Cannot NAT across site-to-site VPN

redcell5
I have network A as 10.201.10.0/23 and it is connected to network B 128.1.0.0/16 via a site-to-site VPN on Cisco 5505s.
This is working as needed, but I need just one host on network A to be NATed from 10.201.10.6 to 128.1.1.5 when it reaches network B.

Here is a JPG of the configuration and the configs for both router A and router.

[image: network dwg (network diagram)]

Here are the configs....
Network A
ASA Version 8.2(1)
!
hostname CPF
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.201.10.2 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
pager lines 24
logging enable
logging console informational
logging asdm debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 2 access-list decanat
static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
!
router eigrp 500
 neighbor 172.16.1.2 interface outside
 network 128.0.0.0 255.0.0.0
 network 172.16.1.0 255.255.255.0
 network 192.168.2.0 255.255.255.0
 redistribute static
!
route inside 10.201.10.0 255.255.254.0 10.201.10.2 1
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 172.16.253.0 255.255.255.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.201.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.201.10.6-10.201.10.133 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fe6d39603080d6c6b8ce09178c26a8ed
: end



Network B
 
ASA Version 8.2(1)
!
hostname MDV
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 128.1.70.100 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0
access-list deca_100 standard permit 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 128.1.0.0 255.255.0.0 128.1.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 1 98.141.40.151
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
!
router eigrp 500
 eigrp stub connected static redistributed
 neighbor 192.168.2.2 interface outside
 network 192.168.1.0 255.255.255.0
 network 192.168.2.0 255.255.255.0
!
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
route inside 172.16.253.0 255.255.255.0 128.1.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 128.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 128.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 128.1.70.104-128.1.71.103 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context



Author

Commented:
Forgot to say that when host A comes across to host B it is retaining its original address...


John Meggers, Network Architect

Commented:
So, first, is it as simple as a typo of 10.201.10.x versus 10.206.10.x?  Make sure you know how it's supposed to be.

If that's not it, though, does the network at the other end know where the address used in your "global (outside)" statement is located?  Your ACL of what gets encrypted specifies the inside address, so chances are their ACL at the other end specifies the reverse of yours -- but doesn't in any way mention the 128.1.1.x subnet.  

I haven't played with this kind of NAT situation too much, but my guess is your ACL should probably specify 128.1.1.x as the source subnet, and you probably need to modify your NAT criteria to base it off an ACL that specifies traffic specifically destined for 128.1.0.11.

See if the first suggestion works and let's go from there.

Author

Commented:
It's a typo in the Visio... it should be 10.201.10

Commented:
You need to reconfigure some things to set up policy NAT.

On Network A ASA
access-list nonat line 1 deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
no access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
no nat (inside) 2 access-list decanat
no static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
access-list nat-siteb permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
static (inside,outside) 128.1.1.5 access-list nat-siteb

! The above will cause only the traffic coming from 10.201.10.6 to 128.1.0.0/16 to be NATed.  The rest will flow non-NATed.

access-list 100 permit ip host 128.1.1.5 128.1.0.0 255.255.0.0

! This causes the NATed traffic to be sent through the Tunnel.

On Network B ASA:

access-list 100 permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5
route outside 128.1.1.5 255.255.255.0 192.168.2.2

! This routes the traffic back through the VPN tunnel for the NATed traffic.

Author

Commented:
I keep getting this

CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)

for any address inside the 10 net now

Author

Commented:
update....
I put this in...
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0

and then this....
static (inside,outside) 128.1.1.5  access-list nat-siteb
static (inside,outside) 10.201.10.0  access-list 100



now the console is showing for site A
CPF(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.70.107/768 gaddr 10.201.10.6/0 laddr 10.201.10.6/0

when I ping to 10.201.10.6 from the 128.0.0.0 network.


from site B I ping 128.1.70.107 and this is what shows in B console...
%ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768


But I get request timed out at each host.

Commented:
Let's try:

no global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
clear xlate


Commented:
I don't think we need to use policy NATing for the traffic you don't want to NAT.  That traffic should be in the nonat ACL and the nat (inside) 0 command.

no static (inside,outside) 10.201.10.0  access-list 100
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5  access-list nat-siteb
clear xlate

That should cause the traffic to be NATed the way we want.  Check the tunnel to see if there's any traffic being sent/received.  Use 'show crypto ipsec'

Author

Commented:
Removed policy NAT and put in the config mod you said and here is the result...
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)


access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 172.16.253.0 255.255.255.0


nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5  access-list nat-siteb

Commented:
Where are you originating the Ping from?  The ASA itself or from a device on the inside interface of Site A's firewall or Site B's firewall?  Is the traffic actually going through the VPN?

Author

Commented:
I have a laptop on each side and a router on each side .....so to answer the ? I am originating from laptop 128.1.70.107 to laptop 10.201.10.6...traffic is passing because I can ping from laptop 128.1.70.107 to the router on the other side 10.201.10.1

Commented:
I'll try to lab it up and test the configs.  I'm pretty sure what I've tried to do should work; there may be a detail I'm missing though.

Author

Commented:
Thanks....
Do you do hard labs? (I mean actual hardware?)

Commented:
I have a couple extra 5505's that I can use.  

Author

Commented:
OK...that's what I have with the router in the middle.

Author

Commented:
anyone else have some ideas?
I am struggling on this.

Commented:
I got it working.  There is an issue with doing it the way you've set it up though.  The problem is that even if you set up everything perfectly, the traffic will not route back correctly from the 128.1.0.11 device without a static route on that device specifically for the 128.1.1.5 IP.  128.1.1.5 is in the same network as 128.1.0.11 so the traffic never gets routed back to the ASA to go through the VPN tunnel.  So in addition to the below configurations I had to add a route on my 128.1.0.11 device like:

ip route 128.1.1.5 255.255.255.255 128.1.70.100
(I was using a router)

Once I did that I was able to ping through from 10.201.10.6, get NATed to 128.1.1.5, go through the VPN, then come all the way back.... using the below configurations.

 
SITE A config:
:
ASA Version 8.2(1) 
!
hostname Site-A
domain-name default.domain.invalid
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.201.10.2 255.255.254.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0 
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0 
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0 
access-list 100 extended permit ip host 128.1.1.5 128.1.0.0 255.255.0.0 
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0 
access-list acl-outside extended permit icmp any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 128.1.1.5  access-list nat-siteb 
access-group acl-outside in interface outside
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1 
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2      
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 67.67.4.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:0d6699320fc7f09b256766c862d3f5f0


SITE B Config:
: Saved
:
ASA Version 8.2(1) 
!
hostname Site-B
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 128.1.70.100 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0 
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5 
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0 
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5 
access-list acl-outside extended permit icmp any any 
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
access-group acl-outside in interface outside
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 128.1.1.5 255.255.255.255 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1 
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context


Author

Commented:
OK Gavving,
I put in the configs.  I put in the static routes on all routers involved (3 of them, one for each site and one for the site to site VPN)

Now I can ping my routers on each side.

I can ping from my Site A router to a host on Site B and vice versa. (E.G. from 10.201.10.1 to 128.1.70.107)

I can ping from my router on Site B to the router on Site A and to 128.1.1.5
Sending 5, 100-byte ICMP Echos to 128.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent

I can ping from 10.201.10.6 to the router in Site B (10.201.10.6 to 128.1.250.0)
I cannot ping from 10.201.10.6 to a host in Site B (10.201.10.6 to 128.1.70.107); see below from the logs... Both ASAs think it happens, but the request times out on the host...

Log entry from Site B ASA:
MDV(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.1.5/512 gaddr 128.1.70.107/0 laddr 128.1.70.107/0
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.1.5/512 gaddr 128.1.70.107/0 laddr 128.1.70.107/0


Log entry from Site A ASA:
CPF(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 128.1.70.107/0 gaddr 128.1.1.5/512 laddr 10.201.10.6/512
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.70.107/0 gaddr 128.1.1.5/512 laddr 10.201.10.6/512

Then pinging 10.201.10.6 OR 128.1.1.5 from host in site B 128.1.70.107 the ping also times out....
Here is the log entry from Site B asa

MDV(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768
%ASA-6-302021: Teardown ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768


Log entry from Site A ASA for same ping...
CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst inside:10.201.10.6 (type 8, code 0)

Do you need to see anymore to see if this works?

Commented:
On host in site B, IP: 128.1.70.107 what is the routing table?  Did you specifically add a route for 128.1.1.5/32 like I mentioned in my previous post?  You will have to do that for it to work because we are NATing into the same network block as the host's interface IP.  If you were to look at the traffic counters on the 'show crypto ipsec' output you would see packets being sent from Site A, received on site B, but nothing coming back.  This is because the traffic never hits the ASA on the site B end as the host will ARP and look for 128.1.1.5 on the local LAN.

I just thought of something though.  If we enable proxy ARP on the inside interface, we wouldn't need to add that route.  Try:

no sysopt noproxyarp inside

on the Site B ASA.
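The two points Gavving makes above, why the nonat deny plus policy static translates only 10.201.10.6, and why the Site B host needs a /32 route before replies to 128.1.1.5 can reach the ASA, as an added Python model (not ASA code and not from anyone in this thread). It also reproduces why 128.1.70.107 pinging 10.201.10.6 directly hits the %ASA-3-305005 log; the Site B host's default gateway 128.1.250.0 and its routing table are constructed assumptions.

```python
import ipaddress

# Added illustration for this thread, not ASA code: a small model of the Site A
# ASA 8.2 NAT lookup (nat-control on) for the final config posted above, and of
# the Site B host's route lookup that decides whether replies to 128.1.1.5 ever
# reach the ASA. The host's default gateway (128.1.250.0) is an assumption.

net = ipaddress.IPv4Network
addr = ipaddress.IPv4Address

# access-list nonat: the deny line removes 10.201.10.6 from the exemption
NONAT_ACL = [
    ("deny",   net("10.201.10.6/32"), net("128.1.0.0/16")),
    ("permit", net("10.201.10.0/23"), net("128.1.0.0/16")),
]
# static (inside,outside) 128.1.1.5 access-list nat-siteb
POLICY_STATIC = {
    "real": addr("10.201.10.6"), "mapped": addr("128.1.1.5"),
    "acl": [("permit", net("10.201.10.6/32"), net("128.1.0.0/16"))],
}
OUTSIDE_IF = addr("172.16.1.1")   # global (outside) 1 interface


def acl_lookup(acl, src, dst):
    """First matching line wins, as on the ASA; None when nothing matches."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return None


def translate_outbound(src, dst):
    """inside->outside in 8.2 order: exemption, then static, then dynamic.
    Returns the source address the packet carries on the outside."""
    src, dst = addr(src), addr(dst)
    if acl_lookup(NONAT_ACL, src, dst) == "permit":
        return str(src)                      # nat (inside) 0: untranslated
    if acl_lookup(POLICY_STATIC["acl"], src, dst) == "permit":
        return str(POLICY_STATIC["mapped"])  # policy static -> 128.1.1.5
    return f"PAT:{OUTSIDE_IF}"               # nat (inside) 1 0.0.0.0 0.0.0.0


def translate_inbound(src, dst):
    """outside->inside. Only an exemption (evaluated with the inside host as
    source) or the static's mapped address admits the packet; anything else is
    the %ASA-3-305005 'No translation group found' case from the logs above."""
    src, dst = addr(src), addr(dst)
    if acl_lookup(NONAT_ACL, dst, src) == "permit":
        return str(dst)
    ps = POLICY_STATIC
    if dst == ps["mapped"] and acl_lookup(ps["acl"], ps["real"], src) == "permit":
        return str(ps["real"])
    return None


# Site B host routing table (constructed): connected /16 plus a default route.
SITEB_HOST_ROUTES = [(net("128.1.0.0/16"), "on-link"),
                     (net("0.0.0.0/0"), "128.1.250.0")]
HOST_ROUTE_TO_ASA = (net("128.1.1.5/32"), "128.1.70.100")   # the /32 fix


def next_hop(dst, routes):
    """Longest-prefix match. 'on-link' means the host ARPs for dst itself,
    and nothing on the Site B LAN answers ARP for 128.1.1.5."""
    dst = addr(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


if __name__ == "__main__":
    print(translate_outbound("10.201.10.6", "128.1.70.107"))   # 128.1.1.5
    print(translate_inbound("128.1.70.107", "10.201.10.6"))    # None -> 305005
    print(next_hop("128.1.1.5", SITEB_HOST_ROUTES))            # on-link
    print(next_hop("128.1.1.5", SITEB_HOST_ROUTES + [HOST_ROUTE_TO_ASA]))
```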

Author

Commented:
I wish I could give more points!!!
The static route on the host did the trick!
