ASA VPN works not

Similar Questions

• ASA 5520 8.0 (4) port depending on the ACLs vpn works not

  Hi all

  I have a problem with an ASA (5520 8.0 (4)) for lack of working with a port based acl for remote clients. I have a simple acl from a single line to split traffic, if I allowed the tunnel IP works fine, if I lock it up to TCP 3389 rdp will not work. I don't see anything in the logs and debug output, I did have a problem with a similar configuration (5510 8.0 (4) and I'm at a loss to explain it.)

  Everyone knows about this problem before? I have nat exclusions etc and as I said, the tunnel only works if the acl permits all IP traffic between client and server.

  THX in advance

  Split-tunnel list cannot IP, if you want to restrict which ports are are sent via the tunnel vpn for your clients vpn, you need to use VPN filters under Group Policy:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

• Split DNS on ASA 5510 access remote vpn works not

  I connect successfully to the tunnel and can ping hosts remotely by IP but am unable to browse the internet from the VPN client. Also, the resolution of host name on the remote end does not work... can only connect through the IP address. Ideas? Thanks again!

  Your group policy will SUFFER a good split tunneling and divide the dns settings. But I think that you are awarded the DfltGrpPolicy rather than your group policy will SUFFER because group policy is not set in your group of tunnel, nor be transmitted from authentication.

  Make a vpn-sessiondb distance 'show' to confirm what group policy is assigned to fix it, assign your group policy will BE to your group of tunnel as follows:

  global-tunnel-group attributes

  Will BE by default-group-policy

  -heather

• Site to site VPN works not

  Hello

  I can't get my work vpn site-to-site. Not only that but I am unable to get an internet connection through my ASA. I need to use the IP address public for my local network provided by IPS = 99.143.97.186 - 190 = 255.255.255.248 subnet mask

  I followed this tutorial: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

  can someone please take a look at my settings and help out me? Very much appreciated. Thank you.

  See the ciscoasa config (config) #.
  : Saved
  : Written by enable_15 at 01:12:15.869 UTC Thu Sep 4 2008
  !
  ASA Version 8.2 (5)
  !
  ciscoasa hostname
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 99.143.97.186 255.255.255.248
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 192.168.1.84 255.255.255.0
  !
  interface Vlan3
  No nameif
  no level of security
  no ip address
  !
  passive FTP mode
  access-list extended 100 permit ip 99.143.97.184 255.255.255.248 host 206.127.20.63
  99.143.97.184 IP Access-list extended sheep 255.255.255.248 allow host 206.127.20.63
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0 access-list sheep
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 206.127.20.63 255.255.255.255 192.168.1.254 1
  Route outside 206.127.21.3 255.255.255.255 192.168.1.254 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 99.143.97.184 255.255.255.248 inside
  http 99.143.97.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  correspondence address card crypto outside_map 20 100
  peer set card crypto outside_map 20 206.127.21.3
  card crypto outside_map 20 transform-set RIGHT
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  Configure CRL
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd outside auto_config
  !
  dhcpd address 99.143.97.187 - 99.143.97.190 inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  tunnel-group 206.127.21.3 type ipsec-l2l
  IPSec-attributes tunnel-group 206.127.21.3
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  anonymous reporting remote call
  Cryptochecksum:0ab759de3926ddb63f79f18a8422409e

  ciscoasa (config) # show crypto isakmp his

  There is no isakmp sas

  ciscoasa (config) # show ip performance
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 99.143.97.186 255.255.255.248
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 192.168.1.84 255.255.255.0
  !

  You have an interface incorrect configuration: -.

  Add these lines and share how it rates:

  interface Vlan1
  no address ip 99.143.97.186 255.255.255.248
  IP 192.168.1.84 255.255.255.0

  interface Vlan2
  no address ip 192.168.1.84 255.255.255.0
  IP 99.143.97.186 255.255.255.248

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Conncetion VPN works not-Tecra A8 / WXP

  Hello

  I have a Toshiba Tecra A8 (3 years) with Windows XP / SP3.
  Everything works fine (network cable or wireless; Bluetooth too), with when I tried to configure a VPN connection to my company's server, it does not work.

  The router in my house works well, as well the firewall in the work of the company.
  I know that because the other Win XP or Win 7 PC and laptop can connect to the company.
  I got the Error Message "721" (from component VPN) which could also be a network adapter error (unsupported protocol or if)- but there might be another reason too.

  I tried to update the network adapter driver, but did not find a more recent software.
  And currently, I am unwilling to upgrade to Windows 7 without knowing it, the error seems too.

  Any ideas? Advice and links to possible answers, I would like to say thank you in advance.
  Concerning
  Peter

  Don't know if this problem of card s really a LAN as described above; the network administrator must check everything first and determine if this problem of client for s (VPN) software.

• R7000 PPTP VPN works not

  I have a windows VPN (PPTP) Server behimd my Nighthawk R7000 router but the router does not allow for VPN passthrough? Any ideas?

  I have port 47 GRE TCP/UDP and TCP 1723/UDP sent to my IP address of the VPN server. Am I missing something? It be a checkbox to enable VPN passthrough but I don't see on the R7000 nighthawk? Its not me to VPN in my network. Help, please. Once again it is for Windows VPN not the customer to Open VPN (that I don't want to use)

  Yes, I have forwarded manually and yes I have chosen pptp vpn in the drop down menu. I managed to solve the problem though! I just removed the pptp vpn service from the drop down and added service pptp again and now everything works fine.

• After ASA 7.1 (2) upgrade 8.0 (4) remote VPN is not working properly.

  I just upgraded my ASA from 7 to 8 and now, my remote access VPN working properly. The tunnels connect and I can ping anything, but I can't browse network shares or connect to Exchange.

  No idea as to what I'm missing?

  Thank you

  Dan

  IPSec VPN packets are removed when compression is enabled, when you configure the enable command ip-comp under Group Policy, then large packages that are eligible for compression are deleted in silence by the security apparatus. VPN compression is only useful for very slow Internet connections, so we suggest you disable compression (ip-comp disable). Alternatively, you can move on to build interim 8.0 (4.16) or later. (CSCsu26649)

  Release notes for Cisco 8.0.4.

• What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

  Hi all

  Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

  You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed.

  Michael

  Please note all useful posts

• I can't access my email works through outlook over a VPN. The signin VPN works ok, I can see my network co., but can not use outlook. 'Microsoft Exchange Server' reported an error (0 x 80040115)

  prospects for bt infinity

  I recently changed my home to infinity of BT broadband.  Now I can't access my email works through outlook over a VPN.  The signin VPN works ok, I can see my network co., but can not use outlook.   I get the following error at startup of outlook.

  Task 'Microsoft Exchange Server' reported an error (0 x 80040115): ' the connection to the Microsoft Exchange Server is unavailable.  Outlook must be online or connected to complete this action. »

  Anyone have any ideas?

  Allan M

  Hello

  Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the TechNet Windows 7 networking forum.

  http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

  Kind regards

  Ramata Thakur

• After the upgrade yesterday from Vista to Windows 7, now my Cisco VPN does not work and I get an error message titled: grounds 440 driver fault. Any ideas to fix this?

  After the upgrade yesterday from Vista to Windows 7, now my Cisco VPN does not work and I get an error message titled: grounds 440 driver fault.  Any ideas to fix this?

  This was the solution!  The works of vpn as $ 1 million now.  I followed the instructions above to enter the uninstall program and selecting the repair option.  I rebooted the machine, then used the troubleshooting on vpn software compatibility option.  Selected Windows windows xp (service pack 2) as the correct software and cisco vpn client started right up.

  Thanks, Nick!

  Rick

• Site to Site VPN working without Crypto Card (ASA 8.2 (1))

  Hi all

  Find a strange situation on our firewall to ASA5540:

  We have a few Site to Site VPN and also activate on the ASA VPN cleint, all are working properly. But finding that a VPN from Site to Site is running without crypto map configuration. Is this possible?

  I tried to erase isa his and claire ipsec his then VPN came once again. Tested too, it's the ping requests to a remote site through the VPN.

  I saw there are config tunnel-group for VPN but saw no card crypto and ACL.

  How is the firewall knows what traffic should be encrypted for this VPN tunnel without crypto card?

  This is the bug?

  Thanks in advance,

  It can be an easy vpn configuration.

  Could you post output config operation remove any sensitive information.  This could help us answer your question more specifically.

• IPSec sequence numbers not working not for the multi VPN

  a site at a single site VPN works no problem, but when I add the second peer in the concentrator, router it does not connect. There is no routing in place that all routers are connected to the same switch, and with no crypto card they can all two ping 192.168.2.1. With crypto card only 192.168.2.2 can ping 192.168.2.1. I'm at a loss as to what I'm doing wrong, it seems simple I just add the Test input with a different number, but it won't work.

  Ask any other question you can think of. I followed the same controls on both spoke routers so that it seems that it would be in the hub, router, but he beat me as to why.

  Thanks for the help.

  Concentrator, router:

  ----------------------------------------------------------------------------------------------------------------------------------------------

  R1 #sh card crypto

  1 test card crypto ipsec-isakmp

  Peer = 192.168.2.2

  Expand the IP 110 access list

  access ip-list 110 permit a whole

  Current counterpart: 192.168.2.2

  Life safety association: 4608000 kilobytes / 86400 seconds

  PFS (Y/N): N

  Transform sets = {}

  Test,

  }

  Interfaces using crypto sheet test:

  FastEthernet0/0

  2 ipsec-isakmp crypto map test

  Peer = 192.168.2.3

  Expand the IP 110 access list

  access ip-list 110 permit a whole

  Current counterpart: 192.168.2.3

  Life safety association: 4608000 kilobytes / 86400 seconds

  PFS (Y/N): N

  Transform sets = {}

  Test,

  }

  Interfaces using crypto sheet test:

  FastEthernet0/0

  ---------------------------------------------------------------------------------------------------------------------------------------------

  R2 #sh card crypto

  1 test card crypto ipsec-isakmp

  Peer = 192.168.2.1

  Expand the IP 110 access list

  access ip-list 110 permit a whole

  Current counterpart: 192.168.2.1

  Life safety association: 4608000 kilobytes / 86400 seconds

  PFS (Y/N): N

  Transform sets = {}

  Test,

  }

  Interfaces using crypto sheet test:

  FastEthernet0/0

  ----------------------------------------------------------------------------------------------------------------------------------------------

  R3 #sh card crypto

  1 test card crypto ipsec-isakmp

  Peer = 192.168.2.1

  Expand the IP 110 access list

  access ip-list 110 permit a whole

  Current counterpart: 192.168.2.1

  Life safety association: 4608000 kilobytes / 86400 seconds

  PFS (Y/N): N

  Transform sets = {}

  Test,

  }

  Interfaces using crypto sheet test:

  FastEthernet0/0

  There is a typing error in the IP for the PSK on R3.

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• ASA VPN

  Hello

  I have a question concerning the VPN, is it possible to configure the two IPsec VPN site-to-site and remote access vpn on the same ASA and working at the same time, does require one or two different public ip addresses?

  I have cisco ASA 5540 - version 9.1

  Best regards

  Hello

  Yes, you can with 1 single public ip address. You need to activate the same-security-traffic allow intra-interface functionality to allow a customer vpn site-to-site vpn access if you need.

  Take a look at the Cisco documentation;

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Thank you

  PS: Please do not forget to rate and score as good response if this solves your problem

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• Site to Site between ASA VPN connection and router 2800

  I'm trying to get a L2L VPN working between a ASA code 8.4 and a 2800 on 12.4.

  I first saw the following errors in the debug logs on the side of the ASA:

  Error message % PIX | ASA-6-713219: KEY-GAIN message queues to deal with when
  ITS P1 is complete.

  I see the following on the end of 2800:

  ISAKMP: (0): treatment charge useful vendor id
  ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
  ISAKMP: (0): provider ID is NAT - T v3
  ISAKMP: (0): treatment charge useful vendor id
  ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  ISAKMP (0): provider ID is NAT - T RFC 3947
  ISAKMP: (0): treatment charge useful vendor id
  ISAKMP: (0): treatment of frag vendor id IKE payload
  ISAKMP: (0): IKE Fragmentation support not enabled
  ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

  ISAKMP: (0): built NAT - T of the seller-rfc3947 ID
  ISAKMP: (0): send package to x.x.x.x my_port 500 peer_po0 (R) MM_SA_SETUP
  ISAKMP: (0): sending a packet IPv4 IKE.
  ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

  ISAKMP (0): packet received from x.x.x.x dport 500 sports global (R)

  MM_SA_SETUP
  ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

  ISAKMP: (0): processing KE payload. Message ID = 0
  ISAKMP: (0): processing NONCE payload. Message ID = 0
  ISAKMP: (0): found peer pre-shared key x.x.x.x corresponding
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): provider ID is the unit
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): provider ID seems the unit/DPD but major incompatibility of 54
  ISAKMP: (2345): provider ID is XAUTH
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): addressing another box of IOS!
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): vendor ID seems the unit/DPD but hash mismatch
  ISAKMP: receives the payload type 20
  ISAKMP (2345): sound not hash no match - this node outside NAT
  ISAKMP: receives the payload type 20
  ISAKMP (2345): no NAT found for oneself or peer
  ISAKMP: (2345): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  ISAKMP: (2345): former State = new State IKE_R_MM3 = IKE_R_MM3

  ISAKMP: (2345): sending package x.x.x.x my_port Exchange 500 500 (R)

  MM_KEY_EXCH

  ----------

  This is part of the configuration of the ASA:

  network of the ABCD object
  10.20.30.0 subnet 255.255.255.0
   
  network of the ABCD-Net object
  172.16.10.0 subnet 255.255.255.0
   
  cry-map-77-ip object-group XXXX object abc-site_Network allowed extended access list
   
  access list abc-site extended permitted ip object-group XXXX object abc-site_Network
   
  ip access list of abc-site allowed extended object abc-site_Network object-group XXXX-60
   
  NAT (any, any) static source 20 XXXX XXXX-20 destination static abc-site_Network abc-site_Network
   
  NAT (any, any) static source 20 XXXX XXXX-20 destination static abc-site_Network abc-site_Network
   
  XXXX-20
   
  object-group network XXXX-20
  ABCD-Net network object
  object-abcd-Int-Net Group
   
  XXXX_127
   
  object-group network XXXX-20
  ABCD-Net network object
  object-abcd-Int-Net Group
   
  ip access list of abc-site allowed extended object abc-site_Network object-group XXXX-60
   
   
  Crypto card off-map-44 11 match address cry-map-77
  card crypto out-map-44 11 counterpart set 62.73.52.xxx
  card crypto out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  cry-map-77-ip object-group XXXX object abc-site_Network allowed extended access list

  Crypto card off-map-44 11 match address cry-map-77
  card crypto out-map-44 11 counterpart set 62.73.52.xxx
  card crypto out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto out-map-44 11 set transform-set ESP-3DES-SHA ikev1

  object-group network XXXX
  ABCD-Net network object
  object-abcd-Int-Net Group

  ------------------------

  Here is a part of the 2800:

  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  ISAKMP crypto key r2374923 address 72.15.21.xxx
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  card crypto cry-map-1 1 ipsec-isakmp
  the value of 72.15.21.xxx peer
  game of transformation-ESP-3DES-SHA
  match address VPN
  !
  type of class-card inspect match class-map-vpn
  game group-access 100
  type of class-card inspect cm-inspect-1 correspondence
  group-access name inside-out game
  type of class-card inspect correspondence cm-inspect-2
  match the name of group-access outside
  !
  !
  type of policy-card inspect policy-map-inspect
  class type inspect cm-inspect-1
  inspect
  class class by default
  drop
   
  type of policy-card inspect policy-map-inspect-2
  class type inspect class-map-vpn
  inspect
  class type inspect cm-inspect-2
  class class by default
  drop
  !

  !
  interface FastEthernet0
  IP address 74.25.89.xxx 255.255.255.252
  NAT outside IP
  IP virtual-reassembly
  security of the outside Member area
  automatic duplex
  automatic speed
  crypto cry-card-1 card
  !
  interface FastEthernet1
  no ip address
  Shutdown
  automatic duplex
  automatic speed
  !
  IP nat inside source overload map route route-map-1 interface FastEthernet0
  !
  IP access-list extended inside-out
  IP 172.16.10.0 allow 0.0.0.255 any
  IP nat - acl extended access list
  deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  deny ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  deny ip 0.0.255.255 28.20.14.xxx.0.0 172.16.10.0 0.0.0.255
  refuse the 10.10.10.0 ip 0.0.0.255 172.16.10.0 0.0.0.255
  refuse the 172.16.10.0 ip 0.0.0.255 192.168.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 10.200.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 192.168.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 10.10.10.0 0.0.0.255
  allow an ip
  outside extended IP access list
  allow an ip
  list of IP - VPN access scope
  IP 172.16.10.0 allow 0.0.0.255 192.168.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 10.200.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 192.168.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 10.10.10.0 0.0.0.255
  IP 192.168.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
  IP 10.200.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
  IP 192.168.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
  28.20.14.xxx.0.0 0.0.255.255 ip permit 172.16.10.0 0.0.0.255
  ip licensing 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255

  access-list 23 allow 192.168.0.0 0.0.255.255
  access-list 23 allow 10.200.0.0 0.0.255.255
  access-list 23 allow 172.16.10.0 0.0.0.255
  access-list 123 note category class-map-LCA-4 = 0
  access-list 123 allow ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 0.0.255.255 28.20.14.xxx.0.0 172.16.10.0 0.0.0.255
  access-list 123 allow ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  !
  !
  !

  !
  route-map-1 allowed route map 1
  match the IP nat - acl
  !

  Hello

  I quickly browsed your config and I could notice is

  your game of transformation (iskamp) on SAA and router are not the same, try to configure the same on both sides.

  in the statement of the ASA NAT you gave (any, any) try to give the name of the interface instead of a whole.