NAT between two interfaces

Good day,
I would ask if it is possible to do NAT between two Interfaces on the same device?
The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.
This is my current NAT statement:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
This is my PacketTracer output:
Phase: 1Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.3.0     255.255.255.0  mgmt
Phase: 2Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group inside in interface insideaccess-list inside extended permit ip 172.20.200.0 255.255.255.0 anyAdditional Information:Phase: 3Type: IP-OPTIONSSubtype:Result: ALLOWConfig:Additional Information:Phase: 4Type: NATSubtype:Result: ALLOWConfig:nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectionalAdditional Information:Static translate 172.20.200.1/0 to 192.168.3.222/0Phase: 5Type: USER-STATISTICSSubtype: user-statisticsResult: ALLOWConfig:Additional Information:Phase: 6Type: FLOW-CREATIONSubtype:Result: ALLOWConfig:Additional Information:New flow created with id 244039047, packet dispatched to next moduleResult:input-interface: insideinput-status: upinput-line-status: upoutput-interface: mgmtoutput-status: upoutput-line-status: upAction: allow
So NAT seems to be working correct. I can reach other devices behind the mgmt network this is no problem. But I cant access the ASA on the mgmt interface 192.168.3.2.
Clould it be a problem with the traffic flow? Because in the PacketTracer output I see on Phase1 a Route-Lookup and later on Phase4 the NAT statement.
Is there a way to get this working?
Many thanks for your feedback.
Brgds,
Markus

Hi,
To my understanding its not possible to connect to an ASA interface through interface other than the interface where the IP address is located.
In other words you are not able to connect from behind "inside" to the IP address of "mgmt" interface
I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
- Jouni

Similar Messages

  • ASA5510 - Verifying NAT is fully disabled between two interfaces

    Hello,
    I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.
    I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to  the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.
    So far I have the following NAT related running-config command (in regards to these two interfaces):
    access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface inside
    access-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
    access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface inside
    access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
    access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
    nat (inside) 0 access-list NAT_Exempt_2
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (Inside-test) 0 access-list NAT_Exempt
    nat (Inside-test) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    global (Inside-test) 1 interface
    Let me know if more information is needed for you to assist me futher.
    Thank you.

    Thank you Jennifer for your responses.
    Do I need to include access-list commands for both directions for each interface as listed in my full config above, or do I just need one for one direction on one and one direction on the other interface (plus the exempt for the 69.x.x.x network)?
    Would this config suffice?
    access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 69.87.157.192 255.255.255.224
    access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 69.87.157.192 255.255.255.224
    nat (inside) 0 access-list NAT_Exempt_2
    nat (inside-test) 0 access-list NAT_Exempt
    Will I need to clear xlate to see the results of this or will this take affect immediately? I can't really do that during business hours, but should be able to after hours if I need to.
    Can you clarify what the global commands do? I keep thinking that it adds the IP of the Interface to packets as they go through the interface and that I should use a different config for the Inside-test network.
    I will try the xlate detail to verify and let you know what I find.
    Thank you.

  • Load balancing between two interfaces on 2811

    Hi,
    We have a 2811 router with VPN and NAT configured. We have two internet connection from different ISPs. The speed of our original connection is 2MB up and down. The speed of our new connection is 1MB up and down. We want to configure load balancing between the two connections. Our new ISP has provided us with a CISCO 837 router. We want to connect that router into our 2811 on one of the free WIC card and then configure load balancing between the two interfaces on our 2811. The third interface has a local address configured. Please suggest where to start. I tried searching on net for any configuration example but I was unable to find any particular example with commands. I am new on CISCO platform. Any help will be hugely appreciated. Thanks in advance.

    Raju,
    you have two choices as far as I can see. If you want to use static routing over the WAN to your branch, you could duplicate your static routes to the branch and point them to the secondary router. You will have two identical sets of static routes in the primary router, one set pointing to the WAN interface and the other one pointing to the secondary router.
    ip route x.x.x.x "WAN-interface"
    ip route x.x.x.x "secondary router"
    ip route y.y.y.y "WAN-interface"
    ip route y.y.y.y "secondary router"
    etc.
    As a result the primary router will have two routes to the branch and will load-balance. If one next-hop fails (either the WAN interface or the secondary router), only the other will be used. If the next-hop comes back up, load-balancing will resume.
    The other choice would be to use EIGRP over the WAN, and make sure the two routers become EIGRP neighbors. Then you can use the "variance" command to achieve unequal cost load-balancing between the two routers. Let me know if you need more information about this, but i think static routes will be sufficient in your situation.
    HTH, Thomas

  • View Mapping Result between two Interface Mappings in ccBPM

    Hello,
    I've got a ccBPM which does two interface mappings. The second one fails. When I redo the steps manually in the Interface Mapping test mode everything works fine. Anyway, I want to get the message from the failed BPM that got out of the first interface mapping, which worked fine in the BPM as well, before entering the second.
    Where can I get that message? In Monitoring I can only find messages that got sent.
    Thanks for you help!
    Regards,
    Dirk

    Hi,
    Please check in Runtime Workbench.
    Go to Adapter Engine --> Component Monitoring
    Now select your Adapter.
    Use Filter and below you will find message ids.
    select one and you can see the audit log..where your appln fails.
    You can also use SXMB_MONI.
    Select the message giving error and in that goto outbound tab..click on link...select view details image button...select the component with error and go to container tab of it....there you will find trace entry....where log of your error will be stored..
    Hope it helps.
    Best Of Luck
    Akhil
    Edited by: Akhil Rastogi on Mar 18, 2008 11:08 AM

  • VSM with NAT Between two ASR routers

    We are new to the ASR platform and IOS XR.  We have two new ASR 9006's with the VSM module.  These two routers are not yet in production so we can play around with them.  We will be moving the NAT functionality from our firewalls to these two routers.  Is it possible for these two routers to share NAT translations?  It is entirely possible that outbound traffic could be NAT'ed out one of these ASR's and the return traffic come through the other ASR.  In this scenario how is the NAT translation handled?  I've not had much luck finding documentation on this specific topic.
    Thanks,
    Marc

    Hi,
    To my understanding its not possible to connect to an ASA interface through interface other than the interface where the IP address is located.
    In other words you are not able to connect from behind "inside" to the IP address of "mgmt" interface
    I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
    - Jouni

  • CISCO ASR901 BRIDGE BETWEEN 2 INTERFACES

    Hi All!
      I'm looking for some way to make a transparent bridge between two interfaces of a Cisco router ASR901 , is there any possibility? I ask this because I have a scenario where I would use the ASR901 to the following question :
    POP01 (                       ) ASR901  g0 / 6 -------- > ISG_7206
    POP02 ( MPLS CLOUD )               g0 / 7 -------- > ISG_7206
    POP03 (                       )
    The ASR901 will focus EoMPLS with other points in the network and pass on to ISG routers , ie , VLANs would have to be two ports with XConnect to a remote router , the configuration would be something like this :
    interface GigabitEthernet0/6
    Core description : MPLS CONC PPPOE02
    no ip address
    negotiation auto
    hold- queue 1024 in
    hold- queue 1024 in October
    service instance 4095 ethernet
      encapsulation dot1q 4094
      rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/7
    Core description : 7206_PPPOE_01
    no ip address
    negotiation auto
    service instance 4095 ethernet
      encapsulation dot1q 4094
      rewrite ingress tag pop 1 symmetric
    end
    L2VPN XConnect context TEST
    ethernet interworking
    member 201.55.127.202 1212 encapsulation mpls group TEST
    member GigabitEthernet0 / 7 service -instance TEST 4095 group priority 1
    member GigabitEthernet0 / 6 service -instance 4095
    redundancy group delay 1 3 TEST
    But without an interface that was redundant of other , what I need is the 2 interfaces in " bridge " making a XConnect to a remote router , and these 2 interfaces connected ISGs in 2 to make a balance .

    Hi,
    This discussion is for IOS-XR related questions. You should post your question under Service Provider > MPLS.
    thanks,
    rivalino

  • CISCO ASR901 BRIDGE BETWEEN 2 INTERFACES WITH XCONNECT

    Hi All!
      I'm looking for some way to make a transparent bridge between two interfaces of a Cisco router ASR901 , is there any possibility? I ask this because I have a scenario where I would use the ASR901 to the following question :
    POP01 (                            )  ASR901  g0 / 6 -------- > ISG_7206
    POP02 ( MPLS CLOUD )                   g0 / 7 -------- > ISG_7206
    POP03 (                            )
    The ASR901 will focus EoMPLS with other points in the network and pass on to ISG routers , ie , VLANs would have to be two ports with XConnect to a remote router , the configuration would be something like this :
    interface GigabitEthernet0/6
    Core description : MPLS CONC PPPOE02
    no ip address
    negotiation auto
    hold- queue 1024 in
    hold- queue 1024 in October
    service instance 4095 ethernet
      encapsulation dot1q 4094
      rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/7
    Core description : 7206_PPPOE_01
    no ip address
    negotiation auto
    service instance 4095 ethernet
      encapsulation dot1q 4094
      rewrite ingress tag pop 1 symmetric
    end
    L2VPN XConnect context TEST
    ethernet interworking
    member 201.55.127.202 1212 encapsulation mpls group TEST
    member GigabitEthernet0 / 7 service -instance TEST 4095 group priority 1
    member GigabitEthernet0 / 6 service -instance 4095
    redundancy group delay 1 3 TEST
    But without an interface that was redundant of other , what I need is the 2 interfaces in " bridge " making a XConnect to a remote router , and these 2 interfaces connected ISGs in 2 to make a balance .

    Hello,
    I do not believe that the ASR901 will do this without help from an upstream device. If I understand correctly, you want to build a bridge-domain with 3 EFPs: 2 physical ports, and one pseudowire. As of the last IOS revision that I have configured on this platform, the 901 doesn't support the pseudowire on a bridge-domain, only a service instance.
    It seems to me that you would need an upstream box involved to support this.
    Either:
    Build 2 pseudowires to an upstream box that supports this configuration (like an ME 3600x, ME3800x, or 9k).
    or
    Associate both service instances to a common bridge domain that is extended to an upstream box that is initiating the pseudowire. More platforms would support this, since it does not require supporting the pseudowire on a bridge domain.
    ...Unless you are looking to build an LACP channel-group on the interfaces connected to the ISGs to load-balance. The 901 supports LACP, and it also supports building an EFP (service instance) on the channel-group interface. This technically makes the 2 physical interfaces one EFP. The part of this that I have not tried is building a pseudowire on an EFP on a channel-group.
    Hope this helps.
    Jason

  • Problems getting static NAT to work between two internal lans

    Hi, I'm trying the old problem of routing between two internal LANs. This on cli 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic betrween office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static nats are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the nat policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
    Manual NAT Policies (Section 1)
    1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 3
    2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    interface GigabitEthernet0/0
    nameif inside-ld5
    security-level 100
    ip address 10.20.15.2 255.255.255.0
    interface GigabitEthernet0/6
    nameif office
    security-level 100
    ip address 10.20.11.9 255.255.255.0
    object network inside-ld5
    subnet 10.20.15.0 255.255.255.0
    object network inside-office
    subnet 10.20.11.0 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

    Hi Kevin,
    because your interfaces inside and office are in same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between this interfaces. So i think you don't need NAT between this two subnets if there is not other reason to do so.
    Then you just configure ACL which will permit traffic you want between this LANs. In this case both netwroks are directly conneted so routing should work(instead of NAT).
    Best Regards,
    Jan

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Static NAT with two outside interfaces

    I have a router, which performs NAT on two outside interfaces with load balancing and had a task to allow inbound connection to be forwarded to the specific host inside on a well known port.
    here is example
    interface Fas0/0
    ip nat outside
    interface Fas0/1
    ip nat outside
    interface Vlan1
    ip nat inside
    ip nat inside source route-map rm_isp1 pool pool_isp1
    ip nat inside source route-map rm_isp2 pool pool_isp2
    all worked fine
    then i tried to add static nat
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
    and in result only last static NAT line appeared in config.
    the solution was to use interface's IPs instead of names. that helped but isn't that a bug?

    In this scenario, we are trying to access a mail server located at
    10.0.0.1 from outside and we have two outside IP, let's say, 71.1.1.1 and
    69.1.1.1.
    With CEF Enabled
    Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and
    Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1.
    Packet goes to 10.0.0.1. The return packet goes to the LAN interface
    first and the routing rule is determined *before* the packet is
    translated.
    Packet source IP at this point is 10.0.0.1 and destination is
    66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1,
    irrespective of the way it came in. Because of this, with CEF enabled
    this will not work. CEF is per-destination.
    So, let's say somebody on outside tried to access this server using 71.1.1.1, then he would
    expect a reply from 71.1.1.1 which may or may not be true as the traffic could be Nat'd to 69.1.1.1 or 71.1.1.1.
    If it gets reply packet from 71.1.1.1, it should work.
    If it gets it from 69.1.1.1, it will simply drop it as it never sent a
    packet to 69.1.1.1.
    With CEF and Fast Switching Disabled
    Same steps as above, only that the packet is sent to the process level
    to be routed. At this point, the packets will be sent out in a round
    robin fashion. One packet will go out via the Fa0/0 and the other via the
    Fa0/0. This will have a constant 50% packet loss and is also not a
    viable solution.
    So, what are you trying to achieve is not possible on Cisco router.
    HTH,
    Amit Aneja

  • How to route traffic between two different interfaces

    Hi,
    I need to setup a routing between two different interfaces on a host.
    Inferface ce1 : 192.168.120.12
    Inteface ce2 : 192.168.110.50
    Is it possible to add a route which enables the ce2 interface to catch packets from the ce1 interface ?
    Regards,
    Armin

    The problem is a application which is only able to listen on one interface.
    To fix this, I have to make all packages visible on one interface.

  • NAT, DMZ single interface two firewalls... Create Edge topology

    Hello,
    I have a two firewall DMZ so I'm strugging  to understand why the toplogy builder is asking me for the "Internal" IP of the edge server...  the edge server is not internal (by design) it's in the perimeter network (DMZ) it does not
    have an internal interface nor am I interested in giving it one (that's why I have firewalls).... Its NAT'd..
    Is this explained somewhere ? How do I setup the topology wizard to understand my  firewall configuration.. I see the NAT'd external IP.. obviously that's on the public side...
    Thanks for help,
    Steve Lithgow

    Anthony's two posts win the PRIZE !  Ben get's runner-up !
    It still baffles me why it is necessary to have an additional network in my DMZ. You are not increasing your level of security by increasing the complexity (security by obfuscation).   The internal network can have persistent routes to the
    DMZ IP of the Edge Server as well as firewall rules governing traffic by source IP to the internal network from the DMZ.  A host with two interfaces that becomes compromised is no more secure than one with a single interface.  Our firewall rules 
    are not based on "networks" to from DMZ.. they are based on source/destination IP's.
    So basically..  my point is MS should not ASSume a particular firewall configuration and force this via the Topology builder... just my .02  
    Can anyone tell me if MS is doing some memory level protection in the Edge server to that masks the external facing process from internal ones or something really special?  My guess is that the edge server is NOT ISA/TMG so......
    To someone else's point..   that stated "You don't want the edge server to be your firewall"  my response is you dang right ! But... in essence that is what you are doing by placing an internal interface on the edge server , firewall rules/routes
    or not.  That is what you are doing is  creating a firewall leg on the edge server. 
    Thanks for all then FAST help !  Though I 'm still shaking my head a bit....
    Steve Lithgow

  • 'Only' NAT'd Traffic Allowed Between ASA Interfaces

    I've just setup (2) ASAs. In doing so, I've run into the same problem on each one (i.e., I must configure NAT on each interface for the traffic to flow between them)
    Accordingly to my literature and videos I've been through, I should not have to perform NAT for the traffic to move between the different interfaces.
    Questions:
    What have I done wrong?
    What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.
    Notes about my configurations:
    Same security level traffic is permitted
    All interfaces have their security levels set to 100
    I've reset the ACLs to allow all traffic as well (*this is a lab)
    All tcp-udp traffic is inspected by default on ASAs
    Many thanks.
    Fred

    NAT-Control: NA, deprecated.
    Without Nat-Control: As I mentioned previously, I must use NAT, or the traffic will not flow between interfaces. This is my problem. It doesn't make sense that I should need to use NAT for traffic to flow between the different interfaces.
    Notes about my configurations:
    Same security level traffic is permitted
    All interfaces have their security levels set to 100
    I've reset the ACLs to allow all traffic as well (*this is a lab)
    All tcp-udp traffic is inspected by default on ASAs
    Questions:
    What have I done wrong?
    What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.

  • Shareable Interface between two RMI based applets

    Hello! I am developing a project in simulation environment (cref) in Java Card and I have one problem.
    First of all I have create two RMI based applets and I want to make one of these applets to implement a shareable interface.
    As we know a classical RMI based applet has three parts: one interface that extends Remote interface (lets call it ApplicationRemoteInt),
    one class that implements the previous interface (ApplicationImpl) and one class that extends javacard.framework.Applet which manipulates
    ApplicationImpl (ApplicationApplet).
    My problem is that I don't know which of these three programs (make it two, I don't think i could be
    ApplicationRemoteInt) have to implement an another Interface, which extends Shareable Interface (ApplicationShareable), and in which way.
    Also I think that the ApplicationShareable must be implemented by an Applet class.
    As you see I am confused, can anyone help me, please?
    Thank you in advance, Bill.

    Thank you very much for your response. I had knowledge about Shareable Interfaces between two traditional applets,
    BUT not between two RMI based applications.
    Finally I found that RMI based application does not support shareable interface:
    http://forum.java.sun.com/thread.jspa?threadID=728540&messageID=4194658
    Thank you for your reply anyway, Bill.

  • Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

    hello,
    i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
    FYI the asa's are different versions, one is 9.2 the other is 8.2
    Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
    Site A running config:
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(2)
    hostname csol-asa
    enable password WI19w3dXj6ANP8c6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 san_antonio_inside
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 1.1.1.1 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 24.93.41.125
     name-server 24.93.41.126
    object-group network NETWORK_OBJ_192.168.2.0_24
    access-list inside_access_out extended permit ip any any
    access-list outside_access_out extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in_1 extended permit icmp any interface outside
    access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
    access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
    access-list outside_access_in_1 extended permit udp any interface outside eq 8100
    access-list outside_access_in_1 extended permit udp any interface outside eq 1025
    access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
    access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
    access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
    access-list outside_access_in_1 extended permit tcp any interface outside eq www
    access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
    access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 2 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
    static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
    static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
    static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
    static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
    static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
    access-group inside_access_out out interface inside
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 2.2.2.2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map1 1 match address outside_1_cryptomap_1
    crypto map outside_map1 1 set peer 2.2.2.2
    crypto map outside_map1 1 set transform-set ESP-3DES-SHA
    crypto map outside_map1 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.30-192.168.2.155 inside
    dhcpd dns 24.93.41.125 24.93.41.126 interface inside
    dhcpd domain corporatesolutionsfw.local interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *****
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:021cf43a4211a99232849372c380dda2
    : end
    Site A sh crypto isakmp sa:
    Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 2.2.2.2
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Site A sh ipsec sa:
    Result of the command: "sh ipsec sa"
    interface: outside
        Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
          access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
          #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C1074C40
          current inbound spi : B21273A9
        inbound esp sas:
          spi: 0xB21273A9 (2987553705)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1691648, crypto-map: outside_map1
             sa timing: remaining key lifetime (kB/sec): (3914989/27694)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC1074C40 (3238480960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1691648, crypto-map: outside_map1
             sa timing: remaining key lifetime (kB/sec): (3914999/27694)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    Site B running config:
    Result of the command: "sh run"
    : Saved
    : Serial Number: JMX184640WY
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.2(2)4
    hostname CSOLSAASA
    enable password WI19w3dXj6ANP8c6 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 2.2.2.2 255.255.255.248
    ftp mode passive
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network mcallen_network
     subnet 192.168.2.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
    access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map3 1 match address outside_cryptomap
    crypto map outside_map3 1 set peer 1.1.1.1
    crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map3 interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.200-192.168.1.250 inside
    dhcpd dns 24.93.41.125 24.93.41.126 interface inside
    dhcpd domain CSOLSA.LOCAL interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
    : end
    Site B sh crypto isakmp sa:
    Result of the command: "sh crypto isakmp sa"
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 1.1.1.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    Site B sh ipsec sa:
    Result of the command: "sh ipsec sa"
    interface: outside
        Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
          access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
          #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: B21273A9
          current inbound spi : C1074C40
        inbound esp sas:
          spi: 0xC1074C40 (3238480960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 28672, crypto-map: outside_map3
             sa timing: remaining key lifetime (kB/sec): (4373999/27456)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000003
        outbound esp sas:
          spi: 0xB21273A9 (2987553705)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 28672, crypto-map: outside_map3
             sa timing: remaining key lifetime (kB/sec): (4373987/27456)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Hi Keegan,
    Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
    I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
    HTH
    "Please rate useful posts"

Maybe you are looking for

  • Inserting manually in a form

    Lets say I have to insert a new record into a TESTTABLE manually when user presses a button. I put the code in when-button-press trigger /code insert into table..values... set_record_property(1,block, status_changed); -- mark the block as changed /co

  • I deleted the sign-in tab in Ctrl-Tab 0.21.1. How do I get it back?

    I installed Ctrl-tab 0.21.1. Initially there were several tabs prefilled, one of which, was for sign-in. I made a mistake and deleted it and now I want to recover it. How do I do this? Thank you. Marsh

  • My ipod touch will not sync on new pc.

    My ipod touch will not sync.  All connections are ok when I run diagnostics. I have created a new apple id and account after installing itunes on the new pc. Please help.

  • Sound for games doesn't work on iPad 2

    Sound works on iPad 2 for everything except games. Is there some special way to get sound for games to work?

  • New WD Passort drive loses connection

    I'm a new iMac user. I've had my iMac for just under 3 months. About a month ago, I purchased a Western Digital My Passport Studio external drive from my local Apple store. It's connected via the FireWire 800 cable. For no apparent reason, the connec