Solved

Having a problem getting ASA5510 and ASA5505 VPN Site to Site running

Posted on 2010-09-07
485 Views
Last Modified: 2012-05-10
I am having issues getting a site-to-site VPN tunnel between two offices running.

Site 1 ----- ASA5510   inside IP 10.1.1.1 - servers running on 10.1.2.X and 10.1.5.X

Site 2 ----- ASA5505  inside IP 10.2.2.2 - server running at IP 10.2.2.6; all other workstations get DHCP from the address pool 10.2.2.7 to 10.2.3.5

Site 1 running config
ASA Version 8.3(1)
!
hostname ticasaenid
domain-name trianglecompanies.coop
enable password smthuUugAEI13ukJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.2.3 PCMSAPP
name 10.1.2.7 Exchange
name 10.1.2.5 AtReportSrv
name 10.1.4.201 SupportPC
name 10.1.2.8 CitrixSrv
name 10.1.2.11 TICVPN
name 10.1.5.20 CLICWS01DR
name 10.1.5.21 SPC02S01DR
name 10.1.5.22 PCMSWS01DR
name 10.1.5.23 IMFIWS01DR
name 10.1.5.24 VIEWS01DR
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XX.68.119.XX 255.255.255.192
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.2 255.255.255.0
 management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name trianglecompanies.coop
object network Exchange
 host 10.1.2.7
object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object-group icmp-type Ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
object-group service WebServciesWithOutFTP tcp
 port-object eq www
 port-object eq https
object-group service WebservicesWithFTP tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host 10.2.0.0
 network-object host 255.255.0.0
access-list outside_access extended permit ip host XX.117.233.XXX object Exchange
access-list outside_access extended permit tcp host XX.117.233.XXX object Exchange eq domain
access-list outside_access extended permit ip host XX.117.233.XXX object Exchange
access-list outside_access extended permit tcp host XX.117.233.XXX object Exchange eq domain
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging trap debugging
logging host inside 10.1.4.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (outside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
!
object network Exchange
 nat (inside,outside) static 65.68.119.72
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 XX.68.119.XX 1
route inside 10.1.0.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 management
http 10.1.4.0 255.255.255.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XX.117.233.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group XX.117.233.XXX type ipsec-l2l
tunnel-group XX.117.233.XXX ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1e5357edf6047d55429ca8f0729bda4b
: end

Site 2 running-config
ASA Version 8.2(1)
!
hostname ticasaar
domain-name trianglecompanies.coop
enable password smthuUugAEI13ukJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.2.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.117.233.XXX 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name trianglecompanies.coop
object-group network DM_INLINE_NETWORK_1
 network-object host 10.1.0.0
 network-object host 255.255.0.0
access-list outside_access_in extended permit ip host XX.68.119.XX any
access-list outside_access_in extended permit tcp host XX.68.119.XX any eq domain
access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip 10.2.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list inbound extended permit icmp any any
pager lines 24
logging enable
logging trap debugging
logging host inside 10.2.2.9
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.117.233.XXX netmask 255.255.255.255
nat (inside) 1 10.2.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) XX.117.233.XXX 10.2.2.6 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.117.233.XXX 1
route inside 10.2.2.0 255.255.255.0 10.2.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XX.68.119.XX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.2.2.0 255.255.255.0 inside
telnet XX.68.119.XX 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.2.7-10.2.3.5 inside
dhcpd dns 10.2.2.6 interface inside
dhcpd wins 10.2.2.6 interface inside
dhcpd domain trianglecompanies.coop interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password fyw7P427eIutZ8F1 encrypted privilege 13
username admin attributes
 service-type admin
tunnel-group XX.68.119.XX type ipsec-l2l
tunnel-group XX.68.119.XX ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:737a101362210d847fddcef872bf117a
: end

I want both offices to be able to connect to servers on either side of their firewall.

i.e., a 10.1.0.0 address can connect to the 10.2.2.X servers, and a 10.2.2.X machine can connect to the 10.1.0.0 machines.
Question by: cunnke
7 Comments
 
Expert Comment by: Ernie Beek
So when you try to connect, does the tunnel come up? When you're monitoring (one of) the ASAs, does anything show in the logs?


Author Comment by: cunnke
The tunnel never comes up. Nothing shows in the logs.

Expert Comment by: Ernie Beek
I think I see something in your config:

object-group network DM_INLINE_NETWORK_1
 network-object host 10.2.0.0
 network-object host 255.255.0.0

There are two single host objects incorrectly defined here.

Try to replace the existing access lists:

access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
 
with

access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

For site one

and

access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip 10.2.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1

With

access-list outside_1_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

For site two.

Then lets see if we can get some tunneling.

Personally I'm not that fond of using objects and groups (which happens automatically when using ASDM). It's not always WYSIWYG.

Author Comment by: cunnke
I changed the lines above and am still not getting tunnel traffic.

I am still getting, on a sh crypto ipsec sa: There are no ipsec sa

And on sh crypto isakmp sa: There are no isakmp sas

Site one running config:
ASA Version 8.3(1)
!
hostname ticasaenid
domain-name trianglecompanies.coop
enable password smthuUugAEI13ukJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.2.3 PCMSAPP
name 10.1.2.7 Exchange
name 10.1.2.5 AtReportSrv
name 10.1.4.201 SupportPC
name 10.1.2.8 CitrixSrv
name 10.1.2.11 TICVPN
name 10.1.5.20 CLICWS01DR
name 10.1.5.21 SPC02S01DR
name 10.1.5.22 PCMSWS01DR
name 10.1.5.23 IMFIWS01DR
name 10.1.5.24 VIEWS01DR
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XX.68.119.XXX 255.255.255.192
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.2 255.255.255.0
 management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name trianglecompanies.coop
object network Exchange
 host 10.1.2.7
object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object-group icmp-type Ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
object-group service WebServciesWithOutFTP tcp
 port-object eq www
 port-object eq https
object-group service WebservicesWithFTP tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host 10.2.0.0
 network-object host 255.255.0.0
access-list outside_access extended permit ip host XX.117.233.XXX object Exchange
access-list outside_access extended permit tcp host XX.117.233.XXX object Exchange eq domain
access-list outside_access extended permit ip host XX.117.233.XXX object Exchange
access-list outside_access extended permit tcp host XX.117.233.XXX object Exchange eq domain
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging host inside 10.1.4.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (outside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
!
object network Exchange
 nat (inside,outside) static XX.68.119.XXX
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 XX.68.119.XXX 1
route inside 10.1.0.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 management
http 10.1.4.0 255.255.255.0 inside
http Exchange 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XX.117.233.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group XX.117.233.XXX type ipsec-l2l
tunnel-group XX.117.233.XXX ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb1a4d46563ebac09ce732a61357e3fe
: end

Site 2 config
ASA Version 8.2(1)
!
hostname ticasaar
domain-name trianglecompanies.coop
enable password smthuUugAEI13ukJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.2.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.117.233.XXX 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name trianglecompanies.coop
object-group network DM_INLINE_NETWORK_1
 network-object host 10.1.0.0
 network-object host 255.255.0.0
access-list outside_access_in extended permit ip host XX.68.119.XXX any
access-list outside_access_in extended permit tcp host XX.68.119.XXX any eq domain
access-list outside_1_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list inbound extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip 10.2.2.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging host inside 10.2.2.9
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.117.233.XXX netmask 255.255.255.255
nat (inside) 1 10.2.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XX.117.233.XXX 10.2.2.6 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.117.233.XXX 1
route inside 10.2.2.0 255.255.255.0 10.2.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XX.68.119.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.2.2.0 255.255.255.0 inside
telnet XX.68.119.XXX 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.2.7-10.2.3.5 inside
dhcpd dns 10.2.2.6 interface inside
dhcpd wins 10.2.2.6 interface inside
dhcpd domain trianglecompanies.coop interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password fyw7P427eIutZ8F1 encrypted privilege 13
username admin attributes
 service-type admin
tunnel-group XX.68.119.XXX type ipsec-l2l
tunnel-group XX.68.119.XXX ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e35176e2da98b59b46e4a2c864a9c69b

Author Comment by: cunnke
Could it be that PAT is running on the devices? And if so how do it shutoff the PAT and have it do a static NAT translation?

Accepted Solution by: kuoh (earned 500 total points)
I'm not sure if 8.3 will affect things, but I'd make the following changes.

Site 1
CHANGE
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

TO
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

ADD
nat (Inside) 0 access-list inside_nat0_outbound

DELETE
nat (outside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1


Site 2
CHANGE
access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip 10.2.2.0 255.255.255.0 10.1.0.0 255.255.0.0

TO
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

ADD
nat (Inside) 0 access-list inside_nat0_outbound

Also, I'm not sure I see the need for the "route inside" commands on both ASAs, but it's late so I may be missing something.

Assisted Solution by: kuoh (earned 500 total points)
It looks like 8.3 will affect the site 1 config, but site 2 should be ok, since it's still on 8.2.

Site 1
ADD
object network NETWORK_OBJ_10.2.0.0_16
 subnet 10.2.0.0 255.255.0.0
nat (inside,any) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16
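An added example, not part of this thread and not the poster's configs: a small Python checker for the three things the comments above turn on. It pulls the object definitions, the access-lists, the crypto map's match address and the NAT rules out of each ASA config and reports (1) object-group entries written as host but carrying a network address or a mask, like the DM_INLINE_NETWORK_1 group here, (2) crypto ACLs on the two peers that are not mirror images of each other, and (3) NAT exemption that does not cover the crypto ACL: on 8.2 that is a nat (inside) 0 access-list rule, on 8.3 an identity twice-NAT rule whose interface pair starts at inside, so the (outside,outside) rule in the original site 1 config never matches LAN traffic. The embedded config snippets are constructed for the example and cut down to the lines the checker reads; the assumption that the protected networks sit behind an interface named inside, and the .0 / 255. heuristic for spotting a bad host entry, are the example's own, not anything the ASA enforces.

```python
"""Added example: checks for a Cisco ASA IPsec site-to-site pair (not the poster's code).
Flags 'host' entries that are really networks or masks, crypto ACLs that are not mirror
images, and NAT exemption ('nat (inside) 0 access-list' on 8.2, identity twice-NAT on 8.3)
that misses the crypto ACL. Assumes the protected LANs sit behind the interface 'inside';
the config snippets at the bottom are constructed and cut down to the lines read here."""
import re
from ipaddress import IPv4Network as Net


def parse(text):
    """Collect named networks, ACLs, the crypto ACL name and NAT rules from one config."""
    cfg = {"names": {}, "acls": {}, "crypto_acl": None, "nat0": [], "twice_nat": []}
    cur = None  # object / object-group whose member lines follow
    for line in text.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            cur = m[1]
            cfg["names"][cur] = []
        elif m := re.match(r"\s+(?:network-object )?host (\S+)", line):
            cfg["names"][cur].append(Net(m[1] + "/32"))
        elif m := re.match(r"\s+(?:network-object|subnet) (\S+) (\S+)", line):
            cfg["names"][cur].append(Net(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            cfg["acls"].setdefault(m[1], []).append(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"nat \((\w+)\) 0 access-list (\S+)", line):
            cfg["nat0"].append((m[1], m[2]))
        elif m := re.match(r"nat \((\w+),(\w+)\) source static (\S+) \S+ destination static (\S+) \S+", line):
            cfg["twice_nat"].append(m.groups())
    return cfg


def _operand(tokens, cfg):
    """Consume one ACL operand ('host A', 'object[-group] N', 'A MASK'); 'any' is deliberately unsupported."""
    t = tokens.pop(0)
    if t == "host":
        return [Net(tokens.pop(0) + "/32")]
    if t in ("object", "object-group"):
        return cfg["names"].get(tokens.pop(0), [])
    return [Net(f"{t}/{tokens.pop(0)}", strict=False)]


def pairs(cfg, acl):
    """Set of (src, dst) networks an ACL permits, object-groups expanded."""
    out = set()
    for ace in cfg["acls"].get(acl, []):
        toks = list(ace)
        srcs, dsts = _operand(toks, cfg), _operand(toks, cfg)  # evaluated left to right
        out |= {(s, d) for s in srcs for d in dsts}
    return out


def bad_host_entries(cfg):
    """/32 entries whose address looks like a network or a mask (heuristic, example's own)."""
    return [(name, str(n.network_address)) for name, nets in cfg["names"].items()
            for n in nets if n.prefixlen == 32 and re.match(r"255\.|.*\.0$", str(n.network_address))]


def crypto_acls_mirror(a, b):
    """Peer B's crypto ACL must equal peer A's with src and dst swapped."""
    pa, pb = pairs(a, a["crypto_acl"]), pairs(b, b["crypto_acl"])
    return bool(pa) and pa == {(d, s) for s, d in pb}


def nat_exempt_covers_crypto(cfg):
    """Every crypto ACL pair must fall inside a NAT exemption rule on 'inside' (nameif is case-insensitive)."""
    # 8.2 style: nat (inside) 0 access-list X
    exempt = set().union(*(pairs(cfg, acl) for iface, acl in cfg["nat0"] if iface.lower() == "inside"))
    for sif, dif, sobj, dobj in cfg["twice_nat"]:  # 8.3 style: identity twice-NAT
        if sif.lower() == "inside" and dif.lower() != "inside":  # (outside,outside) never sees LAN traffic
            exempt |= {(s, d) for s in cfg["names"].get(sobj, []) for d in cfg["names"].get(dobj, [])}
    need = pairs(cfg, cfg["crypto_acl"])
    return bool(need) and all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt) for s, d in need)


# Constructed configs, cut down to the lines the checks read (not the poster's).
SITE1_ORIG = """object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
 network-object host 10.2.0.0
 network-object host 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
nat (outside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
crypto map outside_map 1 match address outside_1_cryptomap"""
SITE2_ORIG = """object-group network DM_INLINE_NETWORK_1
 network-object host 10.1.0.0
 network-object host 255.255.0.0
access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip 10.2.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap"""
SITE1_FIXED = """object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.0.0_16
 subnet 10.2.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside,outside) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16
crypto map outside_map 1 match address outside_cryptomap_1"""
SITE2_FIXED = """access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_cryptomap_1"""


def report(site1, site2):
    """Run all three checks over a peer pair."""
    a, b = parse(site1), parse(site2)
    return {"bad_hosts": bad_host_entries(a) + bad_host_entries(b), "mirror": crypto_acls_mirror(a, b),
            "nat_exempt_ok": (nat_exempt_covers_crypto(a), nat_exempt_covers_crypto(b))}
```

report(SITE1_ORIG, SITE2_ORIG) returns four bad host entries, mirror False and nat_exempt_ok (False, False); report(SITE1_FIXED, SITE2_FIXED) returns no bad entries, mirror True and (True, True). The checker only covers address-level consistency: it says nothing about phase 1 (the isakmp policies) or the pre-shared keys, which both configs mask, so if it passes and there are still no ISAKMP SAs, the next things to look at are UDP 500 reachability between the two outside addresses and the ISAKMP debug output on the side that initiates.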
