Having issues on ASA 5510 pass traffic between interfaces

Similar Messages

• Unable to pass traffic between sites

  I've read through dozens of posts and so far have had no luck getting any of the suggestions to work - combined with many of these posts being multiple years old...so I'm going to try posting something current and see if I get anywhere.
  Scenario:
  Site A - Cisco ASA 5510 running 8.4(4)1 with two interface connections to a Cisco ME 6500 (which I do not manage), one for internet and one for a MPLS connection.
  Site B – connecting to an unknown switch which is connected to the MPLS network.
  Site C – Cisco ASA 5505 running 7.2(3) with one connection to an unknown switch (which I do not manage) for internet access.
  Site A to Site B traffic flows between the two without issue.
  Site A to Site C is a site-to-site VPN connection. Traffic flows between the two without issue.
  The main issue I’m having is that Site B cannot talk to Site C and vice versa. Also my client VPN connections to Site A cannot get to Site B or Site C.
  My first question is; is this even possible? (I sure expected it to be). And if so, what the heck am I doing wrong???
  I’ve included a config from Site A which is where I’m guessing the problem is. Any insight is appreciated.

  "I'm not following what you mean by that."
  Your Site "A" and "B" connected through MPLS cloud and they are not connected through vpn-connection, right?  I assume that your site "B" cannot communicate to site "C", therefore you must permit site-B's subnet traffic transit between site "A" and site "C" i.e. Site-B should have access to "C", right ?
  "I may be misunderstanding, but isn't that what this is: "route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1"."
  Great 10.17.0.0/16 route meant for site "B", that is fine, you wouldn't need an additional one.
  "You completely lost me there :)"
  I presume that your Site "B" and "C" does not have direct MPLS connection, therefore Site "A" becomes a transit path for site "B" and "C".   You allow site-B's transit through the vpn-tunnel between site "A" and "C".  Your site "C" assumes that subnet belong to site "B" is directly connected at site "A" but in reality it connects via a MPLS cloud and one last thing is that a route needed at site-B to push site-C's traffic to Site "A", a static route would do that.
  As you would permit site-B's traffic to pass through vpn-tunnel site "A" and "C", in other words your "A" become a hub for traffic flowing between site "B" and "C".
  "Should the route be applied to the inside or the outside interface?"
  Outside.  Your tunnel terminated on the outside interface, right? If so then it must point to outside's default-gateway address.
  object network SiteB-network
   subnet 10.17.2.0 255.255.255.0
  this would allow you to access site-c subnet when you are remote-in to Site-A.
  nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
  this is to allow Site-B to access site-C subnet via the tunnel between site A and C.
  nat (MPLS,outside) source static SiteB-network SiteB-network destination static SiteC-network SiteC-network
  object network inside-network
   subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) source static inside-network inside-network destination static SiteC-network SiteC-network
  access-list outside_cryptomap extended permit ip object inside-network object SiteC-network
  this is allow Site-B to access site-C subnet via the tunnel between site A and C.
  access-list outside_cryptomap extended permit ip object SiteB-network object SiteC-network 
  Thanks
  Rizwan Rafeek

• Vlan passing traffic between switches

  I have a client that has two WAP321s, two Catalyst 2960s, one SG500X-48, and a Watchguard Router/Firewall (Model is not important).
  I am trying to get the guest wireless network setup to pass traffic on VLAN2 to the router across the network. All regular traffic is on VLAN1. (yes I know it really should be on a different VLAN)
  Background:  I had originally had everything working till one of the unmanaged switches died. I move one of the Catalyst 2960s to replace the dead switch and then replaced the Catalyst 2960 with a SG500X-48.
  Network layout: One WAP321 is connected to one of the Catalyst 2960s, which is connected to the Firewall/Router. (All traffic is passed as expected on both VLANS)
  The second WAP321 is connected to the second Catalyst 2960, which connects to the SG500X-48, which connects to the first Catalyst 2960, and then to the Firewall/Router. The Default VLAN 1 works fine. VLAN2 does not.
  What I have tried to do is set the ports on the second Catalyst 2960 which is connected to the WAP321 and the SG500X-48 to Trunk. I also set the port on the first Cataylst 2960 that connects to the SG500X-48 to trunk. (Although it was not set and passing traffic before moving switches around.) When I do this all traffic between the first Catalyst 2960 and the SG500X-48 stops. The Catalyst 2960 reports a port error and then shuts down the port. Only way to recover is to clear the port setting and then reboot the switch.
  Does anyone have any ideas as to what is happening and what I am doing wrong?  

  Aniketalashe
  I was able to get the port on the Catalyst 2960 set to trunk finally, not sure what did the trick, although that does not seem to be my problem.
  Back to your question of the error report. I am unable to figure out how to get the log out of the 2960. I saw the error in the webGUI, when I moused over the port in question when the problem was happening.
  I am starting to think that maybe the switch is starting to go.

• Cisco ASA 5520 traffic between interfaces

  Hello,
  I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
  ciscoasa# ping esx_management 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  ciscoasa# ping home_network 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Thank you in advance.

  Hi,
  Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
  I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
  packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
  I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
  I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
  Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
  Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
  Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
  Static Identity NAT
  static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  OR
  NAT0
  access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
  nat (home_network) 0 access-list HOMENETWORK-NAT0
  Hope this helps
  - Jouni

• ASA5505 Can't pass traffic between inside (private) & outside (private)

  10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
  Goal:
  10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other.  Current config is any/any for troubleshooting.
  Example:
  10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails.  Running it thru ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
  Question:
  What am I doing wrong?
  : Saved
  ASA Version 8.2(5)
  hostname SJ-HostB-ASA
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.15.50.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 10.60.15.253 255.255.255.252
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list outside_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  aaa authorization exec LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  no sysopt connection permit-vpn
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp policy 1
  authentication pre-share
  encryption aes-256
  hash sha
  group 1
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 30
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 30
  console timeout 30
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 10.15.50.243 source inside
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
    destination address email
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  : end
  asdm image disk0:/asdm-645.bin
  no asdm history enable

  Hi,
  You can only PING / ICMP an ASA interface from behind that same interface.
  So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through VPN connection and you use the "management-access " command. But this doesnt apply to your situation.
  You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address if what you say is true.
  So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
  You dont seem to have "nat-control" enabled so all traffic should be able to pass through the ASA without translation. So NAT shouldnt be a problem.
  You can also add the following configurations
  policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error
  - Jouni

• Multiple Public IP's on single ASA 5510 - "Segment Traffic"

  Hello,
  I was told this is not possible on Cisco ASA, just wondering if its true.
  Description:   We are setting up 2 new exchange servers, they need to go out the same ASA on different interfaces to seperate Public IP's. We also have a 3rd Public IP for our Staff.
  Basically we want our Staff to use the 10x5 slow internet connection (Public 3). We want Server 1 to use Public IP 1 and Server 2 Public IP 2.
  Server 1  -----> Public IP 1
  Server 2  -----> Public IP 2
  Staff       ------> Public IP 3
  I was told PBR (Policy Based Routing) is not supported on Cisco ASA, which I understand. But is there a work around with the ASA, or will I HAVE to implement a layer 3 device infront of the ASA?
  We also have a DMZ in the mix, I dont know if that changes anything.
  I hope this makes sense, if not I can try and explain more, but any advice would be greatly appreciated! I dont want to expense another layer 3 device if possible!

  Hi,
  Here is a link to another discussion where a user wanted to direct a certain DMZ network traffic through another ISP
  https://supportforums.cisco.com/thread/2209874
  Naturally the NAT setup doesnt exactly match with your need but essentially in your case it would just slightly modifying the NAT configurations.
  Naturally this is not something that is really suggestable for a production environment but it should work. Then again as Cisco doesnt officially support it there is no knowing what future updates might do to this or what would happen if you ran into problem with NAT related operation of the firewall.
  Because of this way of NAT configuration the configurations would naturally come more complex and the ordering of NAT rules might need more close look when modifying them.
  - Jouni

• NAT issue in ASA 5510

  HI experts,
  i am using 
  Cisco Adaptive Security Appliance Software Version 8.0(4)
  Device Manager Version 6.4(9)
  i configure Nat but when i use packet tracer in firewall to see packet flow i found my inside packet is not able to reach to outside interface.what is the problem i don't understand. should i create access rule for the or anything else.
  please healpe..
  regards
  Suhas

  Hi,
    Pease find the whole configuration & packet tracer screen shot..
  ASA Version 8.0(4)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 172.16.30.0 outside
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Ethernet0/1
  nameif outside
  security-level 0
  ip address 172.16.30.2 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 0
  ip address 10.10.10.1 255.255.255.0
  boot system disk0:/
  boot system disk0:/asa825-33-k8.bin
  ftp mode passive
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-649-103.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 1 192.168.1.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.10 255.255.255.255 inside
  http 10.10.10.2 255.255.255.255 management
  no snmp-server location
  no snmp-server contact
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 192.168.1.10 255.255.255.255 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  username cisco password 3USUcOPFUiMCO4Jk encrypted
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
    message-length maximum client auto
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:0fbad53e0533429878e448f1f87415fc
  : end
  ciscoasa(config)#
                                               This image for INSIDE HOST TO INSIDE INTERFACE
     This image for INSIDE HOST TO OUTSIDE INTERFACE
  This image for INSIDE HOST TO OUTSIDE NEXT HOP INTERFACE

• Issue with Verizon Aircards passing traffic past VPN 3005

  We have a Cisco VPN 3005 as our endpoint. Clients connection using the Cisco 4.7 client. Currently here is the basic config on the device:
  Pub Interface 65.xxx.xxx.xxx
  Private Interface 172.22.0.3/16
  VPN Addy Pool 172.31.1.0/28
  Static routing is used to route traffic as necessary.
  Clients can connect via wireless broadband or broadband and ping past the VPN Private interface and open up Outlook using an online exhcange profile. But clients connecting over an EVDO or 3G cellular modem cannot open Outlook. They can ping by IP but not DNS.
  I have tried using different transports ie , IPSEC/UDP , IPSEC/TCP , and straight IPSEC. No joy. All the clients have allow local LAN access checked and the VPN Group is set to tunnel traffic in that network only. Any clues??

  Issue has been resolved. Clearing DNS with an ipconfig /flushdns , ipconfig /registerdns while on aircards on VPN resolved it.

• WCCP on ASA & traffic between physical interfaces on ASA

  Hello,
  I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
  Eth 0/0 : Outside (to internet)
  Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
  Eth 0/1.211 : Vlan211 (20.21.10.0/24)
  Eth 0/1.212 : Vlan212 (20.21.20.0/24)
  Eth 0/1.220 : Vlan220 (20.22.0.0/16)
  Eth 0/2 : WAAS (20.21.30.0/24)
  I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
  I get this error message:
  3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
  How can I fix this?
  My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
  wccp 61 redirect-list WCCP_To_LAN
  wccp 62 redirect-list WCCP_To_WAN
  wccp interface outside 62 redirect in
  wccp interface LAN 61 redirect in
  access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
  access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
  I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
  Thanks
  Ankit

  common guys
  Am I doing something wrong here?
  No one replies to my posts. I had the same experience with the previous one.
  Is this not the right forum for this query???
  Ankit

• Site to Site VPN with an Asa 5510 & 5505

  Hey all,
  Im hoping anyone can help me because i cant seem to figure it out. I managed to create an site to site vpn between location a an b.
  I will be using fictional wan adresses.
  SiteA 20.20.20.20
  SiteB 21.21.21.21
  Site B is a very simple netwerk. We have a Asa 5505 and directly plugged into this ASA is my computer. I get an DHCP adress from the asa etc. I use the range 192.168.1.0 /24 for this.
  Site A is a little bit more complex. I have ASA 5510 with 2 configured interfaces. Outside (Called WAN) and Inside (called DMZ)
  The DMZ uses the range 192.168.200.0 /24
  Inside the DMZ i have another firewall (UTM appliance) configured at(this is a fictional ip adress) 192.168.200.1
  This firewall serves as gateway for the lan and also has 2 interfaces. One on the LAN side and one on the DMZ side. (DMZ 192.168.200.1 - LAN 10.1.1.254) The ASA has a static route configured towards the LAN.
  How can i create a site to site from Site A's LAN to SiteBs. I have managed to create a Site to Site to A's DMZ. This works. I can RDP and PING adresses in the DMZ but whenever i try to reach the lan i get no reply. My first suspicion was that the UTM would block it but i cant find anything in its log files.
  Would love some input. (i created the site to site using the GUI)

  Hi,
  I think you should be able to do it. You just need to allow the required ports for LAN to LAN VPN like UDP 500 , ESP , 4500 etc.
  Use NAT exempt on the UTM and add the Subnet to the Crypto ACL on the ASA device on both the Sides.
  This should be able to do it.
  Thanks and Regards,
  Vibhor Amrodia

• ASA5505 - Blocking internal traffic between 2 servers

  Hi guys/ladies
  I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
  10.50.15.4 > fileserver
  10.50.15.5 > domain controller (exchange)
  10.50.15.6 > terminal server
  10.50.15.7 > terminal server
  Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
  2
  Oct 27 2012
  14:51:05
  106007
  10.50.15.6
  55978
  DNS
  Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
  What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
  Any idea why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
  Any help you can give would be great as this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

  Result of the command: "show cap asp | include 10.50.15.6"
    15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163
    16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
    17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
    25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
    27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
    28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138:  udp 237
    29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138:  udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
    30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule

• Traffic Between 2 Ports on Different VLANs on the Same Switch

  Hi,
  This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs so any additional context in that regard would be very welcome
  If I've got 2 systems on difference VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch and i want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially as layer 3 needs to be involved for inter-VLAN routing but wondering if layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
  Thanks in advance,
  cisco_reader.

  If the hosts are on different Layer 2 Vlans and you want to pass data between them, that data needs to be 'Routed'.
  In order to Route data from one Layer 2 Vlan to another, you need a device capable of Layer 3 Routing. That device can be a traditional Router or can be something called a Layer 3 switch.
  A 2950 switch is Layer 2 only so has the ability to create many Layer 2 Vlans which is what you have done. In order to route traffic between those Vlans, you can either use a router or a L3 switch.
  If you decided to use a router, look up something called 'Router on a Stick' which involves creating a Trunk link from the 2950 to the Router and then setting up Subinterfaces on the Routers port to act as the 'Default Gateway' for each of your Vlans.

• Pass data between InfoPath forms in SharePoint

  Hello!
  Maybe someone has ideas about the next issue: how to make pass data between InfoPath forms in SharePoint, like it is shown in a video: https://www.youtube.com/watch?v=-nGl-Se2cOQ
  I've read similar topics, but still can't find solution.
  Thank you.

  When you go to modify the submit connection, you can specify whether or not to overwrite, as well as a default title value. If you use the now() function in the title, it should never have the same name.
  Andy Wessendorf SharePoint Developer II | Rackspace [email protected]

• ASA 5510 Not able to route traffic between 2 LAN interfaces

  Hi everybody,
  I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic doe not go from accounting interface to Inside. I am able to access internet from both interfaces. Can someone pin point me in the right direction since I am not an expert in Cisco but has to finish this by the end of the week.
  Thank you,
  Sigor
  Here is my configuration:
  ASA Version 8.2(2)
  hostname Cisco
  domain-name xxx.com
  names
  interface Ethernet0/0
   description Outside
   nameif Outside
   security-level 0
   ip address 101.101.101.101 255.255.240.0
  interface Ethernet0/1
   description Inside Network
   nameif Inside
   security-level 90
   ip address 192.168.10.1 255.255.255.0
  interface Ethernet0/2
   description Accounting
   nameif Accounting
   security-level 100
   ip address 20.0.1.1 255.255.255.0
  interface Ethernet0/3
   shutdown
   no nameif
   no security-level
   no ip address
  interface Management0/0
   nameif management
   security-level 100
   ip address 192.168.1.1 255.255.255.0
   management-only
  ftp mode passive
  clock timezone EST -5
  dns domain-lookup Outside
  dns server-group DefaultDNS
   name-server 8.8.8.8
   domain-name xxx.com
  same-security-traffic permit inter-interface
  object-group service Port-10000 tcp
   port-object eq 10000
  object-group service Port-8080 tcp
   port-object eq 8080
  object-group service Port-8011 tcp
   port-object eq 8011
  object-group service DM_INLINE_TCP_1 tcp
   group-object Port-8080
   port-object eq www
   group-object Port-8011
  object-group service DM_INLINE_TCP_2 tcp
   group-object Port-10000
   port-object eq https
   port-object eq www
  object-group service rdp tcp
   port-object eq 3389
  object-group service DM_INLINE_TCP_3 tcp
   group-object rdp
   port-object eq ftp
  object-group service DM_INLINE_TCP_4 tcp
   group-object Port-10000
   port-object eq www
   port-object eq https
   port-object eq ssh
  object-group service DM_INLINE_TCP_5 tcp
   group-object Port-8011
   group-object Port-8080
   port-object eq www
  object-group service DM_INLINE_TCP_6 tcp
   group-object Port-10000
   port-object eq www
   port-object eq https
  object-group service DM_INLINE_TCP_7 tcp
   group-object rdp
   port-object eq ftp
  access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
  access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
  access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
  access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp                                                              
  access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
  access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0                                                                
  access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
  pager lines 24
  logging asdm informational
  mtu Outside 1500
  mtu Inside 1500
  mtu Accounting 1500
  mtu management 1500
  ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (Outside) 1 interface
  nat (Inside) 0 access-list Inside_nat0_outbound
  nat (Inside) 1 0.0.0.0 0.0.0.0
  nat (Accounting) 1 0.0.0.0 0.0.0.0
  static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
  static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
  static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
  access-group Outside_access_in in interface Outside
  access-group Accounting in interface Accounting
  route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 192.168.10.0 255.255.255.0 Inside
  http 20.0.1.0 255.255.255.0 Accounting
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 32608000
  crypto ipsec security-association replay disable
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256
  -SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
  crypto map Outside_map 1 match address Outside_1_cryptomap
  crypto map Outside_map 1 set pfs group1
  crypto map Outside_map 1 set peer 89.216.17.35
  crypto map Outside_map 1 set transform-set ESP-3DES-SHA
  crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map Outside_map interface Outside
  crypto isakmp enable Outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh 192.168.10.0 255.255.255.0 Inside
  ssh timeout 5
  console timeout 0
  dhcpd address 20.0.1.100-20.0.1.200 Accounting
  dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
  dhcpd lease 306800 interface Accounting
  dhcpd domain abtscs.com interface Accounting
  dhcpd enable Accounting
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy CiscoIPsec internal
  group-policy CiscoIPsec attributes
   dns-server value 192.168.10.30 192.168.10.19
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
   default-domain value xxx.com
   vpn-group-policy CiscoIPsec
  tunnel-group 198.226.20.35 type ipsec-l2l
  tunnel-group 198.226.20.35 ipsec-attributes
   pre-shared-key *****
  tunnel-group CiscoIPsec type remote-access
  tunnel-group CiscoIPsec general-attributes
   address-pool IPSecDHCP
   default-group-policy CiscoIPsec
  tunnel-group CiscoIPsec ipsec-attributes
   pre-shared-key *****
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
  : end

  Without diving too deep into your config, I noticed a couple of things:
  interface Ethernet0/1
   description Inside Network
   nameif Inside
   security-level 90
   ip address 192.168.10.1 255.255.255.0
  interface Ethernet0/2
   description Accounting
   nameif Accounting
   security-level 100
   ip address 20.0.1.1 255.255.255.0
  On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
  access-list Inside permit ip any any
  access-group Inside in interface Inside
  The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
  HTH,
  John

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"