ASA VPN QUESTION

Similar Messages

• Dual ISP on ASA VPN question.

  Hi all.
  My question is very simple is there any way or feature that could allow us to have a backup VPN tunnel on at the secondary ISP at the asa 5520?
  Lets assume if the primary isp goes down is there any way for  the VPN tunnel come online at the backup isp ?
  Config:
  crypto isakmp enable outside
  crypto isakmp enable backup
  tunnel-group 200.200.2.1 type ipsec-l2l
  tunnel-group 200.200.2.1 ipsec-attributes
  pre-shared-key CISCO
  tunnel-group 200.200.1.1 type ipsec-l2l
  tunnel-group 200.200.1.1 ipsec-attributes
  pre-shared-key CISCO
  crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
  crypto map VPN 10 match address VLAN121_TO_VLAN23
  crypto map VPN 10 set peer 200.200.1.1
  crypto map VPN 10 set transform-set 3DES_MD5
  crypto map VPN 20 match address VLAN121_TO_VLAN23
  crypto map VPN 20 set peer 200.200.2.1
  crypto map VPN 20 set transform-set 3DES_MD5
  ! Apply crypto-map and enable VPN traffic to bypass ACLs
  crypto map VPN interface outside
  crypto map VPN interface backup
  sysopt connection permit-vpn
  Thank you.

  We are not abble to make a loop back on the ASA.
  The routing with SLA is working fine the problem is when local network goes to remote network always try to get at the first tunnel with was setup for  first isp ip adddrs.

• Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

  Dear community,
  quite frequently I am now receiving the following error message in my ASA 5502's log:
  Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
  Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
  Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
  The VPN Clients (in the last case: A linux vpnc) disconnect with message
     vpnc[7736]: connection terminated by dead peer detection
  The ASA reports for that <some_ip> at around the same time:
  Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested    
  A google search did not reveal any explanation to the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message -- so my questions would be
     1) What does the message exactly mean -- I know runts as a L2 problem so I d suppose it means the same: The ISAKMP packet is somehow
         crippled (I d suppose this happens during rekeying) ?
     2) Any idea where to look for the cause of this
            WAN related (however I d assume no -- why does this happen in these regular time frames as show above)?
            SW related (vpnc bug)?
  Thanks in advance for any pointer...
  Joachim

  Yes.  You need to eliminate the things I've said to eliminate with the other side.  Ensure your configs are matching exactly.  They probably are, whatever, just make sure of it because it's easy.  You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
  The more info you can have just one person responsible for the better.  What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
  If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
  If you're seeing them come in his interface and never come back out, you know where to look.
  Set your caps to a single host to single host if need be, and generate traffic accordingly.
  You need to narrow down where NOT to look so that you know where TO look.  I would say then, and only then, do you get the ISP involved.  Once you're sure the problem exists between his edge device and your edge device.
  I do exactly this for a living on a daily basis...day after day after day.  I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions.  I always start the exact same way...from the very bottom.

• Yet Another ASA VPN Licensing Question :)

  I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
  1.  Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?  
  2.  Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
  Thanks!

  It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
  Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
  If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

• VPN Question (match interesting traffic)

  Dear guys
  A vpn question  see below text diagram
  inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
                              ipsec vpn tunnel                          ipsec vpn tunnel
  we have configured interesting traffic on ASA-2 for each other on 2 side.
  we can ping asa-2 inside network from asa-3 and asa-1  but Why ASA-3 inside can not access ASA-1 inside network ?

  Hi Yun,
  Step 1: Create site-to-site vpn tunnel between ASA1 to ASA2 and ASA2 to ASA3, however there is NO direct tunnel between ASA1 and ASA3 you need.
  Step 2: Now include ASA3's inside network segment in the crypto ACL to between the tunnel ASA1 and ASA2 and do NOT include ASA3's and 1's inside network segment for no-nat on inside interface on ASA2
  Step 3: Now include ASA1 inside network segment in the crypto ACL to between the tunnel ASA2 and ASA3, and do NOT include ASA1's and 3's inside network segment for no-nat on inside interface on ASA2.
  Step 4: Create no-nat on ASA2 for outside interface and this no-nat must includes ASA1's inside network segment and ASA3's inside network segment.  See example below.
  only an example, you change it to fit your network segment.
  object-group network ASA1-inside
    network-object 192.168.100.0 255.255.255.0
  object-group network ASA3-inside
    network-object 192.168.200.0 255.255.255.0
  access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
  access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
  nat (outside) 0 access-list nonat-outside
  Please let me know, how this coming along.
  thanks
  Rizwan Rafeek

• Asa vpn ip question

  Hi all,
  I feel like this is a dumb question, but I can't seem to find the documentation fitting my scenario on cisco. I can setup VPN without any problems. My issue though is that, all the configuration examples rely on the outside interface IP as the "PEER IP" in L2L or target IP in RA. Is there any special configuration needed to use a public IP other that my outside interface?
  Example:
  outside interface (ASA) ip 1.1.1.1
  L2L vpn ip 1.1.1.2
  RA vpn ip 1.1.1.3
  Gateway ip 1.1.1.4
  I want to use 1.1.1.2 and 1.1.1.3 in my ASA configuration instead of using the outside interface, but im unsure as to where I define this parameter.....
  Any suggestions using this example?
  Tia,
  Fred

  Fred, you are right in stating all docs pertaining to l2l vpn points to outside interface as it is the most commonly setup scenario. I am not aware you could do what you are trying to do using a different IP as your vpn termination point instead of the actual IP address of the interface, if there is a was Im willing to learn it.
  You could however, not that I have tried it but will see if I could simulate this at some point in future would be to have three outside subinterfaces one sub for L2l 1.1.1.2 end termination point, one sub RA 1.1.1.3 and your outside physical with 1.1.1.1 . This is Just a thought , perhaps we could see some other comments.
  Rgds
  Jorge

• Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

  Hello,
  We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
  Thanks for your comments in advance I am new to cisco technology,
  Joe        

  Wrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.

• Cisco ASA -VPN Ping Question

  Hey guys, I have a Cisco ASA 5505 8.4 I have a Remote Access VPN up and working...for the most part. When I VPN in I would like to be able to access our Mitel phone manager which is just a internal IP you put in the browser. Here is the issue when I am connected I can't ping the address of 10.0.0.250. But I can ping my other servers 10.0.0.2 and 10.0.0.3. Why can I ping some address but not others.
  Thanks
  Nick

  Hi,
  Are you saying that the ASA replaced the previous device that acted as the default gateway for the phone system? And also the IP address was changed and this was not taken into consideration on the phone systems network configurations?
  This would indicate that the problem is with the phone system having the old gateway IP address configured and it doesnt know where to forward the traffic that is coming from a different network (for which it would require the correct default gateway)
  If the internal network that can ping and access the phone system means the hosts that are on the same internal network with the phone system (10.0.0.x) then this is expected as the default gateway is not needed between the hosts in the same network as they communicate directly.
  So would be the problem now simply be with the default gateway IP set on the phone system.
  - Jouni

• ASA 5520 site-to-site VPN question

  Hello,
  We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
  The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
  After doing some research, I came across the this command;
  sysopt connection permit-vpn
  I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
  Thanks,
  John

  What are your configs and network diagrams at each location?  What are you doing for DNS?  I can help quicker with that info.  Also, here are some basic site to site VPN examples if it helps.
  hostname cisco
  domain-name cisco.com
  enable password XXXXXXXX encrypted
  passwd XXXXXXXXXXX encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.2 255.255.255.0
  interface Ethernet0/2
  nameif backup
  security-level 0
  no ip address
  interface Ethernet0/3
  nameif outsidetwo
  security-level 0
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.com
  same-security-traffic permit intra-interface
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list split standard permit 10.0.0.0 255.255.255.0
  access-list split standard permit 10.90.238.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered errors
  logging trap notifications
  logging asdm informational
  logging class vpn buffered debugging
  mtu outside 1500
  mtu inside 1500
  mtu backup 1500
  mtu outsidetwo 1500
  mtu management 1500
  ip local pool vpnpool 10.0.10.100-10.0.10.200
  ip audit name Inbound-Attack attack action alarm drop
  ip audit name Inbound-Info info action alarm
  ip audit interface outside Inbound-Info
  ip audit interface outside Inbound-Attack
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inbound in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 10 set transform-set myset
  crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
  crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address XXX
  crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 1 set transform-set myset
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 2 match address XXX2
  crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 2 set transform-set myset
  crypto map outside_map 2 set security-association lifetime seconds 28800
  crypto map outside_map 2 set security-association lifetime kilobytes 4608000
  crypto map outside_map 3 match address XXX3
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 3 set transform-set myset
  crypto map outside_map 3 set security-association lifetime seconds 28800
  crypto map outside_map 3 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy XXXgroup internal
  group-policy XXXgroup attributes
  dns-server value XXX.XXX.XXX.XXX
  vpn-idle-timeout 30
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  default-domain value domain.local
  username XXX24 password XXXX encrypted privilege 15
  username admin password XXXX encrypted
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXXgroup type remote-access
  tunnel-group XXXgroup general-attributes
  address-pool vpnpool
  default-group-policy rccgroup
  tunnel-group XXXgroup ipsec-attributes
  pre-shared-key XXXXXXXXXX
  isakmp ikev1-user-authentication none
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily

• Question on WCCP and ASA/VPN

  Hello i have this simple scenario.
  -ASA as an EZVPN server.
  -WSA in my local lan (inside interface)
  -remote vpn users connecting to the ASA.
  When a user connects via VPN to my ASA, and i want to do some web filtering to them using the WSA... How would i accomplish it if i dont want to use explicit proxy? 
  Can i use WCCP on the outside interface of the ASA and redirect web traffic to the WSA which is across my inside ASA interface? 
  Need to know if WCCP redirection from one ASA interface to another is supported.
  Thanks in advanced!
  Emilio

  Hi
  Please have a look at the following link:
  http://my.safaribooksonline.com/1587052091/copyrightpg?cid=2008-ciscopress-pp-widget-book&searchtextbox=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&query=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&searchmode=simple&searchview=summary&portal=ciscopress#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTE1ODcwNTIwOTElMkZjaDE2JnF1ZXJ5PUNpc2NvJTIwQVNBJTNBJTIwQWxsLWluLU9uZSUyMEZpcmV3YWxsJTJDJTIwSVBTJTJDJTIwYW5kJTIwVlBOJTIwQWRhcHRpdmUlMjBTZWN1cml0eSUyMEFwcGxpYW5jZQ==

• ASA 5505 Easy VPN to ASA 5510 Question

  I am working on configuring ASA 5505's for some of our remote offices to connect to our 5510 at HQ.. I have the 5505's configured and running using Easy VPN since they will be getting their IP addresses dynamically.
  From a computer connected to the ASA I can connect to and ping all of my servers at HQ. From HQ I can't ping the computer or RDP to it.
  I haven't done this type of a config in years so I'm unsure of what I need to change. It seems to me that the routes aren't populating at the HQ to get to the 5505's. I was reading up on Reverse Route Injection and that seems like the right answer. I wanted to get some other ideas before I made any changes to the 5510.
  Any thoughts or tips would be appreciated.
  Thanks

  Dan,
  EzVPN might get funky sometimes. Have you looked into something like a "dynamic to static Lan to Lan" ?
  If you are using EzVPN on the branch becuase you have a dynamic IP, you might want to give it a shot.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
  The config example uses a PIX 6.3 as remote, but the configuration on the remote site should be the same as any other L2L config. The one that changes is the one at the HQ where you need to configure a Default L2L group to accept the dynamic connections.
  Have a good one.
  Raga

• ASA and Cisco VPN question

  I am having an issue on a new ASA. I am able to connect to the customer?s network using the Cisco VPN client, but I am not able to PING or access anything on the customers network. What needs to be done to fix this???
  There is a route on the customer?s router pointing back to the firewall for the IP range you get when you VPN in?
  Thanks,
  Chris

  Thanks, please rate.
  No, it is needed for pix as well. ASA 7.2, the command is "crypto isakmp nat-traversal".
  It is necessary if vpn client is connecting behind nat. Allows ipsec to be encapsulated in udp port 4500. The transport tab I mentioned is in the connection entry properties, if you click modify. You will see enable transparent tunneling over udp.

• ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface

  I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
  Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
  Is this possible?
  Thanks,
  Tommy

  When we connect any VPN on a device then it is always a TO THE DEVICE connection and I am afraid we can connect only to the local / nearest interface where user is connected in a network with respect to ASA.
  I have seen this scenario working though earlier with one of my clients wherein he has configured his DNS server accordingly so that depending upon the source of the DNS request an appropriate IP address was provided for same DNS name. For example if user from IP address range 192.168.0.0 range connects to abc.com then it will get IP address 192.168.1.1 and if a user from range IP address10.0.0.0 connects then it will get 10.1.1.1.
  If we configure the same scenario as well then your requirement will be fulfiled with same name however VPN has to be enabled on wireless interface again. If not, then as you have described configuring a new domain name for VPN connection only for wireless users should do the deal.
  Regards,
  Anuj

• ASA 5510 vpn question

  Hi all,
  I have 1 ISP link terminated on ASA 5510. Can i configure both easy vpn and site to site vpn on that interface ?

  Hi,
  Do you mean that you would use the ASA5510 as a Easy VPN Server (where clients would connect to) and also build L2L VPN connections from the ASA5510 to other sites?
  If that is what you mean then I think that should be possible.
  - Jouni

• ASA vpn nat question

  i have an ASA 5520 ver 8.4 with the following config
  WAN
  207.211.25.34
  Production
  10.11.12.1 255.255.255.0
  Mgmt
  10.11.11.1 255.255.255.0
  i need to create a peer-2-peer VPN to a remote site ASP16 from both Prod and Mgmt
  what would my nat statement look like ?
  currently i have the following but can only ping from Mgmt not Prod  (ASP17 is an network object group that contain the Prod and Mgmt subnets )
  nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
  nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

  Hello Tejas,
  After reading your configuration I can see that the crypto-maps are applyed to the outside interface, and the Access-list for the interesting traffic has both networks (Managment and production) so you should be able to access the other network from this site.
  Can you do the following packet tracers to see the features the ICMP packet is hitting when the Request is sent.
  I will need the output of the following commands:
  1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
  2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
  Please rate helpful posts,
  Julio!!