ASA IPSEC site-to-site with NAT issue

brunellej (Level 1)

Hi,

I have what I thought was a simple configuration, but I am having issues and could use a second set of eyes.

I have a site-to-site between two locations:

Site A is 192.168.0.0/24

Site B is 192.168.4.0/24

I have been asked to NAT all communications between these sites to 10.57.4.0/24 and for a single host 192.168.0.112 to static NAT to 10.57.4.50.

Tunnel is up and running, and I can ping across the link to the far-end host at 192.168.4.20; no issues. But I am having an application problem where it will not establish communications. I suspect it's the reverse NAT, but I have reviewed the configuration several times. All connections to the NAT'd address of 10.57.4.50 should be forwarded to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NAT'd to 10.57.4.50 to traverse the tunnel.

The site B system can also ping 10.57.4.50.

Here's the running configuration:

ASA Version 8.3(2)

!

hostname fw1

domain-name <removed>

enable password <removed> encrypted

passwd <removed> encrypted

names

!

interface Vlan1

description Town Internal Network

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

description Public Internet

nameif outside

security-level 0

ip address 173.166.117.186 255.255.255.248

!

interface Vlan3

description DMZ (CaTV)

nameif dmz

security-level 50

ip address 192.168.2.1 255.255.255.0

!

interface Vlan5

description PD Network

nameif PDNet

security-level 95

ip address 192.168.0.1 255.255.255.0

!

interface Vlan10

description Infrastructure Network

nameif InfraNet

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan13

description Guest Wireless

nameif Wireless-Guest

security-level 25

ip address 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif StateNet

security-level 75

ip address 10.63.198.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,5,10,13

switchport trunk native vlan 1

switchport mode trunk

speed 100

duplex full

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport trunk allowed vlan 1,10,13

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/5

switchport access vlan 23

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1

switchport trunk native vlan 1

switchport mode trunk

shutdown

!

banner exec                     Access Restricted

banner login                     Access Restricted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name <removed>

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service IMAPoverSSL

service tcp destination eq 993

description IMAP over SSL     

object service POPoverSSL

service tcp destination eq 995

description POP3 over SSL     

object service SMTPwTLS

service tcp destination eq 465

description SMTP with TLS     

object network obj-192.168.9.20

host 192.168.9.20

object network obj-claggett-https

host 192.168.9.20

object network obj-claggett-imap4

host 192.168.9.20

object network obj-claggett-pop3

host 192.168.9.20

object network obj-claggett-smtp

host 192.168.9.20

object network obj-claggett-imapoverssl

host 192.168.9.20

object network obj-claggett-popoverssl

host 192.168.9.20

object network obj-claggett-smtpwTLS

host 192.168.9.20

object network obj-192.168.9.120

host 192.168.9.120

object network obj-192.168.9.119

host 192.168.9.119

object network obj-192.168.9.121

host 192.168.9.121

object network obj-wirelessnet

subnet 192.168.1.0 255.255.255.0

object network WirelessClients

subnet 192.168.1.0 255.255.255.0

object network obj-dmznetwork

subnet 192.168.2.0 255.255.255.0

object network FD_Firewall

host 74.94.142.229

object network FD_Net

subnet 192.168.6.0 255.255.255.0

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network obj-TownHallNet

subnet 192.168.9.0 255.255.255.0

object network obj_InfraNet

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network NHDOS_Firewall

host 72.95.124.69

object network NHDOS_SpotsHub

host 192.168.4.20

object network IMCMOBILE

host 192.168.0.112

object network NHDOS_Net

subnet 192.168.4.0 255.255.255.0

object network NHSPOTS_Net

subnet 10.57.4.0 255.255.255.0

object network IMCMobile_NAT_IP

host 10.57.4.50

object-group service EmailServices

description Normal Email/Exchange Services

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq https

service-object tcp destination eq imap4

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_1

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq pop3

service-object tcp destination eq https

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_2

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group network obj_clerkpc

description Clerk's PCs

network-object object obj-192.168.9.119

network-object object obj-192.168.9.120

network-object object obj-192.168.9.121

object-group network TownHall_Nets

network-object 192.168.10.0 255.255.255.0

network-object object obj-TownHallNet

object-group network DM_INLINE_NETWORK_1

network-object 192.168.10.0 255.255.255.0

network-object 192.168.9.0 255.255.255.0

object-group network DOS_Networks

network-object 10.56.0.0 255.255.0.0

network-object object NHDOS_Net

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

access-list StateNet_access_in extended permit ip object-group obj_clerkpc any

access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks

pager lines 24

logging enable

logging list Test1 level debugging class vpn

logging asdm debugging

logging mail errors

logging from-address <removed>

logging recipient-address <removed> level errors

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu Wireless-Guest 1500

mtu StateNet 1500

mtu InfraNet 1500

mtu PDNet 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net

nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net

nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks

!

object network obj_any

nat (inside,outside) static interface

object network obj-claggett-https

nat (inside,outside) static interface service tcp https https

object network obj-claggett-imap4

nat (inside,outside) static interface service tcp imap4 imap4

object network obj-claggett-pop3

nat (inside,outside) static interface service tcp pop3 pop3

object network obj-claggett-smtp

nat (inside,outside) static interface service tcp smtp smtp

object network obj-claggett-imapoverssl

nat (inside,outside) static interface service tcp 993 993

object network obj-claggett-popoverssl

nat (inside,outside) static interface service tcp 995 995

object network obj-claggett-smtpwTLS

nat (inside,outside) static interface service tcp 465 465

object network obj-192.168.9.120

nat (inside,StateNet) static 10.63.198.12

object network obj-192.168.9.119

nat (any,StateNet) static 10.63.198.10

object network obj-192.168.9.121

nat (any,StateNet) static 10.63.198.11

object network obj-wirelessnet

nat (Wireless-Guest,outside) static interface

object network obj-dmznetwork

nat (any,outside) static interface

object network obj_InfraNet

nat (InfraNet,outside) static interface

access-group outside_access_in in interface outside

access-group StateNet_access_in in interface StateNet

access-group PDNet_access_in in interface PDNet

route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable 5443

http 192.x.x.x 255.255.255.0 inside

http 7.x.x.x 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 72.x.x.x

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 173.x.x.x

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.168.9.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.9.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd lease 10800

dhcpd auto_config outside

!

dhcpd address 192.168.2.100-192.168.2.254 dmz

dhcpd dns 8.8.8.8 8.8.4.4 interface dmz

dhcpd enable dmz

!

dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest

dhcpd enable Wireless-Guest

!

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 63.240.161.99 source outside prefer

ntp server 207.171.30.106 source outside prefer

ntp server 70.86.250.6 source outside prefer

webvpn

group-policy DfltGrpPolicy attributes

group-policy FDIPSECTunnel internal

group-policy FDIPSECTunnel attributes

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec

username support password <removed> encrypted privilege 15

tunnel-group 72.x.x.x type ipsec-l2l

tunnel-group 72.x.x.x ipsec-attributes

pre-shared-key *****

tunnel-group 173.x.x.x type ipsec-l2l

tunnel-group 173.x.x.x general-attributes

default-group-policy FDIPSECTunnel

tunnel-group 173.x.x.x ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 1024

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

smtp-server 192.168.9.20

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

: end

Accepted Solution

If you do not have access to the remote site then you'll need to get their network person involved and compare each others configurations.  You'll need to make sure that they are seeing 192.168.0.112 as 10.57.4.50 and their server is responding back to that and NOT to 192.168.0.112.


24 Replies

ALIAOF_ (Level 6)

Ok, so it looks like you want Site A 192.168.0.0/24 to be NATed as 10.57.4.0/24. So everyone from 192.168.4.0/24 will hit the 10.57.4.50 IP to reach 192.168.0.112. And then you want to NAT all the 192.168.0.0/24 traffic back to 192.168.4.0 as the same IP?

Why not pick out a different IP for the static NAT to make things simple?

First, your ACLs seem to be messed up. For your VPN this is the ACL that is being used, which is right; not sure what those other PDNet access ones are for:

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks

??? (I don't believe you need these)

access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

Now you want to NAT your 192.168.0.112 to 10.57.4.50:

nat (inside,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

Now you should really pick out a different IP to NAT rest of your internal traffic like this:

nat (inside,outside) source dynamic NETWORK_OBJ_192.168.0.0_24 obj-10.57.4.xx destination static NHDOS_Net NHDOS_Net

Let me simplify;  what I need to do is to allow traffic between 192.168.0.112 and 192.168.4.20.   192.168.0.112 needs to be NAT'd to 10.57.4.50; nothing else on the 192.168.0.0/24 network is expected to leverage that IPSEC site-to-site.

Any traffic for 10.57.4.50 must be forwarded to 192.168.0.112, unrestricted.

My problem seems to be the return traffic that's trying to connect to 10.57.4.50. What makes this worse, I have no visibility into the far end to validate.

Without this rule, I am unable to ping anything on the other end of the tunnel:

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

Thoughts?

If you are trying to NAT 192.168.0.112 to 10.57.4.50, then your interesting traffic and the other side's interesting traffic should include 10.57.4.50, not 192.168.0.112.

Interesting traffic on your firewall:

Local: 10.57.4.0/24

Remote: 192.168.4.0/24

Interesting traffic on other firewall:

Local: 192.168.4.0/24

Remote 10.57.4.0/24

Any specific reason you have the ACL on that PDNet interface? You can control access via VPN ACLs if you want to. When you say return traffic trying to connect to 10.57.4.50, do you mean the 192.168.4.0/24 network?
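The interesting-traffic rule above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it models the twice-NAT rule and the crypto ACLs of both peers with Python's ipaddress module and reports where they disagree. Object names and networks are the thread's; the peer's ACL is an assumption constructed from the Local/Remote description above, since the far side's config is not available.

```python
"""Consistency check between an ASA twice-NAT rule and the IPsec
"interesting traffic" (crypto-map ACL) on both ends of a tunnel.

ASA 8.3+ matches the crypto ACL against post-NAT addresses, so the local
identity must cover the MAPPED host and the peer's identity must be the
exact mirror.  Networks below are the ones from the thread; the peer ACL is
constructed from the description in the post, not taken from a real config.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class TwiceNat:
    real_src: IPv4Network    # nat ... source static <real> ...
    mapped_src: IPv4Network  # ... <mapped> ...
    dst: IPv4Network         # destination static <dst> <dst> (identity NAT)


@dataclass(frozen=True)
class CryptoAce:
    local: IPv4Network   # source of the crypto ACL entry
    remote: IPv4Network  # destination of the crypto ACL entry


def check_interesting_traffic(nat, local_acl, peer_acl):
    """Return (code, detail) findings; an empty list means consistent."""
    findings = []

    # 1. Some local ACE must cover the flow as it looks AFTER NAT.
    if not any(nat.mapped_src.subnet_of(a.local) and nat.dst.subnet_of(a.remote)
               for a in local_acl):
        findings.append(("MAPPED_NOT_COVERED",
                         f"{nat.mapped_src} -> {nat.dst} matches no local crypto ACE"))

    # 2. An ACE written for the real (pre-NAT) host can never match.
    for a in local_acl:
        if nat.real_src.subnet_of(a.local) and not nat.mapped_src.subnet_of(a.local):
            findings.append(("REAL_ADDR_IN_ACL",
                             f"{a.local} -> {a.remote} uses the pre-NAT address"))

    # 3. The peer's identities must be the exact mirror of ours.
    ours = {(a.local, a.remote) for a in local_acl}
    theirs_mirrored = {(a.remote, a.local) for a in peer_acl}
    for local, remote in sorted(ours - theirs_mirrored, key=str):
        findings.append(("PEER_MISSING", f"peer has no mirror of {local} -> {remote}"))
    for local, remote in sorted(theirs_mirrored - ours, key=str):
        findings.append(("PEER_EXTRA",
                         f"peer has identity {remote} -> {local} with no counterpart here"))
    return findings


def net(s):
    return ip_network(s)  # "192.168.0.112/32" for a single host


# Objects as posted in the thread
IMCMOBILE = net("192.168.0.112/32")
IMCMOBILE_NAT_IP = net("10.57.4.50/32")
NHDOS_NET = net("192.168.4.0/24")
NHSPOTS_NET = net("10.57.4.0/24")
DOS_NETWORKS = [net("10.56.0.0/16"), NHDOS_NET]


def thread_example():
    """Posted config: outside_1_cryptomap expands DOS_Networks to two ACEs."""
    nat = TwiceNat(IMCMOBILE, IMCMOBILE_NAT_IP, NHDOS_NET)
    local_acl = [CryptoAce(NHSPOTS_NET, d) for d in DOS_NETWORKS]
    # Peer identities as described in the post (constructed assumption)
    peer_acl = [CryptoAce(NHDOS_NET, NHSPOTS_NET)]
    return check_interesting_traffic(nat, local_acl, peer_acl)


def real_address_example():
    """Common mistake: crypto ACL written with the real subnet, not the mapped one."""
    nat = TwiceNat(IMCMOBILE, IMCMOBILE_NAT_IP, NHDOS_NET)
    local_acl = [CryptoAce(net("192.168.0.0/24"), NHDOS_NET)]
    peer_acl = [CryptoAce(NHDOS_NET, NHSPOTS_NET)]
    return check_interesting_traffic(nat, local_acl, peer_acl)


if __name__ == "__main__":
    for name, fn in (("thread config", thread_example),
                     ("real-address ACL", real_address_example)):
        print(name)
        for code, detail in fn() or [("OK", "consistent")]:
            print(f"  {code}: {detail}")
```

Run against the posted config, the only finding is that the 10.56.0.0/16 member of DOS_Networks has no mirror on the peer side; the mapped host itself is covered and nothing references the pre-NAT address. The second scenario shows what a crypto ACL built on 192.168.0.0/24 would report: the post-NAT flow matches nothing, and neither side mirrors the other.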

Mohammad,

Thanks for all the feedback and redirection; ACL PDNet was added to allow ICMP between 192.168.0.112 and 192.168.4.20. Without it, no ICMP was possible. Do you have a suggested ACL or change to the VPN ACL?

Thanks

brunellej (Level 1)

Cleaned up the configuration a little, as I had some weird NAT rules:

ASA Version 8.3(2)

!

hostname fw1

domain-name

enable password 3pReiU/BulsTAnEl encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

description Town Internal Network

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

description Public Internet

nameif outside

security-level 0

ip address 173.x.x.x 255.255.255.248

!

interface Vlan3

description DMZ (CaTV)

nameif dmz

security-level 50

ip address 192.168.2.1 255.255.255.0

!

interface Vlan5

description PD Network

nameif PDNet

security-level 95

ip address 192.168.0.1 255.255.255.0

!

interface Vlan10

description Infrastructure Network

nameif InfraNet

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan13

description Guest Wireless

nameif Wireless-Guest

security-level 25

ip address 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif StateNet

security-level 75

ip address 10.63.198.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,5,10,13

switchport trunk native vlan 1

switchport mode trunk

speed 100

duplex full

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport trunk allowed vlan 1,10,13

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/5

switchport access vlan 23

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1

switchport trunk native vlan 1

switchport mode trunk

shutdown

!

banner exec                     Access Restricted

banner login                     Access Restricted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service IMAPoverSSL

service tcp destination eq 993

description IMAP over SSL     

object service POPoverSSL

service tcp destination eq 995

description POP3 over SSL     

object service SMTPwTLS

service tcp destination eq 465

description SMTP with TLS     

object network obj-192.168.9.20

host 192.168.9.20

object network obj-claggett-https

host 192.168.9.20

object network obj-claggett-imap4

host 192.168.9.20

object network obj-claggett-pop3

host 192.168.9.20

object network obj-claggett-smtp

host 192.168.9.20

object network obj-claggett-imapoverssl

host 192.168.9.20

object network obj-claggett-popoverssl

host 192.168.9.20

object network obj-claggett-smtpwTLS

host 192.168.9.20

object network obj-192.168.9.120

host 192.168.9.120

object network obj-192.168.9.119

host 192.168.9.119

object network obj-192.168.9.121

host 192.168.9.121

object network obj-wirelessnet

subnet 192.168.1.0 255.255.255.0

object network WirelessClients

subnet 192.168.1.0 255.255.255.0

object network obj-dmznetwork

subnet 192.168.2.0 255.255.255.0

object network FD_Firewall

host 74.x.x.x

object network FD_Net

subnet 192.168.6.0 255.255.255.0

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network obj-TownHallNet

subnet 192.168.9.0 255.255.255.0

object network obj_InfraNet

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network NHDOS_Firewall

host 72.x.x.x

object network NHDOS_SpotsHub

host 192.168.4.20

object network IMCMOBILE

host 192.168.0.112

object network NHDOS_Net

subnet 192.168.4.0 255.255.255.0

object network NHSPOTS_Net

subnet 10.57.4.0 255.255.255.0

object network IMCMobile_NAT_IP

host 10.57.4.50

object-group service EmailServices

description Normal Email/Exchange Services

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq https

service-object tcp destination eq imap4

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_1

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq pop3

service-object tcp destination eq https

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_2

service-object object IMAPoverSSL

service-object object POPoverSSL

service-object object SMTPwTLS

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group network obj_clerkpc

description Clerk's PCs

network-object object obj-192.168.9.119

network-object object obj-192.168.9.120

network-object object obj-192.168.9.121

object-group network TownHall_Nets

network-object 192.168.10.0 255.255.255.0

network-object object obj-TownHallNet

object-group network DM_INLINE_NETWORK_1

network-object 192.168.10.0 255.255.255.0

network-object 192.168.9.0 255.255.255.0

object-group network DOS_Networks

network-object 10.56.0.0 255.255.0.0

network-object object NHDOS_Net

object-group network DM_INLINE_NETWORK_2

network-object object IMCMOBILE

network-object object IMCMobile_NAT_IP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_2 log debugging

access-list StateNet_access_in extended permit ip object-group obj_clerkpc any

access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list PDNet_access_in extended permit ip object NHDOS_Net object IMCMOBILE

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

access-list PDNet_access_in extended permit ip any object IMCMobile_NAT_IP

access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks

pager lines 24

logging enable

logging list Test1 level debugging class vpn

logging asdm debugging

logging mail errors

logging from-address

logging recipient-address level errors

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu Wireless-Guest 1500

mtu StateNet 1500

mtu InfraNet 1500

mtu PDNet 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net

nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net

nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

!

object network obj_any

nat (inside,outside) static interface

object network obj-claggett-https

nat (inside,outside) static interface service tcp https https

object network obj-claggett-imap4

nat (inside,outside) static interface service tcp imap4 imap4

object network obj-claggett-pop3

nat (inside,outside) static interface service tcp pop3 pop3

object network obj-claggett-smtp

nat (inside,outside) static interface service tcp smtp smtp

object network obj-claggett-imapoverssl

nat (inside,outside) static interface service tcp 993 993

object network obj-claggett-popoverssl

nat (inside,outside) static interface service tcp 995 995

object network obj-claggett-smtpwTLS

nat (inside,outside) static interface service tcp 465 465

object network obj-192.168.9.120

nat (inside,StateNet) static 10.63.198.12

object network obj-192.168.9.119

nat (any,StateNet) static 10.63.198.10

object network obj-192.168.9.121

nat (any,StateNet) static 10.63.198.11

object network obj-wirelessnet

nat (Wireless-Guest,outside) static interface

object network obj-dmznetwork

nat (any,outside) static interface

object network obj_InfraNet

nat (InfraNet,outside) static interface

access-group outside_access_in in interface outside

access-group StateNet_access_in in interface StateNet

access-group PDNet_access_in in interface PDNet

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route StateNet 10.128.0.0 255.255.0.0 10.63.198.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable 5443

http 192.168.9.0 255.255.255.0 inside

http 74.x.x.x 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 72.x.x.x

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 173.x.x.x

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.168.9.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.9.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd lease 10800

dhcpd auto_config outside

!

dhcpd address 192.168.2.100-192.168.2.254 dmz

dhcpd dns 8.8.8.8 8.8.4.4 interface dmz

dhcpd enable dmz

!

dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest

dhcpd enable Wireless-Guest

!

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 63.240.161.99 source outside prefer

ntp server 207.171.30.106 source outside prefer

ntp server 70.86.250.6 source outside prefer

webvpn

group-policy DfltGrpPolicy attributes

group-policy FDIPSECTunnel internal

group-policy FDIPSECTunnel attributes

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec

username support password encrypted privilege 15

tunnel-group 72.x.x.x type ipsec-l2l

tunnel-group 72.x.x.x ipsec-attributes

pre-shared-key *****

tunnel-group 173.x.x.x type ipsec-l2l

tunnel-group 173.x.x.x general-attributes

default-group-policy FDIPSECTunnel

tunnel-group 173.x.x.x ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 1024

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

smtp-server 192.168.9.20

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:9fdced993f21fda0cbf5d55de5096035

: end

Ok I'm going by your last config you posted. 

ACL for the VPN:

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks

*** Your source is right, but the destination DOS_Networks has 10.56.0.0/16; where did that come from? If you need to go from 192.168.0.112 -- NAT --> 10.57.4.50 --> 192.168.4.0/24, then your destination should include only that network. And the other end will need to also match your side, so something like this:

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net 192.168.4.0 255.255.255.0

or

access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object NHDOS_Net

NAT for the VPN

nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

*** This looks right

PDNet ACL

ACL PDNet was added to allow ICMP between 192.168.0.112 and 192.168.4.20. Without it, no ICMP was possible. Do you have a suggested ACL or change to the VPN ACL?

*** After the VPN is working and NAT is working, then when you ping 192.168.4.20 from 192.168.0.112, 192.168.4.20 will see the IP as 10.57.4.50. And from 192.168.4.20 you will not be pinging or seeing 192.168.0.112; instead you will be seeing 10.57.4.50. Try taking that ACL off the PDNet interface.

Please correct me if I am wrong:

- We need to allow only traffic between 192.168.0.112 and 192.168.4.20.
- We need to NAT IP address 192.168.0.112 to 10.57.4.50 so that remote network should see the request coming from as 10.57.4.50.

If my understanding is correct with respect to the scenario then please let me know about following details:

1.) Is VPN terminated on this ASA or any other device?


2.) Access list PDNet_access_in does not seem to have the required traffic allowed in it. The detailed explanation follows:

access-group PDNet_access_in in interface PDNet
access-list PDNet_access_in extended permit ip object NHDOS_Net object IMCMOBILE
Explanation: This is configured to allow traffic from 192.168.4.0/24, which, as per your issue's description, can never be in the inbound direction on this interface.

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
Explanation: This is to allow traffic destined to 10.56.0.0/16, which again, as per your issue's description, is not in our interesting traffic range.

access-list PDNet_access_in extended permit ip any object IMCMobile_NAT_IP
Explanation: This rule is irrelevant, as it is to allow traffic destined to 10.57.4.50; however, this is a NATed IP address for a source situated behind the interface itself.

Thus, we should reconfigure this ACL or add one more entry to allow traffic from IMCMOBILE to NHDOS_Net.

3.) Regarding allowing traffic for one specific host over VPN, either we can configure interesting traffic for VPN to include host based ACL or we can configure VPN filters to allow specific traffic for VPN only.

4.) As explained by Mohammed earlier, interesting traffic for VPN should be :
Interesting traffic on your firewall:
Local: 10.57.4.0/24
Remote: 192.168.4.0/24


Interesting traffic on other firewall:
Local: 192.168.4.0/24
Remote 10.57.4.0/24

Please make sure that it is the same.


If the aforementioned configuration matches the suggested configuration, then please provide me the output of packet-tracer for the following:

packet-tracer input PDNet icmp 192.168.0.112 8 0 192.168.4.20 detailed


Regards,
Anuj
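Anuj's walk-through of PDNet_access_in can be turned into a repeatable check. The following is an added example, not code from the thread or from Cisco: it models the entries of PDNet_access_in from the second posted config (with object-group DOS_Networks expanded to one entry per member, as the ASA does internally), flags entries that cannot match inbound on PDNet or that name the mapped address of a host behind that interface, and resolves which entry permits the 192.168.0.112 -> 192.168.4.20 flow. The "any" keyword is modelled as 0.0.0.0/0; the connected subnet and the NAT mapping are the ones in the config.

```python
"""Sanity-check an inbound interface ACL on an ASA the way the post above
walks through PDNet_access_in.

An inbound ACL is evaluated against traffic ARRIVING on that interface and,
on ASA 8.3+, against real (untranslated) addresses.  So an entry whose source
is not behind the interface never matches, and an entry whose destination is
the mapped (NAT) address of a host behind that same interface is irrelevant.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Ace:
    src: IPv4Network
    dst: IPv4Network  # permit entries only; the ASA ends with an implicit deny


def net(s):
    return ip_network(s)


ANY = net("0.0.0.0/0")  # the ASA "any" keyword
IMCMOBILE = net("192.168.0.112/32")
IMCMOBILE_NAT_IP = net("10.57.4.50/32")
NHDOS_NET = net("192.168.4.0/24")
DOS_NETWORKS = [net("10.56.0.0/16"), NHDOS_NET]

# PDNet_access_in as in the second posted config, in order.
PDNET_ACCESS_IN = [
    Ace(net("192.168.0.0/24"), net("192.168.10.0/24")),   # PDNet -> InfraNet
    Ace(NHDOS_NET, IMCMOBILE),                             # NHDOS_Net -> IMCMOBILE
    *[Ace(IMCMOBILE, d) for d in DOS_NETWORKS],            # IMCMOBILE -> DOS_Networks
    Ace(ANY, IMCMOBILE_NAT_IP),                            # any -> IMCMobile_NAT_IP
]
PDNET_CONNECTED = [net("192.168.0.0/24")]     # ip address 192.168.0.1/24 on PDNet
PDNET_MAPPED = {IMCMOBILE_NAT_IP: IMCMOBILE}  # mapped -> real, from the twice-NAT rule


def audit_inbound_acl(acl, connected, mapped_local):
    """Return (index, code, detail) findings for an ACL applied 'in' on an interface.

    connected:    subnets reachable behind the interface (sources that can arrive)
    mapped_local: {mapped address: real address} for hosts behind the interface
    """
    findings = []
    for i, ace in enumerate(acl):
        if not any(ace.src.overlaps(c) for c in connected):
            findings.append((i, "SRC_NOT_BEHIND_IFC",
                             f"source {ace.src} never arrives inbound on this interface"))
        for mapped, real in mapped_local.items():
            if ace.dst.subnet_of(mapped):
                findings.append((i, "DST_IS_LOCAL_MAPPED",
                                 f"{ace.dst} is the mapped address of local host {real}; "
                                 "the inbound ACL sees real addresses"))
    return findings


def first_match(acl, src, dst):
    """Index of the first entry permitting src -> dst, or None (implicit deny)."""
    for i, ace in enumerate(acl):
        if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
            return i
    return None


if __name__ == "__main__":
    for i, code, detail in audit_inbound_acl(PDNET_ACCESS_IN, PDNET_CONNECTED, PDNET_MAPPED):
        print(f"entry {i}: {code}: {detail}")
    hit = first_match(PDNET_ACCESS_IN, IMCMOBILE, net("192.168.4.20/32"))
    print("192.168.0.112 -> 192.168.4.20 permitted by entry", hit)
```

On the posted ACL this reports entry 1 (NHDOS_Net -> IMCMOBILE) as a source that cannot arrive on PDNet and entry 4 (any -> IMCMobile_NAT_IP) as naming a local host's mapped address, and it resolves the 192.168.0.112 -> 192.168.4.20 flow to the IMCMOBILE -> NHDOS_Net entry that DOS_Networks expands to. The return flow from 192.168.4.20 is not evaluated by PDNet_access_in at all: it arrives decrypted on the outside interface, where the default sysopt connection permit-vpn exempts VPN traffic from the interface ACL, so that direction is governed by the crypto ACL and the NAT rule.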

Anuj,

Correct on your assumptions, we need to allow bi-directional traffic between 192.168.0.112 and 192.168.4.20.  192.168.0.112 needs to be NAT'd to 10.57.4.50, and inbound traffic from 192.168.4.20 will need to be allowed to communicate to 10.57.4.50 and forwarded to 192.168.0.112.

The tunnel is terminated on this ASA.

Here's the output from the packet-tracer:

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group PDNet_access_in in interface PDNet

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

object-group network DOS_Networks

network-object 10.56.0.0 255.255.0.0

network-object object NHDOS_Net

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcaaff030, priority=13, domain=permit, deny=false

hits=7309, user_data=0xc7df59a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=192.168.0.112, mask=255.255.255.255, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcab1ee98, priority=0, domain=inspect-ip-options, deny=true

hits=125366, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcad8bd70, priority=70, domain=inspect-icmp, deny=false

hits=99004, user_data=0xca86cca8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcac44c10, priority=66, domain=inspect-icmp-error, deny=false

hits=103074, user_data=0xca85a458, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

Additional Information:

Static translate 192.168.0.112/0 to 10.57.4.50/0

Forward Flow based lookup yields rule:

in  id=0xcb32f038, priority=6, domain=nat, deny=false

hits=5103, user_data=0xca7dd618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=192.168.0.112, mask=255.255.255.255, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=outside

Phase: 7

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xc9e44d58, priority=70, domain=encrypt, deny=false

hits=21, user_data=0xddae9c, cs_id=0xcaa18a48, reverse, flags=0x0, protocol=0

src ip/id=10.57.4.0, mask=255.255.255.0, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=any, output_ifc=outside

Phase: 8

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xcaa87170, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=21, user_data=0xde2154, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=192.168.4.0, mask=255.255.255.0, port=0

dst ip/id=10.57.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xc9eb7918, priority=0, domain=inspect-ip-options, deny=true

hits=11006554, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 11740002, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: PDNet

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Thanks for the prompt response.

As per the packet-tracer output, it seems that the ping is successful and is following the correct path. Thus, I checked the issue description again and found that the issue seems to be with some application.

Can you please let me know what sort of application it is and which ports it uses? If it uses any specific TCP/UDP ports, then can you please run a packet-tracer with respect to that specific port?

If the application works and dies after some time, then we will require simultaneous captures on the PDNet interface and on the corresponding interface at the remote end.

Regards,

Anuj

Anuj,

The application is a basic TCP-type application, communicating on port 6800. Here are packet-traces for the specific communication paths.

packet-tracer input PDNet tcp 192.168.0.112 4000 192.168.4.20 6800 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group PDNet_access_in in interface PDNet

access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks

object-group network DOS_Networks

network-object 10.56.0.0 255.255.0.0

network-object object NHDOS_Net

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcaaff030, priority=13, domain=permit, deny=false

hits=7382, user_data=0xc7df59a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=192.168.0.112, mask=255.255.255.255, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcab1ee98, priority=0, domain=inspect-ip-options, deny=true

hits=125467, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

Additional Information:

Static translate 192.168.0.112/4000 to 10.57.4.50/4000

Forward Flow based lookup yields rule:

in  id=0xcb32f038, priority=6, domain=nat, deny=false

hits=5176, user_data=0xca7dd618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=192.168.0.112, mask=255.255.255.255, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=outside

Phase: 5

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xc9e44d58, priority=70, domain=encrypt, deny=false

hits=96, user_data=0xddae9c, cs_id=0xcaa18a48, reverse, flags=0x0, protocol=0

src ip/id=10.57.4.0, mask=255.255.255.0, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=any, output_ifc=outside

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xcaa87170, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=96, user_data=0xde2154, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=192.168.4.0, mask=255.255.255.0, port=0

dst ip/id=10.57.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xc9eb7918, priority=0, domain=inspect-ip-options, deny=true

hits=11008859, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 11742571, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: PDNet

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Now, I am expecting that if 192.168.4.20 starts to communicate to 10.57.4.50, it will also be allowed and forwarded to 192.168.0.112. Here's the packet trace:

packet-tracer input outside tcp 192.168.4.20 4000 10.57.4.50 6800 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

Additional Information:

NAT divert to egress interface PDNet

Untranslate 10.57.4.50/6800 to 192.168.0.112/6800

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_2 log debugging

object-group network DM_INLINE_NETWORK_2

network-object object IMCMOBILE

network-object object IMCMobile_NAT_IP

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca8d8750, priority=13, domain=permit, deny=false

hits=8, user_data=0xc7df5900, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=192.168.0.112, mask=255.255.255.255, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9eb7918, priority=0, domain=inspect-ip-options, deny=true

hits=11009478, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca51d4f0, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=5, user_data=0xdf23cc, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=192.168.4.0, mask=255.255.255.0, port=0

dst ip/id=10.57.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net

Additional Information:

Forward Flow based lookup yields rule:

out id=0xca526868, priority=6, domain=nat-reverse, deny=false

hits=5, user_data=0xca7dd618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=192.168.4.0, mask=255.255.255.0, port=0

dst ip/id=192.168.0.112, mask=255.255.255.255, port=0, dscp=0x0

input_ifc=outside, output_ifc=PDNet

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xcab1ee98, priority=0, domain=inspect-ip-options, deny=true

hits=125475, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=PDNet, output_ifc=any

Phase: 7

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xcaa32860, priority=70, domain=encrypt, deny=false

hits=5, user_data=0xdecff4, cs_id=0xcaa18a48, reverse, flags=0x0, protocol=0

src ip/id=10.57.4.0, mask=255.255.255.0, port=0

dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0

input_ifc=any, output_ifc=outside

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: PDNet

output-status: up

output-line-status: up

Action: drop

Drop-reason: (ipsec-spoof) IPSEC Spoof detected

The IPSEC spoof message while trying to simulate traffic from outside to inside for the VPN is normal, since that IP address range is not actually available there: by the time the traffic reaches the outside interface it enters the VPN and is seen as an ESP packet with a public IP address. Thus, this output is normal.

What I would like to know is how the application fails. Does it fail to launch, or does it stop working after some time?

Also, is it possible for you to take captures on the LAN interface by configuring captures on the firewall? If yes, please provide me the same from the firewall when the issue occurs.

If you require steps to configure captures on the FW, then feel free to revert.

Regards,

Anuj
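The three packet-tracer outputs above share one layout: numbered phases, each with Type/Subtype/Result, a Config: block and an Additional Information: block, followed by a phase-less Result: block carrying the interfaces, the Action and, on a drop, the Drop-reason. The parser below is an added example (not code from the thread) that turns such a trace into a structured object, pulls out every NAT or UN-NAT address rewrite, and produces a verdict that applies the caveat just given: an ipsec-spoof drop on a simulated inbound VPN flow is expected, because real tunnel traffic reaches the outside interface as ESP. The two sample traces are constructed and abridged from the ones posted above.

```python
# Added example: parse Cisco ASA packet-tracer output (format as posted above).
import re
from dataclasses import dataclass, field
from typing import List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
# "Static translate A/port to B/port" (NAT) and "Untranslate A/port to B/port" (UN-NAT)
XLATE_RE = re.compile(r"^(Static translate|Untranslate)\s+(\S+?)/\d+\s+to\s+(\S+?)/\d+")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""
    drop_reason: Optional[str] = None
    input_interface: str = ""
    output_interface: str = ""

    def phase_types(self) -> List[str]:
        return [p.type for p in self.phases]

    def translations(self) -> List[dict]:
        """Every address rewrite recorded in NAT / UN-NAT phases, in order."""
        found = []
        for p in self.phases:
            if p.type in ("NAT", "UN-NAT"):
                for line in p.info:
                    m = XLATE_RE.match(line)
                    if m:
                        found.append({"phase": p.number, "kind": m.group(1),
                                      "from": m.group(2), "to": m.group(3)})
        return found


def parse_packet_tracer(text: str) -> Trace:
    """State machine: inside a phase, collect fields and the Config/Additional
    Information blocks; a bare 'Result:' switches to the final verdict block."""
    trace, phase, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            phase, section = Phase(int(m.group(1))), None
            trace.phases.append(phase)
            continue
        if line == "Result:":          # final verdict block follows
            phase, section = None, None
            continue
        if phase is None:              # verdict block (or the echoed command line)
            key, _, val = line.partition(":")
            val = val.strip()
            if key == "Action":
                trace.action = val
            elif key == "Drop-reason":
                trace.drop_reason = val
            elif key == "input-interface":
                trace.input_interface = val
            elif key == "output-interface":
                trace.output_interface = val
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(phase, m.group(1).lower(), m.group(2).strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            phase.config.append(line)
        elif section == "info":
            phase.info.append(line)
    return trace


def verdict(trace: Trace) -> str:
    """Final action; flags the expected ipsec-spoof drop of a simulated VPN ingress."""
    if trace.action == "allow":
        return "allow"
    reason = trace.drop_reason or "unknown"
    simulated_vpn = any(p.subtype == "ipsec-tunnel-flow" for p in trace.phases)
    if "ipsec-spoof" in reason and simulated_vpn:
        return f"drop: {reason} (expected for simulated VPN ingress; real traffic arrives as ESP)"
    return f"drop: {reason}"


# Constructed, abridged inbound trace: mapped 10.57.4.50 -> real 192.168.0.112.
INBOUND_TRACE = """\
packet-tracer input outside tcp 192.168.4.20 4000 10.57.4.50 6800 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
NAT divert to egress interface PDNet
Untranslate 10.57.4.50/6800 to 192.168.0.112/6800

Phase: 2
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:

Result:
input-interface: outside
input-status: up
output-interface: PDNet
output-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

# Constructed, abridged outbound trace: real 192.168.0.112 -> mapped 10.57.4.50.
OUTBOUND_TRACE = """\
Phase: 1
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
Static translate 192.168.0.112/4000 to 10.57.4.50/4000

Result:
input-interface: PDNet
output-interface: outside
Action: allow
"""

if __name__ == "__main__":
    for name, text in (("inbound", INBOUND_TRACE), ("outbound", OUTBOUND_TRACE)):
        t = parse_packet_tracer(text)
        print(name, t.phase_types(), t.translations(), verdict(t))
```

Feeding the real traces above through it gives the same picture the thread reaches by hand: the outbound TCP/6800 flow is translated and encrypted, and the inbound simulation stops at ipsec-spoof, which says nothing about the application path. The useful next signal is therefore a capture on PDNet, not another packet-tracer run.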

The application claims it cannot connect to 192.168.4.20 on TCP/6800.

I can configure a capture, but I just tried using the wizard and it didn't capture any traffic. So I must be doing something wrong; any instructions would be appreciated.

John

In the capture ACL, try using the IP addresses 192.168.0.112 to 192.168.4.20 and vice versa on interface PDNet. Once done, download it in PCAP form.

Regards,

Anuj
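The capture Anuj describes, in ASA CLI form, as an added example (not configuration from the thread). The capture is bound to PDNet because traffic there still carries the real addresses; the 10.57.4.50 mapping is only applied toward outside. The ACL name CAP_IMC, the capture names IMC_PDNET and IMC_DROPS, the buffer size and the TFTP target are assumed placeholders.

```cisco
! Capture ACL: both directions between the real (pre-NAT) hosts, as suggested above.
! Names and buffer size are assumptions, not values from the thread.
access-list CAP_IMC extended permit ip host 192.168.0.112 host 192.168.4.20
access-list CAP_IMC extended permit ip host 192.168.4.20 host 192.168.0.112
!
! Bind the capture to the PDNet interface, where packets still carry real addresses.
capture IMC_PDNET access-list CAP_IMC interface PDNet buffer 1000000
!
! Also record anything the ASA drops while the application fails, with the drop reason.
capture IMC_DROPS type asp-drop all buffer 1000000
!
! Reproduce the failure, then inspect and export the captures.
show capture IMC_PDNET
show capture IMC_DROPS
copy /pcap capture:IMC_PDNET tftp://<tftp-server>/imc_pdnet.pcap
! The same PCAP can be fetched in a browser from https://<asa-mgmt-ip>/admin/capture/IMC_PDNET/pcap
!
! Remove the captures when done; they consume memory while active.
no capture IMC_PDNET
no capture IMC_DROPS
```

What to look for: if the SYN from 192.168.0.112 to 192.168.4.20:6800 appears on PDNet but no SYN/ACK returns, the problem lies on the return path or at the remote end, which is why the earlier request for a simultaneous capture at Site B matters. If the SYN never appears, the application itself is not sending it. A matching entry in IMC_DROPS, or none, tells whether the ASA discarded anything in between.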
