01-29-2013 10:17 AM
I am trying to configure my firewall for a site-to-site with another firewall and NAT similar subnets. I have 192.168.16.0/24 on my side and 192.168.16.0/24 and 192.168.17.0/24 on the other side. We are trying to NAT my side as 10.0.18.0/24 and the other side as 10.0.16.0/24 and 10.0.17.0/24. It is only working from the other side to my side. I can connect to my side from the other side, but I cannot connect to the other side from my side. Here is my config.
: Saved
:
ASA Version 8.4(4)
!
hostname CompetitorCOLOasa
domain-name competitor.com
enable password ZBNBK6vH4eSMcxIJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.237.99.111 255.255.255.0
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
domain-name competitor.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CPVA10-2-0-0
subnet 10.2.0.0 255.255.0.0
object network CPVA192-168-9-x
subnet 192.168.9.0 255.255.255.0
object network NETWORK_OBJ_192.168.16.0_24
subnet 192.168.16.0 255.255.255.0
object network NETWORK_OBJ_192.168.15.0_24
subnet 192.168.15.0 255.255.255.0
object network 192.168.16.55
host 192.168.16.55
object network 192.168.16.54
host 192.168.16.54
object network 192.168.16.53
host 192.168.16.53
object network 192.168.16.246
host 192.168.16.246
object network 68.15.13.196
host 68.15.13.196
object network 192.168.16.47
host 192.168.16.47
object network 192.168.16.38
host 192.168.16.38
object network 64.237.101.46
host 64.237.101.46
object network 64.237.101.45
host 64.237.101.45
object network 64.237.101.44
host 64.237.101.44
object network 64.237.101.43
host 64.237.101.43
object network 64.237.101.42
host 64.237.101.42
object network NETWORK_OBJ_10.0.16.0_24
subnet 10.0.16.0 255.255.255.0
object network NETWORK_OBJ_10.0.17.0_24
subnet 10.0.17.0 255.255.255.0
object network NETWORK_OBJ_10.0.18.0_24
subnet 10.0.18.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
subnet 192.168.17.0 255.255.255.0
object-group network CPVAall
network-object object CPVA10-2-0-0
network-object object CPVA192-168-9-x
object-group network NETWORK_GRP_10.0.16_17.0_24
network-object object NETWORK_OBJ_10.0.16.0_24
network-object object NETWORK_OBJ_10.0.17.0_24
object-group network NETWORK_GRP_192.168.16_17.0_24
network-object object NETWORK_OBJ_192.168.16.0_24
network-object object NETWORK_OBJ_192.168.17.0_24
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.16.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any object 192.168.16.55
access-list outside_access_in extended permit tcp any object 192.168.16.55 eq www
access-list outside_access_in extended permit tcp any object 192.168.16.55 eq https
access-list outside_access_in extended permit icmp any object 192.168.16.54
access-list outside_access_in extended permit tcp any object 192.168.16.54 eq www
access-list outside_access_in extended permit tcp any object 192.168.16.54 eq https
access-list outside_access_in extended permit icmp any object 192.168.16.53
access-list outside_access_in extended permit tcp any object 192.168.16.53 eq www
access-list outside_access_in extended permit tcp any object 192.168.16.53 eq https
access-list outside_access_in extended permit icmp any object 192.168.16.47
access-list outside_access_in extended permit tcp any object 192.168.16.47 eq https
access-list outside_access_in extended permit tcp any object 192.168.16.47 eq www
access-list outside_access_in extended permit tcp any object 192.168.16.47 eq ftp
access-list outside_access_in extended permit icmp any object 192.168.16.38
access-list outside_access_in extended permit tcp any object 192.168.16.38 range 8000 8010
access-list outside_access_in extended permit tcp any object 192.168.16.38 eq https
access-list outside_access_in extended permit tcp any object 192.168.16.38 eq www
access-list outside_access_in extended permit tcp any object 192.168.16.47 eq ftp-data
access-list outside_access_in extended permit tcp any object 192.168.16.47 range 49152 65535
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
access-list global_access extended permit udp any any eq domain
access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_10.0.18.0_24 object-group NETWORK_GRP_10.0.16_17.0_24
access-list peak10-policy-nat extended permit ip 192.168.16.0 255.255.255.0 object-group NETWORK_GRP_10.0.16_17.0_24
access-list outside_cryptomap_2 extended permit ip object NETWORK_OBJ_192.168.16.0_24 object-group NETWORK_GRP_10.0.16_17.0_24
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteAccessPool 192.168.15.100-192.168.15.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static 192.168.16.38 64.237.101.42
nat (inside,outside) source static 192.168.16.47 64.237.101.43
nat (inside,outside) source static 192.168.16.53 64.237.101.44
nat (inside,outside) source static 192.168.16.54 64.237.101.45
nat (inside,outside) source static 192.168.16.246 68.15.13.196
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.16.55 64.237.101.43
nat (inside,outside) source static 192.168.16.47 64.237.101.46
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_10.0.18.0_24 destination static NETWORK_GRP_10.0.16_17.0_24 any
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 64.237.99.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
http 68.15.13.192 255.255.255.240 outside
http 68.15.29.211 255.255.255.255 outside
http 68.15.29.208 255.255.255.240 outside
http 207.174.113.18 255.255.255.255 outside
http 50.78.235.193 255.255.255.255 outside
http 70.167.0.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 216.26.176.104
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal 3DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 enable dmz
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.16.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 10.2.0.10
dhcpd domain competitor.com
dhcpd auto_config outside
!
dhcpd address 192.168.16.245-192.168.16.250 inside
dhcpd dns 10.2.0.10 interface inside
dhcpd domain competitor.com interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 95.158.95.123 source outside prefer
webvpn
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec ssl-clientless
group-policy GroupPolicy_216.26.176.104 internal
group-policy GroupPolicy_216.26.176.104 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_50.78.235.193 internal
group-policy GroupPolicy_50.78.235.193 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 10.2.0.10
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
default-domain value competitor.com
username aaron.morris password FlBJEikgY41N7Yeh encrypted
username TelData password G/t20NXjIJgzEsrK encrypted
username wendy.poole password Lbn94kULntKjGUqk encrypted
username carlos.chacon password uiJqEFK47CM7asUz encrypted
username Randersen password k06YdFFP1cpue.xK encrypted
username RaceIt password fmbEiFfaujgg9ZD7 encrypted
username Arthur.kingdom password oYBBnNjdlU.Gi.ix encrypted
username admin password kXv7e.y/JTMRnNpt encrypted
username darren.wamboldt password 4/ciK4I5r8vqWFek encrypted
username peter.carlson password 9BL7WsPzTLRTUK1Z encrypted
username dan.weed password f8sWcOhK8c0/78gx encrypted
username josh.larson password p88CP7Ynbb8THitB encrypted
username Econe password Z2wfuvsm7Ldx8xIb encrypted
username stephanie.gausby password qKyhbsZG4VM5AN27 encrypted
username stephanie.condrey password QiMNt42K3hCxMkSO encrypted
username vance.jones password K3SzipvrVB7rw93p encrypted
username Jbailey password aQwmmx9gyQJ2ttb/ encrypted
username meghan.kaminski password tZQhjdmiwJMoBohC encrypted
username lewis.jones password sRoXA4Ie1sfLPynx encrypted
username Jsnow password t/Xlx/knfy/2zxYt encrypted
username tony.falkenstein password dPVg3iptEZwUbwXv encrypted
username charlie.hogue password 8AkzVAFFvt3Ye4vW encrypted
username ronnie.hendricks password rzzMqnBKdHJb74pV encrypted
username heather.dolan password n7nQCphH/N6iQRlo encrypted
username keith.dingwall password 2lEKKs8oq0qAX7Aa encrypted
username claudia.lamora password EA.sJFM.dT9njT8W encrypted
username whitney.kailos password jMT0wiuWvSWemFsQ encrypted
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool RemoteAccessPool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 216.26.176.104 type ipsec-l2l
tunnel-group 216.26.176.104 general-attributes
default-group-policy GroupPolicy_216.26.176.104
tunnel-group 216.26.176.104 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect dns
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e1f77f4111e4260240fbbf861b254677
: end
no asdm history enable
01-30-2013 09:57 AM
I added this line to my configuration and had them stop blocking my traffic on the other end.
nat (outside,inside) source static NETWORK_GRP_10.0.16_17.0_24 NETWORK_GRP_192.168.16_17.0_24 destination static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24
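To make the overlap-NAT behaviour in these two posts concrete, here is an added example (not from the poster or from Cisco) that models a manual twice-NAT rule in Python and shows why, on ASA 8.3 and later, the crypto map ACL has to be written against the translated (mapped) addresses rather than the real inside subnet. The model is simplified: static net-to-net translation preserving the host offset, first matching rule wins; the subnets are the ones from the post, and the rule list, ACL tuples and the helper names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


def _net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


def _offset_map(addr, real: Net, mapped: Net):
    """Static net-to-net NAT keeps the host offset inside the block."""
    off = int(addr) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + off)


@dataclass
class TwiceNat:
    """One manual NAT rule: source AND destination are rewritten together."""
    real_src: Net
    mapped_src: Net
    real_dst: list    # list of Net, paired index-wise with mapped_dst
    mapped_dst: list

    def translate(self, src, dst):
        if src not in self.real_src:
            return None
        for rd, md in zip(self.real_dst, self.mapped_dst):
            if dst in rd:
                return (_offset_map(src, self.real_src, self.mapped_src),
                        _offset_map(dst, rd, md))
        return None


def apply_nat(rules, src, dst):
    """First matching rule wins; a packet matching no rule is untouched."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        out = rule.translate(src, dst)
        if out:
            return out
    return src, dst


def acl_permits(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


# Constructed sample built from the subnets in the post.
LOCAL_REAL, LOCAL_MAPPED = _net("192.168.16.0/24"), _net("10.0.18.0/24")
REMOTE_MAPPED = [_net("10.0.16.0/24"), _net("10.0.17.0/24")]
RULES = [TwiceNat(LOCAL_REAL, LOCAL_MAPPED, REMOTE_MAPPED, REMOTE_MAPPED)]
# Crypto ACL on mapped addresses (what the crypto map sees after NAT on 8.3+).
CRYPTO_ACL_MAPPED = [(LOCAL_MAPPED, n) for n in REMOTE_MAPPED]
# Crypto ACL on the real inside subnet (outside_cryptomap_2 style).
CRYPTO_ACL_REAL = [(LOCAL_REAL, n) for n in REMOTE_MAPPED]


def tunnel_decision(acl, src, dst):
    """Return (post-NAT src, post-NAT dst, matched by crypto ACL)."""
    s, d = apply_nat(RULES, src, dst)
    return str(s), str(d), acl_permits(acl, s, d)
```

Run `tunnel_decision(CRYPTO_ACL_REAL, "192.168.16.38", "10.0.17.20")` against `tunnel_decision(CRYPTO_ACL_MAPPED, ...)` to see the same outbound packet miss the crypto ACL written on real addresses and hit the one written on mapped addresses.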