Config NAT policy in version 8.3

Hi guys

I need help some of you to spend a (site to site) config VPN following ASA 8.2 a ASA v8.3

ASA 8.2

the interface Vlan x

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

Overall 176 172.28.176.10 (outside)

NAT (inside) 176-list of access policy_nat

policy_nat to access ip 192.168.1.0 scope list allow 255.255.255.0 10.190.0.0 255.255.0.0

I started to create a group object for the local and remote network, but just/still missing a "policy-nat" config...

ASA v8.3

local network object

subnet 192.168.1.0 255.255.255.0

remote network object

10.190.0.0 subnet 255.255.0.0

network policy-nat-vpn-range object

172.28.180.0 subnet 255.255.255.0

network policy-nat-WAN-IP object

Home 172.28.180.1

.....

BR,

/ S

You can go (and use your existing object):

network object obj - 172.28.176.10

Home 172.28.176.10

NAT (inside, outside) dynamic source local-network obj - 172.28.176.10 destination static remote-remote network

Tags: Cisco Security

Similar Questions

Eclipse Plugin config changes for different versions of the target operating system.

Nobody knows what changes should I make for my config Eclipse generate a cod for different target operating system versions?

Thank you

Glenn

You can configure it by clicking in the window menu, selecting Preferences, expand BlackBerry JDE, selecting installed components and choose the appropriate BlackBerry JDE or BlackBerry JDE component Package.

Config NAT - T problem

Hello. We are currently setting up a v8.0 (2) running ASA5510. We have the NAT traversal for ipsec configuration using:

Crypto isakmp nat-traversal 20

It works very well. The problem is that whenever I write the config (write mem) it does not keep this setting in the startup-config. A 'show running-config' immediately after a recharge contains the line:

No encryption isakmp nat-traversal

If I edit the config in a txt editor and add "crypto isakmp nat-traversal 20", then copy it to the startup-config, it works. It's not enough, as it lasts only until the next time that the config is updated by a "write mem" command, which case it is invalid later.

Is this a bug in 8.0 (2)? Is it possible to add a persistent entry in the config of the SAA which is * always * retained when a "write mem" command is issued? Any help/advice appreciated.

Thank you.

Yes, a bug has been filed for this:

CSCsj52581

Check the details of the bug here:

http://www.Cisco.com/cgi-bin/support/Bugtool/home.pl

~ Rohit

Config of ASA 8.3 NAT pre then no. - NAT

Hello

I'm trying to set up a VPN S2S on a SAA V8.0.

I want NAT 10.1.1.1 20.2.2.2 (as a result of conflict of IP address to the other side) then exempt from NAT cela on the remote VPN to the subnet of 30.3.3.3

10.1.1.1 is based on the 'inside' interface, the cryptomap VPN is configured and applied to 'outside' interface.

The ACL Crypto is:

VPN line 1 permit access list extended ip 10.1.1.1 host 30.3.3.3

(1) am not familiar with pre 8.3 config, only used 8.4 + in the past, can someone please send the config that NAT / No. - NAT will be.

(2) in the ACL crypto you define real address (10.1.1.1) as the source or the Natt treat (20.2.2.2)?

3) there is also an ACL on the external interface, you allow 30.3.3.3 (remote vpn) access to destination IP, the actual address (10.1.1.1) or the NATT (20.2.2.2) treat?

Thank you!!

It is not a double NAT.

So 10.1.1.1 is simply translated to 20.2.2.2 when the destination IP address is 30.3.3.3.

If this example is correct IE. your acl made reference to the real IP of 10.1.1.1 and 3.3.3.3 destination IP address.

Then the static policy statement NAT uses 20.2.2.2 and refers to the acl.

It is the NAT policy.

Jon

ASA ASA Site2Site VPN with dynamic NAT in version 8.2

I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.

I have some local subnets:

172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24

who will need to access a remote subnet:

10.31.255.128/25

and the requirement is to NAT the following text:

A lot of requirement much NAT.
172.30.1.0/24 NAT at 192.168.104.0/24
172.30.16.0/24 NAT at 192.168.105.0/24
172.30.3.0/24 NAT at 192.168.108.0/24
172.30.12.0/24 NAT at 192.168.106.0/24
172.30.7.0/24 NAT at 192.168.107.0/24
172.30.35.0/24 NAT at 192.168.103.0/24

When you go to the 10.31.255.128/25 subnet.

Here's what I think, I need and I'm looking for confirmation and/or messages.

Config group *.

object-group, LAN using a NAT-NETWORKS
192.168.104.0 subnet 255.255.255.0
192.168.105.0 subnet 255.255.255.0
192.168.108.0 subnet 255.255.255.0
192.168.106.0 subnet 255.255.255.0
192.168.107.0 subnet 255.255.255.0
192.168.103.0 subnet 255.255.255.0

Group of objects to REMOTE-network
subnet 10.31.255.128 255.255.255.128

ACL for the crypto-card *.

REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK

Config NAT

NAT (inside) 10 172.30.1.0 255.255.255.0
NAT (inside) 20 172.30.16.0 255.255.255.0
NAT (inside) 30 172.30.3.0 255.255.255.0
NAT (inside) 40 172.30.12.0 255.255.255.0
NAT (inside) 50 172.30.7.0 255.255.255.0
NAT (inside) 60 172.30.35.0 255.255.255.0

Global (outside) 10 192.168.104.0 255.255.255.0
Global (outside) 20 192.168.105.0 255.255.255.0
Global (outside) 30 192.168.108.0 255.255.255.0
Global (outside) 40 192.168.106.0 255.255.255.0
Global (outside) 50 192.168.107.0 255.255.255.0
Global (outside) 60 192.168.103.0 255.255.255.0

This sets up the set of transformation which is called in the Crypto map.* *.

Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac

This sets up the Crypto map.* *.

address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
peer set card crypto outside_map 72 5.5.5.4
card crypto outside_map 72 set transform-set REMOTE-SET ikev1
outside_map card crypto 72 the value reverse-road

Implements IKE *.

IKEv1 crypto policy 72
sha hash
preshared authentication
Group 2
lifetime 28800
3des encryption

Sets up the Group of tunnel (connection profile) *.

tunnel-group 5.5.5.4 type ipsec-l2l
IPSec-attributes tunnel-group 5.5.5.4
IKEv1 pre-shared-key * TBD *.

Thank you

Mike

With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...

Policy NAT for VPN L2L

Summary:

We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

Here is the config:

# #List of OUR guests

the OURHosts object-group network

network-host 192.168.x.y object

# Hosts PARTNER #List

the PARTNERHosts object-group network

network-host 10.2.a.b object

###ACL for NAT

# Many - to - many outgoing

access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

# One - to - many incoming

VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

# #NAT

NAT (INSIDE) 2-list of access NAT2

NAT (OUTSIDE) 2 172.20.n.0

NAT (INSIDE) 3 access-list VIH3

NAT (OUTSIDE) 3 172.20.n.1

# #ACL for VPN

access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

# #Tunnel

tunnel-group type ipsec-l2l

card <#>crypto is the VPN address

card crypto <#>the value transform-set VPN

card <#>crypto defined peer

I realize that the ACL for the VPN should read:

access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

Thanks in advance.

Patrick

Here is the order of operations for NAT on the firewall:

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

If you can try

(1) a static NAT with an access list that will have priority on instruction of dynamic NAT

(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

Jon

Policy global config use IPS (ASA 5520)

I get an error... ERROR: Global_policy political map is already configured as a service policy when I try to configure the IP addresses. How can I fix this config?

-Change in Config attempt-

HO1ASA01 # conf t

HO1ASA01 (config) # IPS ip access list allow a whole

Class-map IPS-CLASS of HO1ASA01 (config) #.

HO1ASA01(config-CMAP) # match access-list IPS

HO1ASA01(config-CMAP) # policy - map IPS POLICY

HO1ASA01(config-pmap) # IPS - class

HO1ASA01(config-pmap-c) # ips overcrowding relief

HO1ASA01(config-pmap-c) # service - IPS - comprehensive POLICY

ERROR: Global_policy political map is already configured as a service policy

HO1ASA01 (config) #.

HO1ASA01 (config) #.

-During the running Config.

IPS-CLASS class-map

corresponds to the IP access list

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 1024

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the icmp

IPS-POLICY policy-map

IPS-class

IPS overcrowding relief

!

global service-policy global_policy

The reason why you got the warning is because you already had the global "service-policy global_policy" line in the config. You didn't have to be reintroduced in this one.

You must get rid of "policy-map IPS-POLICY.".

Policy overlapping NAT VPN

Hello community,

I'm going nuts here. We try to configure a NAT policy through a site to site VPN tunnel, but can't seem to turn it on. Here is our configuration:

access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list extended sheep allowed host ip 10.23.1.5 192.168.12.0 255.255.255.0

inside_nat_static list extended access allowed host ip 192.168.1.5 192.168.12.0 255.255.255.0

inside_nat_static2 list extended access permit ip host 192.168.1.5 everything

NAT (inside) 0 access-list sheep

NAT (inside) 2 192.168.1.0 255.255.255.0

public static 10.23.1.5 (inside, outside) - inside_nat_static access list

public static 63.123.4.56 (inside, outside) - inside_nat_static2 access list

The VPN part I omitted because it is correct. When we initiate a ping the tunnel arrives. The problem we have is on our side with policy NAT I think. With a ping from the remote desktop on our ASA, we see all incoming traffic, but our server does not transfer out.

Appreciate any input...

-Tom

Tom,

Sorry for the delay, I forgot you, I've just been very busy

Here's what you'll need:

First remove this (intentionally want NAT traffic not to 'sheep')

access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list extended sheep allowed host ip 10.23.1.5 192.168.12.0 255.255.255.0

Then add this to translate your outgoing traffic

access-list 199 permit host ip 192.168.1.5 192.168.12.0 255.255.255.0

public static 10.23.1.5 (inside, outside) access-list 199

Translate your inbound traffic also:

public static 192.168.12.0 (exterior, Interior) net of 192.168.1.0 255.255.255.0

Describe your crypto since translated ACL localhost translated to the remote subnet.

cryptomap list of allowed access host ip 10.23.1.5 192.168.12.0 255.255.255.0

You can remove the other line of the ACL.

Your host should access the 192.168.12.x which is translated remote network.

Try it and let me know how it goes.

Raga

Bi-Directional policy NAT

There's a possible two-way NATs based on strategies? I can find plenty of examples to manage a simple two-way NAT but the Cisco documentation I've read indicates that based on local addresses only translated strategies. However, I have read conflicting Cisco documentation where it says any NAT (in addition to the NAT exemption) can be configured for policy NAT I spent many hours of research a configuration that could handle this, but came up empty. I guess that I'm not the first person to run in this Cisco documentation is just not clear to me.

Site A end VPN Site B and Site C of an ASA 5520 L2L. Site A has no administrative control over B or C. Site B and C choose to expose their same private address space that overlap.

I'm not expert but forced to it by the unexpected release of our network engineer. Can anyone provide assistance?

I know I need to:

1. Enter the address to be translated

2 specify the way inside global translation

I think I do this with:
- public static 172.17.1.1 (exterior, Interior) 10.128.0.0 netmask 255.128.0.0
- access-list 101 permit ip 10.128.0.0 255.128.0.0
- Access-group 101 inside the interface outside
I think I'm going to need to create for this route and directions:
- Route outside 10.128.0.0 255.128.0.0 12.126.x.x
This satifies a VPN, but what about the Site C? Can I use policy NAT to map this client 10.128.0.0/9 to say 172.17.2.2? I know that the address space that I am mapping to does not support the 9 being exposed to me, but I will never exceed the range that I'm mapping. Once I know exactly how IP will come via the VPN, I will actually create a 1:1 translation as governed by our security policy.

I hope I am on the right track here and explained this way that is not too complicated. Any help? I do not know if a bidirectional NAT policy-based device is possible based on the Cisco documentation by what I read. Help!

-(12.126.x.x) Site B (10.128.0.0/9)

Site A - WWW Cloud

(ASA 5520)-(209.128.y.y) Site C (10.128.0.0/9)

I agree with you 100% unfortunately documentation sucks!

If you give to ASA a different public IP address on a different interface and terminate the tunnel there, you can always
Use policy NAT in Site configuration, and it should work.

Try it and tell us if you need assistance.

Federico.

How do you use the config.xml file to determine which version of an application, a user will download?

I have two APKs for the same application and I implemented the config.XML of lower version number working for all screen sizes. The config.XML for the higher version number is set up for only the scresns large and extra-large. Here's the code from the config.xml file.

Version 1

	< media screens android: anyDensity = "true" android: Center = 'true '.
	Android: smallScreens = "true".
	Android: normalScreens = 'true '.
	Android: largeScreens = "true".
	Android: xlargeScreens = "true" / >

Version 2

	< media screens android: anyDensity = "true" android: Center = 'true '.
	Android: smallScreens = "false".
	Android: normalScreens = "false".
	Android: largeScreens = "true".
	Android: xlargeScreens = "true" / >

When I try to download the app on Google game, only the top version is available, regardless of the size of the unit. When I asked Google game why this was not behave as expected, they said that the file manifest for both applications is the same. Here is the code, they shot in the manifest after having used PhoneGap Build.

< media screens android: anyDensity = "true" android: smallScreens = "true" android: normalScreens = "true" android: largeScreens = "true" android: Center = "true" android: xlargeScreens = "true" / >

Can someone explain why PhoneGap Build is not using the settings I set in the config.xml file? And how to fix this?

The tag is not a valid tag in the config.xml file. This is probably why you see the same tag in two, as the build service is ignorant.

As to how solve you this problem. Currently, you can not, but the next version of android-cordova will include the ability to add a tag which you will be able to use like this:

ASA 5505 as internet gateway (must reverse NAT)

Hi all the Cisco guru

I have this diet:

Office-> Cisco 877-> Internet-> ASA 5505-> remote network

Office network: 192.168.10.0/24

Cisco 877 IP internal: 192.168.10.200

Cisco 877 external IP: a.a.a.a

ASA 5505 external IP: b.b.b.b

ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

Remote network: 192.168.17.0/24 and 192.168.1.0/24

VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.

But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:

305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT

Ping of OLD-private interface to google result:

110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

Result of traceroute

How can I fix reverse NAT and make ASA as internet gateway?

There is my full config

!
ASA Version 8.2 (2)
!
hostname ASA2
domain default.domain.invalid
activate the encrypted password password
encrypted passwd password
names of
!
interface Vlan1
Description INTERNET
1234.5678.0002 Mac address
nameif WAN
security-level 100
IP address b.b.b.b 255.255.248.0
OSPF cost 10
!
interface Vlan2
OLD-PRIVATE description
1234.5678.0202 Mac address
nameif OLD-private
security-level 0
IP 192.168.17.3 255.255.255.0
OSPF cost 10
!
interface Vlan6
Description MANAGEMENT
1234.5678.0206 Mac address
nameif management
security-level 0
192.168.1.3 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
Shutdown
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2.6
switchport mode trunk
!
interface Ethernet0/7
Shutdown
!
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd * W A R N I N G *.
Banner motd unauthorised access prohibited. All access is
Banner motd monitored and trespassers will be prosecuted
Banner motd to the extent of the law.
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS domain-lookup WAN
DNS server-group DefaultDNS
Server name dns.dns.dns.dns
domain default.domain.invalid
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
RDP description
EQ port 3389 object
Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
WAN_access_in list of allowed ip extended access all any debug log
WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
MANAGEMENT_access_in list of allowed ip extended access all any debug log
access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
Capin list extended access permit ip host 192.18.17.155 192.168.10.7
Capin list extended access permit ip host 192.168.10.7 192.168.17.155
LAN_access_in list of allowed ip extended access all any debug log
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0

permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
Enable logging
recording of debug trap
logging of debug asdm
Debugging trace record
Debug class auth record trap
MTU 1500 WAN
MTU 1500 OLD-private
MTU 1500 management
mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP permitted host a.a.a.a WAN
ICMP deny any WAN
ICMP permitted host 192.168.10.7 WAN
ICMP permitted host b.b.b.b WAN
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (OLD-private) 1 interface
Global interface (management) 1
NAT (WAN) 1 0.0.0.0 0.0.0.0

inside_nat0_outbound (WAN) NAT 0 access list
WAN_access_in access to the WAN interface group
Access-group interface private-OLD OLD-PRIVATE_access_in
Access-group MANAGEMENT_access_in in the management interface
Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Service resetoutside
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
card crypto WAN_map 1 set peer a.a.a.a
WAN_map 1 transform-set ESP-DES-SHA crypto card game
card crypto WAN_map WAN interface
ISAKMP crypto enable WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 1
life 86400
Telnet timeout 5
SSH a.a.a.a 255.255.255.255 WAN
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd auto_config management
!

a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 129.6.15.28 source WAN prefer
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal admin group strategy
group admin policy attributes
DNS.DNS.DNS.DNS value of DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LAN_IP
privilege of encrypted password password username administrator 15
type tunnel-group admin remote access
tunnel-group admin general attributes
address pool VPN_Admin_IP
strategy-group-by default admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
strategy-group-by default admin
a.a.a.a group of tunnel ipsec-attributes
pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!

Thank you for your time and help

Why you use this NAT type?

Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
NAT (OLD-private) 0-list of access WAN_nat0_outbound

You are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.

If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:

NAT (OLD-private) 1 0.0.0.0 0.0.0.0

Global (WAN) 1 interface

ASA 5505 VPN Client Ipsec config problems

I configured the asa the wizard to Setup vpn, but this still does not work properly. Vpn connect without problem, but I can't access all the resources on the 192.168.1.x subnet. Don't know what I'm missing here, here's a copy of my config.

ASA Version 8.0 (3)
!
host name
domain name
activate the password
names of
!
interface Vlan1
nameif inside
security-level 100
192.168.1.3 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
"Public ip" 255.255.255.0 IP address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 192.168.1.28
domain fmrs.org
GroupVpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
vpngroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access will permit a full
inside_nat0_outbound list of allowed ip extended access all 192.168.99.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
inside_access_in to access ip 192.168.1.0 scope list allow 255.255.255.0 any
access extensive list ip 192.168.99.0 inside_access_in allow 255.255.255.0 any
inside_access_in list of allowed ip extended access all 192.168.99.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.99.2 - 192.168.99.100 255.255.255.0 IP local pool GroupPool
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 602.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 192.168.1.0 255.255.255.0
public static tcp (indoor, outdoor) interface 192.168.1.62 pptp pptp netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 66.76.199.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
RADIUS protocol AAA-server fmrsdc
fmrsdc AAA-server 192.168.1.28
Timeout 5
fmrsasa key
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
Console timeout 0
dhcpd outside auto_config
!

a basic threat threat detection
Statistics-list of access threat detection
GroupVpn internal group policy
GroupVpn group policy attributes
value of server WINS 192.168.1.28
value of server DNS 192.168.1.28
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list GroupVpn_splitTunnelAcl
FMRs.org value by default-field
ID password cisco
tunnel-group GroupVpn type remote access
attributes global-tunnel-group GroupVpn
address pool GroupPool
authentication-server-group fmrsdc
Group Policy - by default-GroupVpn
IPSec-attributes tunnel-group GroupVpn
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b5df903e690566360b38735b6d79e65e
: end

Please configure the following:

ISAKMP nat-traversal crypto

management-access inside

You should be able to ping of the SAA within the IP 192.168.1.3

nat VPN question.

Try to find what happened. I had the remote end raise the tunnel, as they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to until the interface of K_Inc has been added. The network behind this interface is 10/8.

I asked a question earlier in another post and advises him to play opposite road of Cryptography. And who did it. I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.

I am at a loss to why I can't all of a sudden. A bit of history, given routes have not changed. By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route. The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0. None of the nats have changed so if adding the reverse route worked for a day, it should still work. Any thoughts?

interface GigabitEthernet0/3.10

VLAN 10

nameif K_Inc

security-level 100

IP address 192.168.10.254 255.255.255.0

interface GigabitEthernet0/3.141

VLAN 141

cold nameif

security-level 100

IP 192.168.141.254 255.255.255.0

(Cold) NAT 0 access-list sheep

NAT (cold) 1 192.168.141.0 255.255.255.0

Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0

IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0

static 10.40.27.0 (cold, outside) - CSVPNNAT access list

card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE

card crypto Outside_map 5 the value reverse-road

card crypto Outside_map 5 set pfs

card crypto Outside_map 5 set peer 20.x.x.3

Outside_map 5 transform-set ESP-3DES-MD5 crypto card game

card crypto Outside_map 5 defined security-association life seconds 28800

card crypto Outside_map 5 set security-association kilobytes of life 4608000

tunnel-group 20.x.x.3 type ipsec-l2l

20.x.x.3 Group of tunnel ipsec-attributes

pre-shared-key *.

Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1

Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1

Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1

Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1

Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

Tunnel is up:

14 peer IKE: 20.x.x.243

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

EDIT:

I just noticed when tracer packet i run I don't get a phase VPN or encrypt:

Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det

Phase: 1

Type: FLOW-SEARCH

Subtype:

Result: ALLOW

Config:

Additional information:

Not found no corresponding stream, creating a new stream

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 10.90.238.0 255.255.255.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true

hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 4

Type: QOS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false

hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 5

Type: FOVER

Subtype: Eve-updated

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xad090180, priority = 20, area = read, deny = false

hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255

match ip host 192.168.141.10 ColdSpring outside of any

static translation at 74.x.x.50

translate_hits = 610710, untranslate_hits = 188039

Additional information:

Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255

Direct flow from returns search rule:

ID = 0xac541e50, priority = 5, area = nat, deny = false

hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0

match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all

static translation at 192.168.141.0

translate_hits = 4194, untranslate_hits = 20032

Additional information:

Direct flow from returns search rule:

ID = 0xace2c1a0, priority = 5, area = host, deny = false

hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true

hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 9

Type: QOS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false

hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 10

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 339487904 id, package sent to the next module

Information module for forward flow...

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Information for reverse flow...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 11

Type:-ROUTE SEARCH

Subtype: output and contiguity

Result: ALLOW

Config:

Additional information:

found 7.x.x.1 of next hop using ifc of evacuation outside

contiguity Active

0007.B400.1402 address of stretch following mac typo 51982146

Result:

input interface: cold

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

What version are you running to ASA?

My guess is that your two static NAT is configured above policy nat you have configured for the VPN? If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.

--

Please note all useful posts

Link inside the declaration of nat in outermost interface ERROR

Hi all

I'm having a problem with my PIX501 w / "Cisco PIX Firewall Version 6.3 (4)", when ordering I get this caveat, is that normal? because it works perfectly fine in version 7.2 (2)...

THE ERROR:

PIX1 (config) # nat (outside) 1 222.127.244.52 255.255.255.252

WARNING: Link inside the nat in outermost interface declaration.

WARNING: Keyword 'outside' is probably missing.

REFERENCE:

# Sh nameif PIX1

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

In addition,

Here is information on the 'outside' of the order PIX 6.3 setting

outdoors

If this interface is on a lower security interface that you identify by the corresponding overall statement, you must enter on the outside. This feature is called outside NAT or bidirectional NAT.

Note from firewall PIX 6.3.2 source translation is performed before the translation of destination. For this reason, if the political source NAT allows the connection, the xlate will create, even if the traffic is denied by the policy of destination.

Source:

http://www.Cisco.com/en/us/docs/security/PIX/pix63/command/reference/Mr.html#wp1032129

Don't forget to mark the answer as the correct answer or useful rate answers

-Jouni

Disable the NAT for VPN site-to-site

Hello world

I work in a company, and we had to make a VPN site-to site.

Everything works fine, except that the packages sent to my site are translated, in other words: the firewall on the other site (site_B) see only the IP address of my firewall (Site_A).

I tried to solve the problem, but without success, I think that natives of VPN packets is the problem.

Here is my current config running:

ASA Version 8.3(2)

hostname ciscoasa

enable password 9U./y4ITpJEJ8f.V encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.67.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 41.220.X.Y 255.255.255.252 (External WAN public IP Address)

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

clock timezone CET 1

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network 41.220.X1.Y1

host 41.220.X1.Y1

object network NETWORK_OBJ_192.168.67.0_24

subnet 192.168.67.0 255.255.255.0

object network NETWORK_OBJ_172.19.32.0_19

subnet 172.19.32.0 255.255.224.0

object network 194.2.176.18

host 194.2.XX.YY (External IP address public of the other site (Site_B))

description 194.2.XX.YY

access-list inside_access_in extended permit ip any any log warnings

access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging

access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging

access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list 1111 standard permit 172.19.32.0 255.255.224.0

access-list 1111 standard permit 192.168.67.0 255.255.255.0

access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging

access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_access_in extended permit ip any any log warnings

access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging

access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0

access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0

pager lines 24

logging enable

logging monitor informational

logging asdm warnings

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.67.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap_2

crypto map outside_map 1 set peer 194.2.XX.YY

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

telnet 192.168.67.200 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15

username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15

tunnel-group 194.2.XX.YY type ipsec-l2l

tunnel-group 194.2.XX.YY ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect ipsec-pass-thru

service-policy global_policy global

prompt hostname context

Cryptochecksum:0398876429c949a766f7de4fb3e2037e

: end

If you need any other information or explanation, just ask me.

My firewall model: ASA 5505

Thank you for the help.

Hey Houari,.

I suspect something with the order of your NATing statement which is:

NAT (inside, outside) static static source NETWORK_OBJ_172.19.32.0_19 destination NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_172.19.32.0_19

Can you please have this change applied to the ASA:

No source (indoor, outdoor) nat static static NETWORK_OBJ_172.19.32.0_19 destination NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_172.19.32.0_19

NAT (inside, outside) 1 static source NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 static destination NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Try and let me know how it goes.

If she did not help, please put the output form a package tracer will shape your internal network to the remote VPN subnet with the release of «see the nat detail»

HTH,

Mo.

Config NAT policy in version 8.3

Similar Questions

Maybe you are looking for