redcell5 (ASKER) asked:
Cannot nat across Site to site VPN

I have network A as 10.201.10.0/23 and it is connected to network b 128.1.0.0/16 via site to site VPN on cisco 5505.
This is working as needed, but I need just one host on network A to be natted from 10.201.10.6 to 128.1.1.5 when it reaches network B.

Here is a jpg of the configuration and the configs for both router A and router.


Here are the configs....
network A
ASA Version 8.2(1)
!
hostname CPF
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.201.10.2 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
pager lines 24
logging enable
logging console informational
logging asdm debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 2 access-list decanat
static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
!
router eigrp 500
 neighbor 172.16.1.2 interface outside
 network 128.0.0.0 255.0.0.0
 network 172.16.1.0 255.255.255.0
 network 192.168.2.0 255.255.255.0
 redistribute static
!
route inside 10.201.10.0 255.255.254.0 10.201.10.2 1
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 172.16.253.0 255.255.255.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.201.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.201.10.6-10.201.10.133 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fe6d39603080d6c6b8ce09178c26a8ed
: end



Network B
 
ASA Version 8.2(1)
!
hostname MDV
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 128.1.70.100 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0
access-list deca_100 standard permit 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 128.1.0.0 255.255.0.0 128.1.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 1 98.141.40.151
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
!
router eigrp 500
 eigrp stub connected static redistributed
 neighbor 192.168.2.2 interface outside
 network 192.168.1.0 255.255.255.0
 network 192.168.2.0 255.255.255.0
!
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
route inside 172.16.253.0 255.255.255.0 128.1.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 128.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 128.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 128.1.70.104-128.1.71.103 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context


redcell5 (ASKER):
Forgot to say that when host A comes across to host B it is retaining its original address...


John Meggers:
So, first, is it as simple as a typo of 10.201.10.x versus 10.206.10.x?  Make sure you know how it's supposed to be.

If that's not it, though, does the network at the other end know where the address used in your "global (outside)" statement is located?  Your ACL of what gets encrypted specifies the inside address, so chances are their ACL at the other end specifies the reverse of yours -- but doesn't in any way mention the 128.1.1.x subnet.  

I haven't played with this kind of NAT situation too much, but my guess is your ACL should probably specify 128.1.1.x as the source subnet, and you probably need to modify your NAT criteria to base it off an ACL that specifies traffic specifically destined for 128.1.0.11.

See if the first suggestion works and let's go from there.
redcell5 (ASKER):
It's a typo in the Visio... it should be 10.201.10.
gavving:
You need to reconfigure some things to set up policy NAT.

On Network A ASA
access-list nonat line 1 deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
no access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
no nat (inside) 2 access-list decanat
no static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
access-list nat-siteb permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
static (inside,outside) 128.1.1.5 access-list nat-siteb

! The above will cause only the traffic coming from 10.201.10.6 to 128.1.0.0/16 to be NATed.  The rest will flow non-nated.

access-list 100 permit ip host 128.1.1.5 128.1.0.0 255.255.0.0

! This causes the NATed traffic to be sent through the Tunnel.

On Network B ASA:

access-list 100 permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5
! Host route for the translated address; a /32 mask is required for a single host.
route outside 128.1.1.5 255.255.255.255 192.168.2.2

! This routes the traffic back through the VPN tunnel for the NATed traffic.

redcell5 (ASKER):
I keep getting this

CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)

for any address inside the 10 net now
redcell5 (ASKER):
update....
I put this in...
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0

and then this....
static (inside,outside) 128.1.1.5  access-list nat-siteb
static (inside,outside) 10.201.10.0  access-list 100



now the console is showing for site A
CPF(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.70.107/768 gaddr 10.201.10.6/0 laddr 10.201.10.6/0

when I ping to 10.201.10.6 from the 128.0.0.0 network.


from site B I ping 128.1.70.107 and this is what shows in B console...
%ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768


But I get request timed out at each host.
gavving:

Let's try:

no global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
clear xlate


gavving:

I don't think we need to use policy NATing for the traffic you don't want to NAT.  That traffic should be in the nonat ACL and the nat (inside) 0 command.

no static (inside,outside) 10.201.10.0  access-list 100
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5  access-list nat-siteb
clear xlate

That should cause the traffic to be NATed the way we want.  Check the tunnel to see if there's any traffic being sent/received.  Use 'show crypto ipsec'
redcell5 (ASKER):
removed policy nat and put in the config mod you said and here is the result..
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)


access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 172.16.253.0 255.255.255.0


nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5  access-list nat-siteb
gavving:
Where are you originating the Ping from?  The ASA itself or from a device on the inside interface of Site A's firewall or Site B's firewall?  Is the traffic actually going through the VPN?
redcell5 (ASKER):
I have a laptop on each side and a router on each side .....so to answer the ? I am originating from laptop 128.1.70.107 to laptop 10.201.10.6...traffic is passing because I can ping from laptop 128.1.70.107 to the router on the other side 10.201.10.1
gavving:

I'll try to lab it up and test the configs.  I'm pretty sure what I've tried to do should work; there may be a detail I'm missing though.
redcell5 (ASKER):
Thanks....
Do you do hard labs? (I mean actual hardware?)
gavving:
I have a couple extra 5505's that I can use.  
redcell5 (ASKER):
OK...that's what I have with the router in the middle.
redcell5 (ASKER):
anyone else have some ideas?
I am struggling on this.
gavving:

I got it working.  There is an issue with doing it the way you've set it up though.  The problem is that even if you set up everything perfectly, the traffic will not route back correctly from the 128.1.0.11 device without a static route on that device specifically for the 128.1.1.5 IP.  128.1.1.5 is in the same network as 128.1.0.11 so the traffic never gets routed back to the ASA to go through the VPN tunnel.  So in addition to the below configurations I had to add a route on my 128.1.0.11 device like:

ip route 128.1.1.5 255.255.255.255 128.1.70.100
(I was using a router)

Once I did that I was able to ping through from 10.201.10.6, get natted to 128.1.1.5, go through the VPN, then come all the way back.... Using the below configurations.

 
SITE A config:
:
ASA Version 8.2(1) 
!
hostname Site-A
domain-name default.domain.invalid
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.201.10.2 255.255.254.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0 
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0 
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0 
access-list 100 extended permit ip host 128.1.1.5 128.1.0.0 255.255.0.0 
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0 
access-list acl-outside extended permit icmp any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 128.1.1.5  access-list nat-siteb 
access-group acl-outside in interface outside
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1 
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2      
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 67.67.4.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:0d6699320fc7f09b256766c862d3f5f0


SITE B Config:
: Saved
:
ASA Version 8.2(1) 
!
hostname Site-B
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 128.1.70.100 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0 
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5 
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0 
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5 
access-list acl-outside extended permit icmp any any 
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
access-group acl-outside in interface outside
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 128.1.1.5 255.255.255.255 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1 
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context

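To make the two decisions in this thread concrete (which inside source gets translated on Site A and why the Site B host needs a /32 route for 128.1.1.5), here is an added Python model; it is not code from the thread or from either ASA, and the ACL and route tables are constructed from the configs posted above.

```python
from ipaddress import ip_address, ip_network

# Site A ASA (8.2 syntax as posted). ACEs are (action, source, destination);
# an ACL is evaluated first-match. Tables constructed from the configs in the thread.
NONAT_ACL = [                                   # nat (inside) 0 access-list nonat
    ("deny",   "10.201.10.6/32", "128.1.0.0/16"),
    ("permit", "10.201.10.0/23", "128.1.0.0/16"),
]
NAT_SITEB_ACL = [                               # static (inside,outside) 128.1.1.5 access-list nat-siteb
    ("permit", "10.201.10.6/32", "128.1.0.0/16"),
]
CRYPTO_ACL_ORIGINAL = [                         # crypto map ... match address 100, as first posted
    ("permit", "10.201.10.0/23", "128.1.0.0/16"),
]
CRYPTO_ACL_FIXED = CRYPTO_ACL_ORIGINAL + [      # plus the line added for the translated host
    ("permit", "128.1.1.5/32", "128.1.0.0/16"),
]
POLICY_STATIC_IP = "128.1.1.5"


def acl_match(acl, src, dst):
    """Action of the first ACE matching src/dst, or None if nothing matches."""
    for action, s, d in acl:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action
    return None


def translate_source(src, dst):
    """Post-NAT source for an inside->outside packet on Site A.

    NAT exemption (nat 0 access-list) is checked before policy static NAT, so the
    'deny' line in nonat is what lets 10.201.10.6 fall through to the static."""
    if acl_match(NONAT_ACL, src, dst) == "permit":
        return src                      # exempt: leaves with its real address
    if acl_match(NAT_SITEB_ACL, src, dst) == "permit":
        return POLICY_STATIC_IP
    return None                         # would hit dynamic nat (inside) 1 / interface PAT


def will_encrypt(src, dst, crypto_acl):
    """The crypto ACL sees the packet after NAT, so it must list the translated address."""
    translated = translate_source(src, dst) or src
    return acl_match(crypto_acl, translated, dst) == "permit"


# Site B host on 128.1.0.0/16: longest-prefix match over (prefix, gateway);
# gateway None means a connected route (the host ARPs for the destination itself).
HOST_B_ROUTES = [("128.1.0.0/16", None), ("0.0.0.0/0", "128.1.70.100")]
HOST_ROUTE_FIX = ("128.1.1.5/32", "128.1.70.100")   # ip route 128.1.1.5 255.255.255.255 128.1.70.100


def next_hop(routes, dst):
    """Gateway for dst, 'on-link' if the best match is a connected route, None if no route."""
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] or "on-link"


if __name__ == "__main__":
    print(translate_source("10.201.10.6", "128.1.70.107"))                    # 128.1.1.5
    print(translate_source("10.201.10.7", "128.1.70.107"))                    # 10.201.10.7 (exempt)
    print(will_encrypt("10.201.10.6", "128.1.70.107", CRYPTO_ACL_ORIGINAL))   # False: never enters the tunnel
    print(will_encrypt("10.201.10.6", "128.1.70.107", CRYPTO_ACL_FIXED))      # True
    print(next_hop(HOST_B_ROUTES, "128.1.1.5"))                                # on-link: reply never reaches the ASA
    print(next_hop(HOST_B_ROUTES + [HOST_ROUTE_FIX], "128.1.1.5"))             # 128.1.70.100
```

The last two lines reproduce the symptom in the thread: without the /32, the Site B host treats 128.1.1.5 as a neighbour on its own LAN and the echo reply is never sent to the ASA, even though both firewalls log a built connection.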

redcell5 (ASKER):
OK Gavving,
I put in the configs.  I put in the static routes on all routers involved (3 of them, one for each site and one for the site to site VPN)

Now I can ping my routers on each side.

I can ping from my Site A router to a host on Site B and vice versa. (E.G. from 10.201.10.1 to 128.1.70.107)

I can ping from my router on Site B to the router on Site A and to 128.1.1.5
Sending 5, 100-byte ICMP Echos to 128.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent

I can ping from 10.201.10.6 to the router in Site B (10.201.10.6 to 128.1.250.0)
I cannot ping from 10.201.10.6 to a host in Site B (10.201.10.6 to 128.1.70.107); see below from the logs... Both ASAs think it happens, but the request times out on the host...

Log entry from Site B ASA:
MDV(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.1.5/512 gaddr 128.1.70.107/0 laddr 128.1.70.107/0
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.1.5/512 gaddr 128.1.70.107/0 laddr 128.1.70.107/0


Log entry from Site A ASA:
CPF(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 128.1.70.107/0 gaddr 128.1.1.5/512 laddr 10.201.10.6/512
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.70.107/0 gaddr 128.1.1.5/512 laddr 10.201.10.6/512

Then pinging 10.201.10.6 OR 128.1.1.5 from host in site B 128.1.70.107 the ping also times out....
Here is the log entry from Site B asa

MDV(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768
%ASA-6-302021: Teardown ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768


Log entry from Site A ASA for same ping...
CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)

Do you need to see any more to see if this works?

ASKER CERTIFIED SOLUTION (gavving):
redcell5 (ASKER):
I wish I could give more points!!!
The static route on the host did the trick!