I have a question regarding dynamic policy NAT and IPSEC Site2Site connections. Kinda hard to explain, but I will do my best.
The current setup is:
- two sites, site A (ASA 5520) and site B (ASA 5505), both with FW 8.2
- both sites are connected via an IPsec S2S tunnel
- at site A I have a customer router connected, with a transfer network of 192.168.1.0/29
- our customer requires us to SNAT every connection that goes to the customer network 172.16.0.0/20
- the SNAT IP has to be from the transfer network 192.168.1.0/29
At site A it works quite simply. I have a dynamic policy NAT defined so that every source IP from site A (10.10.0.0/10) that has 172.16.0.0/20 as destination is translated to 192.168.1.1.
The problem is site B (10.20.0.0/16). In this case I have a dynamic policy NAT on the ASA 5505 at site B. Every source IP from site B (10.20.0.0/10) that has 172.16.0.0/20 as destination is translated to 192.168.1.2. This IP is included in the S2S tunnel to site A and should normally be forwarded. When I try to access the customer network at site A, it works fine. When I try this at site B I don't get any connection. At site B I don't see any errors. ACLs, NAT, the IPsec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A. At site A I also don't see any errors at all. All I see is something like this on the ASA at site A:

6 Oct 26 2009 12:18:04 302013 192.168.1.1 14304 10.188.45.68 8001 Built inbound TCP connection 182622841 for outside:192.168.1.1/14304 (192.168.2.1/14304) to int_trans_network:172.16.1.1/8001 (172.16.1.1/8001)
The strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!
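For reference, here is an added example of what the relevant 8.2 configuration on both boxes looks like when policy NAT and a site-to-site tunnel are combined this way. This is not the poster's configuration; it was written to illustrate the three things that have to line up on this kind of topology: the policy NAT rule itself, the crypto ACL on both ends referencing the translated address rather than the real one, and the return path for the translated address on the transfer network at site A. All ACL and crypto-map names, the peer address 203.0.113.1 and the transform-set name are assumptions, the interface name int_trans_network is taken from the post, and both LANs are assumed to be /16 (the post gives /10 and /16 for the same prefix).

```cisco
! ===== Site B (ASA 5505, 8.2) =====  -- added example, names assumed
! Policy NAT: only 10.20.0.0/16 -> 172.16.0.0/20 is translated, to 192.168.1.2.
access-list POLICY_NAT_CUSTOMER extended permit ip 10.20.0.0 255.255.0.0 172.16.0.0 255.255.240.0
nat (inside) 2 access-list POLICY_NAT_CUSTOMER
global (outside) 2 192.168.1.2

! Check: on 8.2 NAT exemption (nat 0) is matched before policy NAT. The NONAT
! ACL must therefore NOT also cover 10.20.0.0/16 -> 172.16.0.0/20, or the
! source is never translated and the crypto ACL below never matches.
access-list NONAT extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Crypto ACL is evaluated after NAT, so the interesting traffic for the customer
! network is host 192.168.1.2 (translated), not 10.20.0.0/16 (real).
access-list VPN_TO_SITE_A extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list VPN_TO_SITE_A extended permit ip host 192.168.1.2 172.16.0.0 255.255.240.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ===== Site A (ASA 5520, 8.2) =====  -- added example, names assumed
! Mirror image of the site B crypto ACL: decrypted packets arrive on "outside"
! with source 192.168.1.2 and must be selected by the same proxy identities.
access-list VPN_TO_SITE_B extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list VPN_TO_SITE_B extended permit ip 172.16.0.0 255.255.240.0 host 192.168.1.2
crypto map OUTSIDE_MAP 20 match address VPN_TO_SITE_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.2
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Site A's own policy NAT only covers its local sources (inside -> customer).
access-list POLICY_NAT_CUSTOMER extended permit ip 10.10.0.0 255.255.0.0 172.16.0.0 255.255.240.0
nat (inside) 2 access-list POLICY_NAT_CUSTOMER
global (int_trans_network) 2 192.168.1.1

! Return path for site B's translated address: 192.168.1.2 lies inside the
! directly connected transfer network, so the customer router will ARP for it.
! An identity static makes this ASA proxy-ARP for 192.168.1.2 on
! int_trans_network, forwards the decrypted outside -> int_trans_network
! traffic untranslated, and also satisfies nat-control if it is enabled.
static (outside,int_trans_network) 192.168.1.2 192.168.1.2 netmask 255.255.255.255
```

Two checks that tell the two ends apart: `show crypto ipsec sa` on each ASA should show a child SA for 192.168.1.2/32 <-> 172.16.0.0/20 with #pkts encaps climbing at site B and #pkts decaps climbing at site A; and `packet-tracer input outside tcp 192.168.1.2 14304 172.16.1.1 8001` on site A walks the decrypted packet through the NAT, ACL and route lookup phases and reports the first one that drops it, which is more precise than the 302013 build message alone.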