Road by default from version 6.3 PIX IPsec tunnel

Similar Questions

• ASA ASA from Site to Site VPN IPSec Tunnel

  Any help would be greatly appreciated...

  I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.

  Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24

  Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24

  Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.

  Internet access works very well in all workstations of this site.  A static route is configured to redirect all traffic to a public router upstream.

  Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address.  A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private Public NAT.  Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)

  The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem.  However, all traffic passing on networks ICMP does not end and the Syslog reports the following-

  Site #1-

  6

  January 19, 2011

  15:27:21

  302020

  ZEFF-SB-01_LAN

  1

  10.1.1.51

  0

  Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  6

  January 19, 2011

  15:27:23

  302021

  10.1.1.51

  0

  ZEFF-SB-01_LAN

  1

  Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  Site #2-

  6

  January 19, 2011

  15:24:47

  302020

  10.1.1.51

  0

  10.0.0.30

  1

  Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1

  6

  January 19, 2011

  15:24:49

  302021

  10.0.0.30

  1

  10.1.1.51

  0

  Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP

  It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow segments of LAN out to any destination.  At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).

  Anyone can shed light on a possible cause of this problem?

  Thank you

  Nick

  did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?

  Please provide the following information

  -set up the tunnel

  -show the isa cry his

  -show the ipsec cry his

  -ping of the site 1 site 2 via tunnel

  -capture "crypto ipsec to show his" once again

  -ping from site 2 to 1 by the tunnel of the site

  -capture "crypto ipsec to show his" once again

  -two ASA configuration.

• PIX IPSec tunnel - IOS, routing Options

  Hello

  I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.

  Have I not all options about any routing protocol can I use?

  Are there plans to add GRE support to PIX, so that EIGRP, OSPF can be used?

  ------Naman

  Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html

• Win2K NAT would be from 1650 to a PIX 515 - does not

  Hello

  :

  I have a working VPN config on my 515 (6.2.2) and can tunnel from one host with a valid external IP without any problem. But, with a NAT would be customer, nothing seems to work.

  I use RADIUS to authenticate after using a password for the group. Here is the sequence of events.

  (1) client machine as a 10.0.0.1 address, NAT had a public address to come into the port of 'outside '.

  (2) the client connects, the user enters GANYMEDE password and is connected.

  (3) the user tries to browse any service and can not.

  (4) if the user switches DNS to an external server, the portion of the split tunnel internet works fine but inside is still broken.

  (5) clients with static IP addresses that are publicly routable connect and can perform all internal and external activities of split tunnel.

  Excerpts from config. I'm doing something wrong?

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac noaset

  Crypto dynnoamap dynamic-map 10 transform-set noaset

  noamap 10 card crypto ipsec-isakmp dynamic dynnoamap

  Harpy of authentication card crypto client noamap

  noamap interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address noapool pool noagroup

  vpngroup dns 66.119.192.1 Server noagroup

  vpngroup noagroup wins server - 66.119.192.4

  vpngroup noagroup by default-field noanet.net

  vpngroup split-tunnel vpn - IP noagroup

  vpngroup idle 3600 noagroup-time

  vpngroup password noagroup *.

  Help and thanks in advance.

  Mike

  You do not have something wrong. The problem is that NAT (NAT actually PAT, port) and IPSec is not working very well, and many features PAT can PAT IPSec traffic to all (PIX included until version 6.3).

  The problem is that PAT depends on using the port number TCP or UDP source as a way to differentiate between sessions, because they are all PAT would be from the same source IP address. However IPSec (ESP at least), tracks right on top of IP, in other words, it is NOT a TCP or UDP protocol, and therefore has no associated port number. It breaks most of the PAT devices.

  The reason for which you can build your tunnel initially, it is that it is all done by ISAKMP, which is a UDP protocol, which can be PAT would be fine. Once the tunnel is built however, all encrypted data are sent by packs of ESP, which as I said, is not a TCP or UDP protocol.

  Trnalsations NAT static work cause they do not rely on the use of the port number, they just change the address of the source that works very well with ESP.

  There is not much you can do about it. If you were closing the VPN into a VPN3000 concentrator, it has a feature called IPSec through NAT, which encapsulates all ESP packets in a UDP packet, which can then be PAT would be properly. The PIX, unfortunately, doesn't have this feature. The only solution is to get a NAT device that manages properly the IPSEc. Surprisingly, some of the less expensive devices on the market handle it, but you should check with each manufacturer to be sure.

• In the latest versions of FireFox, there's a display option which allowed a change in the size of the fonts and objects on the screen temporarily on the fly. This seems to be missing from version 6.

  In the latest versions of FireFox, there's a display option which allowed a change in the size of the fonts and objects on the screen temporarily on the fly. This seems to be missing from version 6. It was very useful and should be added to version 6.

  https://support.Mozilla.com/en-us/KB/how-do-i-customize-toolbars

  If you mean the - and + Zoom control so it is always there in Firefox 6.0

  or
  View-> Zoom

  Edit: I see that you are using Windows 7 where the menu bar is hidden as a Firefox orange button by default. Some menus objects much may not be visible in the menu of the Firefox button. Show the Menu bar or use the - and + Zoom controls buttons.

• "How to change the gateway by default from the command prompt"

  "How to change the gateway by default from the command prompt"

  How to change the default gateway on the windows command line

  Microsoft Windows XP - route

• How can I get back my default from Itunes to window media

  How can I get back my default from Itunes to window media

  http://Windows.Microsoft.com/en-us/Windows-Vista/change-which-programs-Windows-uses-by-default

  Change the programs that Windows uses by default

  http://www.vista4beginners.com/set-your-default-programs

  Read the above info.

  How to set file Associations:

  http://articles.TechRepublic.com.com/5100-10878_11-6172036.html

  How do I... Change file extension associations in Windows Vista?

  See you soon.

  Mick Murphy - Microsoft partner

• BlackBerry OS Smartphones Blackberry Bold 9900 software update from version 7.0.0 to version 7.1.0

  HELO everyone

  I tried to upgrade my device software Blackberry Bold 9900 version 7.0.0 to version 7.1.0 but with difficulties. I tried to use the Blackberry Desktop Manager, but there was no version 7.1.0 figure among the available updates. Even when I tried to do it directly through the official website of Blackberry, also Version 7.1.0 was not shown. Finally, I tried to do the update with my phone directly by going to: Options > device > software updates.

  It shows my Version 7.0.0 Bundle 2406 current and available in a version 7.1.0 Bundle 1149. But when I clicked Perform Update to download the new version, he has shown preparing to download but then displays an error message such as "Download cannot continue because your device cannot connect to the update server using the following methods: Wi - Fi.

  During this time, I did not upgrade with a Wi - Fi connection because I have an active blackberry data subscription of 2 GB of my mobile operator.

  Please I need help on how to perform the upgrade from version 7.0.0 to version 7.1.0 with the last packet.

  Thanks to you all I'm waiting for your helpful solution.

  Hello and welcome to the community!

  The easiest way is, on a PC (you can not do on MAC):

  (1) make sure that you have a current backup and your BB complete... you can find the instructions at the link in my auto-sig below.

  2) uninstall all the BB OS packages from your PC,

  (3) make sure you have the BB Desktop Software already installed

  • http://us.BlackBerry.com/software/desktop.html

  (4) download and install on your computer, the BB OS package you want:

  • http://us.BlackBerry.com/support/downloads/download_sites.jsp
  • If all you want are the levels of BONE, it is first sorted by carrier - the carrier supports, your search will be fast. However, some carriers are much slower than others to release updates. To really get the package up-to-date OS for your BB, you need to dig through and find all businesses that support your specific model BB and then compare the BONE levels they support.

  5) remove all copies of the SELLER on your PC. XML... There will be at least one and maybe 2, and they will be located in the same way or to (it changes based on your version of Windows) these files:

  • C:\Program Files (x 86) \Common Files\Research In Motion\AppLoader
  • C:\Users\(your Windows username) \AppData\Roaming\Research In Motion\BlackBerry\Loader XML

  6 (a) to change your level of BB OS installed (at level or lower), you can run the Desktop software and connect your BB... the software should offer the operating system package you have installed on your PC.

  6 (b) or, for recharging your BB OS level installed as well to change, work around the Desktop software and use the CHARGER. EXE directly, through step 2 in this process:

  • http://supportforums.BlackBerry.com/T5/BlackBerry-device-software/how-to-reload-your-operating-syste...
  • Note Although written to "recharge" and the storm, it can be used to upgrade, downgrade or recharge any BB device model - depends on the operating system package you download and install on your PC.

  If, during the process of 6a or 6 b, your BB has an error '507', simply unplug the USB of the BB cord and reinsert it. do nothing else... This should allow the installation to continue.

  If you are on a MAC, you are limited to only your sanctioned carriers OS packages... but can still use any level they currently have to sanction. See this procedure:

  • KB19915 How to perform a clean reload of the smartphone BlackBerry using BlackBerry Desktop Software application software

  Good luck and let us know!

• Next version of FOS PIX?

  Cisco Announces again when it's released the next version of the PIX OS or what will be in it?

  Hello

  The next version will be version 7.0, but we do not have a firm date committed at that time for the release date. It takes some time in 2004, but certainly not in the January/February period. I don't think regarding the features in this release, we have released this information publicly at this point. I would contact the local Cisco account team and see if they can share that info with you after you have signed a Non Disclosure Agreement form. Sorry for the lack of definitive information, but I hope you understand the reasoning for this.

  Scott

• nik software/filters have gone after update from version 2015cc photoshop?

  nik software/filters have gone after update from version 2015cc photoshop?

  Hello

  Must copy CC 2014 Photoshop plugin folder and replace the file in Photoshop CC 2015.

  In windows, please go to C:\Program Adobe Photoshop CC 2014. Copy the plugin folder

  and paste the folder inside the Photoshop CC 2015

  In Mac, please go to application. There will be a folder of Photoshop CC 2014 inside it will be a plugin folder and copy it and replace the same folder in Photoshop CC 2015.

  Let us know if this helps

  Thank you

• Is it possible to upgrade from version Extended CS6 13.0 x 64 to the latest version?

  Is it possible to upgrade from version Extended CS6 13.0 x 64 to the latest version?

  Not sure what you mean by there. Cs6 is the "last" standalone version. For anything else you need to register for creative cloud and at best your existing license will be good for a discount on the first year. The rest is irrelevant by all means.

  Mylenium

• Trying to export a table from version 11.2.0.3 to 10.2.0.3. Get an IMP-0

  Trying to export a table from version 11.2.0.3 to 10.2.0.3. Get an IMP-00010: not an export file is valid, the header check failed
  How to export to another version in Oracle

  Use the VERSION parameter in expdp - http://docs.oracle.com/cd/E11882_01/server.112/e22490/dp_export.htm#sthref150

  Then use impdp to import the file to 10.2.0.3 - http://docs.oracle.com/cd/B19306_01/server.102/b14215/dp_import.htm#i1007653

  HTH
  Srini

• Opening a project from version control

  RH11 | WebHelp

  This may be related to my previous post ("New version available" file status), but I now cannot open a project from version control using the lock button in the dialog box, open a RoboHelp project. It allows me to select a project to open it, but then just sitting there, doing nothing.

  Any ideas?

  Thank you

  Jonathan

  It is all the time, but I recall it being related to the performance of the intermediate layer RSO3 on a 64-bit computer Service. I have downloaded a newer file of the RSO3MiddleTierService.exe of the page below and replace the existing. If you haven't already done so, give it a try.

  https://helpx.Adobe.com/RoboHelp/KB/cant-check-files-RoboSource-Control.html

  Jonathan

• Changing from PC to Mac and the upgrade from versions CS4 to CS6

  Is it possible to upgrade from versions CS4 to CS6 and change to a Mac from a PC?

  Note that you have until December 31, 2012 to upgrade from versions CS4 to CS6.

  http://www.Adobe.com/products/creativesuite/FAQ/upgrade-policy.html

  After this date, you pay the full price.

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon