ASA5520 and RV042

balgaa2008 (Level 1)

Hello,

I configured an ASA5520 and an RV042 for a site-to-site IPSec VPN tunnel.

The tunnel gets connected, but there is no ping and no traffic between the two end networks.

Network:

=======

192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP  address------Cisco 2821--------Internet

192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP  address------Cisco 2821--------Internet

ASA5520 config:

----------------------

name 192.168.10.0 VPN

!

interface GigabitEthernet0/1

nameif NET

security-level 100

ip address 192.168.113.6 255.255.255.0

!

access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0  255.255.255.0

access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0  VPN 255.255.255.0

crypto map com_map0 1 match address com_cryptomap

crypto map com_map0 1 set peer x.x.x.x

crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA  ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map com_map0 1 set phase1-mode aggressive

crypto map com_map0 interface com

crypto isakmp enable com

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec

tunnel-group DefaultL2LGroup ipsec-attributes

peer-id-validate nocheck

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

!

The RV042 config is very simple.

Any particular reason, or is some config missing?

Accepted Solution

Jennifer Halim (Cisco Employee)

Crypto ACL on the ASA has been configured the other way round.

Currently, it's:

access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0  255.255.255.0

It should be:

access-list com_cryptomap extended permit ip 192.168.113.0  255.255.255.0 VPN 255.255.255.0

Clear the tunnel after the changes, and let us know how it goes.

Please share the output of the following if it still doesn't work:

show cry isa sa

show cry ipsec sa


21 Replies


I tried the access-list on the ASA the same as above; after clearing, the tunnel goes down...

Please find my ASA information below.

---------------------------------

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)

Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders

System image file is "disk0:/asa822-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 20 days 15 hours

Hardware:   ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0  : address is 001a.6de9.32a8, irq 9

1: Ext: GigabitEthernet0/1  : address is 001a.6de9.32a9, irq 9

2: Ext: GigabitEthernet0/2  : address is 001a.6de9.32aa, irq 9

3: Ext: GigabitEthernet0/3  : address is 001a.6de9.32ab, irq 9

4: Ext: Management0/0       : address is 001a.6de9.32ac, irq 11

5: Int: Not used            : irq 11

6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 150

Inside Hosts                   : Unlimited

Failover                       : Active/Active

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

Security Contexts              : 2

GTP/GPRS                       : Disabled

SSL VPN Peers                  : 2

Total VPN Peers                : 750

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Below is the show command output before clearing the tunnel.

=====================

ciscoasa# sh crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 202.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : AM_ACTIVE

ciscoasa#

ciscoasa# sh crypto ipsec sa

======================

interface: com

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.113.0 255.255.255.0

      local ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE17F

      current inbound spi : E9E70AD0

    inbound esp sas:

      spi: 0xE9E70AD0 (3924232912)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 864256, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 2320

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x429AE17F (1117446527)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 864256, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 2320

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

It is still referring to the incorrect access-list, based on the output above:

Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.113.0 255.255.255.0

      local ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      current_peer: 202.x.x.x

The ACL is the other way round.

Can you clear the tunnel with the following commands:

clear cry ipsec sa

clear cry isa sa

Then try to establish the tunnel again by accessing between the 2 LANs.

I understand that if I configure the access-list below on the ASA,

access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

then the RV042 will be:

Local Secure Group: 192.168.113.0/255.255.255.0

Remote Secure Group: 192.168.10.0/255.255.255.0

Remote Secure Gateway: 202.x.x.y

Yes, I did clear cry ipsec sa and clear cry isa sa.

I configured the access-list on the ASA:

access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

On the RV042:

Local Secure Group: 192.168.10.0/255.255.255.0

Remote Secure Group: 192.168.113.0/255.255.255.0

Remote Secure Gateway: 202.x.x.y

Now the tunnel gets connected.

ciscoasa# sh cry isa sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 202.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : AM_ACTIVE

ciscoasa#

ciscoasa# sh cry ipsec sa

interface: mcscom

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE187

      current inbound spi : 95B9E556

    inbound esp sas:

      spi: 0x95B9E556 (2511988054)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 897024, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3418

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x429AE187 (1117446535)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 897024, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3418

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

But I can't ping from the RV042, or from a PC connected to the RV042, to the 192.168.113.0 network, and vice versa it is the same.

If I do a traceroute from the ASA, it goes to the Internet via the outside interface of the ASA...

Same problem on the RV042...

OK, that is good progress... The VPN part is now correct.

On the RV042, have you configured NAT exemption so that traffic from the RV042 LAN does not get NATed when it is destined for the ASA LAN network?

I enabled NAT-T traversal under the advanced settings on the RV042.

Is this the config you are asking about?

BTW, I can see the ASA receiving ping packets from the RV042 if I ping from the RV042 diagnostic menu.

But when I ping from the ASA to the RV042, the transmit packet count does not increase.

BTW, I uploaded the complete config of both sides to my forum Documents folder; you can download it.

Can you enable "management-access NET" on your ASA and see if you can ping 192.168.113.6 from behind the RV042?

Also, if you try to ping from the ASA, you would need to originate the ping from the NET interface, because the interesting traffic is only between the 192.168.113.0/24 and 192.168.10.0/24 subnets.

From the ASA, you can issue: ping NET 192.168.10.x

After enabling management-access on NET, I can ping from the RV042 to the ASA's NET interface address 192.168.113.6 only.

Also, "ping NET 192.168.10.1" from the ASA works, which is the RV042 LAN interface address only.

Hosts beyond both interfaces are unreachable by ping.

For example:

- PC with address 192.168.10.101 is unreachable from the ASA

- PCs with addresses 192.168.113.247 and 192.168.113.251 are unreachable from the RV042

From ASA:

========

ciscoasa# ping NET 192.168.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping NET 192.168.10.101

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.101, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

From RV042:

==========

Ping host or IP address:
Status: Test Succeeded
Packets: 4/4 transmitted, 4/4 received, 0% loss
Round Trip Time: Minimun = 2 ms
Maximun = 2 ms
Average = 2 ms

Ping host or IP address:
Status: Test Failed
Packets: 4/4 transmitted, 0/4 received, 100% loss
Round Trip Time: Minimun = 2147483647 ms
Maximun = 0 ms
Average = 0 ms

Any suggestions?

A few things to check, to pinpoint where the issue is:

1) When you are pinging from a 192.168.10.x host, where is the packet failing? You can check "sh cry ipsec sa" and see if the encrypt/decrypt packet counters increase as you perform the ping. This will give you an indication of where it could possibly be failing.

2) When you are pinging from a 192.168.113.x host, where is the packet failing? Same as above: for each scenario, check "sh cry ipsec sa" and see which counter increases and which stays the same.

Also, check if "inspect icmp" is enabled on your ASA. If it isn't, please enable it.

From the latest result that you have, the VPN is now working just fine, so anything we investigate now has to be another feature that is failing, i.e. NAT, firewall rules, etc.

1. 192.168.10.x before ping

=====================

ciscoasa# sh cry ipsec sa

interface: com

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE1D3

      current inbound spi : EB45F2AC

    inbound esp sas:

      spi: 0xEB45F2AC (3947229868)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1171456, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3518

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x429AE1D3 (1117446611)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1171456, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3518

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

after ping

=======

ciscoasa# sh cry ipsec sa

interface: com

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE1D3

      current inbound spi : EB45F2AC

    inbound esp sas:

      spi: 0xEB45F2AC (3947229868)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1171456, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3436

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x000001FF

    outbound esp sas:

      spi: 0x429AE1D3 (1117446611)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1171456, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3436

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

2. 192.168.113.x before ping

=====================

ciscoasa# sh cry ipsec sa

interface: com

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE1D4

      current inbound spi : 0EF1CBF2

    inbound esp sas:

      spi: 0x0EF1CBF2 (250727410)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1175552, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3589

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x429AE1D4 (1117446612)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1175552, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3589

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

after ping

========

ciscoasa# sh cry ipsec sa

interface: com

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE1D4

      current inbound spi : 0EF1CBF2

    inbound esp sas:

      spi: 0x0EF1CBF2 (250727410)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1175552, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3428

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x429AE1D4 (1117446612)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1175552, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3428

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

after ping from ASA

===============

ciscoasa# ping NET 192.168.10.101

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.101, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# sh cry ipsec sa

interface: com

    Crypto map tag: com_map0, seq num: 1, local addr: 202.x.x.y

      access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 192.168.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)

      current_peer: 202.x.x.x

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.x.x.y, remote crypto endpt.: 202.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 429AE1D4

      current inbound spi : 0EF1CBF2

    inbound esp sas:

      spi: 0x0EF1CBF2 (250727410)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1175552, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3300

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x429AE1D4 (1117446612)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1175552, crypto-map: com_map0

         sa timing: remaining key lifetime (sec): 3300

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

It seems that from the ASA it shows packets being processed, but not from the 192.168.113.x hosts.

ASA config:

=========

ciscoasa# sh run

: Saved

:

ASA Version 8.2(2)

!

hostname ciscoasa

domain-name mydomain.mn

enable password removed encrypted

passwd removed encrypted

names

name 192.168.253.0 linfo description linfo

name 172.16.0.8 linfo1 description linfo1

name 172.16.0.24 linfo2 description linfo2

name 122.x.x.0 gix-support description contract service remote access

name 202.x.0.0 branch-access-adsl description ISP network

name 180.x.x.0 gix-support2 description contract service remote access

name 192.168.10.0 VPN

name 10.0.1.0 VPN2

name 202.x.x.192 com-network2 description Public IP address

!

interface GigabitEthernet0/0

description Interface connected to Cisco 2621XM - to COM Internet provider

nameif com

security-level 0

ip address 202.x.x.202 255.255.255.248

!

interface GigabitEthernet0/1

nameif NET

security-level 100

ip address 192.168.113.6 255.255.255.0

!

interface GigabitEthernet0/2

nameif Servers

security-level 0

ip address 192.168.130.1 255.255.255.0

!

interface GigabitEthernet0/3

nameif Servers2

security-level 0

ip address 192.168.131.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

banner exec Please make sure what you are doing here...

banner login This ..... Department's network system.

banner login

banner login Please disconnect immediately or all your activities will be logged into system.

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone ULAST 8

dns domain-lookup com

dns domain-lookup NET

dns domain-lookup Servers

dns domain-lookup Servers2

dns domain-lookup management

dns server-group DefaultDNS

name-server 202.x.x.x

name-server 122.x.x.x

name-server 180.x.x.x

domain-name mydomain.mn

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1

network-object host 202.x.x.205

network-object host 202.x.x.206

access-list management_access_in remark network team have all access to security system

access-list management_access_in extended permit ip any any

access-list com_access_in extended permit tcp any host 202.x.x.206 eq ssh

access-list com_access_in extended permit icmp any host 202.x.x.206

access-list com_access_in extended permit tcp any host 202.x.x.206 eq www

access-list com_access_in extended permit tcp any host 202.x.x.205 eq ssh

access-list com_access_in extended permit icmp any host 202.x.x.205

access-list com_access_in extended permit tcp any host 202.x.x.206 eq 8080

access-list com_access_in extended permit tcp any host 202.x.x.206 eq 5432

access-list com_access_in extended permit ip gix-support 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list com_access_in extended permit ip gix-support 255.255.255.0 202.x.x.200 255.255.255.248

access-list NET_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 linfo 255.255.255.248

access-list NET_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 linfo1 255.255.255.248

access-list NET_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 linfo2 255.255.255.248

access-list Servers_access_in extended permit ip any any

access-list NET_nat_outbound_1 extended permit ip 192.168.113.0 255.255.255.0 192.168.130.0 255.255.255.0

access-list Servers2_access_in extended permit ip any any

access-list management_access_in_1 extended permit ip any any

access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0

access-list NET_access_in extended permit ip any any

access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0

pager lines 24

logging timestamp

logging asdm informational

mtu com 1500

mtu NET 1500

mtu Servers 1500

mtu Servers2 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any management

asdm image disk0:/asdm-625.bin

asdm history enable

arp timeout 14400

nat-control

global (com) 1 interface

global (NET) 2 interface

global (Servers) 3 interface

nat (com) 1 access-list com_nat_outbound dns

nat (NET) 2 access-list NET_nat_outbound

nat (NET) 3 access-list NET_nat_outbound_1

nat (NET) 1 192.168.113.0 255.255.255.0 dns

static (NET,com) 202.x.x.206 192.168.113.254 netmask 255.255.255.255 dns

static (NET,com) 202.x.x.205 192.168.113.253 netmask 255.255.255.255 dns

access-group com_access_in in interface com

access-group NET_access_in in interface NET

access-group Servers_access_in in interface Servers

access-group Servers2_access_in in interface Servers2

access-group management_access_in in interface management control-plane

access-group management_access_in_1 in interface management

route com 0.0.0.0 0.0.0.0 202.x.x.201 1

route NET linfo1 255.255.255.248 192.168.113.251 1

route NET linfo2 255.255.255.248 192.168.113.251 1

route NET linfo 255.255.255.248 192.168.113.251 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.113.0 255.255.255.0 NET

http gix-support 255.255.255.0 com

snmp-server location ... Department

snmp-server contact Me

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map com_map0 1 match address com_cryptomap

crypto map com_map0 1 set peer 202.x.x.196

crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map com_map0 1 set phase1-mode aggressive

crypto map com_map0 1 set reverse-route

crypto map com_map0 interface com

crypto isakmp enable com

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet gix-support2 255.255.255.0 com

telnet gix-support 255.255.255.0 com

telnet 202.x.x.201 255.255.255.255 com

telnet 192.168.113.0 255.255.255.0 NET

telnet 192.168.113.0 255.255.255.0 Servers

telnet 192.168.113.0 255.255.255.0 Servers2

telnet timeout 5

ssh gix-support 255.255.255.0 com

ssh gix-support2 255.255.255.0 com

ssh timeout 5

console timeout 0

management-access NET

dhcpd address 192.168.113.10-192.168.113.200 NET

dhcpd dns 202.x.x.11 122.x.x.5 interface NET

dhcpd domain mydomain.mn interface NET

dhcpd enable NET

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec

tunnel-group DefaultL2LGroup ipsec-attributes

peer-id-validate nocheck

tunnel-group 202.x.x.196 type ipsec-l2l

tunnel-group 202.x.x.196 ipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:35b6b4146c7f403149be3d91e0845382

: end

NAT exemption has not been configured on the ASA, hence it doesn't work.

Here is what needs to be configured on the ASA:

access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0

nat (NET) 0 access-list nonat-NET

Then "clear xlate" after the changes.

This should resolve the issue.

Thank you very much, Jennifer, for your time.

What is the purpose of this exempt rule?

Because I have never used it.

Is it possible to use exemption between the Server1, Server2 and NET interfaces?

The NAT exempt rule is to allow communication between subnets with their real IP addresses, i.e. no NATing (no translation) happens when you configure the access-list to match between the 2 subnets.

And yes, you can definitely configure NAT exemption between the Server1, Server2 and NET interfaces.

The trick is to configure the NAT exemption in 1 direction only, because it works bi-directionally, and to configure it on the higher security level interface.

Example:

If you would like to configure NAT exemption between the Server2 subnet and the NET subnet, then you configure the NAT on the NET interface because NET (sec level: 100) has a higher security level than Server2 (sec level: 0).

And since you already have a "nat (NET) 0 access-list" configured, all you need to do is add to the existing access-list:

access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 192.168.131.0 255.255.255.0

Hope this makes sense.
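The three rules that resolve this thread (the crypto ACL must be the mirror image of the peer's Local/Remote Secure Groups; a nat 0 exemption is needed because an 8.2 ASA applies NAT before it consults the crypto map; and the exemption belongs on the higher-security interface) as an added Python check. This is example code written for this page, not Cisco's or either poster's. It parses a constructed, trimmed copy of the thread's 8.2 configuration and the RV042 secure groups; the outside address is a documentation-range placeholder for the masked public IP, and the finding names are this example's own. It understands only the pre-8.3 `nat`/`global` syntax; 8.3 and later use object NAT and would need a different parser.

```python
import ipaddress

# Trimmed copy of the ASA 8.2(2) configuration posted in the thread, reduced to
# the lines this check reads. The outside address is a documentation-range
# placeholder because the real one is masked in the post.
ASA_BEFORE_FIX = """\
name 192.168.10.0 VPN
interface GigabitEthernet0/0
 nameif com
 security-level 0
 ip address 192.0.2.202 255.255.255.248
interface GigabitEthernet0/1
 nameif NET
 security-level 100
 ip address 192.168.113.6 255.255.255.0
interface GigabitEthernet0/3
 nameif Servers2
 security-level 0
 ip address 192.168.131.1 255.255.255.0
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
global (com) 1 interface
nat (NET) 1 192.168.113.0 255.255.255.0 dns
crypto map com_map0 1 match address com_cryptomap
"""
# The accepted fix (NAT exemption) appended to the same configuration.
ASA_AFTER_FIX = ASA_BEFORE_FIX + """\
access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
nat (NET) 0 access-list nonat-NET
"""
# RV042 Local/Remote Secure Group as finally configured in the thread.
RV042 = {"local": "192.168.10.0/24", "remote": "192.168.113.0/24"}


def _net(names, addr, mask):
    """Resolve an ASA 'name' alias and build a network from address + mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse(cfg):
    """Collect names, interfaces, 'permit ip' ACL entries, NAT rules and crypto ACLs."""
    p = {"names": {}, "ifs": {}, "acls": {}, "nat0": {}, "dyn": {}, "crypto": []}
    cur = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            p["names"][t[2]] = t[1]
        elif t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            p["ifs"][t[1]] = cur
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = _net(p["names"], t[2], t[3])
        elif t[0] == "access-list" and "permit" in t and t[t.index("permit") + 1] == "ip":
            i = t.index("permit") + 2
            try:
                entry = (_net(p["names"], t[i], t[i + 1]), _net(p["names"], t[i + 2], t[i + 3]))
            except ValueError:        # 'any', 'host x', object-group: not needed here
                continue
            p["acls"].setdefault(t[1], []).append(entry)
        elif t[0] == "nat":
            ifname = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":   # exemption: evaluated before dynamic NAT
                p["nat0"][ifname] = t[4]
            elif t[2] != "0":                            # dynamic (net/mask) or policy (ACL) NAT
                rule = t[4] if t[3] == "access-list" else _net(p["names"], t[3], t[4])
                p["dyn"].setdefault(ifname, []).append(rule)
        elif t[:2] == ["crypto", "map"] and "address" in t:
            p["crypto"].append(t[t.index("address") + 1])
    return p


def _covered(entries, src, dst):
    return any(s.supernet_of(src) and d.supernet_of(dst) for s, d in entries)


def _hosting_if(p, net):
    """Name of the interface whose connected subnet contains net."""
    return next((n for n, i in p["ifs"].items() if "net" in i and i["net"].supernet_of(net)), None)


def _translated(p, ifname, src, dst):
    """True if a dynamic/policy NAT rule on ifname rewrites src before the crypto map sees it."""
    for rule in p["dyn"].get(ifname, []):
        hit = _covered(p["acls"].get(rule, []), src, dst) if isinstance(rule, str) else rule.supernet_of(src)
        if hit:
            return True
    return False


def lint(cfg, peer):
    """Findings for the two mistakes in the thread: ACL direction and NAT before crypto."""
    p = parse(cfg)
    local, remote = ipaddress.ip_network(peer["local"]), ipaddress.ip_network(peer["remote"])
    findings = []
    for acl in p["crypto"]:
        for src, dst in p["acls"].get(acl, []):
            # ASA source->destination must be the exact mirror of the peer's local->remote.
            if not (src == remote and dst == local):
                findings.append(f"crypto-acl-not-mirrored:{acl} {src}->{dst}")
            inside = _hosting_if(p, src)
            if inside is None:
                continue
            exempt = p["nat0"].get(inside)
            if exempt and _covered(p["acls"].get(exempt, []), src, dst):
                continue                       # nat 0 matches first: nothing is rewritten
            if _translated(p, inside, src, dst):
                findings.append(f"missing-nat-exemption:{inside} {src}->{dst}")
    return findings


def exemption_interface(p, net_a, net_b):
    """Where a nat 0 between two connected subnets belongs: the higher security level."""
    names = (_hosting_if(p, ipaddress.ip_network(net_a)), _hosting_if(p, ipaddress.ip_network(net_b)))
    return max(names, key=lambda n: p["ifs"][n]["level"])


if __name__ == "__main__":
    print("before fix:", lint(ASA_BEFORE_FIX, RV042))
    print("after fix: ", lint(ASA_AFTER_FIX, RV042))
    print("nat 0 for NET<->Servers2 belongs on:",
          exemption_interface(parse(ASA_AFTER_FIX), "192.168.113.0/24", "192.168.131.0/24"))
```

On the configuration as originally posted the check reports the missing exemption for NET 192.168.113.0/24 to 192.168.10.0/24; with the `nonat-NET` lines added it reports nothing, and swapping the RV042 groups back to the original mistaken order reproduces the "not mirrored" finding from the accepted solution. For the Servers2 question in the last reply, `exemption_interface` picks NET, matching the higher-security-interface rule given above.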