02-16-2011 08:35 AM
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.205.0.11(unresolved)/137 dst outside:10.205.0.255(unresolved)/137 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.183/<port> dst outside:10.11.3.8/<port> denied due to NAT reverse path failure
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.205.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.205.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.205.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.205.0.0 255.255.0.0 10.205.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
I do have the following:
object-group network REMOTE_NETWORK
network-object object NETWORK-OLIVET
network-object object NETWORK-SSLVPN-POOL
network-object object NETWORK-SCOTT
object-group network LOCAL_NETWORK
network-object object NETWORK-HEAD
network-object object NETWORK-SALES
network-object object NETWORK-TRAINING
nat (inside,any) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
where OLIVET is 10.11, SSL is 10.205, HEAD is 10.1
What gives?
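Triaging these denials by hand gets tedious once there are more than a few. Below is an added example (not from the thread or from Cisco) that parses %ASA-5-305013 syslog lines, groups the denied flows by interface pair, and pulls out the two things worth checking first: which interfaces the failing flows originate on, and whether any flow enters and leaves the same interface. The log lines are constructed, modelled on the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the 305013 messages quoted in the thread.
# One unrelated 302013 line is included to show that other messages are ignored.
SAMPLE_LOG = """\
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.205.0.11(unresolved)/137 dst outside:10.205.0.255(unresolved)/137 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.183/51234 dst outside:10.11.3.8/445 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.50/51300 dst outside:10.11.3.8/3389 denied due to NAT reverse path failure
%ASA-6-302013: Built outbound TCP connection 12345 for outside:10.11.3.8/80 (10.11.3.8/80) to inside:10.1.0.183/52000 (10.1.0.183/52000)
"""

# Field layout of the 305013 message: "<proto> src <if>:<ip>[(name)]/<port> dst <if>:<ip>[(name)]/<port>".
# The optional "(unresolved)" after an address is the ASA's failed name lookup and is skipped.
MSG_305013 = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)(?:\([^)]*\))?/(?P<src_port>\S+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)(?:\([^)]*\))?/(?P<dst_port>\S+) "
    r"denied due to NAT reverse path failure"
)


def parse_305013(text):
    """Return one dict per 305013 line; any other syslog line is ignored."""
    events = []
    for line in text.splitlines():
        m = MSG_305013.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count denials per (src interface, dst interface, proto, dst port).
    A cluster on one interface pair points at the NAT rule written for that pair."""
    return Counter((e["src_if"], e["dst_if"], e["proto"], e["dst_port"]) for e in events)


def source_interfaces(events):
    """Interfaces the denied flows originate on. The observation later in the
    thread, 'they are always src inside', corresponds to this being {'inside'}."""
    return {e["src_if"] for e in events}


def hairpin_flows(events):
    """Flows that enter and leave the same interface (here the UDP/137 broadcast
    from the SSL VPN pool): these need a rule for that interface pair, not a
    rule written for inside-to-outside."""
    return [e for e in events if e["src_if"] == e["dst_if"]]


if __name__ == "__main__":
    evs = parse_305013(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(n, key)
    print("originating interfaces:", source_interfaces(evs))
    print("same-interface flows:", len(hairpin_flows(evs)))
```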
02-16-2011 07:17 PM
Yes, "NAT 0 with access-list" is the old way of doing NAT and is only supported on version 8.2 and below.
The new version 8.3 and above supports the NAT object now.
Can I assume that the REMOTE_NETWORK object group is routed out the "outside" interface?
If it is, here is my recommendation, i.e. use a specific interface name instead of "any", as "any" can cause issues with the asymmetric NAT error:
nat (inside,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
no nat (inside,any) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
Then "clear xlate".
Hope that helps.
02-17-2011 08:15 AM
Thank you for your reply!
Okay, I did notice that before. Though I think this might add another wrinkle to the situation. We have two public Class C address spaces. I have them both terminated to the ASA: Outside-100 and Outside-101, same security level. Though I just now added the 'same-security-traffic permit inter-interface' command.
I did add in a nat (inside,outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
though I did leave in the (inside, any)
I'll see what it looks like with:
same-security-traffic permit inter-interface
no nat (inside, any) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (inside, outside-100) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (inside, outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
clear xlate
Thanks!
02-17-2011 03:23 PM
You don't really need the command: same-security-traffic permit inter-interface
That command is only required if you would like to communicate between interfaces that have the same security level, i.e. communicate between your 2 external interfaces.
02-18-2011 07:39 AM
Thank you again for your reply... This has been stressing me out for a while now and my head hurts from all of the banging!
I thought that the same-security command might help out in another situation.
I'm about to give up on our second public subnet terminated to the same ASA. So when in the lab I place a remote ASA/PIX on subnet Outside-100, though the VPN terminates on subnet Outside-101, outside-101 has a hard time talking to the static IP on Outside-100. I end up having to put a route in for the static.
Anyway. Adding the Specific NAT commands for Inside to Outside-100 and Outside-101 didn't seem to fix the issue.
Some other info.
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:
They are always src inside:
Any Originating Traffic from
So I cannot access the server at the remote office, though the remote office can access the corp office... So I fear that I don't have the VPN setup 100% either. )-:
I'll see if I can sanitize some configs.
I appreciate your help!
Scott
02-18-2011 08:03 AM
Here are my Configs.
Thank you....
Corp Office Config
ASA Version 8.3(2)
!
hostname Corp-Office
names
name 10.1.0.0 NETWORK-CORP
name 10.10.0.0 NETWORK-HA
name 10.11.0.0 NETWORK-OLIVET
name 10.12.0.0 NETWORK-235HBG
name 10.13.0.0 NETWORK-FITCH
name 10.2.0.0 NETWORK-SALES
name 10.100.0.0 NETWORK-IPSec-POOL description IPSec DHCP Pool
name 10.6.0.0 NETWORK-TRAINING
name 10.205.0.0 NETWORK-SSLVPN-POOL description SSL VPN Client DHCP Pool
dns-guard
!
interface Ethernet0/0
description 100 Network Outside IP
nameif outside-100
security-level 0
ip address 100.123.234.16 255.255.255.0
!
interface Ethernet0/1
description 101 Network Outside IP
nameif outside-101
security-level 0
ip address 101.123.234.3 255.255.255.0
!
interface Ethernet0/2
description inside
nameif inside
security-level 100
ip address 10.1.0.3 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.0.6
name-server 10.1.0.8
domain-name ADDCDOMAIN.com
object network NETWORK-235HBG
subnet 10.12.0.0 255.255.0.0
object network NETWORK-FITCH
subnet 10.13.0.0 255.255.0.0
object network NETWORK-HA
subnet 10.10.0.0 255.255.0.0
object network NETWORK-CORP
subnet 10.1.0.0 255.255.0.0
description Healdsburg Network
object network NETWORK-OLIVET
subnet 10.11.0.0 255.255.0.0
object network NETWORK-SALES
subnet 10.2.0.0 255.255.0.0
object network NETWORK-TRAINING
subnet 10.6.0.0 255.255.0.0
object network NETWORK-SSLVPN-POOL
subnet 10.205.0.0 255.255.0.0
description SSL VPN Client DHCP Pool
object network NETWORK-OLIVET2
subnet 10.11.0.0 255.255.0.0
description NETWORK-OLIVET2
object network NETWORK-ADMIN
subnet 10.12.0.0 255.255.255.0
object network NETWORK-HA-SSLVPN-POOL
subnet 10.210.0.0 255.255.0.0
description HA SSL VPN Client DHCP Pool
object network NETWORK-OLIVET-SSLVPN-POOL
subnet 10.211.0.0 255.255.0.0
description Olivet SSL VPN Client DHCP Pool
object network NETWORK-FITCH-SSLVPN-POOL
subnet 10.213.0.0 255.255.0.0
description Fitch SSL VPN Client DHCP Pool
object network 100.123.234-NAT-POOL
range 100.123.234.190 100.123.234.225
object network vsvr-www-eandm_o
host 100.123.234.189
description Intranet Webserver
object network OUR_o
host 100.123.234.12
description CA-Syslog Server
object network OUR_i
host 10.1.0.12
description CA-Syslog Server
object network vsvr-exch2010_o
host 100.123.234.15
description Exchange 2010 Mail Server
object network vsvr-exch2010_i
host 10.1.1.15
object network secure.norcal.wonderware.com_o
host 100.123.234.176
description WWNC Secure Website IP Address
object network secure.norcal.wonderware.com_i
host 10.1.1.161
object network 101.123.234-NAT-POOL
range 101.123.234.50 101.123.234.254
object network DNS_SERVER_o
host 100.123.234.14
description Public DNS Server
object network DNS_SERVER_i
host 10.1.0.14
object network NETWORK-MEINZ
subnet 10.16.0.0 255.255.0.0
object-group network NETWORK-FITCH-ALL
network-object object NETWORK-FITCH
object-group network NETWORK-OLIVET-ALL
network-object object NETWORK-OLIVET
object-group network NETWORK-235ALL
network-object object NETWORK-235HBG
object-group network NETWORK-HA-ALL
network-object object NETWORK-HA
object-group network LOCAL_NETWORK_REMOTE_VPN
network-object object NETWORK-CORP
network-object object NETWORK-SALES
network-object object NETWORK-TRAINING
network-object object NETWORK-OLIVET
network-object object NETWORK-HA
network-object object NETWORK-FITCH
network-object object NETWORK-235HBG
network-object object NETWORK-FITCH-SSLVPN-POOL
network-object object NETWORK-HA-SSLVPN-POOL
network-object object NETWORK-OLIVET-SSLVPN-POOL
network-object object NETWORK-OLIVET2
network-object object NETWORK-MEINZ
object-group network REMOTE_NETWORK
network-object object NETWORK-OLIVET
network-object object NETWORK-SSLVPN-POOL
network-object object NETWORK-OLIVET2
network-object object NETWORK-MEINZ
object-group network LOCAL_NETWORK
network-object object NETWORK-CORP
network-object object NETWORK-SALES
network-object object NETWORK-TRAINING
object-group network NETWORK-MEINZ-ALL
network-object object NETWORK-MEINZ
access-list SSLVPN-SplitTunnel extended permit ip object-group LOCAL_NETWORK_REMOTE_VPN object NETWORK-SSLVPN-POOL
access-list SSLVPN-SplitTunnel extended permit ip object NETWORK-SSLVPN-POOL object-group LOCAL_NETWORK_REMOTE_VPN
access-list outside-100_access_in extended permit icmp 100.123.234.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside-100_access_in extended permit udp any object DNS_SERVER_o eq domain
access-list outside-100_access_in extended permit tcp any object DNS_SERVER_o eq domain
access-list outside-100_access_in extended permit tcp any object DNS_SERVER_i eq domain
access-list outside-100_access_in extended permit udp any object DNS_SERVER_i eq domain
access-list Meinz_cryptomap extended permit ip object-group LOCAL_NETWORK object NETWORK-MEINZ log debugging
access-list outside-101_access_in extended permit icmp 101.123.234.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside-101_access_in extended permit icmp any any
pager lines 54
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list VPNCLIENT-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging list NACPolicy level warnings class nacpolicy
logging list All-Notifications level notifications
logging console notifications
logging monitor informational
logging buffered debugging
logging trap informational
logging asdm warnings
logging mail warnings
logging device-id string corp
logging host outside-100 OUR_o
logging host inside 10.1.0.12
logging debug-trace
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305011 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu outside-100 1500
mtu outside-101 1500
mtu inside 1500
mtu management 1500
ip local pool SSLVPN-IP-POOL NETWORK-SSLVPN-POOL-10.205.0.255 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside-100
icmp permit any inside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NETWORK-CORP NETWORK-CORP destination static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (inside,outside-100) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK description Do Not NAT Traffic to-from Remtoe LANs
nat (inside,outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK description Do Not NAT Traffic to-from Remtoe LANs
nat (inside,outside-100) source dynamic any 100.123.234-NAT-POOL interface
nat (inside,outside-101) source dynamic any 101.123.234-NAT-POOL interface
nat (outside-100,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,any) source static REMOTE_NETWORK REMOTE_NETWORK
!
object network DNS_SERVER_i
nat (inside,outside-100) static DNS_SERVER_o
access-group outside-100_access_in in interface outside-100
access-group outside-101_access_in in interface outside-101
route outside-100 0.0.0.0 0.0.0.0 100.123.234.1 2
route inside NETWORK-SALES 255.255.0.0 10.1.0.11 1
route inside NETWORK-TRAINING 255.255.0.0 10.1.0.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ADDCDOMAIN-R protocol radius
aaa-server ADDCDOMAIN-R (inside) host 10.1.0.6
key key
radius-common-pw
aaa authentication ssh console LOCAL
http server enable
http NETWORK-CORP 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map olivet.ADDCDOMAIN.com 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map meinz.home 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-100_map 2 ipsec-isakmp dynamic olivet.ADDCDOMAIN.com
crypto map outside-100_map 3 ipsec-isakmp dynamic meinz.home
crypto map outside-100_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-100_map interface outside-100
crypto map outside-101_map 2 ipsec-isakmp dynamic olivet.ADDCDOMAIN.com
crypto map outside-101_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-101_map interface outside-101
crypto ca trustpoint OUR-CA
enrollment url http://10.1.0.222:80//certsrv/mscep/mscep.dll
fqdn corp.ADDCDOMAIN.com
crl configure
crypto ca certificate chain OUR-CA
certificate ca 3a0dc5ed0429b8a942b7ef1bfd21ab59
quit
certificate 27bf22f600000000000a
quit
crypto isakmp identity address
crypto isakmp enable outside-100
crypto isakmp enable outside-101
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet NETWORK-CORP 255.255.255.0 inside
telnet timeout 25
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.0.6 source inside
ntp server 10.1.0.8 source inside prefer
ntp server 192.6.38.127 source outside-100 prefer
ssl trust-point OUR-CA outside-101
ssl trust-point OUR-CA outside-100
webvpn
enable outside-100
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2006-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-macosx-i386-2.5.2011-k9.pkg 2 regex "Intel Mac OS X"
svc profiles SSLVPNProfile disk0:/sslvpnprofile.xml
svc enable
group-policy SSLVPNGrpPolicy internal
group-policy SSLVPNGrpPolicy attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLVPN-SplitTunnel
split-dns value ADDCDOMAIN.com
webvpn
svc profiles value SSLVPNProfile type user
group-policy DfltGrpPolicy attributes
wins-server value 10.1.0.6 10.1.0.8
dns-server value 10.1.0.6 10.1.0.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value ADDCDOMAIN.com
webvpn
svc ask none default svc
group-policy RemoteASA5505 internal
group-policy RemoteASA5505 attributes
vpn-tunnel-protocol IPSec
group-policy RemotePIX501 internal
group-policy RemotePIX501 attributes
vpn-tunnel-protocol IPSec
pfs enable
ipsec-udp enable
service-type admin
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
address-pool SSLVPN-IP-POOL
authentication-server-group ADDCDOMAIN-R
default-group-policy SSLVPNGrpPolicy
tunnel-group SSL-VPN webvpn-attributes
group-alias sslvpn enable
group-url https://100.123.234.16/sslvpn enable
group-url https://corp.ADDCDOMAIN.com/sslvpn enable
tunnel-group olivet.ADDCDOMAIN.com type ipsec-l2l
tunnel-group olivet.ADDCDOMAIN.com general-attributes
default-group-policy RemoteASA5505
tunnel-group olivet.ADDCDOMAIN.com ipsec-attributes
pre-shared-key ourkey
tunnel-group meinz.home.ADDCDOMAIN.com type ipsec-l2l
tunnel-group meinz.home.ADDCDOMAIN.com general-attributes
default-group-policy RemoteASA5505
tunnel-group meinz.home.ADDCDOMAIN.com ipsec-attributes
pre-shared-key ourotherkey
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b0443758accc28d2695521d4feb41e07
: end
Remote Office Config. (this is pretty close, though since I cannot Grab a copy from Corp at the moment It might be a bit off)
ASA Version 8.3(2)
!
hostname OLIVET
names
name 10.1.0.0 NETWORK-CORP
name 10.10.0.0 NETWORK-HA
name 10.11.0.0 NETWORK-OLIVET
name 10.12.0.0 NETWORK-235HBG
name 10.13.0.0 NETWORK-FITCH
name 10.2.0.0 NETWORK-SALES
name 10.6.0.0 NETWORK-TRAINING
name 10.205.0.0 NETWORK-SSLVPN-POOL description SSL VPN Client DHCP Pool
!
interface Vlan1
nameif inside
security-level 100
ip address 10.11.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.11.0.6
name-server 10.1.0.6
domain-name haydon-mill.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK-235HBG
subnet 10.12.0.0 255.255.0.0
object network NETWORK-FITCH
subnet 10.13.0.0 255.255.0.0
object network NETWORK-HA
subnet 10.10.0.0 255.255.0.0
object network NETWORK-CORP
subnet 10.1.0.0 255.255.0.0
object network NETWORK-SALES
subnet 10.2.0.0 255.255.0.0
object network NETWORK-TRAINING
subnet 10.6.0.0 255.255.0.0
object network NETWORK-OLIVET
subnet 10.11.0.0 255.255.0.0
object network NETWORK-OLIVET2
subnet 10.11.0.0 255.255.0.0
object network NETWORK-LOCAL-SSLVPN-POOL
subnet 10.211.0.0 255.255.0.0
description OLIVET SSL VPN Client DHCP Pool
object network NETWORK-HA-SSLVPN-POOL
subnet 10.210.0.0 255.255.0.0
description HA SSL VPN Client DHCP Pool
object network NETWORK-OLIVET-SSLVPN-POOL
subnet 10.211.0.0 255.255.0.0
description OLIVET SSL VPN Client DHCP Pool
object network NETWORK-FITCH-SSLVPN-POOL
subnet 10.213.0.0 255.255.0.0
description Fitch SSL VPN Client DHCP Pool
object network NETWORK-CORP-SSLVPN-POOL
subnet 10.205.0.0 255.255.0.0
description Healdsburg SSL VPN Client DHCP Pool
object network NETWORK-LOCAL-ADMIN
subnet 10.11.0.0 255.255.255.0
object-group network NETWORK_LOCAL
description Local Networks
network-object object NETWORK-OLIVET
network-object object NETWORK-OLIVET2
object-group network NETWORK_REMOTE
description Remote Networks
network-object object NETWORK-HA
network-object object NETWORK-FITCH
network-object object NETWORK-235HBG
network-object object NETWORK-LOCAL-SSLVPN-POOL
network-object object NETWORK-OLIVET-SSLVPN-POOL
network-object object NETWORK-CORP
network-object object NETWORK-SALES
network-object object NETWORK-TRAINING
access-list outside_cryptomap_1 extended permit ip object NETWORK-OLIVET object-group NETWORK_REMOTE
access-list outside_cryptomap_1 extended permit ip object NETWORK-OLIVET2 object-group NETWORK_REMOTE
access-list SSLVPN-SplitTunnel extended permit ip object NETWORK-OLIVET-SSLVPN-POOL object-group NETWORK_LOCAL
pager lines 54
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list VPNCLIENT-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging console notifications
logging monitor informational
logging buffered debugging
logging trap informational
logging asdm warnings
logging mail warnings
logging device-id hostname
logging debug-trace
logging permit-hostdown
no logging message 305012
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305011 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPN-IP-POOL NETWORK-OLIVET-SSLVPN-POOL-10.211.0.10 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (outside,any) source static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description No not NAT traffic to/from Remote Networks
nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE
nat (inside,outside) source static NETWORK_LOCAL NETWORK_LOCAL
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ADDCDOMAIN-R protocol radius
aaa-server ADDCDOMAIN-R (inside) host 10.1.0.6
key key
radius-common-pw key
http server enable
http 10.11.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set connection-type originate-only
crypto map outside_map1 1 set peer 101.123.234.3
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 1 set phase1-mode aggressive
crypto map outside_map1 interface outside
crypto ca trustpoint OUR-CA
enrollment url http://100.123.234.222:80//certsrv/mscep/mscep.dll
ip-address 10.11.0.1
password 3A1471D251A12FFF
crl configure
crypto ca certificate chain OUR-CA
certificate 6fde5f2800000000000b
quit
certificate ca 3a0dc5ed0429b8a942b7ef1bfd21ab59
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 25
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.6.38.127 source outside prefer
ssl trust-point OUR-CA outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2006-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-macosx-i386-2.5.2011-k9.pkg 2 regex "Intel Mac OS X"
svc profiles SSLVPNProfile disk0:/sslvpnprofile.xml
svc enable
group-policy SSLVPNGrpPolicy internal
group-policy SSLVPNGrpPolicy attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLVPN-SplitTunnel
webvpn
svc profiles value SSLVPNProfile type user
group-policy DfltGrpPolicy attributes
wins-server value 10.1.0.6 10.1.0.8
dns-server value 10.1.0.6 10.1.0.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value vpn.haydon-mill.com
webvpn
svc ask none default svc
group-policy ASA5505GrpPolicy internal
group-policy ASA5505GrpPolicy attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
vpn-group-policy ASA5505GrpPolicy
vpn-group-policy ASA5505GrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key key
tunnel-group 101.123.234.3 type ipsec-l2l
tunnel-group 101.123.234.3 ipsec-attributes
pre-shared-key key
!
prompt hostname context
: end
02-18-2011 07:01 PM
I am still seeing lots of "any" in your NAT statement.
From the CORP side, the following are all NOT required (please be advised that static NAT is bidirectional, so you don't need to configure NAT in the other direction). It should always be from high security level to low security level - just 1 statement, and traffic from the other direction will use the same NAT statement.
You can remove all of the following:
nat (inside,any) source static NETWORK-CORP NETWORK-CORP destination static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-100,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,any) source static REMOTE_NETWORK REMOTE_NETWORK
Same goes for the remote side; the following need to be changed:
The (outside,any) statements can be removed:
nat (outside,any) source static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE
The (inside,any) statements need to be changed to (inside,outside):
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description No not NAT traffic to/from Remote Networks
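The two checks in this answer (no "any" interface in a twice-NAT rule, and no low-to-high identity static that merely restates a high-to-low rule, since static NAT is bidirectional) can be run over a config before applying it. The lint below is an added example, not Cisco code or anything from the thread; the security levels and the sample NAT section are taken from the corp config posted above, and the rule regex only covers "source static" twice-NAT lines, so object NAT and "source dynamic" rules are skipped on purpose.

```python
import re

# ASA 8.3 twice-NAT line shape: nat (a,b) source static X X [destination static Y Y] ...
# Object NAT and "source dynamic" rules are deliberately not matched.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),\s*(?P<dst_if>[^)]+)\) "
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
)

# Security levels as configured on the corp ASA in the thread.
SECURITY_LEVEL = {"inside": 100, "outside-100": 0, "outside-101": 0}

# Constructed sample: the twice-NAT section of the posted corp config.
SAMPLE_NAT = """\
nat (inside,any) source static NETWORK-CORP NETWORK-CORP destination static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (inside,outside-100) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (inside,outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (inside,outside-100) source dynamic any 100.123.234-NAT-POOL interface
nat (inside,outside-101) source dynamic any 101.123.234-NAT-POOL interface
nat (outside-100,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,any) source static REMOTE_NETWORK REMOTE_NETWORK
"""


def parse_rules(config_text):
    """Return the matched twice-NAT rules as dicts, each keeping its original line."""
    rules = []
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["line"] = line.strip()
            rules.append(rule)
    return rules


def is_reverse_of(rule, other, levels):
    """True when `rule` is a bare identity static written from the lower-security
    side that only restates what `other` (high-to-low, identity destination) already
    covers in both directions."""
    if rule["src_real"] != rule["src_mapped"] or rule["dst_real"] is not None:
        return False
    if other["dst_real"] is None or other["dst_real"] != other["dst_mapped"]:
        return False
    if other["dst_real"] != rule["src_real"]:
        return False
    if other["dst_if"] not in (rule["src_if"], "any"):
        return False
    return levels.get(other["src_if"], -1) > levels.get(rule["src_if"], -1)


def lint_nat(config_text, levels=SECURITY_LEVEL):
    """Return (line, kind) findings; kind is 'any-interface' or 'reverse-duplicate'."""
    rules = parse_rules(config_text)
    findings = []
    for rule in rules:
        if "any" in (rule["src_if"], rule["dst_if"]):
            findings.append((rule["line"], "any-interface"))
        if any(is_reverse_of(rule, other, levels) for other in rules if other is not rule):
            findings.append((rule["line"], "reverse-duplicate"))
    return findings


def removal_commands(config_text, levels=SECURITY_LEVEL):
    """The 'no nat ...' lines that drop the reverse duplicates, as this answer suggests.
    'any-interface' findings are reported only: those rules need a real interface name."""
    return ["no " + line for line, kind in lint_nat(config_text, levels) if kind == "reverse-duplicate"]


if __name__ == "__main__":
    for line, kind in lint_nat(SAMPLE_NAT):
        print(f"{kind:18} {line}")
    print("\n".join(removal_commands(SAMPLE_NAT)))
```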
02-24-2011 06:46 AM
Hey Jennifer,
Sorry it's been a bit since I've replied. We had a SQL Server migration that was occupying my time. )-:
So late last night I was able to make the changes to the remote ASA. Then at some point I lost connection to the office. Then one of the web developers called with SQL problems! So I tried to enter back in the NAT commands I did the no nat on, and no luck. I reloaded, then I was back online. By the time I got the SQL issue fixed I didn't have time to try it again.
Though here is an interesting thing. I'm unable to connect to the remote site from HQ. Remote can get to HQ no issues.
When I ping a server at the remote site I get
Reply from 84.111.111.112: Destination net unreachable.
Where 84.111.111.112 is the IP address of the ISP's Interface off my Connection to them.
So it seems like once the VPN tunnel is connected the HQ ASA knows how to get the packets back, but does not know to NAT the packet going to the remote site and is sending it out the gateway to the internet.
I'm thinking 21 years of this is enough... I'm thinking the Local ACE Hardware store or a Landscape Supply place...
Thanks!
02-24-2011 08:32 PM
Your remote site has an IP address on the external interface which is dynamically assigned. That means only the remote side can establish the VPN tunnel towards the HQ; HQ can't initiate the VPN connection.
If the remote site can access HQ, that means the VPN tunnel is up and running. Are you able to access resources behind the remote side?
and traffic between the 2 LANs should not be NATed, but gets encrypted since you have VPN tunnel between the 2 sites.
I would suggest that you open a TAC case, so the issue can be troubleshot live with access to both sides. It's a little hard troubleshooting this particular issue via forum.