cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
467
Views
0
Helpful
1
Replies

Site to Site VPN NAT Issue

kdingwall
Level 1
Level 1

I am trying to configure my firewall for a site to site with other firewall and NAT similar subnets.  I have 192.168.16.0/24 on my side and 192.168.16.0/24 and 192.168.17.0/24 on the other side.  We are trying to NAT my side as 10.0.18.0/24 and the other side as 10.0.16.0/24 and 10.0.17.0/24.  It is only working from the other side to my side.  I can connect to my side from the other side, but I cannot connect to the other side from my side.  Here is my config.

: Saved

:

ASA Version 8.4(4)

!

hostname CompetitorCOLOasa

domain-name competitor.com

enable password ZBNBK6vH4eSMcxIJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.16.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.237.99.111 255.255.255.0

!

interface Vlan5

nameif dmz

security-level 50

ip address 192.168.20.1 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns domain-lookup dmz

dns server-group DefaultDNS

domain-name competitor.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network CPVA10-2-0-0

subnet 10.2.0.0 255.255.0.0

object network CPVA192-168-9-x

subnet 192.168.9.0 255.255.255.0

object network NETWORK_OBJ_192.168.16.0_24

subnet 192.168.16.0 255.255.255.0

object network NETWORK_OBJ_192.168.15.0_24

subnet 192.168.15.0 255.255.255.0

object network 192.168.16.55

host 192.168.16.55

object network 192.168.16.54

host 192.168.16.54

object network 192.168.16.53

host 192.168.16.53

object network 192.168.16.246

host 192.168.16.246

object network 68.15.13.196

host 68.15.13.196

object network 192.168.16.47

host 192.168.16.47

object network 192.168.16.38

host 192.168.16.38

object network 64.237.101.46

host 64.237.101.46

object network 64.237.101.45

host 64.237.101.45

object network 64.237.101.44

host 64.237.101.44

object network 64.237.101.43

host 64.237.101.43

object network 64.237.101.42

host 64.237.101.42

object network NETWORK_OBJ_10.0.16.0_24

subnet 10.0.16.0 255.255.255.0

object network NETWORK_OBJ_10.0.17.0_24

subnet 10.0.17.0 255.255.255.0

object network NETWORK_OBJ_10.0.18.0_24

subnet 10.0.18.0 255.255.255.0

object network NETWORK_OBJ_192.168.17.0_24

subnet 192.168.17.0 255.255.255.0

object-group network CPVAall

network-object object CPVA10-2-0-0

network-object object CPVA192-168-9-x

object-group network NETWORK_GRP_10.0.16_17.0_24

network-object object NETWORK_OBJ_10.0.16.0_24

network-object object NETWORK_OBJ_10.0.17.0_24

object-group network NETWORK_GRP_192.168.16_17.0_24

network-object object NETWORK_OBJ_192.168.16.0_24

network-object object NETWORK_OBJ_192.168.17.0_24

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip 192.168.16.0 255.255.255.0 any

access-list outside_access_in extended permit icmp any object 192.168.16.55

access-list outside_access_in extended permit tcp any object 192.168.16.55 eq www

access-list outside_access_in extended permit tcp any object 192.168.16.55 eq https

access-list outside_access_in extended permit icmp any object 192.168.16.54

access-list outside_access_in extended permit tcp any object 192.168.16.54 eq www

access-list outside_access_in extended permit tcp any object 192.168.16.54 eq https

access-list outside_access_in extended permit icmp any object 192.168.16.53

access-list outside_access_in extended permit tcp any object 192.168.16.53 eq www

access-list outside_access_in extended permit tcp any object 192.168.16.53 eq https

access-list outside_access_in extended permit icmp any object 192.168.16.47

access-list outside_access_in extended permit tcp any object 192.168.16.47 eq https

access-list outside_access_in extended permit tcp any object 192.168.16.47 eq www

access-list outside_access_in extended permit tcp any object 192.168.16.47 eq ftp

access-list outside_access_in extended permit icmp any object 192.168.16.38

access-list outside_access_in extended permit tcp any object 192.168.16.38 range 8000 8010

access-list outside_access_in extended permit tcp any object 192.168.16.38 eq https

access-list outside_access_in extended permit tcp any object 192.168.16.38 eq www

access-list outside_access_in extended permit tcp any object 192.168.16.47 eq ftp-data

access-list outside_access_in extended permit tcp any object 192.168.16.47 range 49152 65535

access-list RemoteAccess_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0

access-list global_access extended permit udp any any eq domain

access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_10.0.18.0_24 object-group NETWORK_GRP_10.0.16_17.0_24

access-list peak10-policy-nat extended permit ip 192.168.16.0 255.255.255.0 object-group NETWORK_GRP_10.0.16_17.0_24

access-list outside_cryptomap_2 extended permit ip object NETWORK_OBJ_192.168.16.0_24 object-group NETWORK_GRP_10.0.16_17.0_24

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool RemoteAccessPool 192.168.15.100-192.168.15.200 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static 192.168.16.38 64.237.101.42

nat (inside,outside) source static 192.168.16.47 64.237.101.43

nat (inside,outside) source static 192.168.16.53 64.237.101.44

nat (inside,outside) source static 192.168.16.54 64.237.101.45

nat (inside,outside) source static 192.168.16.246 68.15.13.196

nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static 192.168.16.55 64.237.101.43

nat (inside,outside) source static 192.168.16.47 64.237.101.46

nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_10.0.18.0_24 destination static NETWORK_GRP_10.0.16_17.0_24 any

!

object network obj_any

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 64.237.99.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.16.0 255.255.255.0 inside

http 68.15.13.192 255.255.255.240 outside

http 68.15.29.211 255.255.255.255 outside

http 68.15.29.208 255.255.255.240 outside

http 207.174.113.18 255.255.255.255 outside

http 50.78.235.193 255.255.255.255 outside

http 70.167.0.194 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 2 match address outside_cryptomap_2

crypto map outside_map 2 set peer 216.26.176.104

crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map 2 set ikev2 ipsec-proposal 3DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 enable dmz

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.16.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd dns 10.2.0.10

dhcpd domain competitor.com

dhcpd auto_config outside

!

dhcpd address 192.168.16.245-192.168.16.250 inside

dhcpd dns 10.2.0.10 interface inside

dhcpd domain competitor.com interface inside

dhcpd update dns interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 95.158.95.123 source outside prefer

webvpn

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol l2tp-ipsec ssl-clientless

group-policy GroupPolicy_216.26.176.104 internal

group-policy GroupPolicy_216.26.176.104 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy_50.78.235.193 internal

group-policy GroupPolicy_50.78.235.193 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy2 internal

group-policy RemoteAccess internal

group-policy RemoteAccess attributes

dns-server value 10.2.0.10

vpn-tunnel-protocol ikev1 ikev2

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteAccess_splitTunnelAcl

default-domain value competitor.com

username aaron.morris password FlBJEikgY41N7Yeh encrypted

username TelData password G/t20NXjIJgzEsrK encrypted

username wendy.poole password Lbn94kULntKjGUqk encrypted

username carlos.chacon password uiJqEFK47CM7asUz encrypted

username Randersen password k06YdFFP1cpue.xK encrypted

username RaceIt password fmbEiFfaujgg9ZD7 encrypted

username Arthur.kingdom password oYBBnNjdlU.Gi.ix encrypted

username admin password kXv7e.y/JTMRnNpt encrypted

username darren.wamboldt password 4/ciK4I5r8vqWFek encrypted

username peter.carlson password 9BL7WsPzTLRTUK1Z encrypted

username dan.weed password f8sWcOhK8c0/78gx encrypted

username josh.larson password p88CP7Ynbb8THitB encrypted

username Econe password Z2wfuvsm7Ldx8xIb encrypted

username stephanie.gausby password qKyhbsZG4VM5AN27 encrypted

username stephanie.condrey password QiMNt42K3hCxMkSO encrypted

username vance.jones password K3SzipvrVB7rw93p encrypted

username Jbailey password aQwmmx9gyQJ2ttb/ encrypted

username meghan.kaminski password tZQhjdmiwJMoBohC encrypted

username lewis.jones password sRoXA4Ie1sfLPynx encrypted

username Jsnow password t/Xlx/knfy/2zxYt encrypted

username tony.falkenstein password dPVg3iptEZwUbwXv encrypted

username charlie.hogue password 8AkzVAFFvt3Ye4vW encrypted

username ronnie.hendricks password rzzMqnBKdHJb74pV encrypted

username heather.dolan password n7nQCphH/N6iQRlo encrypted

username keith.dingwall password 2lEKKs8oq0qAX7Aa encrypted

username claudia.lamora password EA.sJFM.dT9njT8W encrypted

username whitney.kailos password jMT0wiuWvSWemFsQ encrypted

tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

address-pool RemoteAccessPool

default-group-policy RemoteAccess

tunnel-group RemoteAccess ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 216.26.176.104 type ipsec-l2l

tunnel-group 216.26.176.104 general-attributes

default-group-policy GroupPolicy_216.26.176.104

tunnel-group 216.26.176.104 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect http

  inspect dns

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e1f77f4111e4260240fbbf861b254677

: end

no asdm history enable

1 Reply 1

kdingwall
Level 1
Level 1

I added this line to my configuration and had them stop blocking my traffic on the other end.

nat (outside,inside) source static NETWORK_GRP_10.0.16_17.0_24 NETWORK_GRP_192.168.16_17.0_24 destination static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: