12-10-2012 12:45 PM - edited 02-21-2020 06:32 PM
Hi,
I have what I thought was a simple configuration, but I am having issues and could use a second set of eyes.
I have a site-to-site between two locations:
Site A is 192.168.0.0/24
Site B is 192.168.4.0/24
I have been asked to NAT all communications between these sites to 10.57.4.0/24 and for a single host 192.168.0.112 to static NAT to 10.57.4.50.
The tunnel is up and running, and I can ping across the link to the far-end host at 192.168.4.20; no issues. But I am having an application problem where it will not establish communications. I suspect it's the reverse NAT, but I have reviewed the configuration several times. All connections to the NAT'd address 10.57.4.50 should be forwarded to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NAT'd to 10.57.4.50 to traverse the tunnel.
The site B system can also ping 10.57.4.50.
Here's the running configuration:
ASA Version 8.3(2)
!
hostname fw1
domain-name <removed>
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.166.117.186 255.255.255.248
!
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Vlan5
description PD Network
nameif PDNet
security-level 95
ip address 192.168.0.1 255.255.255.0
!
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
!
banner exec Access Restricted
banner login Access Restricted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name <removed>
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NHDOS_Firewall
host 72.95.124.69
object network NHDOS_SpotsHub
host 192.168.4.20
object network IMCMOBILE
host 192.168.0.112
object network NHDOS_Net
subnet 192.168.4.0 255.255.255.0
object network NHSPOTS_Net
subnet 10.57.4.0 255.255.255.0
object network IMCMobile_NAT_IP
host 10.57.4.50
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
object-group network DOS_Networks
network-object 10.56.0.0 255.255.0.0
network-object object NHDOS_Net
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
logging enable
logging list Test1 level debugging class vpn
logging asdm debugging
logging mail errors
logging from-address <removed>
logging recipient-address <removed> level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks
!
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
access-group PDNet_access_in in interface PDNet
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.x.x.x 255.255.255.0 inside
http 7.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> encrypted privilege 15
tunnel-group 72.x.x.x type ipsec-l2l
tunnel-group 72.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
: end
12-13-2012 06:58 AM
If you do not have access to the remote site, then you'll need to get their network person involved and compare each other's configurations. You'll need to make sure that they are seeing 192.168.0.112 as 10.57.4.50 and that their server is responding back to that and NOT to 192.168.0.112.
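The accepted answer comes down to comparing both peers' interesting-traffic definitions. As an added example (not from the thread or from either firewall), the following Python script does that comparison offline against the network objects and the outside_1_cryptomap ACL posted above. The Site B ACL it uses is constructed from what the replies say the remote side should contain, since the thread never shows it. Run as written, it reports that the local side correctly encrypts 10.57.4.50 rather than 192.168.0.112, and that the 10.57.4.0/24 -> 10.56.0.0/16 pair introduced by DOS_Networks has no counterpart on the remote peer.

```python
"""Cross-check the two peers' crypto ACLs (interesting traffic) for a NATed host.

Added example, not part of the original thread. It parses the network objects and
outside_1_cryptomap ACL from the configuration posted above, plus a CONSTRUCTED
guess at the remote (Site B) crypto ACL, then reports (a) whether the local side
encrypts the translated address 10.57.4.50 rather than the real 192.168.0.112 and
(b) which proxy-ID pairs lack a mirror image on the other peer.
"""
import ipaddress

# Local side: copied from the posted configuration.
LOCAL_CFG = """
object network NHDOS_Net
 subnet 192.168.4.0 255.255.255.0
object network NHSPOTS_Net
 subnet 10.57.4.0 255.255.255.0
object-group network DOS_Networks
 network-object 10.56.0.0 255.255.0.0
 network-object object NHDOS_Net
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
"""

# Remote side: CONSTRUCTED. Site B's config is not in the thread; this is what the
# replies say it should contain (local 192.168.4.0/24, remote 10.57.4.0/24).
REMOTE_CFG = """
access-list vpn_to_siteA extended permit ip 192.168.4.0 255.255.255.0 10.57.4.0 255.255.255.0
"""


def parse_objects(cfg):
    """Resolve 'object network' and 'object-group network' definitions to network lists."""
    objects, current = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] in (["object", "network"], ["object-group", "network"]):
            current = objects.setdefault(t[2], [])
        elif t[0] == "subnet":
            current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "host":
            current.append(ipaddress.ip_network(f"{t[1]}/32"))
        elif t[0] == "network-object":
            if t[1] == "object":
                current.extend(objects[t[2]])  # group member referencing an earlier object
            else:
                current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
    return objects


def _address_spec(tokens, i, objects):
    """Consume one ACL address spec starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok in ("object", "object-group"):
        return list(objects[tokens[i + 1]]), i + 2
    if tok == "host":
        return [ipaddress.ip_network(f"{tokens[i + 1]}/32")], i + 2
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2   # "addr mask" form


def crypto_pairs(cfg, acl_name):
    """Set of (src, dst) network pairs permitted by the named crypto ACL."""
    objects = parse_objects(cfg)
    pairs = set()
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_name] or t[3:5] != ["permit", "ip"]:
            continue
        srcs, i = _address_spec(t, 5, objects)
        dsts, _ = _address_spec(t, i, objects)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_report(local_pairs, remote_pairs):
    """IKEv1 proxy IDs must match exactly: every local (src, dst) needs a remote (dst, src)."""
    only_local = sorted(p for p in local_pairs if (p[1], p[0]) not in remote_pairs)
    only_remote = sorted(p for p in remote_pairs if (p[1], p[0]) not in local_pairs)
    return only_local, only_remote


def encrypts_translated_host(local_pairs, real_ip, nat_ip):
    """True if the local crypto ACL covers the NATed address and not the real one."""
    real, nat = ipaddress.ip_address(real_ip), ipaddress.ip_address(nat_ip)
    return (any(nat in s for s, _ in local_pairs)
            and not any(real in s for s, _ in local_pairs))


if __name__ == "__main__":
    local = crypto_pairs(LOCAL_CFG, "outside_1_cryptomap")
    remote = crypto_pairs(REMOTE_CFG, "vpn_to_siteA")
    print("local side encrypts 10.57.4.50, not 192.168.0.112:",
          encrypts_translated_host(local, "192.168.0.112", "10.57.4.50"))
    only_local, only_remote = mirror_report(local, remote)
    for s, d in only_local:
        print(f"local {s} -> {d} has no mirror on the remote peer")
    for s, d in only_remote:
        print(f"remote {s} -> {d} has no mirror on the local peer")
```

Replace REMOTE_CFG with the real Site B crypto ACL once their network person provides it; any pair the script lists is a proxy-ID mismatch that will stop Phase 2 for that pair.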
12-10-2012 01:31 PM
OK, so it looks like you want Site A 192.168.0.0/24 to be NATed as 10.57.4.0/24. So everyone from 192.168.4.0/24 will hit the 10.57.4.50 IP to reach 192.168.0.112. And then you want to NAT all the 192.168.0.0/24 traffic back to 192.168.4.0 as the same IP?
Why not pick out a different IP for the static NAT to make things simple ?
First, your ACLs seem to be messed up. For your VPN this is the ACL that is being used, which is right; not sure what those other PDNet access ones are for:
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
??? (I don't believe you need these)
access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
Now you want to NAT your 192.168.0.112 to 10.57.4.50:
nat (inside,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Now you should really pick out a different IP to NAT the rest of your internal traffic, like this:
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.0.0_24 obj-10.57.4.xx destination static NHDOS_Net NHDOS_Net
12-11-2012 02:08 AM
Let me simplify; what I need to do is to allow traffic between 192.168.0.112 and 192.168.4.20. 192.168.0.112 needs to be NAT'd to 10.57.4.50; nothing else on the 192.168.0.0/24 network is expected to leverage that IPsec site-to-site.
Any traffic for 10.57.4.50 must be forwarded to 192.168.0.112, unrestricted.
My problem seems to be the return traffic that's trying to connect to 10.57.4.50. What makes this worse, I have no visibility into the far end to validate.
Without this rule, I am unable to ping anything on the other end of the tunnel:
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
Thoughts?
12-11-2012 08:18 AM
If you are trying to NAT 192.168.0.112 to 10.57.4.50, then your interesting traffic and the other side's interesting traffic should include 10.57.4.50, not 192.168.0.112.
Interesting traffic on your firewall:
Local: 10.57.4.0/24
Remote: 192.168.4.0/24
Interesting traffic on other firewall:
Local: 192.168.4.0/24
Remote 10.57.4.0/24
Any specific reason you have the ACL on that PDNet interface? You can control access via VPN ACLs if you want to. When you say return traffic trying to connect to 10.57.4.50, do you mean the 192.168.4.0/24 network?
12-11-2012 09:20 AM
Mohammad,
Thanks for all the feedback and redirection; the PDNet ACL was added to allow ICMP between 192.168.0.112 and 192.168.4.20. Without it, no ICMP was possible. Do you have a suggested ACL or change to the VPN ACL?
Thanks
12-11-2012 02:57 AM
Cleaned up the configuration a little, as I had some weird NAT rules:
ASA Version 8.3(2)
!
hostname fw1
domain-name
enable password 3pReiU/BulsTAnEl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.x.x.x 255.255.255.248
!
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Vlan5
description PD Network
nameif PDNet
security-level 95
ip address 192.168.0.1 255.255.255.0
!
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
!
banner exec Access Restricted
banner login Access Restricted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.x.x.x
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NHDOS_Firewall
host 72.x.x.x
object network NHDOS_SpotsHub
host 192.168.4.20
object network IMCMOBILE
host 192.168.0.112
object network NHDOS_Net
subnet 192.168.4.0 255.255.255.0
object network NHSPOTS_Net
subnet 10.57.4.0 255.255.255.0
object network IMCMobile_NAT_IP
host 10.57.4.50
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
object-group network DOS_Networks
network-object 10.56.0.0 255.255.0.0
network-object object NHDOS_Net
object-group network DM_INLINE_NETWORK_2
network-object object IMCMOBILE
network-object object IMCMobile_NAT_IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_2 log debugging
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PDNet_access_in extended permit ip object NHDOS_Net object IMCMOBILE
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
access-list PDNet_access_in extended permit ip any object IMCMobile_NAT_IP
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
logging enable
logging list Test1 level debugging class vpn
logging asdm debugging
logging mail errors
logging from-address
logging recipient-address
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
!
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
access-group PDNet_access_in in interface PDNet
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route StateNet 10.128.0.0 255.255.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password
tunnel-group 72.x.x.x type ipsec-l2l
tunnel-group 72.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9fdced993f21fda0cbf5d55de5096035
: end
12-11-2012 10:02 AM
OK, I'm going by the last config you posted.
ACL for the VPN:
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
*** Your source is right, but the destination DOS_Networks has 10.56.0.0/16; where did that come from? If you need to go from 192.168.0.112 -- NAT --> 10.57.4.50 --> 192.168.4.0/24, then your destination should include only that network. And the other end will need to match your side as well, so something like this:
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net 192.168.4.0 255.255.255.0
or
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object NHDOS_Net
NAT for the VPN
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
*** This looks right
PDNet ACL
The PDNet ACL was added to allow ICMP between 192.168.0.112 and 192.168.4.20. Without it, no ICMP was possible. Do you have a suggested ACL or change to the VPN ACL?
*** After the VPN and the NAT are working, when you ping 192.168.4.20 from 192.168.0.112, 192.168.4.20 will see the IP as 10.57.4.50. And from 192.168.4.20 you will not be pinging or seeing 192.168.0.112; instead you will be seeing 10.57.4.50. Try taking that ACL off the PDNet interface.
12-11-2012 10:16 AM
Please correct me if I am wrong:
- We need to allow only traffic between 192.168.0.112 and 192.168.4.20.
- We need to NAT IP address 192.168.0.112 to 10.57.4.50 so that the remote network sees the request coming from 10.57.4.50.
If my understanding is correct with respect to the scenario then please let me know about following details:
1.) Is VPN terminated on this ASA or any other device?
2.) Access list PDNet_access_in does not seem to have the required traffic allowed in it. Below is the detailed explanation:
access-group PDNet_access_in in interface PDNet
access-list PDNet_access_in extended permit ip object NHDOS_Net object IMCMOBILE
Explanation: This is configured to allow traffic from 192.168.4.0/24, which as per your issue's description can never be in the inbound direction on this interface.
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
Explanation: This is to allow traffic destined to 10.56.0.0/16, which again as per your issue's description is not in our interesting traffic range.
access-list PDNet_access_in extended permit ip any object IMCMobile_NAT_IP
Explanation: This rule is irrelevant, as it allows traffic destined to 10.57.4.50; however, this is a NATed IP address for a source situated behind the interface itself.
Thus, we should reconfigure this ACL or add one more entry to allow traffic from IMCMOBILE to NHDOS_Net.
3.) Regarding allowing traffic for one specific host over VPN, either we can configure interesting traffic for VPN to include host based ACL or we can configure VPN filters to allow specific traffic for VPN only.
4.) As explained by Mohammed earlier, interesting traffic for VPN should be :
Interesting traffic on your firewall:
Local: 10.57.4.0/24
Remote: 192.168.4.0/24
Interesting traffic on other firewall:
Local: 192.168.4.0/24
Remote 10.57.4.0/24
Please make sure that it is same.
If the aforementioned configuration matches the suggested configuration, then please provide me the output of packet-tracer for the following:
packet-tracer input PDNet icmp 192.168.0.112 8 0 192.168.4.20 detailed
Regards,
Anuj
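Anuj's reading of the PDNet ACL rests on two ASA 8.3 behaviours: interface ACLs are evaluated on real (untranslated) addresses, and an inbound ACL only ever sees traffic arriving on that interface. The Python model below is an added example, not anything from the thread or from Cisco; it encodes the three tunnel-related PDNet_access_in entries, the twice-NAT rule and outside_1_cryptomap from the posted configuration and walks both flows through untranslate, ingress ACL, translate and crypto-map match. The "no ACL on outside" handling reflects that decrypted tunnel traffic bypasses outside_access_in while `sysopt connection permit-vpn` is at its default; the step order is a simplification of the real packet-tracer phases.

```python
"""Model of the ASA 8.3 forwarding decisions for the two flows in this thread.

Added example, not from the thread. Encodes the three PDNet_access_in entries,
the twice-NAT rule and outside_1_cryptomap from the posted config and walks the
forward flow (192.168.0.112 -> 192.168.4.20 entering PDNet) and the return flow
(192.168.4.20 -> 10.57.4.50 entering outside) through: untranslate, ingress ACL
on REAL addresses (ASA 8.3+), translate, crypto-map match on translated addresses.
The step order is a simplification of the real packet-tracer phases.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects from the posted configuration
IMCMOBILE = ip_network("192.168.0.112/32")
IMCMOBILE_NAT_IP = ip_network("10.57.4.50/32")
NHDOS_NET = ip_network("192.168.4.0/24")
NHSPOTS_NET = ip_network("10.57.4.0/24")
DOS_NETWORKS = [ip_network("10.56.0.0/16"), NHDOS_NET]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Ace:
    text: str   # the ASA line, for reporting
    src: list
    dst: list

    def matches(self, s, d):
        return any(s in n for n in self.src) and any(d in n for n in self.dst)


# access-group PDNet_access_in in interface PDNet (the three tunnel-related entries)
INTERFACE_ACLS = {
    "PDNet": [
        Ace("permit ip object NHDOS_Net object IMCMOBILE", [NHDOS_NET], [IMCMOBILE]),
        Ace("permit ip object IMCMOBILE object-group DOS_Networks", [IMCMOBILE], DOS_NETWORKS),
        Ace("permit ip any object IMCMobile_NAT_IP", ANY, [IMCMOBILE_NAT_IP]),
    ],
    # outside: decrypted tunnel traffic bypasses outside_access_in while
    # 'sysopt connection permit-vpn' is at its default, so no ACL is modelled here
}

# nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
TWICE_NAT = dict(real_ifc="PDNet", mapped_ifc="outside",
                 real_src=IMCMOBILE, mapped_src=IMCMOBILE_NAT_IP, dst=NHDOS_NET)

# access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
CRYPTO_ACL = Ace("permit ip object NHSPOTS_Net object-group DOS_Networks", [NHSPOTS_NET], DOS_NETWORKS)


def walk(ingress, src, dst):
    """Decisions for the first packet of a flow; returns a dict of what happened at each step."""
    src, dst = ip_address(src), ip_address(dst)
    steps = {"ingress": ingress}
    # 1. Un-translate on the mapped interface: 10.57.4.50 -> 192.168.0.112
    if (ingress == TWICE_NAT["mapped_ifc"] and dst in TWICE_NAT["mapped_src"]
            and src in TWICE_NAT["dst"]):
        dst = TWICE_NAT["real_src"].network_address
        steps["untranslated_dst"] = str(dst)
    # 2. Ingress interface ACL, first match wins, evaluated on REAL addresses
    acl = INTERFACE_ACLS.get(ingress)
    if acl is None:
        steps["acl"] = "no ACL consulted on ingress interface"
    else:
        hit = next((a.text for a in acl if a.matches(src, dst)), None)
        steps["acl"] = hit or "implicit deny"
        if hit is None:
            return steps
    # 3. Translate on the way out of the real interface: 192.168.0.112 -> 10.57.4.50
    if (ingress == TWICE_NAT["real_ifc"] and src in TWICE_NAT["real_src"]
            and dst in TWICE_NAT["dst"]):
        src = TWICE_NAT["mapped_src"].network_address
        steps["translated_src"] = str(src)
    # 4. Crypto map on outside matches the TRANSLATED packet (only for traffic leaving via outside)
    steps["encrypted_on_egress"] = ingress != "outside" and CRYPTO_ACL.matches(src, dst)
    steps["packet_after_nat"] = f"{src} -> {dst}"
    return steps


def never_hit(ingress, flows):
    """ACL entries on 'ingress' that none of the given (ingress, src, dst) flows select."""
    hits = {walk(i, s, d).get("acl") for i, s, d in flows}
    return [a.text for a in INTERFACE_ACLS[ingress] if a.text not in hits]


if __name__ == "__main__":
    flows = [("PDNet", "192.168.0.112", "192.168.4.20"),     # forward, from PDNet
             ("outside", "192.168.4.20", "10.57.4.50")]      # return, from the tunnel
    for f in flows:
        print(walk(*f))
    print("PDNet entries no flow ever selects:", never_hit("PDNet", flows))
```

For the forward flow only the `IMCMOBILE -> DOS_Networks` entry is selected, the source is then translated to 10.57.4.50 and the crypto ACL matches on that translated address, which is what the packet-tracer output in the next post shows. The return flow enters on outside, is untranslated back to 192.168.0.112 and never consults PDNet_access_in, so the `NHDOS_Net -> IMCMOBILE` and `any -> IMCMobile_NAT_IP` entries are dead.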
12-11-2012 10:35 AM
Anuj,
Correct on your assumptions; we need to allow bi-directional traffic between 192.168.0.112 and 192.168.4.20. 192.168.0.112 needs to be NAT'd to 10.57.4.50, and inbound traffic from 192.168.4.20 will need to be allowed to communicate with 10.57.4.50 and be forwarded to 192.168.0.112.
The tunnel is terminated on this ASA.
Here's the output from the packet-tracer:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PDNet_access_in in interface PDNet
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
object-group network DOS_Networks
network-object 10.56.0.0 255.255.0.0
network-object object NHDOS_Net
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaaff030, priority=13, domain=permit, deny=false
hits=7309, user_data=0xc7df59a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.112, mask=255.255.255.255, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcab1ee98, priority=0, domain=inspect-ip-options, deny=true
hits=125366, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcad8bd70, priority=70, domain=inspect-icmp, deny=false
hits=99004, user_data=0xca86cca8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac44c10, priority=66, domain=inspect-icmp-error, deny=false
hits=103074, user_data=0xca85a458, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
Static translate 192.168.0.112/0 to 10.57.4.50/0
Forward Flow based lookup yields rule:
in id=0xcb32f038, priority=6, domain=nat, deny=false
hits=5103, user_data=0xca7dd618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.112, mask=255.255.255.255, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=outside
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc9e44d58, priority=70, domain=encrypt, deny=false
hits=21, user_data=0xddae9c, cs_id=0xcaa18a48, reverse, flags=0x0, protocol=0
src ip/id=10.57.4.0, mask=255.255.255.0, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcaa87170, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=21, user_data=0xde2154, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.4.0, mask=255.255.255.0, port=0
dst ip/id=10.57.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc9eb7918, priority=0, domain=inspect-ip-options, deny=true
hits=11006554, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11740002, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: PDNet
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-11-2012 11:03 AM
Thanks for the prompt response.
As per the packet-tracer output, it seems that the ping is successful and is following the correct path. Thus, I checked the issue description again and found that the issue seems to be with some application.
Can you please let me know what sort of application it is and what ports it uses? If it uses any specific TCP/UDP ports, then can you please run a packet-tracer with respect to that specific port?
If the application works and dies after some time, then we will require spontaneous captures on the PDNet interface and simultaneously on the interface at the remote end.
Regards,
Anuj
12-11-2012 11:22 AM
Anuj,
The application is a basic TCP-type application, communicating on port 6800. Here's the packet-tracer output for the specific communication paths.
packet-tracer input PDNet tcp 192.168.0.112 4000 192.168.4.20 6800 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PDNet_access_in in interface PDNet
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
object-group network DOS_Networks
network-object 10.56.0.0 255.255.0.0
network-object object NHDOS_Net
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaaff030, priority=13, domain=permit, deny=false
hits=7382, user_data=0xc7df59a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.112, mask=255.255.255.255, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcab1ee98, priority=0, domain=inspect-ip-options, deny=true
hits=125467, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
Static translate 192.168.0.112/4000 to 10.57.4.50/4000
Forward Flow based lookup yields rule:
in id=0xcb32f038, priority=6, domain=nat, deny=false
hits=5176, user_data=0xca7dd618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.112, mask=255.255.255.255, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=outside
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc9e44d58, priority=70, domain=encrypt, deny=false
hits=96, user_data=0xddae9c, cs_id=0xcaa18a48, reverse, flags=0x0, protocol=0
src ip/id=10.57.4.0, mask=255.255.255.0, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcaa87170, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=96, user_data=0xde2154, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.4.0, mask=255.255.255.0, port=0
dst ip/id=10.57.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc9eb7918, priority=0, domain=inspect-ip-options, deny=true
hits=11008859, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11742571, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: PDNet
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Now, I am expecting that if 192.168.4.20 starts to communicate to 10.57.4.50, it will also be allowed and forwarded to 192.168.0.112. Here's the packet trace:
packet-tracer input outside tcp 192.168.4.20 4000 10.57.4.50 6800 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
NAT divert to egress interface PDNet
Untranslate 10.57.4.50/6800 to 192.168.0.112/6800
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_2 log debugging
object-group network DM_INLINE_NETWORK_2
network-object object IMCMOBILE
network-object object IMCMobile_NAT_IP
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca8d8750, priority=13, domain=permit, deny=false
hits=8, user_data=0xc7df5900, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.112, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb7918, priority=0, domain=inspect-ip-options, deny=true
hits=11009478, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca51d4f0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=5, user_data=0xdf23cc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.4.0, mask=255.255.255.0, port=0
dst ip/id=10.57.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca526868, priority=6, domain=nat-reverse, deny=false
hits=5, user_data=0xca7dd618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.4.0, mask=255.255.255.0, port=0
dst ip/id=192.168.0.112, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=PDNet
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcab1ee98, priority=0, domain=inspect-ip-options, deny=true
hits=125475, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=PDNet, output_ifc=any
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcaa32860, priority=70, domain=encrypt, deny=false
hits=5, user_data=0xdecff4, cs_id=0xcaa18a48, reverse, flags=0x0, protocol=0
src ip/id=10.57.4.0, mask=255.255.255.0, port=0
dst ip/id=192.168.4.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: PDNet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
12-11-2012 11:33 AM
The IPSEC spoof message while trying to simulate traffic from outside to inside for VPN is normal, since that IP address range is not actually available: by the time the traffic reaches outside it enters the VPN and is seen as an ESP packet with a public IP address. Thus, this output is normal.
What I would like to know is how the application fails. Does it fail to launch, or does it stop working after some time?
Also, is it possible for you to take captures on the LAN interface by configuring a capture on the firewall? If yes, please provide me the same from the firewall when the issue occurs.
If you require steps to configure captures on FW then feel free to revert.
Regards,
Anuj
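The trace format John pasted and the ipsec-spoof verdict Anuj explains above can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Cisco: a small standard-library Python parser for `packet-tracer ... detailed` output that splits it into phases and the final verdict, pulls out the NAT translate lines, and flags the case where an ipsec-spoof drop is the expected result of injecting a cleartext test packet on the tunnel-terminating interface. `SAMPLE_TRACE` is a constructed, trimmed copy of the outside-to-PDNet trace above; the function names are my own, not ASA or Cisco identifiers.

```python
"""Parse Cisco ASA 'packet-tracer ... detailed' output into phases plus verdict.
Added example (not from the thread or from Cisco); standard library only."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the thread's outside->PDNet trace.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (PDNet,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static NHDOS_Net NHDOS_Net
Additional Information:
Untranslate 10.57.4.50/6800 to 192.168.0.112/6800
Phase: 2
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
in id=0xca51d4f0, priority=69, domain=ipsec-tunnel-flow, deny=false
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
out id=0xca526868, priority=6, domain=nat-reverse, deny=false
input_ifc=outside, output_ifc=PDNet
Result:
input-interface: outside
output-interface: PDNet
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)  # lines under "Additional Information:"

def parse_packet_tracer(text):
    """Return (phases, summary). 'Phase: N' opens a phase; the bare 'Result:'
    line opens the final summary (input-interface, Action, Drop-reason, ...)."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":  # start of the trailing verdict block
            current, section = None, "summary"
        elif current is not None:
            if line.startswith("Type:"):
                current.type = line[5:].strip()
            elif line.startswith("Subtype:"):
                current.subtype = line[8:].strip()
            elif line.startswith("Result:"):
                current.result = line[7:].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                current.config.append(line)
            elif section == "info":
                current.info.append(line)
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return phases, summary

def nat_translations(phases):
    """Address rewrites the ASA would apply, taken from NAT and UN-NAT phases."""
    return [line for p in phases if p.type in ("NAT", "UN-NAT")
            for line in p.info if line.startswith(("Static translate", "Untranslate"))]

def expected_ipsec_spoof(phases, summary):
    """The benign case from the thread: drop reason is ipsec-spoof and an
    ipsec-tunnel-flow rule matched on the interface the packet was injected on."""
    if "ipsec-spoof" not in summary.get("Drop-reason", ""):
        return False
    ifc = summary.get("input-interface")
    return any(p.type == "VPN" and p.subtype == "ipsec-tunnel-flow"
               and any(l.startswith(f"input_ifc={ifc},") for l in p.info)
               for p in phases)
```

Running `parse_packet_tracer(SAMPLE_TRACE)` yields three ALLOW phases and a summary with `Action: drop` and the ipsec-spoof reason; `expected_ipsec_spoof` returns True, matching Anuj's reading that the drop is an artifact of simulating cleartext traffic on the outside interface. A drop with any other reason, or an ipsec-spoof drop where no ipsec-tunnel-flow rule matched, is the case that warrants a real capture on the LAN interface.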
12-11-2012 11:42 AM
The application claims it cannot connect to 192.168.4.20 on TCP/6800.
I can configure a capture, but I just tried using the wizard and it didn't capture any traffic. So I must be doing something wrong; any instructions would be appreciated.
John
12-11-2012 11:54 AM
In the capture ACL, try using the IP addresses 192.168.0.112 to 192.168.4.20 and vice versa on interface PDNet. Once done, download it in PCAP form.
Regards,
Anuj
12-11-2012 12:09 PM