Site to Site ASA to Sonic Wall

Currently, my ASA can send packets to the SonicWall VPN.  But when SW attempts to respond in phase 2, they get an error "NO_PROPOSAL_CHOSEN".  Our settings appear to be identical.  Any ideas?

Thank you,
Mar 20 2013 09:56:14: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:15: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:31: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:32: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:55: %ASA-5-111008: User 'burgesfl' executed the 'terminal no monitor' command.
Mar 20 2013 09:56:55: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'terminal no monitor'
Mar 20 2013 09:57:00: %ASA-5-111008: User 'burgesfl' executed the 'debug crypto ipsec 190' command.
Mar 20 2013 09:57:00: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'debug crypto ipsec 190'
Mar 20 2013 09:57:05: %ASA-5-111008: User 'burgesfl' executed the 'terminal monitor' command.
Mar 20 2013 09:57:05: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'terminal monitor'
VPN#
Similar output each time for both commands.
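As an added example (not from the original post), the following Python model compares the IKEv1 phase 2 parameters that both peers must agree on: ESP cipher and integrity algorithm, PFS group, and proxy IDs (interesting traffic), which must be exact mirror images; a responder answers NO_PROPOSAL_CHOSEN when none of the offered combinations is acceptable to it. The transform set, ACL line and SonicWall policy values are constructed, and the ASA ACL parsing only handles the "net mask", "host" and "any" operands.

```python
"""Diagnose why an IKEv1 phase 2 proposal would be rejected (NO_PROPOSAL_CHOSEN).
Both peers become a Phase2 record built from their own syntax: the ASA side from
its transform-set and crypto ACL lines, the SonicWall side from the fields of its
VPN policy.  Every value below is a constructed example."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import FrozenSet, List, Optional, Tuple

# Vendor spellings mapped onto one canonical name so the comparison is neutral.
CANON = {
    "esp-aes-256": "aes-256", "aes-256": "aes-256", "aes256": "aes-256",
    "esp-aes": "aes-128", "aes": "aes-128", "aes-128": "aes-128", "aes128": "aes-128",
    "esp-3des": "3des", "3des": "3des",
    "esp-sha-hmac": "sha1", "sha": "sha1", "sha1": "sha1",
    "esp-md5-hmac": "md5", "md5": "md5",
}

@dataclass(frozen=True)
class Phase2:
    encryption: str                       # canonical ESP cipher
    integrity: str                        # canonical ESP integrity algorithm
    pfs_group: Optional[int]              # DH group for PFS, None when PFS is off
    local_nets: FrozenSet[IPv4Network]    # this peer's protected networks
    remote_nets: FrozenSet[IPv4Network]   # networks it expects behind the peer

def canon(name: str) -> str:
    key = name.strip().lower()
    if key not in CANON:
        raise ValueError(f"unknown algorithm name: {name!r}")
    return CANON[key]

def _net(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one ASA ACL address operand ('NET MASK', 'host A' or 'any') at tokens[i]."""
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def from_asa(transform_set: str, pfs_group: Optional[int], acl_lines: List[str]) -> Phase2:
    """transform_set like 'esp-aes-256 esp-sha-hmac'; acl_lines like
    'access-list NAME extended permit ip SRC MASK DST MASK'."""
    enc, integ = transform_set.split()
    local, remote = set(), set()
    for line in acl_lines:
        t = line.split()
        src, i = _net(t, 5)       # tokens 0-4: access-list NAME extended permit ip
        dst, _ = _net(t, i)
        local.add(src)
        remote.add(dst)
    return Phase2(canon(enc), canon(integ), pfs_group, frozenset(local), frozenset(remote))

def from_sonicwall(encryption: str, authentication: str, dh_group: Optional[int],
                   local_network: str, destination_network: str) -> Phase2:
    """Build Phase2 from the fields of a SonicWall site-to-site VPN policy."""
    return Phase2(canon(encryption), canon(authentication), dh_group,
                  frozenset([IPv4Network(local_network)]),
                  frozenset([IPv4Network(destination_network)]))

def phase2_mismatches(initiator: Phase2, responder: Phase2) -> List[str]:
    """Reasons the responder would answer NO_PROPOSAL_CHOSEN; empty means acceptable.
    Proxy IDs must be exact mirror images.  A PFS group difference is treated as a
    hard mismatch here, although some responders accept a PFS offer they did not
    configure themselves."""
    reasons = []
    if initiator.encryption != responder.encryption:
        reasons.append(f"ESP encryption: {initiator.encryption} vs {responder.encryption}")
    if initiator.integrity != responder.integrity:
        reasons.append(f"ESP integrity: {initiator.integrity} vs {responder.integrity}")
    if initiator.pfs_group != responder.pfs_group:
        reasons.append(f"PFS group: {initiator.pfs_group} vs {responder.pfs_group}")
    if initiator.local_nets != responder.remote_nets or initiator.remote_nets != responder.local_nets:
        fmt = lambda nets: sorted(str(n) for n in nets)
        reasons.append(f"proxy IDs not mirrored: initiator {fmt(initiator.local_nets)}->"
                       f"{fmt(initiator.remote_nets)}, responder {fmt(responder.local_nets)}->"
                       f"{fmt(responder.remote_nets)}")
    return reasons

# Constructed example: the crypto parameters are identical on both sides, but the
# SonicWall policy's destination network was entered as /25 where the ASA ACL has /24.
ASA = from_asa("esp-aes-256 esp-sha-hmac", 2,
               ["access-list outside_1_cryptomap extended permit ip "
                "192.168.254.0 255.255.255.0 10.1.5.0 255.255.255.0"])
SONICWALL_OK = from_sonicwall("AES-256", "SHA1", 2, "10.1.5.0/24", "192.168.254.0/24")
SONICWALL_BAD_MASK = from_sonicwall("AES-256", "SHA1", 2, "10.1.5.0/24", "192.168.254.0/25")

if __name__ == "__main__":
    for label, sw in (("matching", SONICWALL_OK), ("bad mask", SONICWALL_BAD_MASK)):
        print(label, "->", phase2_mismatches(ASA, sw) or ["proposal accepted"])
```

The second case is the trap the question describes: every algorithm line reads the same on both boxes, yet the proposal is refused because the networks are not mirrored.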

Similar Messages

  • Sonic Wall NetExtender stuck on "processing"

    Sonic Wall NetExtender 7.0.203 is not getting past "processing" when connecting. Works fine in Windows 8.1. Have tried re-installing to no avail.

I'm having the same problem with Sonic Wall NetExtender on Windows 10: it stops on processing and then just becomes non-responsive.

  • Sonic Wall VPN thru AEBS

    Hi,
I can't connect to work via Sonic Wall VPN using AEBS as router. Right now my AEBS is only used for connecting AirDisks and Internet is via my old Linksys router. Using Linksys for VPN is no problem. Tried Apple support but it's like hitting a brick wall. They do not support VPN, they say...??
    Arghh.. I'm not looking for VPN support but a solution to a faulty router device.
    Does anyone have an idea of what to do?

    Hi,
    Setup AD authentication in a Sonicwall Firewall
    1. Create a security group in Active Directory or select a pre-defined group
    2. Add the appropriate members to the security group for content filtering.
    3. Import Group
    4. Assign CFS Policy
    5. Edit CFS Policy
    6. Force authentication
    Original post
    Setup authentication in Sonicwall.
    Hope this helps.

  • Multiple sites ASA's connected to Cable modems with same DHCP address

I have several locations with an ASA 5505 installed behind a cable modem. The cable modem is issuing DHCP for the same network address range in these locations. I have the outside interface obtaining DHCP from the cable modem network and the ASAs are receiving the same outside address. I have the remotes set to use EZVPN to create the VPN tunnel back to the head-end ASA 5540. I am seeing constant rekeying for phase 2 for those remote sites. Is there anything I can do short of assigning each ASA a unique outside address?

    Dave
    The Linksys doing NAT is the reason why the ASA sees all the traffic as having source address as 192.168.2.1. The only way for the ASA to see the original 192.168.1.x address is to change the Linksys to not do NAT.
    One thing that I notice is that there is not a route statement in what you posted for the 192.168.1.0 network. It is not clear whether the route does exist and you did not post it or whether the route does not exist. But if it does not exist it would certainly be a reason why you lose Internet connectivity when you change the Linksys to not perform NAT. (the ASA would have no knowledge of how to forward to the network and would drop all the traffic). Try adding the route to the ASA and changing the Linksys to not perform NAT and let us know if it works.
    HTH
    Rick

  • Site-to-site ASA and Router IOS

    Hi everyone! I am trying to connect a site-to-site between an ASA and a router 3900 series. My question is what should I have to configure in the router site to protect my LAN from any external attack?
    Thanks

    Check the below posting...
    https://supportforums.cisco.com/thread/70943
    Also, make sure to allow site-to-site tunnel related ports from ASA IP only.
    hth
    MS

  • Where did Sonic Wall come from, & how do i get rid of it?

I've just installed Firefox 5, & now I'm being blocked from some sites by "SonicWall Content Filtering Service". I don't know where this program came from, & I want it off my 'puta ASAP. It's not affecting Internet Explorer. Can anyone help me?

    http://www.sonicguard.com/ContentFilteringService.asp
    That isn't related to the installation of Firefox. Are you using a school or business network?
    http://answers.yahoo.com/question/index?qid=20080225084757AAxUMXC

  • VOIP over VPN need clarification

    Hi,
    Recently I have implemented Site-to-Site VPN between ASA and sonic wall firewall.
Problem: I am able to make a call from the ASA side (inside) IP phone to the SonicWall (inside) side IP phone and vice versa and it's ringing, but I am not able to hear voice. So I created a VoIP over VPN configuration and applied the appropriate service policy towards the outside interface. But I was still not able to hear voice.
    Tried the below-mentioned troubleshooting steps:
    From the ASA side we had two subnets (10.20.1.x/24 – Data and 10.20.2.x/24 – Voice) and one subnet (192.168.x.x/24) from the SonicWall side as interesting traffic (LAN to LAN). When I configured the site-to-site configuration on both ends my phase 1 and phase 2 came UP and they were able to communicate with each other. (In the interesting traffic I created two objects and bound those objects as one object-group for the source, i.e. the ASA-side LAN subnets, and one object for the remote LAN as the destination.)
    My call manager sits behind the ASA and the IP phones need to communicate from the SonicWall side to inside the ASA.
    I am able to make a call from the ASA side (inside) IP phone to the SonicWall (inside) side IP phone and vice versa and it's ringing, but I am not able to hear voice. So I created a VoIP over VPN configuration and applied the appropriate service policy towards the outside interface. But I was still not able to hear voice.
    So I supernetted the data subnet and voice subnet into a single network, i.e. 10.20.x.x/16, at the ASA side and applied the configuration changes (changed the ACL, no-NAT rule and voice QoS ACL accordingly), and now I am able to hear voice at both ends and can communicate properly from the ASA inside IP phone to the SonicWall inside IP phone and vice versa.
    My question: I do not understand the logic of how this supernetting resolved the dead-voice issue.
    Please clarify; I'm a bit confused about this.

    It's not recommended. Although VPNs guarantee a secure pipe end-to-end, they don't guarantee latency and variations in latency (Jitter).

  • ASA 5505 Site to Site and Web VPN

Hello all, I need to add a site to site tunnel from an ASA 5505 (ver 8.05) to a Sonic wall appliance. The problem is, the ASA already has remote access VPN and AnyConnect VPN configured. I'm not sure if it's possible to add another secured tunnel to the device. I've already got one NAT 0 statement.
    Thanks for your expert opinions!

    Hi,
    There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
    If you for example have an "inside" interface which has NAT0 configuration like
    nat (inside) 0 access-list NAT0
    You just add the needed ACL lines to that existing ACL for the L2L VPN.
On the basis of the information you provided I don't see any problem configuring the L2L VPN on the ASA.
    - Jouni

  • ASA 5505 Isolated Networks with Site-to-Site VPN Access

    I'm in the process of setting up an ASA 5505 for a remote site and needed some assistance determining if what I want to do is possible as well as if I need to upgrade the license from Base to Security Plus.
    Remote Site ASA 5505 Interfaces:
    Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
    AMI (Interface 1) (VLAN 742) - 10.40.31.129/25 
    SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30 
    I need to ensure that the two internal VLANs cannot access/talk to one another and the "SCADA" network cannot access Internet, just remote subnets across a VPN tunnel.
    ASA will need to have three IPsec tunnels:
    Tunnel 1 to SCADA Firewall
    Remote Site - 10.70.0.4/30 Subnet
    Central Site - 10.101.41.0/24 Subnet
    Tunnel 2 to Corporate Firewall
    Remote Site - 10.40.31.129/25 Subnet
    Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
    Tunnel 3 to Partner Firewall
    Remote Site - 10.40.31.129/25 Subnet
    Partner Site Subnets
    The ASA is running 9.1(5) and ASDM 7.1(6).  
    I've attached a diagram of what the connections look like between sites.

I reviewed your attached diagram and am trying to give you as much as I can.
    Other gurus, please correct me if I am missing anything.
    If I remember correctly, with the Base license you can set up VPN peers.
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address public ip, subnet mask
    int e0/1
    nameif AMI
    security-level 100
    ip add 10.40.31.129 255.255.255.128
    int e0/2
    nameif SCADA
    security-level 10
    ip add 10.70.0.5 255.255.255.252
    route outside 0.0.0.0 0.0.0.0 public IP
    tunnel-group 173.8.244.181 type ipsec-l2l
    tunnel-group 173.8.244.181 ipsec-attributes
     ikev1 pre-shared-key Pr3$h@r3DkEyScAdA
    tunnel-group 173.8.244.189 type ipsec-l2l
    tunnel-group 173.8.244.189 ipsec-attributes
     ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp
    tunnel-group 148.80.252.60 type ipsec-l2l
    tunnel-group 148.80.252.60 ipsec-attributes
     ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R
    crypto ikev1 enable outside -- enabling for outside interface
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 15
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac
    crypto map VPN 10 match address SCADA
    crypto map VPN 10 set peer  173.8.244.181
    crypto map VPN 10 set ikev1 transform-set kerseyami
    crypto map VPN 10 set security-association lifetime seconds 86400
    crypto map VPN 20 match address CORP
    crypto map VPN 20 set peer  173.8.244.189
    crypto map VPN 20 set ikev1 transform-set kerseyami
    crypto map VPN 20 set security-association lifetime seconds 86400
    crypto map VPN 30 match address PARTNER-FW
    crypto map VPN 30 set peer 148.80.252.60   
    crypto map VPN 30 set ikev1 transform-set kerseyami
    crypto map VPN 30 set security-association lifetime seconds 86400
    access-list SCADA extended permit ip 10.40.31.128 255.255.255.128 10.101.41.0 255.255.255.0
    access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
    access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW
    Note: on the other side of the firewalls, like SCADA side, CORP Side and Partner FW side, you need to configure same pre-shared key, same crypto ike 1 and 2 policies & same interesting traffic in order to have this working.
    let us know how this works.
    JD...

  • Site-to-site VPN with dual ASA 5510s

    Hi,
    I have recently been asked to configure a VPN between two sites using an ASA 5510 at each end. I used the VPN Site-to-site wizard in ASDM on both devices and followed the instructions for the wizard to the letter. However I don't seem able to get any kind of VPN up and running. If anyone could point out where I'm going wrong then I would very much appreciate it.

    Here is the sanitised running config of SiteA:
    ASA Version 8.0(2)
    hostname MCRASA
    domain-name isal.local
    enable password xxx
    names
    interface Ethernet0/0
    description External WAN
    nameif outside
    security-level 0
    ip address 81.*.*.82 255.255.255.240
    interface Ethernet0/1
    description Internal LAN
    nameif inside
    security-level 100
    ip address 192.168.254.2 255.255.255.0
    interface Ethernet0/2
    description Demarcation zone
    nameif dmz
    security-level 50
    ip address 10.30.30.1 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    description MCRASA management
    nameif management
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    management-only
    passwd xxx
    ftp mode passive
    dns server-group DefaultDNS
    domain-name isal.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
    access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81.*.*.82 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.254.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 82.*.*.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.254.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access management
    dhcpd address 192.168.2.2-192.168.2.5 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    webvpn
    csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
    username fraser password xxx encrypted privilege 15
    username fraser attributes
    memberof LOCAL
    tunnel-group 82.*.*.50 type ipsec-l2l
    tunnel-group 82.*.*.50 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:xxx

  • Site to Site VPN issues between PIX506 and ASA5505

Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is set up for remote VPN access. The remote user VPN is working. I have also attempted to do a site to site VPN to the ASA, but it's not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below.
    Corporate
    PIX Version 6.3(5)
    access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
    ip address outside xxx.yyy.170.160 255.255.255.0
    ip address inside 192.168.119.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address outside_cryptomap_20
    crypto map mymap 20 set pfs group2
    crypto map mymap 20 set peer aaa.bbb.175.218
    crypto map mymap 20 set transform-set ESP-3DES-SHA
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication w2k3
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes-256
    isakmp policy 30 hash sha
    isakmp policy 30 group 5
    isakmp policy 30 lifetime 86400
    vpngroup vpners address-pool ippool
    vpngroup vpners dns-server 192.168.119.11
    vpngroup vpners default-domain mydomain.local
    vpngroup vpners split-tunnel split_tunnel
    vpngroup vpners idle-time 1800
    vpngroup vpners password ********
    Remote Site
    ASA Version 7.2(2)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.2.1 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address aaa.bbb.175.218 255.255.128.0
    access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer xxx.yyy.170.160
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    tunnel-group xxx.yyy.170.160 type ipsec-l2l
    tunnel-group xxx.yyy.170.160 ipsec-attributes
    pre-shared-key *

    I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.

  • Add new Site to Site VPN

    Hi,
I have an active site-to-site VPN connection with one remote site (ASA to ASA); I want to configure another one on the same interface.
    Main site is 1.1.1.1
    Remote site 1: 2.2.2.2
    Main site and Remote site 1 have an active connection.
    I want to add another one:
    Main site is: 1.1.1.1
    Remote site 2: 3.3.3.3
    Both tunnels should be active. What should I do to configure this connection? Also, I want a different pre-shared key for each connection (I don't want to share the pre-shared key of the active connection).
    How can I achieve this?

    Hello alkabeer alkabeer,
You can build the second VPN tunnel the same way you created the first one.
    crypto map outside_map (Order number) match address outside_cryptomap_20
    crypto map outside_map (Order number) set peer X.X.X.X
    crypto map outside_map (Order number) set transform-set (Eg:ESP-3DES-MD5)
Use the transform set correctly on both firewalls.
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
    pre-shared-key *************
    access-list outside_cryptomap_20 extended permit ip (Inside IP) X.X.X.X (outside ip) X.X.X.X
access-list inside_nat0_outbound extended permit ip (Inside IP) X.X.X.X object-(outside ip) X.X.X.X
    nat (inside) 0 access-list inside_nat0_outbound (this statement would already be there in the firewall the no nat statement)
Based on your firewall version the NAT statement differs.
    And now your tunnel should be working.
    Show commands to check:
    sh cry isa sa
    sh cry ipsec sa
    Please let us know if this is working for you.
    Potha

  • Communicate Directly Between VPN Tunnel Sites

I have an ASA 5505 in the main office and at several remote sites. I have set up a site to site VPN tunnel between the main office and each remote site, "Hub and Spoke". I can ping from the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505s. Thanks.

    There are a few things you need to do here.
    Main ASA
    1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.
    2. Edit your interesting traffic (crypto) acls to reflect the new traffic which will be part of the vpn tunnels between main and remote sites. For instance right now your crypto acls include traffic between main site and remote sites. You need to add acl for traffic between remote site to remote site. The config below will allow traffic from remote site 1 to remote site 2.
    access-list crypto1 extended permit ip
    access-list crypto1 extended permit ip
    access-list crypto2 extended permit ip
    access-list crypto2 extended permit ip
    Remote ASA's
    1. Add the new interesting traffic (crypto) acls. Mirror of the acls at main site ASA.
    access-list crypto1 extended permit ip
    access-list crypto1 extended permit ip
    access-list crypto2 extended permit ip
    access-list crypto2 extended permit ip
    2. Add nat exemption for traffic from remote sites to remote sites for each remote ASA.
    access-list inside_nat0_outbound extended permit ip
    access-list inside_nat0_outbound extended permit ip
    access-list inside_nat0_outbound extended permit ip
    access-list inside_nat0_outbound extended permit ip
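As an added example (not from the original answer), the following Python code generates the crypto ACLs the steps above call for: on the hub, one ACL per spoke tunnel that also carries the other spokes' subnets, and on each spoke the mirror-image ACL towards the hub plus the matching NAT exemption. It also checks that two sides are exact mirrors of each other. The site names, subnets and ACL names are constructed; the hub's existing hub-to-spoke NAT exemption is assumed to be in place already.

```python
"""Generate mirrored crypto ACLs and NAT exemptions for spoke-to-spoke traffic
through a hub ASA, and verify that the two sides of a tunnel mirror each other.
All subnets, site names and ACL names are constructed for this example."""
from ipaddress import IPv4Network
from typing import Dict, List, Set, Tuple


def acl_line(name: str, src: IPv4Network, dst: IPv4Network) -> str:
    """One ASA extended ACL entry in network/mask form."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def hub_and_spoke_acls(hub_net: IPv4Network,
                       spokes: Dict[str, IPv4Network]) -> Dict[str, Dict[str, List[str]]]:
    """Return {device: {acl_name: [lines]}} for the hub and every spoke.

    Hub:   one crypto ACL per spoke tunnel with hub->spoke plus every
           other-spoke->spoke entry (the traffic that hairpins on 'outside').
    Spoke: one crypto ACL towards the hub, the exact mirror of the hub's ACL
           for that spoke, and the matching inside nat0 exemption.
    """
    result: Dict[str, Dict[str, List[str]]] = {"hub": {}}
    for name, net in spokes.items():
        acl = f"crypto_{name}"
        lines = [acl_line(acl, hub_net, net)]
        lines += [acl_line(acl, other_net, net)
                  for other, other_net in spokes.items() if other != name]
        result["hub"][acl] = lines
    for name, net in spokes.items():
        peers = [hub_net] + [n for other, n in spokes.items() if other != name]
        result[name] = {
            "crypto_hub": [acl_line("crypto_hub", net, p) for p in peers],
            "inside_nat0_outbound": [acl_line("inside_nat0_outbound", net, p) for p in peers],
        }
    return result


def _pairs(lines: List[str]) -> Set[Tuple[str, str, str, str]]:
    """(src, smask, dst, dmask) tuples from ACL lines produced by acl_line()."""
    out = set()
    for line in lines:
        t = line.split()
        out.add((t[5], t[6], t[7], t[8]))
    return out


def is_mirror(side_a: List[str], side_b: List[str]) -> bool:
    """True when every src->dst on side A appears as dst->src on side B, and nothing else."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in _pairs(side_a)} == _pairs(side_b)


# Constructed topology: main office plus two remote sites.
HUB = IPv4Network("192.168.1.0/24")
SPOKES = {"site1": IPv4Network("192.168.10.0/24"), "site2": IPv4Network("192.168.20.0/24")}
ACLS = hub_and_spoke_acls(HUB, SPOKES)

if __name__ == "__main__":
    for device, acls in ACLS.items():
        print(f"! {device}")
        for lines in acls.values():
            print("\n".join(lines))
    print("site1 mirrors hub:", is_mirror(ACLS["hub"]["crypto_site1"], ACLS["site1"]["crypto_hub"]))
```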

  • Cannot ping inside IP behind sonicwall from Cisco ASA 5500

    I have a sonicwall at site B and the cisco asa5500 at the main office. (site A)
The site to site VPN is working, but I cannot ping the inside IP (10.1.5.2) of the SonicWall from Site A. I need this only to access the computers behind the SonicWall for Remote Desktop and DameWare.
    I have another office that also has a sonicwall (same config)  and I can ping that inside IP from Site A.
I cannot see why I can ping one site and not the other.
    What needs to be configured on the ASA 5500 to be able to ping inside the sonicwall at site B?
    I prefer the wizard over the CLI.
    Thanks,

    Hi
AFAIK, no, you cannot do VPN, transparent and routing in the same unit.
    I would not want the DMZ and the outside interface to have overlapping IP address ranges.
    Logging and trying to keep track of it all would be way too confusing for me.
    So what I would do is split the external network into two network units (/25) and move all the units that can be moved to a DMZ with RFC 1918 addresses.
    The units that cannot be moved from the external network would have to stay put "for now" in another DMZ with the 190 addresses /25.
    This would need the ISP to change their routing table in the edge equipment; the lower (or upper) part of 190.X.X.X/25 would be the DMZ and needs to be routed to the firewall IP address.
    Then as time passes the DMZ will be depopulated as equipment is moved out and replaced, and in the end you will have the ISP merge the two 190.x.x.x/25 address ranges into one /24 and you will be back to today's setup but with all the servers in an RFC 1918 network.
    Do not use NAT, use PAT instead when it comes to the IP addresses translated from the Internet side. It makes for a much more secure network and you do not need as many IP addresses (in a normal case).
    With NAT you are translating the whole IP address, but with PAT you translate the port, so you can have IP X port 25 go to IP Y port 25 and then you can have IP X port 80 go to IP Z port 80 or maybe 8080 or whatever port you want.
    good luck
    HTH

  • ASA deny icmp

    Hello,
I have two ASA sites, Site A and Site B. The ASA type is 5512-X. In Site A there is a router behind the ASA which I try to ping.
    When I try to ping from Site B (192.168.11.11 laptop) to Site A Cisco router's management address (192.168.100.1),
    Site B ASA tells me that
    "the ASA deny inbound icmp src 192.168.11.11 ip address destination management 192.168.100.1."
    Here are Site B's ACLs; are there any errors or is something missing? How should the ACL and NAT be configured so that traffic between these two LANs would succeed?
    access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object site-SiteB object-group DM_INLINE_NETWORK_1
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object site-SiteB
    nat (inside,outside) source static site-SiteB site-SiteB destination static SiteA SiteA no-proxy-arp route-lookup inactive
    access-group outside_access_in in interface outside
Thanks for the help.

    OK, here...
    It seems that tunnel between my LAN-to-LAN network 11.0 <-> 20.0 works?
    But I would like to use my management network 100.0 at Site A and also at Site B.
How should this be configured so that from Site B (management address 100.5) I can have management access to Site A (100.1) through this tunnel?
    Address 100.1 is located behind SiteA ASA and address 100.5 is located behind SiteB ASA.
    ASA01# show isakmp sa
    IKEv1 SAs:
    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 10.0.1.2
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    ASA01# show crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: 10.0.1.1
          access-list outside_cryptomap extended permit icmp 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
          local ident (addr/mask/prot): (192.168.20.0/255.255.255.0/1)
          remote ident (addr/mask/prot): (192.168.11.0/255.255.255.0/1)
          current_peer: 10.0.1.2
          #pkts encaps: 9218, #pkts encrypt: 9218, #pkts digest: 9218
          #pkts decaps: 9218, #pkts decrypt: 9218, #pkts verify: 9218
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 9218, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 10.0.1.1/0, remote crypto endpt.: 10.0.1.2/0
          path mtu 1500, ipsec overhead 74(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: A9B7358F
          current inbound spi : 41511E3F
        inbound esp sas:
          spi: 0x41511E3F (1095835199)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
             slot: 0, conn_id: 1945600, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914987/9138)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xA9B7358F (2847356303)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
             slot: 0, conn_id: 1945600, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914987/9138)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    BR,
    Terno
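As an added example (not from the original post), the following Python code parses the proxy IDs out of ASA "show crypto ipsec sa" output and tests whether a given flow is covered by any established SA; the ident protocol field is 0 for "ip" and 1 for ICMP, so an SA built from a "permit icmp" ACL carries nothing else. The sample output is constructed to match the shape of the command, and the management hosts tested are made-up examples.

```python
"""Parse the proxy IDs from ASA 'show crypto ipsec sa' output and check whether a
flow (src, dst, protocol) falls inside any established IPsec SA.
The sample output and the hosts tested below are constructed for this example."""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot\): \((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)\)")
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # protocol numbers as shown in the ident


def parse_sa_idents(output: str) -> List[Dict]:
    """One dict {local, remote, proto} per crypto-map entry found in the output."""
    sas, cur = [], {}
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if not m:
            continue
        side, addr, mask, proto = m.groups()
        cur[side] = IPv4Network(f"{addr}/{mask}")
        cur["proto"] = int(proto)
        if "local" in cur and "remote" in cur:     # local/remote pair complete
            sas.append(cur)
            cur = {}
    return sas


def flow_covered(sas: List[Dict], src: str, dst: str, proto: str) -> bool:
    """True if some SA's proxy IDs match src->dst for proto; ident protocol 0 means any."""
    wanted = PROTO[proto]
    return any(IPv4Address(src) in sa["local"] and IPv4Address(dst) in sa["remote"]
               and sa["proto"] in (0, wanted) for sa in sas)


def uncovered(sas: List[Dict], flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the subset of (src, dst, proto) flows that no SA protects."""
    return [f for f in flows if not flow_covered(sas, *f)]


# Constructed sample in the shape of 'show crypto ipsec sa' on an ASA.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.0.1.1

      access-list outside_cryptomap extended permit icmp 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
      local ident (addr/mask/prot): (192.168.20.0/255.255.255.0/1)
      remote ident (addr/mask/prot): (192.168.11.0/255.255.255.0/1)
      current_peer: 10.0.1.2
"""
SAS = parse_sa_idents(SAMPLE)

if __name__ == "__main__":
    flows = [("192.168.20.5", "192.168.11.11", "icmp"),    # covered by the SA
             ("192.168.20.5", "192.168.11.11", "tcp"),     # SA is ICMP-only
             ("192.168.100.5", "192.168.100.1", "icmp")]   # management subnet not in proxy IDs
    for f in uncovered(SAS, flows):
        print("no SA covers", f)
```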
