Router to Router VPN with Overlapping internal networks

Similar Messages

• ACS Database Replication over VPN with overlapping Network Addresses

  We currently have two co-locations each situated in different provinces. We have two ACS servers which we want to deploy at each co-location. All our network equipments are behind PIX/ASA devices. Getting them to replicate over the VPN should be easy but in our case we have overlapping Network Addresses at both ends of the tunnels.
  As per Cisco data does not transit a NAT device when the two Cisco Secure ACS servers communicate and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to Implement NAT to achiever this.
  Has any one of you faced this problem of replicating ACS Database over the VPN with overlapping Network Addresses and was anyone able to successfully solve this issue using a work around ?
  All provided info and comments are greatly appreciated.

  I can help with the 3005 setup if you decide to go that route.
  You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
  You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
  You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
  Use a static Nat type. The rest will look similar to my example.
  Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
  Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier.

• Site-to-ste VPN with overlapped subnet.

  Hi Friends
  I have to set up site to site VPN with overlapped network ASA 5540 and checkpoint   what is the best parctice to achive tis goal
  Thanks in advance

  It has to be configured on both sides.
  X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
  On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Use of MapTool on environment with no internal network

  Is it possible to use MapTool on an environment with no internal network? All nodes are directly linked to the internet 

  If you have access to a FireWire equipped Mac that is capable of running 10.2, then you can do it. The iBook G4 can't run 10.2, though.
  If you do manage to get access to one, here's how to do it:
  1. Start the PowerBook G3 in Target Disk Mode (hold down 't' on boot.)
  2. Connect the PowerBook G3 via FireWire to the 'host' computer. (I'll call it an iBook, just for ease of talking.)
  3. Start the host iBook up off the 10.2 CD.
  4. Install to the 'external FireWire drive' that is really the PowerBook G3.
  5. Reboot the PowerBook G3, it will be running 10.2
  I used a similar method to get Tiger onto a Lombard (USB, no FireWire) G3. I installed to a hard drive that was in a combo FireWire/USB hard drive, then 'Carbon Copy'ed that drive via USB onto the Lombard's internal drive.
  But, since your iBook requires 10.3 or newer, I don't think you can use that method with your setup. The only way you could do it is with an external FireWire CD drive. (Which IS bootable on that model.)
  Unfortunately, I know of no way of convincing the computer that an external hard drive is really a CD drive, and no way of convincing your iBook to install 10.2 onto any drive. (I just tried rebooting my 10.3+ eMac with a 10.2 install CD, no go.) Of course, if you had a legal 10.3 or 10.4 install CD/DVD, you could install one of those onto the PowerBook using the method above, since the iBook is happy to install them.

• WRV200 - Problems with VPN Client and Internal network access

  I have a WRV200 router and want to access the internal (Private Network) connected on the inside. I have successfully conected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
  How do I enable NAT Transversal or Passthru? I have already selected all of the PPTP, L2TP and IPSEC Pass Through.
  Has anyone gotten this to work?

  I have actually gotten this to work. Issues surround this include the ability to get to the VPN if the main DNS is down (it does not fail over to the next DNS in the list).
  If you unselect all of the boxes in the firewall General configuration, you can connect, but if you need to have all of this unchecked, what's the sense of having it?
  Anyway, you can use the DoS Prevention, this is not interfering.
  HTH.

• Cisco ASA 5505 L2TP VPN cannot access internal network

  Hi,
  I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
  Can you jhelp me to find out the issue?
  I have Cisco ASA:
  inside network - 192.168.1.0
  VPN network - 192.168.168.0
  I have router 192.168.1.2 and I cannot ping or get access to this router.
  Here is my config:
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 198.X.X.A 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network net-all
  subnet 0.0.0.0 0.0.0.0
  object network vpn_local
  subnet 192.168.168.0 255.255.255.0
  object network inside_nw
  subnet 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool sales_addresses 192.168.168.1-192.168.168.254
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic net-all interface
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
  nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
  object network vpn_local
  nat (outside,outside) dynamic interface
  object network inside_nw
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.5-192.168.1.132 inside
  dhcpd dns 75.75.75.75 76.76.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy sales_policy internal
  group-policy sales_policy attributes
  dns-server value 75.75.75.75 76.76.76.76
  vpn-tunnel-protocol l2tp-ipsec
  username ----------
  username ----------
  tunnel-group DefaultRAGroup general-attributes
  address-pool sales_addresses
  default-group-policy sales_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
  : end
  Thanks for your help.

  You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
  policy-map global_policy
    class inspection_default
      inspect icmp
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• VPN with overlapping addresses

  Hi
  An ISP need to make VPN tunnels to four Costumers, so they can get data from a common server placed at the ISP.
  Costumer A, B & C is working well, but the new Costumer D are using same private Network as the ISP, an will not accept to change their Network, neither they will accept to put some NAT in their Router.
  They already NAT their private Network range to an official Network.
  ISP are using a Cisco 1841 Router for the project, but are ready to change to a PIX firewall or a VPN 3005 Concentrator if that’s what’s needed.
  Could any kind person please help me with this scenario.
  I have published the scenario in graphics here: http://www.z28.dk/vpn.htm
  The configuration I’m using for now can be found at: http://www.z28.dk/conf.htm
  Best regards
  R.B.P.

  I can help with the 3005 setup if you decide to go that route.
  You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
  You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
  You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
  Use a static Nat type. The rest will look similar to my example.
  Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
  Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier.

• Sync iPad with an internal network via WIFI and file exchange?

  Hi all,
  Our architects firm is currently trying to cut down on its paper waste. One sollution we are exploring is a system by which Ipad's can be synced with our internal file network (via wifi), we can download onto an Ipad PDF files which can be viewed, annotated and reuploaded via the network. It would be essential that the network is internal and isn't an icloud type of thing. Is such a system possible?
  Thanks

  This will give you access to the documents.  You are own your own about version control.
  Configure WebDave on your server.  The WebDave protocol has replaced FTP in Apple's world.
  This thread has good info.
  https://discussions.apple.com/thread/3708341?tstart=0
  Look in the app store for accessing Windows File servers.
  for example:
  http://itunes.apple.com/us/app/filebrowser-access-files-on/id364738545?mt=8
  I don't know about upload though. 
  Robert

• Router to PC VPN with device authen only via RSA Sig

  Problem establishing a vpn between a cisco router and a PC based Cisco VPN Client
  using version 4.6 (had problems with 4.8 & 5.0). Only trying to accomplish
  device authenication with digital certificates without any interest in user
  authenication/authorization, so I've eliminated the Xauth from IKE and login
  stuff from the client config.
  I've got to take about half a dozen users into production asap...
  I am thinking the access list may be the problem since the pc client is
  expecting to have encrypted communications, but the cisco router is
  still doing all it's checks and balances with IKE/ISAKMP to finish device
  authenication with one certificate on each. Error message seem straight
  forward, but I'm new to the vpn config's and have tested pki for
  about 6 months wo/ going into production. Attached are logs with recommended
  debug turned on for crypto ike/ipsec/pki/etc.

  Thank you for your response!
  After further investigation, I'm more concerned about Cisco's IOS 12.4 "Certificate Server" being able to consistently build certificates. Do I need to depend upon a certain Test release like 12.4T because 12.4 isn't ready ....? It's in the 12.4 documentation as though it's ready and I couldn't find any comments in the caveats...
  I have tried to build a "request for a certificate" with both with the Cisco VPN Client 4.8/5.0, and Mozilla's add-on to firefox called Key Manager, but both failed.
  Just loading base64 instream directly into the IOS crypto cmd to enroll via the terminal fails regularly, besides trying to use SCEP (Cisco's simple certificate enrollment protocol).
  I don't care how it gets done, because I like Cisco's architecture so much, but it's got to be reliable.
  I don't mind getting involved with Cisco's testing and I believe I can replicate the errors.
  Attached is an error of the IOS 12.4 failing...

• Site to Site VPN with Overlapping network and other network Access..

  Hi all,
  i need to setup a site to site Tunnel to a remote site. My remote site got the network which has overlapped with one of our network(192.168.10.0/24) in my site. remote site dont need to access this network(192.168.10.0/24) in my site ,but they have to access other networks (192.168.x.0)
  i have prepared the below configuration ,relevant to nat to achiev the goal. Appreciate help to verify and help to achive this...
  i have attached one rough diagram also..
  Mysite
  access-list acl-httsamorocco extended permit ip 192.168.73.0 255.255.255.0 192.168.74.0 255.255.255.0
  access-list nonat extended permit ip 192.168.x.0 255.255.255.0 192.168.74.0 255.255.255.0
  access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.74.0 255.255.255.0
  static (inside,outside) 192.168.73.0  access-list policy-nat
  Remote Site
  access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
  static (inside,outside) 192.168.74.0  access-list policy-nat
  Thanks in Advance..
  Shanil

  It has to be configured on both sides.
  X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
  On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Site to Site VPN with Natting Internal IP address range?

  This is our actual Internal LAN address: 10.40.120.0/26 (Internal Range) and I want to translate to
  Translated address: 10.254.9.64.255.255.255.192(Internal)
  Our remote local address is: 10.254.5.64 255.255.255.192(Remote site Internal Ip add range)
  Based on above parameters I done this configuration
  access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
  access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
  static (inside,outside) 10.254.9.64 access-list policy-nat
  I got all the Phase1 and Phase 2 parameters required and peer public ip add,
  I had set up vpn using ASDM before but this scenario is new for me, all I am wondering is there anything I need to configure to succesfully setup VPN

  Hi mate,
  yeah issue on far site they arent allowing access to the port we are trying to access, and they made it up and we are good to g now,
  One thing I am worried is only one IP add is able to access the resources, I mean i created an add range of 192.168.x.0/26, however only 192.168.x.3 one of our server is able to access the far site, havent got a clue
  config is as folllows:
  access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192
  access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192
  static (inside,outside) 10.254.7.64 access-list policy-nat
  crypto ipsec transform-set esp-aes256-sha esp-md5-hmac
  crypto map outside_map 20 match address pp-vpn
  crypto map outside_map 20 set peer 172.162.1.2
  crypto map outside_map 20 set transform-set vpn1
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp policy 65 encyptio
  authentication pre-share         
  encryption des
  hash md5
  group 2
  lifetime 86400
  tunnel type ipsec-l2l
  tunnel-group 172.162.1.2 ipsec-attributes
  pre-shared-key *
  Thank you immensly for all your assitance
  ven

• Remote access VPN with Cisco Router - Can not get the Internal Lan .

  Dear Sir ,
  I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
  I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
  Below is the IP address of the device.
  Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
  IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
  IP address:10.10.10.1
  Mask:255.255.255.0 F0/0
  IP Address :20.20.20.1
  Mask :255.255.255.0
  F0/1
  IP address :192.168.1.3
  Mask:255.255.255.0
  F0/0
  IP address :20.20.20.2
  Mask :255.255.255.0
  F0/1
  IP address :192.168.1.1
  Mask:255.255.255.0
  I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
  Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
  Need your help to fix the problem.
  Router R2 Configuration :!
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R2
  boot-start-marker
  boot-end-marker
  no aaa new-model
  memory-size iomem 5
  no ip icmp rate-limit unreachable
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  ip tcp synwait-time 5
  interface FastEthernet0/0
  ip address 20.20.20.2 255.255.255.0
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 10.10.10.1 255.255.255.0
  duplex auto
  speed auto
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  control-plane
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line aux 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line vty 0 4
  login
  end
  Router R1 Configuration :
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login USERAUTH local
  aaa authorization network NETAUTHORIZE local
  aaa session-id common
  memory-size iomem 5
  no ip icmp rate-limit unreachable
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  username vpnuser password 0 strongpassword
  ip tcp synwait-time 5
  crypto keyring vpnclientskey
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp client configuration group remotevpn
  key cisco123
  dns 192.168.1.2
  wins 192.168.1.2
  domain mycompany.com
  pool vpnpool
  acl VPN-ACL
  crypto isakmp profile remoteclients
  description remote access vpn clients
  keyring vpnclientskey
  match identity group remotevpn
  client authentication list USERAUTH
  isakmp authorization list NETAUTHORIZE
  client configuration address respond
  crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
  crypto dynamic-map DYNMAP 10
  set transform-set TRSET
  set isakmp-profile remoteclients
  crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
  interface FastEthernet0/0
  ip address 20.20.20.1 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map VPNMAP
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpnpool 192.168.50.1 192.168.50.10
  ip forward-protocol nd
  ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
  no ip http server
  no ip http secure-server
  ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
  ip access-list extended NAT-ACL
  deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 any
  ip access-list extended VPN-ACL
  permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
  control-plane
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line aux 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line vty 0 4
  end

  Dear All,
  I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
  Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
  Waiting for your responce .
  --Milon

• Cisco ASA 5505 Routing between internal networks

  Hi,
  I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
  1. Outside
  2. DMZ
  3. ServerNet1
  4. Inside
  ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it.
  Here is the running conf:
  interface Ethernet0/0
  switchport access vlan 20
  interface Ethernet0/1
  switchport access vlan 20
  interface Ethernet0/2
  switchport access vlan 19
  interface Ethernet0/3
  switchport access vlan 10
  switchport trunk allowed vlan 10,19-20
  switchport trunk native vlan 1
  interface Ethernet0/4
  switchport access vlan 10
  interface Ethernet0/5
  switchport access vlan 10
  switchport trunk allowed vlan 10-11,19-20
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/6
  switchport access vlan 10
  switchport trunk allowed vlan 10-11,19-20
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/7
  switchport access vlan 10
  interface Vlan10
  nameif inside
  security-level 90
  ip address 192.168.2.1 255.255.255.0
  interface Vlan11
  nameif ServerNet1
  security-level 100
  ip address 192.168.4.1 255.255.255.0
  interface Vlan19
  nameif DMZ
  security-level 10
  ip address 192.168.3.1 255.255.255.0
  interface Vlan20
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
  object network obj-192.168.3.0
  subnet 192.168.3.0 255.255.255.0
  object network DNS
  host 192.168.2.10
  description DNS Liikenne
  object network Srv2
  host 192.168.2.10
  description DC, DNS, DNCP
  object network obj-192.168.4.0
  subnet 192.168.4.0 255.255.255.0
  object network ServerNet1
  subnet 192.168.4.0 255.255.255.0
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group network RFC1918
  object-group network InternalNetworks
  network-object 192.168.2.0 255.255.255.0
  network-object 192.168.3.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq domain
  service-object udp destination eq domain
  service-object udp destination eq nameserver
  service-object udp destination eq ntp
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq ftp-data
  object-group service rdp tcp-udp
  description Microsoft RDP
  port-object eq 3389
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_SERVICE_2
  service-object tcp destination eq domain
  service-object udp destination eq domain
  object-group network DM_INLINE_NETWORK_1
  network-object object obj-192.168.2.0
  network-object object obj-192.168.4.0
  access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
  access-list dmz_access_in extended deny ip any object-group InternalNetworks
  access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
  access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
  access-list DMZ_access_in extended deny ip any object-group InternalNetworks
  access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
  access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
  access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
  access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
  access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
  access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
  access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
  access-list ServerNet1_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu ServerNet1 1500
  mtu inside 1500
  mtu DMZ 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
  nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
  access-group ServerNet1_access_in in interface ServerNet1
  access-group inside_access_in in interface inside
  access-group DMZ_access_in in interface DMZ
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.4.0 255.255.255.0 ServerNet1
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 192.168.4.0 255.255.255.0 ServerNet1
  ssh 192.168.2.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous

  Hi Jouni,
  Yep, Finnish would be good also =)
  In front of ASA is DSL modem, on the trunk ports is Hyper-V host that uses the trunk ports so that every VM has their VLAN ID defined in the VM level. Everything is working good on that end. Also there is WLAN Access Pois on one of the ASA ports, on the WLAN AP there is the management portal address on DMZ that i have been testing agains (192.168.3.4)
  If i configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ but thats not the right way to do it so no shortcuts =)
  Here is the conf now, still doesnt work:
  interface Ethernet0/0
  switchport access vlan 20
  interface Ethernet0/1
  switchport access vlan 20
  interface Ethernet0/2
  switchport access vlan 19
  interface Ethernet0/3
  switchport access vlan 10
  switchport trunk allowed vlan 10,19-20
  switchport trunk native vlan 1
  interface Ethernet0/4
  switchport access vlan 10
  interface Ethernet0/5
  switchport access vlan 10
  switchport trunk allowed vlan 10-11,19-20
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/6
  switchport access vlan 10
  switchport trunk allowed vlan 10-11,19-20
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/7
  switchport access vlan 10
  interface Vlan10
  nameif inside
  security-level 90
  ip address 192.168.2.1 255.255.255.0
  interface Vlan11
  nameif ServerNet1
  security-level 100
  ip address 192.168.4.1 255.255.255.0
  interface Vlan19
  nameif DMZ
  security-level 10
  ip address 192.168.3.1 255.255.255.0
  interface Vlan20
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
  object network obj-192.168.3.0
  subnet 192.168.3.0 255.255.255.0
  object network DNS
  host 192.168.2.10
  description DNS Liikenne
  object network Srv2
  host 192.168.2.10
  description DC, DNS, DNCP
  object network obj-192.168.4.0
  subnet 192.168.4.0 255.255.255.0
  object network ServerNet1
  subnet 192.168.4.0 255.255.255.0
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group network RFC1918
  object-group network InternalNetworks
  network-object 192.168.2.0 255.255.255.0
  network-object 192.168.3.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq domain
  service-object udp destination eq domain
  service-object udp destination eq nameserver
  service-object udp destination eq ntp
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq ftp-data
  object-group service rdp tcp-udp
  description Microsoft RDP
  port-object eq 3389
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_SERVICE_2
  service-object tcp destination eq domain
  service-object udp destination eq domain
  object-group network DM_INLINE_NETWORK_1
  network-object object obj-192.168.2.0
  network-object object obj-192.168.4.0
  object-group network DEFAULT-PAT-SOURCE
  description Default PAT source networks
  network-object 192.168.2.0 255.255.255.0
  network-object 192.168.3.0 255.255.255.0
  network-object 192.168.4.0 255.255.255.0
  access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
  access-list dmz_access_in extended deny ip any object-group InternalNetworks
  access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
  access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
  access-list DMZ_access_in extended deny ip any object-group InternalNetworks
  access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
  access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
  access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
  access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
  access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
  access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
  access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
  access-list ServerNet1_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu ServerNet1 1500
  mtu inside 1500
  mtu DMZ 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
  access-group ServerNet1_access_in in interface ServerNet1
  access-group inside_access_in in interface inside
  access-group DMZ_access_in in interface DMZ
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.4.0 255.255.255.0 ServerNet1
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 192.168.4.0 255.255.255.0 ServerNet1
  ssh 192.168.2.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous

• Site-to-site vpn with 2 asa and home router

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

• Setup router to router VPN connecting 2 windows domain networks via 2 RV042 routers

  I am using 2 RV042 routers.  I have created a point to point VPN with Remote Security Group Type= Subnet, using the default IPSec settings. 
  Under advanced settings-  Aggressive Mode, Keep Alive enabled.
  Location A- SBS 2011 standard, Servername=SBSServer, Domainname = Smallbusiness.Local, IP address 10.1.10.50
  DHCP range 10.1.10.100 to 10.1.10.175.  DNS and Print services. No WINS.  
  Location B- Server 2008 R2, Sername=SBSServer, Domain name=Smallbusiness.Local, IP address 192.168.10.50
  DHCP range 192.168.10.100 to 192.168.10.175,  DNS, Print Services and Remote Desktop Services.  No WINS
  I am wondering 2 things.  Can I setup the VPN tunnel to route traffice between the 2 networks without changing the server names.  Leaving the servernames the same.  I have it setup that way but also had netbios broadcast enable.  If I disable netbios broadcast will that be enough for these networks to be independent of each other.  I was hoping not to have to rename the domain and there are advantages to having the same user and domain name when mapping drives between networks.  I have not needed to authenticate those drives or provide credititals for printing either. 
  2) Should I change the domain name so that each network has a unique domain name or, if I change the servername of the 2008 R2 server will that essentially solve my network issues, the primary issue being that location b has clients that occasionally can not find the 2008 R2 domain controller.  After a restart the usually resolve to the correct domain controller.
  Essentially what I am asking is what are the best practices to connect 2 separate Windows domain networks via a VPN and have those networks capable of file sharing to the each others domain server and printing to the network printers at both loations.
  Should I have separate domain names-
  Should I have separate server and computer names-

  "reserved not zero on payload" generally means your pre-shared keys don't match. Try removing the "crypto isakmp key ...." line and retyping it in again on both sides. In particular DON'T cut/paste it from one router config into another, this quite often puts a space character onto the end of the key, which the router interprets as part of the key and they therefore don't match.