Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
715
Views
0
Helpful
9
Replies

Translate inside IP so when it goes out through the vpn tunnel it uses the external address

support
Level 1
Level 1

‎02-06-2014 07:18 PM

I am using the ASA5505 with the ASDM 7.1

I currently have Internal IP address 192.168.1.100-105 and want to make it so the when it goes out it is masked as the external ip address of 192.168.40.1.       

Thanks     

Lionel    

Labels:
0 Helpful
9 Replies 9

Jouni Forss
VIP Alumni
VIP Alumni

‎02-06-2014 11:51 PM

Hi,

Is this related to the previous discussion here on the forums? You didnt follow up on that discussion.

I would imagine that in your situation the internal hosts are already being Dynamic PATed to the external public IP address (unless you have several) therefore the only real configurations are needed in the L2L VPN so it includes your public IP address as source since that translation is probably already configured.

- Jouni

0 Helpful

support
Level 1
Level 1
In response to Jouni Forss

‎02-07-2014 12:44 AM

Hi Jouni

Yes it is related to the previous discussion.  Sorry about not folloing up on that discussion.

That's what I think also.  But somehow I don't even see any connection log file between that site.

I am able to see the connection and the log files to my other site.

This is what the network admin said from that site.

>>have looked at your configuration and it seems to be OK. The

>> only thing I do different is listing the host information in the

>> Oject-group instead of calling out a globally defined host. Example

>> below. Do you still have the ASA connected? If so could you try to

>> generate so traffic by trying to pint one the host ( like

>> 198.17.86.19). Thanks

>>

>> Your Way:

>> object-group network SiteA

>> network-object host 1

>> network-object host 2

>> network-object host 3

>> network-object host 4

>>

>> My Way:

>> object-group network Sutter

>> network-object 198.17.93.17 255.255.255.255 network-object

>> 198.17.93.18 255.255.255.255 network-object 198.17.93.19

>> 255.255.255.255 network-object 198.17.86.19 255.255.255.255

>>>       I believe the issue is with your access-list inside_nat0_outbound access list as you have the 192.168.1.0 network defined and not the 60.17.18.1. You will also need to create a PAT for all your internal traffic (192.168.1.0) to be sourced from the 60.17.18.1 as we do not support private IP over the s2s VPN tunnel.

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group Site A

Thanks

Lionel

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to support

‎02-07-2014 12:57 AM

Hi,

Well to get any sense of the situation we would have to do the following things.

  • What are the IP addresses/networks on the remote site that you have to connect to?
  • What is the IP address that your users connection should be visible to the remote site with? Is the public IP address the same IP address that you have configured on your ASAs external interface at the moment?

If the remote end wants your connections through the L2L VPN to come from a public IP address then you should have no NAT0 configurations on your firewall unless you have Client VPN configured for your own use. If not then you dont need NAT0 configurations for anything.

Next thing (as mentioned in the above list) to determine is whether you are going to use a new public IP address as the source for this connection OR if you are using the public IP address configured on your ASA external interface. If you use the the interface IP address then you dont need any additional NAT configuration (since you already have the Dynamic PAT) and you just need to add that public IP address to the Crypto ACL (and remove the NAT0 configuration). If you are going to use a different public IP address then you might want to configure a Dynamic Policy PAT.

We would really need the base information that you have decided as the parameters of the L2L VPN connection and the current firewall configurations to tell you what needs to be changed.

- Jouni

0 Helpful

support
Level 1
Level 1
In response to Jouni Forss

‎02-07-2014 01:06 AM

Hi  Jouni

Thanks for the quick respond.

Let me reprint the log file and post it again by tomorow.

Thanks a lot .

Lionel

0 Helpful

support
Level 1
Level 1
In response to Jouni Forss

‎02-09-2014 10:07 PM

Hi Jouni

Below is the config file

Our site

IP :60.1.6.1

Gateway: 60.1.6.6

Internal IP: 192.168.1.0 /24

The other site

Peer IP: 19.27.72.35

19.27.8.16  (The One to one NAT IP)

19.27.9.11  (The One to one NAT IP)

19.27.9.12   (The One to one NAT IP)

19.27.9.13     (The One to one NAT IP)

ASA Version 8.4(7)
!
hostname ciscoasa
enable password 8Uy2DjIyt7YYXM24 encrypted
passwd 2KKHfbMIdI.8KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 60.1.6.1 255.255.255.248
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network SiteA
network-object host 19.27.8.16
network-object host 19.27.9.11
network-object host 19.27.9.12
network-object host 19.27.9.13
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group Sutter
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Sutter Sutter no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 60.1.6.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 19.27.72.35
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_19.27.72.35 internal
group-policy GroupPolicy_19.27.72.35 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 19.27.72.35 type ipsec-l2l
tunnel-group 19.27.72.35 general-attributes
default-group-policy GroupPolicy_19.27.72.35
tunnel-group 19.27.72.35 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:93d4881a50f17983e675d66ee540a211
: end

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to support

‎02-10-2014 01:45 AM

Hi,

So if the remote end of the L2L VPN wants for all your connections from your LAN to their site to be visible from the public IP address that is configured on your ASAs external interface then you could simply do these changes and it should be fine.

access-list outside_cryptomap extended permit ip host 60.1.6.1 object-group Sutter

no access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group Sutter

no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static Sutter Sutter no-proxy-arp  route-lookup

The above configuration would first add a line to the Crypto ACL to tell the ASA that traffic between your ASAs public IP address and the remote hosts configured under "object-group network Sutter" should use the L2L VPN. Next we would remove the old line that defined your LAN network as the source. Finally we remove the NAT0 configuration so that your LAN hosts will start to translate to the public IP address with which they should be visible to the L2L VPN connection and the remote hosts.

The configuration above doesnt completely match. Seems like there is something missing. For example I see "object-group" called "Sutter" referenced in the ACL but I see no actual configuration for it. Only the "object-group network SiteA"

Also make sure that the public IP address in the above ACL configuration I suggested is the actual public IP address of your ASA.

- Jouni

0 Helpful

support
Level 1
Level 1
In response to Jouni Forss

‎02-10-2014 08:28 AM

Hi Jouni

I will give it a try tonight.

Thanks for the quick respond.

Sorry for the confusion.  I accidentally change the name by mistake,  It shows Sutter instead of SiteA in the config. file.

Thanks

Lionel

0 Helpful

support
Level 1
Level 1
In response to support

‎02-11-2014 07:34 PM

Hi Jouni,

Here is the updated config.

: Saved

:

ASA Version 8.4(7)

!

hostname ciscoasa

enable password 8Uy2DjIyt7YYXM24 encrypted

passwd 2KKHfbMIdI.8KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 60.1.6.1 255.255.255.248

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group network Sutter

network-object host 19.27.8.16

network-object host 19.27.9.11

network-object host 19.27.9.12

network-object host 19.27.9.13

access-list outside_cryptomap extended permit ip host 60.1.6.1 object-group Sutter

access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group Sutter

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Sutter Sutter no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 60.1.6.6 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 19.27.72.35

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 1 set nat-t-disable

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_19.27.72.35 internal

group-policy GroupPolicy_19.27.72.35 attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group 19.27.72.35 type ipsec-l2l

tunnel-group 19.27.72.35 general-attributes

default-group-policy GroupPolicy_19.27.72.35

tunnel-group 19.27.72.35 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:472e0a8bc2b6ddd32850f1ffe0b07999

: end

ciscoasa(config)# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

ciscoasa(config)# show crypto ipsec sa

There are no ipsec sas

ciscoasa(config)#

The strange thing is that I don't see any activity of it trying to connect to the peer IP address.  I'm also looking at the debugging log and nothing from the peer address shows up.

Thanks

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to support

‎02-12-2014 01:48 AM

Hi,

I can't see that you would have done the changes I mentioned

Have look at these configurations

access-list outside_cryptomap extended permit ip host 60.1.6.1 object-group Sutter

access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group Sutter

My original suggestion was to add the ACL rule using your public IP address as the source to the existing ACL and then remove the old line. Now there is 2 different ACLs

crypto map outside_map 1 match address outside_cryptomap_1

It also seems according to the above configuration that you are still using the ACL that uses the wrong source IP address (the local network rather than the public IP address of the ASA). You would have to change the ACL used in the above command. (to ACL outside_cryptomap)

nat  (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static Sutter Sutter no-proxy-arp  route-lookup

You also have the above NAT0 configuration that would still prevent the traffic being forwarded to the L2L VPN connection as this configuration would prevent the traffic from being NATed to the public IP address. So this configuration would need to be removed.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents