https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318592#M311116 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Some observations,</P><P></P><UL><LI>You say that Site B has a router behind the LAN interface of the ASA</LI><LI>You say that Site B can ping Site A with no problem</LI><LI>You say that Site A cant ping Site B</LI><LI>On Site B there is no Route for the network 192.168.1.0/24</LI><LI>On Site B you have a Management interface which has the address range 192.168.1.0/24 also?</LI></UL><P></P><P>So I am beginning to think that the router behind the Site B ASA is doing Dynamic PAT for the network 192.168.1.0/24 behind it. This would mean that all traffic from the 192.168.1.0/24 would be PATed to some IP address from network 1.1.2.0/24. This again would enable traffic to flow from Site B to Site A normally. Considering the Dynamic PAT done by the Site B LAN router would mean though that no connection initiation would work from Site A to Site B since you cant form connections through Dynamic PAT from the external side.</P><P></P><P>So my guess would be that you would have to</P><UL><LI>Remove the Site B management interface configurations, atleast the IP address. If its in use change the network for the Management interface</LI><LI>Disable any type of NAT on the LAN Router at Site B so Site A can actually see the local network 192.168.1.0/24</LI><LI>Change the VPN and NAT configurations on the ASAs to reflect this change in the Site B network</LI></UL><P></P><P>The above would most likely affect your Site B Static NAT configuration you did just in the other discussion here on the forums.</P><P></P><P>One other alternative is that you configure Static NAT for the hosts you need on the Site B router from 192.168.0.x to 1.1.2.x so they can be connected from Site A</P><P></P><P>Hope I made sense <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 17:13:14 GMT Jouni Forss 2013-10-11T17:13:14Z https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318589#M311103 <P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Hi</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">My setup is like this:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">ASA-5505-SITE-A (1.1.1.1)</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">ASA-5510-SITE-B (1.1.2.1)</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">On this side the ASA inside interface gooing into a router as WAN.</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">My LAN outside my routeur is 192.168.1.x</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">There is a VPN UP between SITE-A and SITE-B</P><P></P><P>From SITE-B I can ping everything to SITE-A</P><P></P><P>From SITE-A to SITE-B, nothing works.</P><P></P><P></P><P>Please help me.</P> Tue, 12 Mar 2019 02:51:02 GMT https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318589#M311103 pl.mailloux 2019-03-12T02:51:02Z https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318590#M311106 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am not sure I understand the setup from the above.</P><P></P><P>If you could share the configurations of the ASA firewalls (without public IP addresses etc.) then could look through the configurations.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 16:13:15 GMT https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318590#M311106 Jouni Forss 2013-10-11T16:13:15Z https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318591#M311111 <HTML><HEAD></HEAD><BODY><P>On <STRONG>SITE-A </STRONG>my PC's IP adress come directly from the ASA 1.1.1.x</P><P>On <STRONG>SITE-B </STRONG>we use a router behind the firewall so my PC's adress are : 192.168.1.x</P><P></P><P>I can ping from SITE-B to SITE-A without any problem.</P><P></P><P>I cannot ping from SITE-A to SITE-B.</P><P></P><P>There is my 2 firewalls config.</P><P></P><P>Thanks</P><P></P><P><STRONG>SITE-A</STRONG></P><P>Result of the command: "show run"</P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 9.1(3) </P><P>!</P><P>hostname ciscoasa</P><P>enable password *** encrypted</P><P>xlate per-session deny tcp any4 any4</P><P>xlate per-session deny tcp any4 any6</P><P>xlate per-session deny tcp any6 any4</P><P>xlate per-session deny tcp any6 any6</P><P>xlate per-session deny udp any4 any4 eq domain</P><P>xlate per-session deny udp any4 any6 eq domain</P><P>xlate per-session deny udp any6 any4 eq domain</P><P>xlate per-session deny udp any6 any6 eq domain</P><P>passwd *** encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 1.1.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address SITE-A-PUBLIC-IP 255.255.255.240 </P><P>!</P><P>boot system disk0:/asa913-k8.bin</P><P>ftp mode passive</P><P>object network obj_any</P><P> subnet 0.0.0.0 0.0.0.0</P><P>object network LAN-SITE-B</P><P> subnet 1.1.2.0 255.255.255.0</P><P>object network LAN-SITE-A</P><P> subnet 1.1.1.0 255.255.255.0</P><P>object network Firewall-SITE-B</P><P> host SITE-B-PUBLIC-IP</P><P>object network SERVER01</P><P> host 1.1.1.2</P><P>object-group service ALL-IP tcp-udp</P><P> description ALL-IP</P><P> port-object range 1 65535</P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B </P><P>access-list OUTSIDE-IN extended permit ip any object SERVER01 </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,outside) source static LAN-SITE-A LAN-SITE-A destination static LAN-SITE-B LAN-SITE-B no-proxy-arp route-lookup</P><P>!</P><P>object network obj_any</P><P> nat (inside,outside) dynamic interface</P><P>object network SERVER01</P><P> nat (inside,outside) static SERVER01-PUBLIC-IP</P><P>access-group OUTSIDE-IN in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 SITE-A-PUBLIC-GATEWAY 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>no user-identity enable</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL </P><P>http server enable</P><P>http 1.1.1.0 255.255.255.0 inside</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev2 ipsec-proposal AES256</P><P> protocol esp encryption aes-256</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES192</P><P> protocol esp encryption aes-192</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES</P><P> protocol esp encryption aes</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal 3DES</P><P> protocol esp encryption 3des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal DES</P><P> protocol esp encryption des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto map outside_map 1 match address outside_cryptomap</P><P>crypto map outside_map 1 set pfs </P><P>crypto map outside_map 1 set peer SITE-B-PUBLIC-IP </P><P>crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpool policy</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P></P><P></P><P>dhcpd auto_config outside</P><P>!</P><P>dhcpd address 1.1.1.100-1.1.1.125 inside</P><P>dhcpd dns 24.200.241.37 24.201.245.77 interface inside</P><P>dhcpd enable inside</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>group-policy GroupPolicy_SITE-B-PUBLIC-IP internal</P><P>group-policy GroupPolicy_SITE-B-PUBLIC-IP attributes</P><P> vpn-tunnel-protocol ikev1 ikev2 </P><P>username *** password *** encrypted privilege 15</P><P>tunnel-group SITE-B-PUBLIC-IP type ipsec-l2l</P><P>tunnel-group SITE-B-PUBLIC-IP general-attributes</P><P> default-group-policy GroupPolicy_SITE-B-PUBLIC-IP</P><P>tunnel-group SITE-B-PUBLIC-IP ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev2 remote-authentication pre-shared-key *****</P><P> ikev2 local-authentication pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect sip&nbsp; </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:8306344f5f134526aa6df7293730742f</P><P>: end</P><P><STRONG><BR /></STRONG></P><P></P><P></P><P><STRONG>SITE-B</STRONG></P><P><SPAN style="font-size: 10pt;">Result of the command: "show run"</SPAN></P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 9.1(3) </P><P>!</P><P>hostname ciscoasa</P><P>enable password *** encrypted</P><P>passwd *** encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address dhcp setroute </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 1.1.2.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> management-only</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>ftp mode passive</P><P>object network obj_any</P><P> subnet 0.0.0.0 0.0.0.0</P><P>object network FireWall-SITE-A</P><P> host 1.1.1.1</P><P>object network LAN-SITE-B</P><P> subnet 1.1.2.0 255.255.255.0</P><P>object network LAN-SITE-A</P><P> subnet 1.1.1.0 255.255.255.0</P><P>access-list outside_cryptomap extended permit ip object LAN-SITE-B object LAN-SITE-A </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu management 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,outside) source static LAN-SITE-B LAN-SITE-B destination static LAN-SITE-A LAN-SITE-A no-proxy-arp route-lookup</P><P>!</P><P>object network obj_any</P><P> nat (inside,outside) dynamic interface</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>no user-identity enable</P><P>user-identity default-domain LOCAL</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>http 0.0.0.0 0.0.0.0 inside</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev2 ipsec-proposal DES</P><P> protocol esp encryption des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal 3DES</P><P> protocol esp encryption 3des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES</P><P> protocol esp encryption aes</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES192</P><P> protocol esp encryption aes-192</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES256</P><P> protocol esp encryption aes-256</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto map outside_map 1 match address outside_cryptomap</P><P>crypto map outside_map 1 set pfs </P><P>crypto map outside_map 1 set peer SITE-A-PUBLIC-IP </P><P>crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpool policy</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication crack</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 20</P><P> authentication rsa-sig</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 30</P><P> authentication pre-share</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 40</P><P> authentication crack</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 50</P><P> authentication rsa-sig</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 60</P><P> authentication pre-share</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 70</P><P> authentication crack</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 80</P><P> authentication rsa-sig</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 90</P><P> authentication pre-share</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 100</P><P> authentication crack</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 110</P><P> authentication rsa-sig</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 120</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 130</P><P> authentication crack</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 140</P><P> authentication rsa-sig</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 150</P><P> authentication pre-share</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P>dhcp-client client-id interface outside</P><P>dhcpd address 1.1.2.100-1.1.2.125 inside</P><P>dhcpd dns 142.169.1.16 199.84.242.22 interface inside</P><P>dhcpd enable inside</P><P>!</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>dhcpd enable management</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>group-policy GroupPolicy_SITE-A-PUBLIC-IP internal</P><P>group-policy GroupPolicy_SITE-A-PUBLIC-IP attributes</P><P> vpn-tunnel-protocol ikev1 ikev2 </P><P>username *** password *** encrypted</P><P>tunnel-group SITE-A-PUBLIC-IP type ipsec-l2l</P><P>tunnel-group SITE-A-PUBLIC-IP general-attributes</P><P> default-group-policy GroupPolicy_SITE-A-PUBLIC-IP</P><P>tunnel-group SITE-A-PUBLIC-IP ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev2 remote-authentication pre-shared-key *****</P><P> ikev2 local-authentication pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:db8f53008f268da84e76bae3bb414bc3</P><P>: end</P></BODY></HTML> Fri, 11 Oct 2013 16:39:29 GMT https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318591#M311111 pl.mailloux 2013-10-11T16:39:29Z https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318592#M311116 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Some observations,</P><P></P><UL><LI>You say that Site B has a router behind the LAN interface of the ASA</LI><LI>You say that Site B can ping Site A with no problem</LI><LI>You say that Site A cant ping Site B</LI><LI>On Site B there is no Route for the network 192.168.1.0/24</LI><LI>On Site B you have a Management interface which has the address range 192.168.1.0/24 also?</LI></UL><P></P><P>So I am beginning to think that the router behind the Site B ASA is doing Dynamic PAT for the network 192.168.1.0/24 behind it. This would mean that all traffic from the 192.168.1.0/24 would be PATed to some IP address from network 1.1.2.0/24. This again would enable traffic to flow from Site B to Site A normally. Considering the Dynamic PAT done by the Site B LAN router would mean though that no connection initiation would work from Site A to Site B since you cant form connections through Dynamic PAT from the external side.</P><P></P><P>So my guess would be that you would have to</P><UL><LI>Remove the Site B management interface configurations, atleast the IP address. If its in use change the network for the Management interface</LI><LI>Disable any type of NAT on the LAN Router at Site B so Site A can actually see the local network 192.168.1.0/24</LI><LI>Change the VPN and NAT configurations on the ASAs to reflect this change in the Site B network</LI></UL><P></P><P>The above would most likely affect your Site B Static NAT configuration you did just in the other discussion here on the forums.</P><P></P><P>One other alternative is that you configure Static NAT for the hosts you need on the Site B router from 192.168.0.x to 1.1.2.x so they can be connected from Site A</P><P></P><P>Hope I made sense <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 17:13:14 GMT https://community.cisco.com/t5/network-security/asa-firewall-issue/m-p/2318592#M311116 Jouni Forss 2013-10-11T17:13:14Z