Problem vpn ipsec

mbuonfi
Level 1

We have to configure our Cisco ASA 505 firewall (ASA Version 8.3(1)) in order to establish an IPsec VPN between our office site and another external site.

The VPN has been established successfully between our site's VPN IP 172.16.69.24 and the other site's VPN IP 172.16.23.23.

Our server (192.168.100.25) behind the Cisco firewall (LAN 192.168.100.254) manages to ping server 172.16.23.23 on the other site through a static route added on the Windows server (route add 172.16.23.0 MASK 255.255.255.0 192.168.100.254).

On the other site, the server with IP 172.16.23.23 cannot ping our site's VPN IP (172.16.69.24), which has to be NATed to our server 192.168.100.25.

How can this be done? I would be grateful to anyone who can suggest a solution.

Thanks a lot.

mbuonfi
Level 1

Is there no one to help me?


ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 62.149.x.x 255.255.224.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object network obj-172.16.23.23
 host 172.16.23.23
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq ftp
 port-object eq ftp-data
object-group network CLIENT-VPN
 description client per server
 network-object host 192.168.100.25
object-group network SERVER-PS
 network-object host 172.16.23.23
object-group network IP-NAT-PER-VPN
 description IP di presentazione  verso server qs
 network-object host 172.16.69.24
access-list outside_1_cryptomap extended permit ip host 172.16.69.24 172.16.23.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 172.16.69.24 172.16.23.0 255.255.255.0
access-list VPN extended permit ip host 192.168.100.25 host 172.16.23.23
access-list per-nat-vpn extended permit ip host 172.16.69.24 172.16.23.0 255.255.255.0
access-list acl-outside remark Migration: End of expansion
access-list capture extended permit ip host 192.168.100.25 host 172.16.23.23
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static CLIENT-VPN CLIENT-VPN destination static obj-172.16.23.23 obj-172.16.23.23
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 62.149.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set T-T esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 195.120.182.61
crypto map outside_map 1 set transform-set T-T
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes 100000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 csd image disk0:/csd_3.5.841-k9.pkg
username admin password xxxxxxxxxxx encrypted
username mbuonfiglio password xxxxxxxxxxxxxxx encrypted
tunnel-group 195.120.x.x type ipsec-l2l
tunnel-group 195.120.x.x ipsec-attributes
 pre-shared-key ***********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3767bae16e27d3d50f1b21e2c6c82e49
: end
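As an added example (not code from the thread or from Cisco), the following Python script parses the object, access-list, twice-NAT and crypto-map lines of the configuration posted above and reports, for a given address, whether the crypto map's match ACL selects it, whether a static NAT rule can produce it as a translated source, and which ACLs that nothing references mention it. It rests on the ASA's packet flow, in which NAT is applied before the crypto map ACL is consulted, so the ACL has to name the address the peer expects to see; the configuration excerpt embedded in the script is a constructed subset of the posted lines, and `check_address` and the other function names are this example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the ASA 8.3(1) configuration posted above: only the
# object, ACL, twice-NAT and crypto-map lines that decide which traffic enters
# the site-to-site tunnel and with which source address.
ASA_CONFIG = """\
object network obj-172.16.23.23
 host 172.16.23.23
object-group network CLIENT-VPN
 description client per server
 network-object host 192.168.100.25
object-group network IP-NAT-PER-VPN
 network-object host 172.16.69.24
access-list outside_1_cryptomap extended permit ip host 172.16.69.24 172.16.23.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 172.16.69.24 172.16.23.0 255.255.255.0
access-list VPN extended permit ip host 192.168.100.25 host 172.16.23.23
access-list per-nat-vpn extended permit ip host 172.16.69.24 172.16.23.0 255.255.255.0
nat (inside,any) source static CLIENT-VPN CLIENT-VPN destination static obj-172.16.23.23 obj-172.16.23.23
crypto map outside_map 1 match address VPN
"""

def _endpoint(tokens, i):
    """Parse one ACL endpoint (any | host A | A MASK) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_config(text):
    """Collect objects, ACL entries, twice-NAT rules and crypto-map ACL bindings."""
    objects, acls, nat_rules, crypto_maps = {}, {}, [], {}
    current = None  # object / object-group whose indented sub-lines follow
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, set())
            continue
        if current:
            m = re.match(r"(?:host|network-object host) (\S+)$", line)
            if m:
                objects[current].add(ip_network(m.group(1) + "/32"))
                continue
            m = re.match(r"(?:subnet|network-object) (\S+) (\S+)$", line)
            if m:
                objects[current].add(ip_network(f"{m.group(1)}/{m.group(2)}"))
                continue
            if line.startswith("description"):
                continue
            current = None  # any other line ends the object block
        m = re.match(r"access-list (\S+) extended permit (\S+) (.+)$", line)
        if m:
            tokens = m.group(3).split()
            src, i = _endpoint(tokens, 0)
            dst, _ = _endpoint(tokens, i)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
            continue
        m = re.match(r"nat \(\S+,\S+\) source static (\S+) (\S+)", line)
        if m:  # twice NAT: real source object -> mapped source object
            nat_rules.append({"real_src": m.group(1), "mapped_src": m.group(2)})
            continue
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line)
        if m:
            crypto_maps[(m.group(1), int(m.group(2)))] = m.group(3)
    return {"objects": objects, "acls": acls, "nat_rules": nat_rules, "crypto_maps": crypto_maps}

def crypto_selected_sources(cfg):
    """Source networks each crypto map entry encrypts, taken from its match ACL."""
    return {key: {src for _, src, _ in cfg["acls"].get(acl, [])}
            for key, acl in cfg["crypto_maps"].items()}

def static_nat_mapped_sources(cfg):
    """Translated source networks the twice-NAT static rules can put on the wire."""
    mapped = set()
    for rule in cfg["nat_rules"]:
        mapped |= cfg["objects"].get(rule["mapped_src"], set())
    return mapped

def unused_acls(cfg):
    """ACLs no crypto map references (the excerpt carries no access-group lines)."""
    return set(cfg["acls"]) - set(cfg["crypto_maps"].values())

def check_address(cfg, ip):
    """Is ip selected by a crypto ACL, produced by static NAT, or only named in unreferenced ACLs?"""
    addr = ip_address(ip)
    named_in = {name for name, entries in cfg["acls"].items()
                if any(addr in src or addr in dst for _, src, dst in entries)}
    return {"selected_by_crypto_map": any(addr in n for nets in crypto_selected_sources(cfg).values() for n in nets),
            "produced_by_static_nat": any(addr in n for n in static_nat_mapped_sources(cfg)),
            "appears_in_unused_acls": sorted(named_in & unused_acls(cfg))}

if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    print("unused ACLs:", sorted(unused_acls(cfg)))
    for ip in ("192.168.100.25", "172.16.69.24"):
        print(ip, check_address(cfg, ip))
```

Run against the excerpt, the script shows that the crypto map selects 192.168.100.25 and that the only static NAT rule maps that host to itself, while 172.16.69.24 appears solely in three ACLs nothing references; that is the kind of NAT/crypto-ACL disagreement worth ruling out before looking at the remote side.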

Hi Matteo,

This needs a bit of clarification.

Your server at the remote site: what is the actual IP of the remote server? Is the remote server being NATed as well?

Your issue is: from the remote server, you can't ping your local server (192.168.100.25)?

Shamal