPN_TG_1 group policy

  VPN_TG_1 group policy attributes

  Protocol-tunnel-VPN IPSec

  username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx

  privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx

  username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx

  username vpnuser1 attributes

  VPN-group-policy VPN_TG_1

  type tunnel-group VPN_TG_1 remote access

  attributes global-tunnel-group VPN_TG_1

  address vpnpool1 pool

  Group Policy - by default-VPN_TG_1

  IPSec-attributes tunnel-group VPN_TG_1

  pre-shared-key *.

  !

  class-map cmap-DNS

  matches the access list DNS-inspect

  CCS-class class-map

  corresponds to the CSC - acl access list

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  CCS category

  CSC help

  cmap-DNS class

  inspect the preset_dns_map dns

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y

  : end

  Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN

  Please tell what to do here, to pin all of the traffic Internet from VPN Clients.

  That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)

  I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.

  Thank you & best regards

  MAXS

  
  

  Hello

  If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.

  I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.

  The command format is

  packet-tracer intput tcp

  That should tell what the SAA for this kind of package entering its "input" interface

  Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)

  -Jouni

• PIX v6.3 Site-to-Site with policy NAT

  Hi guys,.

  I need to set up a site to site with nat because we have overlapping subnet at the other end.

  They need access to both servers on our network with IP static.

  Site A: 192.168.100.0/24

  Site b: 192.168.200.128/25

  The other site has chosen this network for NAT: 10.200.50.0/28

  I need to translate

  192.168.100.10 > 10.200.50.2

  192.168.100.20 > 10.200.50.3

  through the tunnel

  That's what I've done so far, will this work? Any problem that may appear with this config?

  Crypto ACL:

  VPN ip 10.200.50.0 access list allow 255.255.255.240 192.168.200.128 255.255.255.128

  Policy_NAT1 list of allowed access host ip of 192.168.100.10 192.168.200.128 255.255.255.128

  Policy_NAT2 list of allowed access host ip 192.168.100.20 192.168.200.128 255.255.255.128

  NAT (inside) 10 access-list Policy_NAT1 0 0

  NAT (inside) 11 access-list Policy_NAT2 0 0

  overall 10 10.200.50.2 (outside)

  Overall 11 10.200.50.3 (outside)

  Thanks in advance!

  Hello

  Your configuration looks very good.

  Although I guess it's a dynamic configuration policy NAT/PAT.

  Incase you want to configure static policy NAT, you need to change a bit. I mean if you wanted a NAT configuration allowing to form bidirectional connection. Both from your site to the remote site and the remote site to your side. You can always use the same ACL you have configured, but you would use the "static" configurations.

  public static 10.200.50.2 (inside, outside) - Policy_NAT1 access list

  public static 10.200.50.3 (inside, outside) - Policy_NAT2 access list

  Review with the static NAT to politics and the dynamic policy NAT/PAT which would be if these hosts have static NAT configured at the direction of the 'outside' interface while static NAT would cancel both of these configurations.

  If you use the political dynamic NAT and had also a static NAT for the host, then you would have to change from the above static NAT in a policy to override the static NAT.

  And with the foregoing in mind possible existing static NAT and new static NAT of policy might have some problems as a whole. In this case the scheduling of NAT rules would determine if static NAT of the policy has been applied already. If you already had the configured static NAT then it would nullify the political new static NAT:. The solution would be to remove the static NAT and enter it again. This would move the static NAT once the static NAT to policy in the order that they appear on the CLI format configuration and, therefore, static political NAT would work for the specified destination and addresses the static NAT for all other destination addresses.

  Hope I made any sense

  Feel free to ask more if necessary while

  -Jouni

• IPSEC VPN from Site to Site - NAT problem with address management

  Hi all

  I have two Cisco ASA 5505 performing of IPSEC Site to Site VPN. All traffic inside each firewall through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at the site B and launch of the ASDM or SSH, etc.

  The problem I have is when I'm logged on the ASA site B management traffic is given the external address. I created this as interesting traffic to get it to go through the VPN but I need to use the inside address of ASA B. The following is possible:

  • If I can make the ASA Site B to use inside interface as its address management (I already have management access to the inside Interface)
  • I have NAT can address external interfaces to Site B before moving through the VPN tunnel management traffic so that it appears to come from Site B inside the address
  • I can NAT VPN traffic as it appears in the Site A for management traffic to Site B on the right address.

  The problem is that my PRACTICE Please also come from this address and I need the application before being on an internal address to even if my CA.

  Thanks for any help.

  Ian

  Thanks, I understand what you are trying to achieve now.

  However, I think that I don't have good news for you. Unfortunately PEIE request can be initiated of the SAA within the interface, as there is no option to start the query from the inside interface. With other features of management such as AAA, logging, you have an option to specify what ASA desired originally to demand from interface, but CEP doesn't have this option.

  Here's how you can configure under the trustpoint crypto, but unfortunately by specifying the interface doesn't not part of option:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2262210

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• ASA ASA from Site to Site VPN IPSec Tunnel

  Any help would be greatly appreciated...

  I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.

  Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24

  Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24

  Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.

  Internet access works very well in all workstations of this site.  A static route is configured to redirect all traffic to a public router upstream.

  Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address.  A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private Public NAT.  Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)

  The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem.  However, all traffic passing on networks ICMP does not end and the Syslog reports the following-

  Site #1-

  6

  January 19, 2011

  15:27:21

  302020

  ZEFF-SB-01_LAN

  1

  10.1.1.51

  0

  Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  6

  January 19, 2011

  15:27:23

  302021

  10.1.1.51

  0

  ZEFF-SB-01_LAN

  1

  Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  Site #2-

  6

  January 19, 2011

  15:24:47

  302020

  10.1.1.51

  0

  10.0.0.30

  1

  Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1

  6

  January 19, 2011

  15:24:49

  302021

  10.0.0.30

  1

  10.1.1.51

  0

  Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP

  It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow segments of LAN out to any destination.  At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).

  Anyone can shed light on a possible cause of this problem?

  Thank you

  Nick

  did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?

  Please provide the following information

  -set up the tunnel

  -show the isa cry his

  -show the ipsec cry his

  -ping of the site 1 site 2 via tunnel

  -capture "crypto ipsec to show his" once again

  -ping from site 2 to 1 by the tunnel of the site

  -capture "crypto ipsec to show his" once again

  -two ASA configuration.