Strange problem in IPSec Tunnel - 8.4 NAT (2)

Similar Questions

• Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

  Hi all!

  Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.

  On our side as initiator:

  Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004

  The site of the customer like an answering machine:

  14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)

  14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116

  14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116

  Kind regards

  Johan

  From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.

  I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.

• Problems of IPSEC Tunnel & Port fowarding

  Hello

  I have a couple of 837 routers connecting two sites using an IPSEC tunnel.

  In one of the sites, I'm redirected to static NAT port to an internal IP address

  That is to say.

  IP nat inside source static tcp 192.168.57.100 3389 3389 Dialer0 interface

  transmit to RDP from the internet to internal computer.

  The user can access his computer when you use the public IP address, but if it attempts to access the other site using the internal LAN IP he can't

  Any suggestions

  Hello

  Your config NAT 192.168.57.100 over the VPN tunnel as well. Two options for access to this IP address via VPN would be.

  1.) use the IP NAT itself on the VPN tunnel working currently for you.

  2.) use NAT policy so that the VPN tunnel traffic is exempt from NAT. In this case your NAT statement should look like this.

  IP nat inside source static tcp 192.168.57.100 3389 3389 Dialer0 interface - card route

  access-list 101 deny host ip 192.168.57.100

  access-list 101 permit ip 192.168.57.100 host everything

  permitted route map 10

  corresponds to the IP 101

  HTH

  Kind regards

  GE.

• IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

  Hello

  My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

  "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

  NAT takes place before the encryption verification!

  In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

  Thanks for any help

  Best regards

  Heiko

  Hello

  Try to change your static NAT with static NAT based policy.

  That is to say the static NAT should not be applicable for VPN traffic

  permissible static route map 1

  corresponds to the IP 104

  access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

  access-list 104 allow the host ip 10.1.110.10 all

  IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

  HTH

  Kind regards

  GE.

• NAT in the IPSec tunnel between 2 routers x IOS (877)

  Hi all

  We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The question is the inbound static NAT translation problems with the tunnel - port 25 is mapped to the address inside the mail server. The existing configuration works very well for incoming mail, but prevents users from access to the direct mail server (using the private IP address) on port 25.

  Here is the Config NAT:

  nat INET_POOL netmask 255.255.255.252 IP pool

  IP nat inside source map route INET_NAT pool INET_POOL overload

  IP nat inside source static tcp 10.10.0.8 25 25 expandable

  IP nat inside source static tcp 10.10.0.8 80 80 extensible

  IP nat inside source static tcp 10.10.0.8 443 443 extensible

  IP nat inside source static tcp 10.10.0.7 1433 1433 extensible

  IP nat inside source static tcp 10.10.0.7 extensible 3389 3389

  allowed INET_NAT 1 route map

  corresponds to the IP 101

  access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 101 permit ip 10.10.0.0 0.0.0.255 any

  On the SAA, I would setup a NAT exemption, but how do I get the same thing in the IOS?

  See you soon,.

  Luke

  Take a look at this link:

  http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html

  Concerning

  Farrukh

• IPsec client for s2s NAT problem

  Hello

  We have a remote site (Paris) with a 5512 with some s2s and RA light customer vpn (anyconnect IPsec) tunnels.  AnyConnect has no problem, but the ipsec client can not pass traffic on the LAN.  The subnet behind the fw is 10.176.0.0/16 and the RA 10.172.28.0/24 customer pool.  However, we have a s2s than nat 10.0.0.0/8 tunnel and it appears that customers vpn IPSEC RA being bound traffic matches this rule and prevents connectivity to local resources via vpn ipsec client.

  ......

  hits = 485017, user_data = 0x7fffa5d1aa10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol

  IP/ID=10.176.0.0 SRC, mask is 255.255.0.0, port = 0

  IP/ID=10.0.0.0 DST, mask is 255.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = inside, outside = output_ifc

  ...

  Manual NAT policies (Section 1)

  1 (outdoor) static source Paris_Network Paris_Network static destination Remote2_LAN_Networks Remote2_LAN_Networks non-proxy-arp-search to itinerary (inside)

  translate_hits = 58987, untranslate_hits = 807600

  2 (inside) (outside) static source Paris_Network Paris_Network static destination DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2-route search

  translate_hits = 465384, untranslate_hits = 405850

  3 (inside) (outside) static source Paris_Network Paris_Network static destination Remote1_Networks Remote1_Networks-route search

  translate_hits = 3102307, untranslate_hits = 3380754

  4 (outside) (inside) static source Paris_RA_VPN Paris_RA_VPN static destination Paris_Network Paris_Network-route search

  translate_hits = 0, untranslate_hits = 3

  This method works on other sites with almost identical configuration, but for some reason, it doesn't work here.  I can't specify different subnets for the s2s tunnel because there is too much of.  Can someone help me and tell me why I can't get this to work?

  Hello

  So you're saying that the AnyConnect is working but not IPsec? What is the the AnyConnect VPN? It is outside the 10.0.0.0/8 network?

  You should be able to substitute the NAT VPN L2L configuration by simply configuring a separate NAT for the local network for VPN pool traffic at the top of your NAT configurations

  For example

  being PARIS-LAN network

  10.176.0.0 subnet 255.255.0.0

  object netwok PARIS-VPN-POOL

  10.172.28.0 subnet 255.255.255.0

  NAT (inside, outside) 1 static source PARIS PARIS - LAN LAN destination PARIS-VPN-POOL PARIS-VPN-POOL static

  This should ensure that the first rule on the SAA is the NAT rule that matches the VPN Client for LAN traffic. Other aircraft in the L2L VPN should still hit the original NAT rule to the VPN L2L

  If this does not work then we must look closer, the configuration.

  Hope this helps

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary

  -Jouni

• IPSEC TUNNEL... HUB & SPOKE problem

  Hi all

  I am facing a problem of site to site VPN HUB-and-spoke topology.

  Scenario: Deficit (2811) HUB makes Ipsec tunnel with 100 spokes (851). with a common pre shared key. About 90 tunnels are up but 10 tunnels do not come to the top. Same config there spoke an IOS in each router.  DPD is enabled on the HUB site.

  HUB crypto config is the same for all sites and access lists are reflected in the structure in Star...

  During debugging one of the rays, I got following messages...

  * 09:37:59.847 Mar 2: ISAKMP: (0): found peer pre-shared key x.x.x.x corresponding

  * 2 Mar 09:37:59.847: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

  * 2 Mar 09:37:59.847: ISAKMP: (0): built the seller-07 ID NAT - t

  * 2 Mar 09:37:59.847: ISAKMP: (0): built of NAT - T of the seller-03 ID

  * 2 Mar 09:37:59.847: ISAKMP: (0): built the seller-02 ID NAT - t

  !

  !

  * 2 Mar 09:37:59.887: ISAKMP: (0): package to x.x.x.x my_port 500 peer_port 500 (I) sending MM_SA_SETUP

  * 09:37:59.887 Mar 2: ISAKMP: (0): sending a packet IPv4 IKE.

  * 09:37:59.887 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

  * 09:37:59.887 Mar 2: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

  !

  * 2 Mar 09:38:01.887: ISAKMP: (0): package of phase 1 is a duplicate of a previous package.

  * 2 Mar 09:38:01.887: ISAKMP: (0): retransmission due to phase 1 of retransmission

  * 2 Mar 09:38:04.203: ISAKMP: (0): transmit phase 1 MM_SA_SETUP...

  * 09:38:04.203 Mar 2: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1

  ! (5 attempts)

  * 09:38:04.887 Mar 2: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:38:04.887 Mar 2: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) MM_SA_SETUP (peer x.x.x.x)

  * 09:38:04.887 Mar 2: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) MM_SA_SETUP (peer x.x.x.x)

  * 09:38:04.887 Mar 2: ISAKMP: Unlocking counterpart struct 0 x 82182080 for isadb_mark_sa_deleted(), count 0

  * 09:38:04.887 Mar 2: ISAKMP: delete peer node by peer_reap for x.x.x.x: 82182080

  * 09:38:04.887 Mar 2: ISAKMP: (0): node-653888495 error suppression FALSE reason 'IKE deleted.

  * 09:38:04.887 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

  * 09:38:04.887 Mar 2: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_DEST_SA

  It is showng NAT - T in debugging, but there is no nating passing between the two... ??

  Please share your thoughts and your conclusions on that.

  Concerning

  SAHKI

  Hello

  Yes, it helped to confirm that you are limited to 100 SA IKE. The number of DH is most of the time a construction internal, so you do not have to worry too much about it. I hope this helps.

  Thank you

  Wen

• Policy Nat and IPSec tunnel

  Hello

  I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client.  Unfortunately, we have two overlapping of 10 network IP addresses.

  Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?

  I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming.    The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.

  See attachment

  Kind regards

  They are wrong to installation.  Remote local networks are not 10.134.206.0 and 10.134.206/42.  It is simply your public IP address.

• Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

  Hello world

  I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

  I created a tunnel interfaces on both routers as follows.

  2620XM

  interface Tunnel0

  IP 10.1.5.2 255.255.255.252

  tunnel source x.x.x.x

  tunnel destination y.y.y.y

  end

  836

  interface Tunnel0

  IP 10.1.5.1 255.255.255.252

  tunnel source y.y.y.y

  tunnel destination x.x.x.x

  end

  and configuration of isakmp/ipsec as follows,

  2620XM

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address y.y.y.y no.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

  !

  myvpn 9 ipsec-isakmp crypto map

  defined peer y.y.y.y

  Set transform-set to_melissia

  match address 101

  2620XM-router #sh ip access list 101

  Expand the access IP 101 list

  10 permit host x.x.x.x y.y.y.y host will

  836

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address x.x.x.x No.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

  !

  myvpn 10 ipsec-isakmp crypto map

  defined peer x.x.x.x

  Set transform-set to_metamorfosi

  match address 101

  836-router #sh access list 101

  Expand the access IP 101 list

  10 licences will host host x.x.x.x y.y.y.y

  Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

  CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

  Any ideas why I get this result? Any help will be a great help

  Thank you!!!

  I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

  As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

  card crypto-address

  so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

  HTH

  Rick

• Problem with IPSec GRE tunnel

  Hello, I have a radio link with a branch, but the link to the provider is not approved to set up a Tunnel GRE + IPSec, but I get that this log in my router.

  % CRYPTO-4-PKT_REPLAY_ERR: decrypt: re-read the verification failed

  The topology is:

  Router 1 C3825 IOS 12.4 (25f) Fa0/2/2 - link radio - router 2 C3825 IOS 15.1 (4) M4 Gi0/1

  I get the logs into the Router 1 only.

  Configurations are:

  Router 1:

  crypto ISAKMP policy 1

  BA aes

  md5 hash

  preshared authentication

  Group 2

  ISAKMP crypto key Andina12 address 172.20.127.114

  invalid-spi-recovery crypto ISAKMP

  !

  !

  Crypto ipsec transform-set TS aes - esp esp-md5-hmac

  !

  Profile of crypto ipsec protected-gre

  86400 seconds, life of security association set

  game of transformation-TS

  interface Tunnel0

  Description IPSec Tunnel of GRE a Víbora

  bandwidth 2000

  IP 172.20.127.117 255.255.255.252

  IP 1400 MTU

  IP tcp adjust-mss 1360

  tunnel source 172.20.127.113

  tunnel destination 172.20.127.114

  protection ipsec profile protected-gre tunnel

  interface FastEthernet0/2/2

  Description RadioEnlace a Víbora

  switchport access vlan 74

  bandwidth 2000

  No cdp enable

  interface Vlan74

  bandwidth 2000

  IP 172.20.127.113 255.255.255.252

  Router eigrp 1

  network 172.20.127.116 0.0.0.3

  Router 2:

  crypto ISAKMP policy 1

  BA aes

  md5 hash

  preshared authentication

  Group 2

  ISAKMP crypto key Andina12 address 172.20.127.113

  !

  !

  Crypto ipsec transform-set TS aes - esp esp-md5-hmac

  !

  Profile of crypto ipsec protected-gre

  86400 seconds, life of security association set

  game of transformation-TS

  interface Tunnel0

  Description IPSec Tunnel of GRE a CSZ

  bandwidth 2000

  IP 172.20.127.118 255.255.255.252

  IP 1400 MTU

  IP tcp adjust-mss 1360

  tunnel source 172.20.127.114

  tunnel destination 172.20.127.113

  protection ipsec profile protected-gre tunnel

  interface GigabitEthernet0/1

  Description Radio Enlace a CSZ

  bandwidth 2000

  IP 172.20.127.114 255.255.255.252

  automatic duplex

  automatic speed

  media type rj45

  No cdp enable

  Router eigrp 1

  network 172.20.127.116 0.0.0.3

  Thanks for the help.

  Yes, you can have just as configured:

  Crypto ipsec transform-set esp - aes TS

  transport mode

  Be sure to change it on both routers.

• DROP in flow of the IPSec tunnel

  Hello

  I am trying to use a VPN, who worked on one connection ASA months on ASA9.1 (2). I've updated to ASA9.1 11 (6) and it has stopped working.

  This is the remote ASA5505s making an IPSEC connection-a network head 5520. I can ride preceding and following 2 and 11 9.1 9.1 (6) and while the configuration does not change, the VPN starts working on 9.1 2

  Vpn connects, but there is no packets sent or received...

  I get this packet tracer...

  Output of the command: "packet - trace entry tcp teeessyou 192.168.190.2 5000 192.168.195.1 detail 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae1308e8, priority = 1, domain = allowed, deny = false
  hits = 622, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
  Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
  DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
  input_ifc = teeessyou, output_ifc = any

  Phase: 2
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.195.1/80 to 192.168.195.1/80

  Phase: 3
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group teeessyou_access_in in the teeessyou interface
  teeessyou_access_in of access allowed any ip an extended list
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae24d310, priority = 13, area = allowed, deny = false
  hits = 622, user_data is 0xab6b23c0, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = any

  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  Definition of static 192.168.190.2/5000 to 192.168.190.2/5000
  Direct flow from returns search rule:
  ID = 0xae1ea5a8, priority = 6, area = nat, deny = false
  hits = 622, user_data is 0xae1e9c58, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = external

  Phase: 5
  Type: NAT
  Subtype: volatile
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xa9678858, priority = 1, domain = nat-volatile, deny = true
  hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, use_real_addr, flags = 0 x 0, Protocol = 6
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = none, output_ifc = any

  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae136910, priority = 0, sector = inspect-ip-options, deny = true
  hits = 622, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = any

  Phase: 7
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xaeec4328, priority = 70, domain = encrypt, deny = false
  hits = 65, user_data is 0xb7dc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.195.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = none, output_ifc = external

  Phase: 8
  Type: NAT
  Subtype: rpf check
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae1eae48, priority = 6, area = nat-reversed, deny = false
  hits = 129, user_data is 0xae1e9d10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = external

  Phase: 9
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: DECLINE
  Config:
  Additional information:
  Reverse flow from returns search rule:
  ID = 0xaea9f6b0, priority = 69 = ipsec-tunnel-flow area, deny = false
  hits = 129, user_data = 0 x 0, cs_id = 0xaea999c0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=192.168.192.0 SRC, mask = 255.255.224.0, port = 0, = 0 tag
  IP/ID=192.168.190.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = out, output_ifc = any

  Hello Spencerallsop,

  I recommend to add the keyword "no-proxy-arp" the end of the NAT statement, so the ASA try to answer queries ARP for the traffic(VPN interesting traffic), also this last phase 9 usually shows ignored due to a filter VPN defined in sometimes group policy, make sure you have not a filter VPN in a group policy that affect this tunnel then you will need to do the following:

  1. remove the NAT statement:

  -no nat (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS

  2 fix the NAT statement with the keyword "No.-proxy-arp" :

  -nat (teeessyou, outside) static source any any destination static teeessyou_ENCODERS teeessyou_ENCODERS non-proxy-arp

  3 disable the VPN ISA SA:

  -claire crypto ikev1 his

  4. run the packet tracer to check that the L2L has developed,

  To be honest I wouldn't recommend move you to 9.1.7 since it has some problems with the ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation.

  In fact, this bug affects 9.1.7 (may affect your environment):

  - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710

  Please don't forget to rate and score as of this post, keep me posted!

  Kind regards

  David Castro,

• IPSEC VPN DMZ HOST NAT

  Hello world

  First of all thanks for the invaluable information this community offers technicians everywhere... I'm newish to IPSEC VPN and I have a question.

  I have a DMZ PATed host to a public IP address. I've set up an IPSEC tunnel (with an external body on my outside interface) to allow this host reach a host computer in this organization. The VPN is not come. I am told to implement NAT exemption for the DMZ host IPSEC traffic to the host outside. Kindly, how can I do this?

  Kind regards

  Mumo

  OK, no problem :)

  for 8.2 (5), you can try the following config:

  object network DMZ-net 172.16.1.0 255.255.255.0object network Remote-net 10.1.1.0 255.255.255.0access-list asa_dmz_nat0_outbound extended permit ip object DMZ-net object Remote-netnat (DMZ) 0 access-list asa_dmz_nat0_outbound

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• Unable to Ping hosts through IPSec Tunnel

  I have a configuration of lab home with a PIX 515 running code 8.03.  I've made several changes over the last week and now when I finish a VPN connection to the external interface, I'm unable to hit all internal resources.  My VPN connection comes from a 10.22.254.0/24 trying to knock the internal nodes to 10.22.1.0/24, see below.  When I finish a VPN connection with the inside interface works, so I guess that I'm dealing with a NAT problem?   I have not idea why Phase 9 is a failure:-------.  Any help would be great!

  -------

  IP 10.22.254.0 allow Access-list extended sheep 255.255.255.0 10.22.1.0 255.255.255.0

  NAT (inside) 0 access-list sheep

  -------

  Global 1 interface (outside)

  -------

  access-list extended split allow ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

  -------

  Packet-trace entry inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 0.0.0.0 0.0.0.0 outdoors

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2bb3450, priority = 0, sector = option-ip-enabled, deny = true

  hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 4

  Type: VPN

  Subtype: ipsec-tunnel-flow

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x304ae48, priority = 12, area = ipsec-tunnel-flow, deny = true

  hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 5

  Type: NAT-FREE

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside) 0 access-list sheep

  NAT-control

  is the intellectual property inside 10.22.1.0 outside 10.22.254.0 255.255.255.0 255.255.255.0

  Exempt from NAT

  translate_hits = 6, untranslate_hits = 5

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2be2a00, priority = 6, free = area of nat, deny = false

  Hits = 5, user_data is 0x2be2960, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol

  SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

  DST ip = 10.22.254.0, mask is 255.255.255.0, port = 0

  Phase: 6

  Type: NAT

  Subtype: host-limits

  Result: ALLOW

  Config:

  static (inside, DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0

  NAT-control

  is the intellectual property inside 10.22.1.0 255.255.255.0 DMZ all

  static translation at 10.22.1.0

  translate_hits = 10, untranslate_hits = 0

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2d52800, priority = 5, area = host, deny = false

  hits = 21654, user_data = 0x2d51dc8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 7

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT-control

  is the intellectual property inside everything outside of any

  dynamic translation of hen 1 (192.168.20.20 [Interface PAT])

  translate_hits = 2909, untranslate_hits = 9

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2d4a7d0, priority = 1, sector = nat, deny = false

  hits = 16973, user_data = 0x2d4a730, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 8

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0 x 3328000, priority = 70, domain = encrypt, deny = false

  hits = 0, user_data is 0x1efa0cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

  DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0

  Phase: 9

  Type: ACCESS-LIST

  Subtype: ipsec-user

  Result: DECLINE

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x3329a48, priority = 69, domain = ipsec - user, deny = true

  Hits = 37, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: drop

  Drop-reason: flow (acl-drop) is denied by the configured rule

  No, the sheep ACL requires that defining the internal network traffic to the

  Pool VPN.  You must remove the other entries.

  Delete:

  allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 DM_INLINE_NETWORK_18 object-group
  allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

• ASA 8.6 - l2l IPsec tunnel established - not possible to ping

  Hello world

  I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

  The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

  I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

  The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

  Here is the output of "show run":

  ---------------------------------------------------------------------------------------------------------------------------------------------

  ASA 1.0000 Version 2

  !

  ciscoasa hostname

  activate oBGOJTSctBcCGoTh encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  address IP X.X.X.X 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  the IP 192.168.0.1 255.255.255.0

  !

  interface GigabitEthernet0/2

  nameif DMZ

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  passive FTP mode

  internal subnet object-

  192.168.0.0 subnet 255.255.255.0

  object Web Server external network-ip

  host Y.Y.Y.Y

  Network Web server object

  Home 192.168.2.100

  network vpn-local object - 192.168.2.0

  Subnet 192.168.2.0 255.255.255.0

  network vpn-remote object - 192.168.3.0

  subnet 192.168.3.0 255.255.255.0

  outside_acl list extended access permit tcp any object Web server

  outside_acl list extended access permit tcp any object webserver eq www

  access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

  dmz_acl access list extended icmp permitted an echo

  pager lines 24

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 DMZ

  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

  !

  internal subnet object-

  NAT dynamic interface (indoor, outdoor)

  Network Web server object

  NAT (DMZ, outside) Web-external-ip static tcp www www Server service

  Access-Group global dmz_acl

  Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

  Crypto ipsec ikev2 proposal ipsec 3des-GNAT

  Esp 3des encryption protocol

  Esp integrity md5 Protocol

  Crypto dynamic-map dynMidgeMap 1 match l2l-address list

  Crypto dynamic-map dynMidgeMap 1 set pfs

  Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

  Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

  Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

  Crypto dynamic-map dynMidgeMap 1 the value reverse-road

  midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

  midgeMap interface card crypto outside

  ISAKMP crypto identity hostname

  IKEv2 crypto policy 1

  3des encryption

  the md5 integrity

  Group 2

  FRP md5

  second life 86400

  Crypto ikev2 allow outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management of 192.168.1.2 - dhcpd address 192.168.1.254

  enable dhcpd management

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal midgeTrialPol group policy

  attributes of the strategy of group midgeTrialPol

  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

  enable IPSec-udp

  tunnel-group midgeVpn type ipsec-l2l

  tunnel-group midgeVpn General-attributes

  Group Policy - by default-midgeTrialPol

  midgeVpn group of tunnel ipsec-attributes

  IKEv1 pre-shared-key *.

  remote control-IKEv2 pre-shared-key authentication *.

  pre-shared-key authentication local IKEv2 *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

  : end

  ------------------------------------------------------------------------------------------------------------------------------

  X.X.X.X - ASA public IP

  Y.Y.Y.Y - a web server

  Z.Z.Z.Z - default gateway

  -------------------------------------------------------------------------------------------------------------------------------

  ASA PING:

  ciscoasa # ping DMZ 192.168.3.1

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

  ?????

  Success rate is 0% (0/5)

  PING from router (debug on CISCO):

  NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

  -------------------------------------------------------------------------------------------------------------------------------

  ciscoasa # show the road outside

  Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

  i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

  * - candidate by default, U - static route by user, o - ODR

  P periodical downloaded static route

  Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

  C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

  S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

  S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

  -------------------------------------------------------------------------------------------------------------------------------

  Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

  Please, if you have an idea, let me know! Thank you very much!

  Hello

  I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

  "The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

  You ACL: access-list extended dmz_acl to any any icmp echo

  For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

  Then to initiate router, the ASA Launches echo-reply being blocked again.

  Try to add permit-response to echo as well.

  In addition, you can use both "inspect icmp" in world politics than the ACL.

  If none does not work, you can run another t-shoot with control packet - trace on SAA.

  THX

  MS