HOW connection NAT on ASA 5505

Hello guys

first of all, thank fully any community of cisco, they helped me a lot withouth expert and University...

Today, I have some question on NAT

We HAVE site-to-site VPN, his job very well.  our company demand of patern to use the public Ip address instead of the ip address private field of encryption. and they said, you have to NAT for you the private to the PUblic ip address. really, we don't know how NAT for cisco ASA 5505.

THIS IS THE CASE

OUR COMPANY = USES CISCO ASA 5505

OUR PUBLIC IP ADDRESS: 155.155.1555.20

PRIVATE IP: 192.168.7.2 SOUND LINUX SERVER, THEN HOW WE CAN NAT THIS IP PRIVATE AND CHANGE IN PUBLIC

Thank you very much

Advertisement

If you have 1 public IP address and it is assigned to your ASA outside interface, then you need to configure static PAT (you will need to know what exactly they want to access and configure the specific port they need).

However, if you have a free public IP address, then you need not to know exactly what they need to get to and you can configure the linux server using the public IP to spare.

Also, they need access to the linux server using public IP via the VPN tunnel (encrypted)? or they are happy to access only via the internet (clear text)?

Tags: Cisco Security

Similar Questions

  • How much of VLAN asa 5505 security plus support

    Hello guys. I have asa 5505 Adaptive Security more. and I have only 3 VLAN. outside, inside, restricted DMZ.

    If it works well, but I want to connect my inside another private network, so please can someone help me out here. or I have to buy a license.

    and how can I activate the license key

    Thank you very much

    Here is the explanation since I have no idea about your topology.

    The devices allowed for this platform:

    The maximum physical Interfaces: 8

    VLAN: 3, restricted DMZ

    Inside guests:10

    Failover: disabled

    VPN - A: enabled

    VPN-3DES-AES: enabled

    Peer VPN: 10

    WebVPN peers: 2

    Double ISP: disabled

    Junction ports VLAN: 0

    This platform includes a basic license.

    Here is an example of the license feature set more security:

    The devices allowed for this platform:
    The maximum physical Interfaces: 8
    VLAN: 20, unrestricted DMZ
    The hosts on the inside: unlimited
    Failover: Active / standby
    VPN - A: enabled
    VPN-3DES-AES: enabled
    VPN peer: 25
    WebVPN peers: 2
    Two Internet service providers: enabled
    VLAN Trunk Ports: 8

    This platform includes an ASA 5505 Security Plus license.

    No explanation for DMZ limited.

    • Only 10 of the hosts in the DMZ and LAN combined may contacted outside interface at any time.
    • Only 2 VLAN fully functional (inside and outside generally) are allowed.  The 3rd VLAN, usually a demilitarized zone can only be activated with the command 'no attacking vlan n'that prevents connections to one of the other VLANS, usually inside

    Just in case where if you have basic servers then put inside dmz connections do not allow. If you have more security then should not be any problem. As you mentioned on the IP ranges vlan if all belong to the inside and then connecting with outside shouldn't be a problem.

    Thank you

    Ajay

  • NAT error ASA 5505 to 5510

    Connection refused because of the failure of path opposite of that of NAT

    I put a second location of ASA and not can communicate through the VPN is implemented. The error I get is (rules asymmetrical NAT matched for flows forward and backward; Connection for icmp outside CBC: 192.168.72.14 internal dst: 192.168.73.103 (type 0, code 0) rejected due to the failure of reverse NAT) when trying to ping a host on the network iinsde the 73 to a host within the network of 72.

    I mirrored the statements of nat VPN work. I see an ACL to a group of objects but don't see where this is important. Am I missing something obvious?

    HOST:
    ASA Version 8.3 (1)
    !
    host name 5510
    !
    interface Ethernet0/0
    Outside of the interface description
    nameif OUTSIDE
    security-level 0
    IP 72.54.197.28 255.255.255.248
    !
    interface Ethernet0/1
    Interior of a description of the network interface internal
    nameif inside
    security-level 100
    IP 192.168.72.2 255.255.255.0
    !
    boot system Disk0: / asa831 - k8.bin
    permit same-security-traffic intra-interface
    network object obj - 192.168.72.0
    192.168.72.0 subnet 255.255.255.0
    network object obj - 192.168.74.0
    192.168.74.0 subnet 255.255.255.0
    network object obj - 192.168.72.100
    Home 192.168.72.100
    network obj_any object
    subnet 0.0.0.0 0.0.0.0
    network obj_any-01 object
    subnet 0.0.0.0 0.0.0.0
    network object obj - 0.0.0.0
    host 0.0.0.0
    object network obj_any-02
    subnet 0.0.0.0 0.0.0.0
    network object obj - 192.168.73.0
    192.168.73.0 subnet 255.255.255.0
    Rye description
    Citrix1494 tcp service object-group
    port-object eq citrix-ica
    port-object eq www
    EQ object of the https port
    Beach of port-object 445 447
    the ValleywoodInternalNetwork object-group network
    object-network 192.168.72.0 255.255.255.0
    permit access list extended ip object obj - object obj 192.168.72.0 - OUTSIDE_1_cryptomap 192.168.74.0
    Access extensive list ip 192.168.72.0 INSIDE_nat0_inbound allow 255.255.255.0 192.168.74.0 255.255.255.0
    access extensive list ip 192.168.74.0 outside_1_cryptomap allow 255.255.255.0 ValleywoodInternalNetwork object-group
    extended permitted outside-ACL access list tcp any host 192.168.72.100 object - group Citrix1494
    permit access list extended ip object obj - object obj 192.168.72.0 - OUTSIDE_2_cryptomap 192.168.73.0

    NAT (inside, inside) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.74.0 obj - 192.168.74.0
    NAT (INSIDE, OUTSIDE) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.74.0 obj - 192.168.74.0
    NAT (INSIDE, OUTSIDE) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.73.0 obj - 192.168.73.0
    NAT (inside, inside) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.73.0 obj - 192.168.73.0
    !
    network object obj - 192.168.72.100
    NAT (INSIDE, OUTSIDE) static 72.54.197.26
    network obj_any object
    dynamic NAT interface (INSIDE, OUTSIDE)
    network obj_any-01 object
    NAT (INSIDE, OUTSIDE) dynamic obj - 0.0.0.0
    object network obj_any-02
    NAT (management, outside) dynamic obj - 0.0.0.0
    Access-group outside-ACL in interface OUTSIDE
    Route outside 0.0.0.0 0.0.0.0 72.54.197.25 100

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto outside_map 1 match address outside_1_cryptomap
    outside_map map 1 lifetime of security association set seconds 28800 crypto
    card crypto outside_map 1 set security-association life kilobytes 4608000
    card crypto OUTSIDE_map 1 corresponds to the address OUTSIDE_1_cryptomap
    card crypto OUTSIDE_map 1 set pfs Group1


    card crypto OUTSIDE_map 1 set peer 72.54.178.126
    OUTSIDE_map 1 transform-set ESP-3DES-SHA crypto card game
    card crypto OUTSIDE_map 2 corresponds to the address OUTSIDE_2_cryptomap
    card crypto OUTSIDE_map 2 set pfs Group1
    card crypto OUTSIDE_map 2 set peer 69.15.200.138
    card crypto OUTSIDE_map 2 game of transformation-ESP-3DES-SHA
    OUTSIDE_map interface card crypto OUTSIDE
    ISAKMP crypto identity hostname
    crypto ISAKMP allow outside
    crypto ISAKMP allow inside
    activate the crypto isakmp management
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    tunnel-group 72.54.178.126 type ipsec-l2l
    IPSec-attributes tunnel-group 72.54.178.126
    pre-shared key *.
    tunnel-group 69.15.200.138 type ipsec-l2l
    IPSec-attributes tunnel-group 69.15.200.138
    pre-shared key *.
    !

    DISTANCE:
    : Saved
    :
    ASA Version 8.3 (1)
    !
    host name 5505

    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.73.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 69.15.200.138 255.255.255.252
    !

    boot system Disk0: / asa831 - k8.bin

    network obj_any object
    subnet 0.0.0.0 0.0.0.0
    network of the 192.168.72.0 object
    192.168.72.0 subnet 255.255.255.0
    Description Sixpines
    network of the NETWORK_OBJ_192.168.73.0_24 object
    192.168.73.0 subnet 255.255.255.0
    network object obj - 192.168.73.0
    192.168.73.0 subnet 255.255.255.0
    network of the Sixpines object
    192.168.72.0 subnet 255.255.255.0
    the SixpinesInternalNetwork object-group network
    object-network Sixpines 255.255.255.0
    outside_1_cryptomap extended access list permit ip object obj - 192.168.73.0 object Sixpines

    NAT (dmz, external) NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 Shared static source 192.168.72.0 destination 192.168.72.0
    NAT (inside, all) source static obj - 192.168.73.0 obj - 192.168.73.0 static destination Sixpines Sixpines
    NAT (inside, outside) source static obj - 192.168.73.0 obj - 192.168.73.0 static destination Sixpines Sixpines
    !
    network obj_any object
    NAT dynamic interface (indoor, outdoor)
    Route outside 0.0.0.0 0.0.0.0 69.15.200.137 1

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set pfs Group1
    peer set card crypto outside_map 1 72.54.197.28
    card crypto outside_map 1 set of transformation-ESP-3DES-SHA
    card crypto outside_map 1 the value reverse-road
    outside_map interface card crypto outside
    crypto ISAKMP allow inside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    tunnel-group 72.54.197.28 type ipsec-l2l
    IPSec-attributes tunnel-group 72.54.197.28
    pre-shared key *.
    !
    !

    Any suggestion would be greatly apperciated

    You may need to remove the following ASA remote. I don't know what it is for

    NAT (dmz, external) NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 Shared static source 192.168.72.0 destination 192.168.72.0

  • Error of customer Cisco VPN connection ASA 5505

    I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.

    CISCO VPN CLIENT LOG

    Cisco Systems VPN Client Version 5.0.06.0160

    Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 6.1.7600

    Config files directory: C:\Program Cisco Systems Client\

    1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004

    Establish a secure connection

    3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "71.xx.xx.253".

    4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B

    Attempts to establish a connection with 71.xx.xx.253.

    5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001

    From IKE Phase 1 negotiation

    6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253

    7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

    9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer is a compatible peer Cisco-Unity

    10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports XAUTH

    11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports the DPD

    12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports NAT - T

    13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports fragmentation IKE payloads

    14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001

    IOS Vendor ID successful construction

    15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253

    16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055

    Sent a keepalive on the IPSec Security Association

    17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083

    IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194

    18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072

    Automatic NAT detection status:

    Remote endpoint is NOT behind a NAT device

    This effect is behind a NAT device

    19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

    20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

    21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E

    Customer address a request from firewall to hub

    22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

    23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1

    26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0

    27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250

    28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251

    29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000

    30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA

    31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

    32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45

    33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

    34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

    35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019

    Data in mode Config received

    36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056

    Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

    37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253

    38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

    40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify has value of 86400 seconds

    41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047

    This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now

    42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

    44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

    45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049

    IPsec security association negotiation made scrapped, MsgID = 89EE7032

    46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017

    Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

    47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058

    Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8

    49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

    50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B

    IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

    51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012

    ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED".  Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

    52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025

    Initializing CVPNDrv

    53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046

    Set indicator established tunnel to register to 0.

    54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001

    Signal received IKE to complete the VPN connection

    ----------------------------------------------------------------------------------------

    ASA 5505 CONFIG

    : Saved

    :

    ASA Version 8.2 (1)

    !

    ciscoasa hostname

    domain masociete.com

    activate tdkuTUSh53d2MT6B encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 172.26.0.252 255.255.0.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address 71.xx.xx.253 255.255.255.240

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    clock timezone IS - 5

    clock to summer time EDT recurring

    DNS server-group DefaultDNS

    domain masociete.com

    access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA

    Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0

    outside_access_in list extended access permit icmp any one

    outside_access_in list extended access udp allowed any any eq 4500

    outside_access_in list extended access udp allowed any any eq isakmp

    outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp

    outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389

    inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240

    inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask

    ICMP unreachable rate-limit 1 burst-size 1

    enable ASDM history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 1 0.0.0.0 0.0.0.0

    static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

    static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    Enable http server

    http 172.26.0.0 255.255.0.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

    Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

    Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

    Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd outside auto_config

    !

    no basic threat threat detection

    no statistical access list - a threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    value of server WINS 172.26.0.250 172.26.0.251

    value of 172.26.0.250 DNS server 172.26.0.251

    Protocol-tunnel-VPN IPSec l2tp ipsec svc

    value by default-field TLCUSA

    internal LIMUVPNPOL1 group policy

    LIMUVPNPOL1 group policy attributes

    value of 172.26.0.250 DNS server 172.26.0.251

    VPN-idle-timeout 30

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list LIMU_Split_Tunnel_List

    the address value VPN_POOL pools

    internal TLCVPNGROUP group policy

    TLCVPNGROUP group policy attributes

    value of 172.26.0.250 DNS server 172.26.0.251

    Protocol-tunnel-VPN IPSec l2tp ipsec svc

    Re-xauth disable

    enable IPSec-udp

    value by default-field TLCUSA

    barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0

    username barry.julien attributes

    VPN-group-policy TLCVPNGROUP

    Protocol-tunnel-VPN IPSec l2tp ipsec

    bjulien bhKBinDUWhYqGbP4 encrypted password username

    username bjulien attributes

    VPN-group-policy TLCVPNGROUP

    attributes global-tunnel-group DefaultRAGroup

    address VPN_POOL pool

    Group Policy - by default-DefaultRAGroup

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    tunnel-group DefaultRAGroup ppp-attributes

    no authentication ms-chap-v1

    ms-chap-v2 authentication

    type tunnel-group TLCVPNGROUP remote access

    attributes global-tunnel-group TLCVPNGROUP

    address VPN_POOL pool

    Group Policy - by default-TLCVPNGROUP

    IPSec-attributes tunnel-group TLCVPNGROUP

    pre-shared-key *.

    ISAKMP ikev1-user authentication no

    tunnel-group TLCVPNGROUP ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

    : end

    enable ASDM history

    can you try to change the transformation of dynamic value ESP-3DES-SHA map.

    for example

    remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5

    and replace with

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  • Internet VERY slow connection on SD2008 connected to ASA 5505

    I recently bought a SD2008 (2008/11/28) to replace an older Linksys 10/100 switch for my home network. This switch connects to an ASA 5505 to go to the internet. I have improved since most of my pc have 10/100/1000 and the new NAS I purchased also connects to 1000 so I wanted to speed internally.

    The cries of network domestic now

    BUT...

    Get out to the internet has now slowed to crawl of a lily "slowski". I used to get 16-18Mbps using the 10/100 switch. Now, I'm lucky to get 1 MB/s dl speed.

    Any suggestions would be greatly appreciated.

    Too bad. I found the answer on a completely different thread that actually worked. I've linked the SD2008 to the ASA 5505 with a crossover cable, set the port speed/duplex AUTO/AUTO, restarted the ASA, and everything was back to normal.

    So much for the detection of cut MDI/MDI-X auto...

    Hope this helps someone else.

  • Problem with ASA 5505 VPN remote access

    After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

    Here is the cfg running of the ASA

    ----------------------------------------------------------------------------------------

    : Saved

    :

    ASA Version 8.4 (1)

    !

    hostname NCHCO

    enable encrypted password xxxxxxxxxxxxxxx

    xxxxxxxxxxx encrypted passwd

    names of

    description of NCHCO name 192.168.2.0 City offices

    name 192.168.2.80 VPN_End

    name 192.168.2.70 VPN_Start

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.2.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address **. ***. 255.255.255.248

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    boot system Disk0: / asa841 - k8.bin

    passive FTP mode

    network of the NCHCO object

    Subnet 192.168.2.0 255.255.255.0

    network object obj - 192.168.1.0

    subnet 192.168.1.0 255.255.255.0

    network object obj - 192.168.2.64

    subnet 192.168.2.64 255.255.255.224

    network object obj - 0.0.0.0

    subnet 0.0.0.0 255.255.255.0

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    the Web server object network

    the FINX object network

    Home 192.168.2.11

    rdp service object

    source between 1-65535 destination eq 3389 tcp service

    Rdp description

    outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0

    inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

    permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224

    outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    LAN_Access list standard access allowed 192.168.2.0 255.255.255.0

    LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

    NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0

    AnyConnect_Client_Local_Print deny ip extended access list a whole

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

    AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

    outside_access_in list extended access permit tcp any object FINX eq 3389

    outside_access_in_1 list extended access allowed object rdp any object FINX

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 649.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

    NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

    NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

    !

    network obj_any object

    NAT dynamic interface (indoor, outdoor)

    the FINX object network

    NAT (inside, outside) interface static service tcp 3389 3389

    Access-group outside_access_in_1 in interface outside

    Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    network-acl outside_nat0_outbound

    WebVPN

    SVC request to enable default svc

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    http *. **. ***. 255.255.255.255 outside

    http *. **. ***. 255.255.255.255 outside

    http NCHCO 255.255.255.0 inside

    http 96.11.251.186 255.255.255.255 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform

    IKEv1 crypto ipsec transform-set l2tp-transformation mode transit

    Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

    transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

    Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1

    transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    crypto dynamic-map dyn-map 10 set pfs Group1

    crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1

    dynamic-map encryption dyn-map 10 value reverse-road

    Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

    Crypto-map dynamic outside_dyn_map 20 the value reverse-road

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    peer set card crypto outside_map 1 74.219.208.50

    card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

    map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    inside crypto map inside_map interface

    card crypto vpn-map 1 match address outside_1_cryptomap_1

    card crypto vpn-card 1 set pfs Group1

    set vpn-card crypto map peer 1 74.219.208.50

    card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map

    dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

    crypto isakmp identity address

    Crypto ikev1 allow inside

    Crypto ikev1 allow outside

    IKEv1 crypto ipsec-over-tcp port 10000

    IKEv1 crypto policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    IKEv1 crypto policy 15

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 35

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    enable client-implementation to date

    Telnet 192.168.1.0 255.255.255.0 inside

    Telnet NCHCO 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.0 inside

    SSH NCHCO 255.255.255.0 inside

    SSH timeout 5

    Console timeout 0

    dhcpd address 192.168.2.150 - 192.168.2.225 inside

    dhcpd dns 216.68.4.10 216.68.5.10 interface inside

    lease interface 64000 dhcpd inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    value of server DNS 192.168.2.1

    L2TP ipsec VPN-tunnel-Protocol ikev1

    nchco.local value by default-field

    attributes of Group Policy DfltGrpPolicy

    value of server DNS 192.168.2.1

    L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

    allow password-storage

    enable IPSec-udp

    enable dhcp Intercept 255.255.255.0

    the address value VPN_Pool pools

    internal NCHCO group policy

    NCHCO group policy attributes

    value of 192.168.2.1 DNS Server 8.8.8.8

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

    value by default-field NCHCO.local

    admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

    username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

    username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

    attributes global-tunnel-group DefaultRAGroup

    address (inside) VPN_Pool pool

    address pool VPN_Pool

    authentication-server-group (inside) LOCAL

    authentication-server-group (outside LOCAL)

    LOCAL authority-server-group

    authorization-server-group (inside) LOCAL

    authorization-server-group (outside LOCAL)

    Group Policy - by default-DefaultRAGroup

    band-Kingdom

    band-band

    IPSec-attributes tunnel-group DefaultRAGroup

    IKEv1 pre-shared-key *.

    NOCHECK Peer-id-validate

    tunnel-group DefaultRAGroup ppp-attributes

    No chap authentication

    no authentication ms-chap-v1

    ms-chap-v2 authentication

    tunnel-group DefaultWEBVPNGroup ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    tunnel-group 74.219.208.50 type ipsec-l2l

    IPSec-attributes tunnel-group 74.219.208.50

    IKEv1 pre-shared-key *.

    type tunnel-group NCHCO remote access

    attributes global-tunnel-group NCHCO

    address pool VPN_Pool

    Group Policy - by default-NCHCO

    IPSec-attributes tunnel-group NCHCO

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

    : end

    ASDM image disk0: / asdm - 649.bin

    ASDM VPN_Start 255.255.255.255 inside location

    ASDM VPN_End 255.255.255.255 inside location

    don't allow no asdm history

    ---------------------------------------------------------------------------------------------------------------

    And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:

    ---------------------------------------------------------------------------------------------------------------

    Cisco Systems VPN Client Version 5.0.07.0440

    Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 6.1.7601 Service Pack 1

    Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

    1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

    Try to find a certificate using hash Serial.

    2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

    Found a certificate using hash Serial.

    3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

    RELOADED successfully certificates in all certificate stores.

    4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

    Establish a secure connection

    6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "*." **. ***. *** »

    7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

    Try to establish a connection with *. **. ***. ***.

    8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

    From IKE Phase 1 negotiation

    9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

    10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

    12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

    Peer is a compatible peer Cisco-Unity

    13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports XAUTH

    14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports the DPD

    15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports NAT - T

    16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports fragmentation IKE payloads

    17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

    IOS Vendor ID successful construction

    18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

    19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

    IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

    20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

    Automatic NAT detection status:

    Remote endpoint is NOT behind a NAT device

    This effect is NOT behind a NAT device

    21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

    22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

    Launch application xAuth

    25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

    Attributes of the authentication request is 6: 00.

    26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

    xAuth application returned

    27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

    IPSec driver started successfully

    29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

    34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

    Customer address a request from firewall to hub

    35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

    39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

    40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

    41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

    42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

    43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

    44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

    SPLIT_NET #1

    = 192.168.2.0 subnet

    mask = 255.255.255.0

    Protocol = 0

    SRC port = 0

    port dest = 0

    45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

    46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

    47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

    48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

    49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

    50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

    Data in mode Config received

    51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

    Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

    52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

    53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

    55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify has value of 86400 seconds

    56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

    This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

    57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">

    59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify is set to 28800 seconds

    60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

    61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

    IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

    62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

    OUTGOING ESP SPI support: 0xAAAF4C1C

    63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

    Charges INBOUND ESP SPI: 0x3EBEBFC5

    64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

    Launch VAInst64 for controlling IPSec virtual card

    66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

    The virtual card has been activated:

    IP=192.168.2.70/255.255.255.0

    DNS = 192.168.2.1, 8.8.8.8

    WINS = 0.0.0.0 0.0.0.0

    Domain = NCHCO.local

    Split = DNS names

    67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

    68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

    Were saved successfully road to file changes.

    69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    **. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

    192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

    192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

    192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

    70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

    The routing table has been updated for the virtual card

    71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

    A secure connection established

    72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

    Look at address added to 96.11.251.149.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

    73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

    Look at address added to 192.168.2.70.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

    74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

    Did not find the smart card to watch for removal

    75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

    Creates a new key structure

    77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

    Adding key with SPI = 0x1c4cafaa in the list of keys

    78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

    Creates a new key structure

    79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

    Adding key with SPI = 0xc5bfbe3e in the list of keys

    80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

    Assigned WILL interface private addr 192.168.2.70

    81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

    Configure the public interface: 96.11.251.149. SG: **.**.***.***

    82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

    Define indicator tunnel set up in the registry to 1.

    83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205276

    85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

    87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

    88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

    Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

    89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205277

    91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

    93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

    94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205278

    96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

    98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

    ---------------------------------------------------------------------------------------------------------------

    Any help would be appreciated, thanks!

    try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.

  • SCP behind the ASA 5505 may not help ping an internet address,.

    There must be a problem of ACL configuration.  How to configure the ASA 5505 so that computers

    behind an internet can ping 4.2.2.2 such IP address or www.google.com.

    Thank you

    David

    If you have no ACLs on the external interface, please use the following command to allow ICMP through the ASA.

    fixup protocol icmp.

    So try and ping. Let me know if this helps.

    Also, please give us a little more in detail so that we can understand and help you better

    See you soon,.

    Nash.

  • ASA 5505 as internet gateway (must reverse NAT)

    Hi all the Cisco guru

    I have this diet:

    Office-> Cisco 877-> Internet-> ASA 5505-> remote network

    Office network: 192.168.10.0/24

    Cisco 877 IP internal: 192.168.10.200

    Cisco 877 external IP: a.a.a.a

    ASA 5505 external IP: b.b.b.b

    ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

    Remote network: 192.168.17.0/24 and 192.168.1.0/24

    VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.

    But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:

    305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT

    Ping of OLD-private interface to google result:

    110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

    Result of traceroute

    How can I fix reverse NAT and make ASA as internet gateway?

    There is my full config

    !
    ASA Version 8.2 (2)
    !
    hostname ASA2
    domain default.domain.invalid
    activate the encrypted password password
    encrypted passwd password
    names of
    !
    interface Vlan1
    Description INTERNET
    1234.5678.0002 Mac address
    nameif WAN
    security-level 100
    IP address b.b.b.b 255.255.248.0
    OSPF cost 10
    !
    interface Vlan2
    OLD-PRIVATE description
    1234.5678.0202 Mac address
    nameif OLD-private
    security-level 0
    IP 192.168.17.3 255.255.255.0
    OSPF cost 10
    !
    interface Vlan6
    Description MANAGEMENT
    1234.5678.0206 Mac address
    nameif management
    security-level 0
    192.168.1.3 IP address 255.255.255.0
    OSPF cost 10
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    Shutdown
    !
    interface Ethernet0/2
    Shutdown
    !
    interface Ethernet0/3
    Shutdown
    !
    interface Ethernet0/4
    Shutdown
    !
    interface Ethernet0/5
    Shutdown
    !
    interface Ethernet0/6
    switchport trunk allowed vlan 2.6
    switchport mode trunk
    !
    interface Ethernet0/7
    Shutdown
    !
    connection of the banner * W A R N I N G *.
    banner connect unauthorized access prohibited. All access is
    connection banner monitored, and intruders will be prosecuted
    connection banner to the extent of the law.
    Banner motd * W A R N I N G *.
    Banner motd unauthorised access prohibited. All access is
    Banner motd monitored and trespassers will be prosecuted
    Banner motd to the extent of the law.
    boot system Disk0: / asa822 - k8.bin
    passive FTP mode
    DNS domain-lookup WAN
    DNS server-group DefaultDNS
    Server name dns.dns.dns.dns
    domain default.domain.invalid
    permit same-security-traffic intra-interface
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    object-group service RDP - tcp
    RDP description
    EQ port 3389 object
    Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
    Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
    WAN_access_in list of allowed ip extended access all any debug log
    WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
    WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
    MANAGEMENT_access_in list of allowed ip extended access all any debug log
    access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
    access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
    OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
    access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
    access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
    access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
    Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
    WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
    WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
    Capin list extended access permit ip host 192.18.17.155 192.168.10.7
    Capin list extended access permit ip host 192.168.10.7 192.168.17.155
    LAN_access_in list of allowed ip extended access all any debug log
    Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
    Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0

    permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
    pager lines 24
    Enable logging
    recording of debug trap
    logging of debug asdm
    Debugging trace record
    Debug class auth record trap
    MTU 1500 WAN
    MTU 1500 OLD-private
    MTU 1500 management
    mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP permitted host a.a.a.a WAN
    ICMP deny any WAN
    ICMP permitted host 192.168.10.7 WAN
    ICMP permitted host b.b.b.b WAN
    ASDM image disk0: / asdm - 631.bin
    don't allow no asdm history
    ARP timeout 14400
    Global (OLD-private) 1 interface
    Global interface (management) 1
    NAT (WAN) 1 0.0.0.0 0.0.0.0

    inside_nat0_outbound (WAN) NAT 0 access list
    WAN_access_in access to the WAN interface group
    Access-group interface private-OLD OLD-PRIVATE_access_in
    Access-group MANAGEMENT_access_in in the management interface
    Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    local AAA authentication attempts 10 max in case of failure
    Enable http server
    http 192.168.1.0 255.255.255.0 WAN
    http 0.0.0.0 0.0.0.0 WAN
    http b.b.b.b 255.255.255.255 WAN
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Service resetoutside
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
    card crypto WAN_map 1 set peer a.a.a.a
    WAN_map 1 transform-set ESP-DES-SHA crypto card game
    card crypto WAN_map WAN interface
    ISAKMP crypto enable WAN
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    the Encryption
    sha hash
    Group 1
    life 86400
    Telnet timeout 5
    SSH a.a.a.a 255.255.255.255 WAN
    SSH timeout 30
    SSH version 2
    Console timeout 0
    dhcpd auto_config management
    !

    a basic threat threat detection
    host of statistical threat detection
    Statistics-list of access threat detection
    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
    NTP server 129.6.15.28 source WAN prefer
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    internal admin group strategy
    group admin policy attributes
    DNS.DNS.DNS.DNS value of DNS server
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list LAN_IP
    privilege of encrypted password password username administrator 15
    type tunnel-group admin remote access
    tunnel-group admin general attributes
    address pool VPN_Admin_IP
    strategy-group-by default admin
    tunnel-group a.a.a.a type ipsec-l2l
    tunnel-group a.a.a.a general-attributes
    strategy-group-by default admin
    a.a.a.a group of tunnel ipsec-attributes
    pre-shared-key *.
    NOCHECK Peer-id-validate
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !

    Thank you for your time and help

    Why you use this NAT type?

    Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
    NAT (OLD-private) 0-list of access WAN_nat0_outbound

    You are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.

    If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:

    NAT (OLD-private) 1 0.0.0.0 0.0.0.0

    Global (WAN) 1 interface

  • Strange behavior of NAT ASA 5505

    Hello

    We have an ASA 5505 version 9.1 (5) and we need to open port TCP 55055 firewall that redirect to TCP port 80 on ip QNAP Viostor 192.168.11.254

    I added a network object in this way:

    The Viostor object network

    Home 192.168.11.54

    Description QNAP_Viostor

    NAT rule:

    NAT (inside, outside) interface static service tcp 80 55055

    Firewall rule:

    access-list outside_access_in line 8 Note Viostor

    allowed to Access-list outside_access_in line 9 extended tcp any Viostor eq 55055 object

    When I try to connect with the application Android Vmobile I see that notify the journal of the ASA:

    Request TCP and eliminated from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

    The ASA has no server UDP which serves the UDP request

    I don't understand why UDP instead of TCP.

    Please help me!

    Thank you

    Ahmed, thanks for your replies... However're missing you something important (sw ASA version). Tracer package shows THAT NAT is not affected; and on this sw version ACL does not use external_IP or mapped IP, but the real_IP instead.

    s.be00001, follow these steps:

    object service 55055 service tcp source eq 55055object service www service tcp source www!nat (inside,outside) 1 source static Viostor interface service www 55055!access-list outside_access_in line 9 extended permit tcp any object Viostor eq www
    Run the packet - trace and send us the results:
    packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
  • VPN IPSec passthrough ASA 5505 (v9.2.4) - connected but no access

    Hello

    Here's my situation:

    I am trying to connect a client IPSec VPN via an ASA 5505 to an other ASA 5505. In fact, I can make the connection to the VPN but all accesses are blocked (ping or IP access).

    When I use a router ISP directly or at home, I have no problem (ping and IP access follow the firewall rules). Connection and access are allowed.

    Schema:

    I have attached both the configuration for this post

    I've recently updated 8.2.5 ASA 8.4.6 and 9.2.4. An another ASA 5505 v8.2.5 works well in both way (via ASA VPN connection) and the VPN through ASA1 this ASA.

    I have tried many solution to solve the problem (nat/ipsec static inspection), but I failed to solve it. I tried to see asp in ASA1 drop, but I was right to drop only "nat-xlate-failed".

    Thanks for your help because I'm going crazy...

    Olivier,

    PS: Sorry for my English...

    Hi Olivier,.

    Could enable you icmp on the ASA inspection?

    Use this command and check:

    fixup protocol icmp

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • connect Cisco VPN client v5 to asa 5505

    I have remote vpn configuration issues between ASA5505 and Cisco VPN client v5. Successfully, I can establish a connection between the client Vpn and ASA and receive the IP address of the ASA. Statistical customer VPN windows shows that packets are sent and encrypted but none of the packages is received/decrypted.

    Cannot ping asa 5505

    Any ideas on what I missed?

    Try adding...

    ISAKMP nat-traversal crypto

    In addition, you cannot ping the inside interface of the ASA vpn without this command...

    management-access inside

    Please evaluate the useful messages.

  • Ikev1 ASA 5505 VPN connection error

    Hello

    I had previously defined our VPN using IPsec on our ASA 5505 via the ASDM.   It was workign fine until an outtage power loses my settings on the device.  (possibly a recording of order is not pressed)

    Now when I try and put in place, once again I am recieveing an error to port binding.  I have configured as normal using the wizard and activate split defintion and exempt the network inside.

    The isssue when you apply the settings that I get is:

    "[ERROR] crypto ikev 1 activate outdoors.

    IkevReceiverInit, cannot bind the port. "

    When I try to connect to the VPN I then get an error "the server cannot be reached" or something similar to that...

    Could someone please shed some light on what can cause this problem?

    Best regards, the Paris

    William.

    Hello

    Thanks for the information!

    We will need to know why this host using UDP 4500 and if this host really needs to use this port.

    What type of application is running on this host?

    What is a host internal or external?

    You may also block the host on the SAA on the incoming interface to avoid the use of the UDP 4500 port using a group of access (outside or inside). Don't forget that you will need a ip to allow a at the end of the ACL to avoid any problems. Another option would be to use IKEv1/IPsec over TCP

    IKEv1/IPsec over TCP allows a Cisco VPN client operate in an environment in which IKEv1 or standard ESP may not work or may work only with the change of the existing firewall rules. IPsec over TCP encapsulates IPsec protocols both IKEv1 in a TCP packet as and allows a tunnel secure two firewalls and NAT and PAT devices. This feature is disabled by default.

    The default port is 10000.

    HostName (config) # ikev1 crypto ipsec-over-tcp

    You also need to activate on the VPN client under the profile.

    Change > Transport > IPSec over TCP.

    I hope this helps.

    Luis.

  • ASA 5505 Anyconnect traversal nat error

    Good afternoon gents,

    I installed an ASA 5505 and can connect with anyconnect, but when I do, I can't access my LAN, then my LAN can access my laptop.  In the newspapers, I see the following error message:

    Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 refused because of the failure of path opposite of that of NAT.

    I can't seem to figure this point and nothing I read to try worked. Here's the relevant config, any help would be GREATLY appreciated.

    interface Vlan1
    nameif inside
    security-level 100
    IP 10.201.180.10 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 67.200.133.107 255.255.255.248
    !

    access extensive list ip 10.139.50.0 inside_nat0_outbound allow 255.255.255.0 10.201.180.0 255.255.255.0
    access extensive list ip 10.201.180.0 inside_nat0_outbound allow 255.255.255.0 10.139.50.0 255.255.255.0

    mask 10.139.50.1 - 10.139.50.50 255.255.255.0 IP local pool SSLClientPool

    Global 1 interface (outside)
    NAT (inside) 0 inside_nat0_outbound list of outdoor access
    NAT (inside) 1 0.0.0.0 0.0.0.0

    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    AAA authentication enable LOCAL console
    the ssh LOCAL console AAA authentication

    Try the nat statement 0 without the keyword on the outside.

    NAT (inside) 0-list of access inside_nat0_outbound

    In addition,

    sh run sysopt and stick out.

    Manish

  • ASA 5505 AnyConnect 8.2 connect other subnets from site to site

    Hello

    I'm somehwat new Cisco and routing. I have an installation of two ASA 5505 that are configured for the site to site vpn and AnyConnect. The AnyConnect subnet can connect to inside VLANs to the SiteA but I can't for the remote to Site B subnet when you use AnyConnect. Any ideas? I have to add the subnet of 10.0.7.0/24 to the site to site policy? Do I need to set up several NAT rules? Details below.

    Site A: ASA 5505 8.2

    Outside: 173.X.X.X/30

    Inside: 10.0.5.0/24

    AnyConnect: 10.0.7.0/24

    Site b: ASA 5505 8.2

    Outsdie: 173.X.X.X/30

    Inside: 10.0.6.0/24

    The AnyConnect subnet cannot access the network of 10.0.6.0/24.

    Any help would be greatly appreciated! Thank you!

    Hello Kevin,

    You must go back to identity (outdoors, outdoor) identity NAT (essentially for two subnets (Anyconnect and Remote_IPSec).

    And of course to include traffic in the ACL for IPSec crypto and (if used) split with the Anyconnect tunnel.

    Note all useful posts!

    Kind regards

    Jcarvaja

    Follow me on http://laguiadelnetworking.com

  • ASA 5505 IPSEC VPN connected but cannot access the local network

    ASA: 8.2.5

    ASDM: 6.4.5

    LAN: 10.1.0.0/22

    Pool VPN: 172.16.10.0/24

    Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

    I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

    Here is my setup, wrong set up anything?

    ASA Version 8.2 (5)

    !

    hostname asatest

    domain XXX.com

    activate 8Fw1QFqthX2n4uD3 encrypted password

    g9NiG6oUPjkYrHNt encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.1.1.253 255.255.252.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    address IP XXX.XXX.XXX.XXX 255.255.255.240

    !

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS server-group DefaultDNS

    domain vff.com

    vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

    access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

    pager lines 24

    Enable logging

    timestamp of the record

    logging trap warnings

    asdm of logging of information

    logging - the id of the device hostname

    host of logging inside the 10.1.1.230

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA-server protocol nt AD

    AAA-server host 10.1.1.108 AD (inside)

    NT-auth-domain controller 10.1.1.108

    Enable http server

    http 10.1.0.0 255.255.252.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 10.1.0.0 255.255.252.0 inside

    SSH timeout 20

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal group vpntest strategy

    Group vpntest policy attributes

    value of 10.1.1.108 WINS server

    Server DNS 10.1.1.108 value

    Protocol-tunnel-VPN IPSec l2tp ipsec

    disable the password-storage

    disable the IP-comp

    Re-xauth disable

    disable the PFS

    IPSec-udp disable

    IPSec-udp-port 10000

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list vpntest_splitTunnelAcl

    value by default-domain XXX.com

    disable the split-tunnel-all dns

    Dungeon-client-config backup servers

    the address value vpnpool pools

    admin WeiepwREwT66BhE9 encrypted privilege 15 password username

    username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

    the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

    tunnel-group vpntest type remote access

    tunnel-group vpntest General attributes

    address vpnpool pool

    authentication-server-group AD

    authentication-server-group (inside) AD

    Group Policy - by default-vpntest

    band-Kingdom

    vpntest group tunnel ipsec-attributes

    pre-shared-key BEKey123456

    NOCHECK Peer-id-validate

    !

    !

    privilege level 3 mode exec cmd command perfmon

    privilege level 3 mode exec cmd ping command

    mode privileged exec command cmd level 3

    logging of the privilege level 3 mode exec cmd commands

    privilege level 3 exec command failover mode cmd

    privilege level 3 mode exec command packet cmd - draw

    privilege show import at the level 5 exec mode command

    privilege level 5 see fashion exec running-config command

    order of privilege show level 3 exec mode reload

    privilege level 3 exec mode control fashion show

    privilege see the level 3 exec firewall command mode

    privilege see the level 3 exec mode command ASP.

    processor mode privileged exec command to see the level 3

    privilege command shell see the level 3 exec mode

    privilege show level 3 exec command clock mode

    privilege exec mode level 3 dns-hosts command show

    privilege see the level 3 exec command access-list mode

    logging of orders privilege see the level 3 exec mode

    privilege, level 3 see the exec command mode vlan

    privilege show level 3 exec command ip mode

    privilege, level 3 see fashion exec command ipv6

    privilege, level 3 see the exec command failover mode

    privilege, level 3 see fashion exec command asdm

    exec mode privilege see the level 3 command arp

    command routing privilege see the level 3 exec mode

    privilege, level 3 see fashion exec command ospf

    privilege, level 3 see the exec command in aaa-server mode

    AAA mode privileged exec command to see the level 3

    privilege, level 3 see fashion exec command eigrp

    privilege see the level 3 exec mode command crypto

    privilege, level 3 see fashion exec command vpn-sessiondb

    privilege level 3 exec mode command ssh show

    privilege, level 3 see fashion exec command dhcpd

    privilege, level 3 see the vpnclient command exec mode

    privilege, level 3 see fashion exec command vpn

    privilege level see the 3 blocks from exec mode command

    privilege, level 3 see fashion exec command wccp

    privilege see the level 3 exec command mode dynamic filters

    privilege, level 3 see the exec command in webvpn mode

    privilege control module see the level 3 exec mode

    privilege, level 3 see fashion exec command uauth

    privilege see the level 3 exec command compression mode

    level 3 for the show privilege mode configure the command interface

    level 3 for the show privilege mode set clock command

    level 3 for the show privilege mode configure the access-list command

    level 3 for the show privilege mode set up the registration of the order

    level 3 for the show privilege mode configure ip command

    level 3 for the show privilege mode configure command failover

    level 5 mode see the privilege set up command asdm

    level 3 for the show privilege mode configure arp command

    level 3 for the show privilege mode configure the command routing

    level 3 for the show privilege mode configure aaa-order server

    level mode 3 privilege see the command configure aaa

    level 3 for the show privilege mode configure command crypto

    level 3 for the show privilege mode configure ssh command

    level 3 for the show privilege mode configure command dhcpd

    level 5 mode see the privilege set privilege to command

    privilege level clear 3 mode exec command dns host

    logging of the privilege clear level 3 exec mode commands

    clear level 3 arp command mode privileged exec

    AAA-server of privilege clear level 3 exec mode command

    privilege clear level 3 exec mode command crypto

    privilege clear level 3 exec command mode dynamic filters

    level 3 for the privilege cmd mode configure command failover

    clear level 3 privilege mode set the logging of command

    privilege mode clear level 3 Configure arp command

    clear level 3 privilege mode configure command crypto

    clear level 3 privilege mode configure aaa-order server

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

    : end

    Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

    The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

    On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

Maybe you are looking for