8.2 policy-nat VPN port (5) ASA5510 of ASA5515 8.6 (1)

Similar Questions

• VPN site to Site with NAT and Port forwarding on a 871

  Hello

  Could someone please look at the config 871 router attached and tell me where I'm wrong!

  VPNs all work, work, BUT anyone trying to connect to a port that is sent through the VPN port forwarding fails.

  In the config attached Port 3389 (RDP) is sent to an internal server, if you connect to the external interface Internet connection is made and it works well, but if someone tries to connect to the IP address internal to that same server through VPN, it does not.

  We've added commands to stop working on the lines VPN NAT, but these do not seem to work.

  What Miss me?

  Thank you in advance and I will adjudicate all useful responses.

  It is a common problem. Yes you added controls to prevent NAT to work above the tunnel, but your static nat port to port 3389 takes precedence over the generic nat command, and there not all orders top to prevent it is nat would be above the tunnel.

  I wrote an example configuration for this some time, see here for more details:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

  If all goes well, he explains everything. Note that it is for a general order static host, not a static port that you have, but the concept is exactly the same. Just add a statement roadmap on the end of your static command of the port, and this route map - will reference an ACL that denies are used when going up above the tunnel.

• Policy overlapping NAT VPN

  Hello community,

  I'm going nuts here. We try to configure a NAT policy through a site to site VPN tunnel, but can't seem to turn it on. Here is our configuration:

  access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

  access-list extended sheep allowed host ip 10.23.1.5 192.168.12.0 255.255.255.0

  inside_nat_static list extended access allowed host ip 192.168.1.5 192.168.12.0 255.255.255.0

  inside_nat_static2 list extended access permit ip host 192.168.1.5 everything

  NAT (inside) 0 access-list sheep

  NAT (inside) 2 192.168.1.0 255.255.255.0

  public static 10.23.1.5 (inside, outside) - inside_nat_static access list

  public static 63.123.4.56 (inside, outside) - inside_nat_static2 access list

  The VPN part I omitted because it is correct. When we initiate a ping the tunnel arrives. The problem we have is on our side with policy NAT I think. With a ping from the remote desktop on our ASA, we see all incoming traffic, but our server does not transfer out.

  Appreciate any input...

  -Tom

  Tom,

  Sorry for the delay, I forgot you, I've just been very busy

  Here's what you'll need:

  First remove this (intentionally want NAT traffic not to 'sheep')

  access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

  access-list extended sheep allowed host ip 10.23.1.5 192.168.12.0 255.255.255.0

  Then add this to translate your outgoing traffic

  access-list 199 permit host ip 192.168.1.5 192.168.12.0 255.255.255.0

  public static 10.23.1.5 (inside, outside) access-list 199

  Translate your inbound traffic also:

  public static 192.168.12.0 (exterior, Interior) net of 192.168.1.0 255.255.255.0

  Describe your crypto since translated ACL localhost translated to the remote subnet.

  cryptomap list of allowed access host ip 10.23.1.5 192.168.12.0 255.255.255.0

  You can remove the other line of the ACL.

  Your host should access the 192.168.12.x which is translated remote network.

  Try it and let me know how it goes.

  Raga

• nat VPN question.

  Try to find what happened.  I had the remote end raise the tunnel, as they can ping resources on my side.  I am unable to ping 10.90.238.148 through this tunnel.  I used to be able to until the interface of K_Inc has been added.  The network behind this interface is 10/8.

  I asked a question earlier in another post and advises him to play opposite road of Cryptography.  And who did it.  I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.

  I am at a loss to why I can't all of a sudden.  A bit of history, given routes have not changed.  By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route.  The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0.  None of the nats have changed so if adding the reverse route worked for a day, it should still work.  Any thoughts?

  interface GigabitEthernet0/3.10

  VLAN 10

  nameif K_Inc

  security-level 100

  IP address 192.168.10.254 255.255.255.0

  interface GigabitEthernet0/3.141

  VLAN 141

  cold nameif

  security-level 100

  IP 192.168.141.254 255.255.255.0

  (Cold) NAT 0 access-list sheep

  NAT (cold) 1 192.168.141.0 255.255.255.0

  Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

  Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

  Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0

  IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0

  static 10.40.27.0 (cold, outside) - CSVPNNAT access list

  card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE

  card crypto Outside_map 5 the value reverse-road

  card crypto Outside_map 5 set pfs

  card crypto Outside_map 5 set peer 20.x.x.3

  Outside_map 5 transform-set ESP-3DES-MD5 crypto card game

  card crypto Outside_map 5 defined security-association life seconds 28800

  card crypto Outside_map 5 set security-association kilobytes of life 4608000

  tunnel-group 20.x.x.3 type ipsec-l2l

  20.x.x.3 Group of tunnel ipsec-attributes

  pre-shared-key *.

  Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1

  Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1

  Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1

  Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1

  Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

  Tunnel is up:

  14 peer IKE: 20.x.x.243

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  EDIT:

  I just noticed when tracer packet i run I don't get a phase VPN or encrypt:

  Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 10.90.238.0 255.255.255.0 outside

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true

  hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 4

  Type: QOS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false

  hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 5

  Type: FOVER

  Subtype: Eve-updated

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad090180, priority = 20, area = read, deny = false

  hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 6

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255

  match ip host 192.168.141.10 ColdSpring outside of any

  static translation at 74.x.x.50

  translate_hits = 610710, untranslate_hits = 188039

  Additional information:

  Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255

  Direct flow from returns search rule:

  ID = 0xac541e50, priority = 5, area = nat, deny = false

  hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 7

  Type: NAT

  Subtype: host-limits

  Result: ALLOW

  Config:

  static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0

  match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all

  static translation at 192.168.141.0

  translate_hits = 4194, untranslate_hits = 20032

  Additional information:

  Direct flow from returns search rule:

  ID = 0xace2c1a0, priority = 5, area = host, deny = false

  hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 8

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true

  hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 9

  Type: QOS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false

  hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 10

  Type: CREATING STREAMS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  New workflow created with the 339487904 id, package sent to the next module

  Information module for forward flow...

  snp_fp_inspect_ip_options

  snp_fp_tcp_normalizer

  snp_fp_translate

  snp_fp_adjacency

  snp_fp_fragment

  snp_fp_tracer_drop

  snp_ifc_stat

  Information for reverse flow...

  snp_fp_inspect_ip_options

  snp_fp_translate

  snp_fp_tcp_normalizer

  snp_fp_adjacency

  snp_fp_fragment

  snp_fp_tracer_drop

  snp_ifc_stat

  Phase: 11

  Type:-ROUTE SEARCH

  Subtype: output and contiguity

  Result: ALLOW

  Config:

  Additional information:

  found 7.x.x.1 of next hop using ifc of evacuation outside

  contiguity Active

  0007.B400.1402 address of stretch following mac typo 51982146

  Result:

  input interface: cold

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: allow

  What version are you running to ASA?

  My guess is that your two static NAT is configured above policy nat you have configured for the VPN?  If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.

  --

  Please note all useful posts

• Policy nat for L2L and external access

  Hello

  I'm running into an interesting question with a 506th PIX 6.3 (4)

  I created a VPN with our central location and implemented a policy nat on the 506th NAT their local 192.168.1.0/24 IPs to 10.200.25.0/24. This NATing works very well except for servers that also provide a static external IP address. I made a few captures of packets and traffic is crossing the VPN as expected and what actually at the remote end, but the answers are nat would be on the 'outside' ip of the host instead of the NAT. political I can ping other hosts on the remote network very well from the central location, not just those who have a static external IP address.

  Example:

  10.10.7.1 is my central site and try to ping a server with an IP address of 10.200.25.11 through the VPN. The traffic leaves the site central, is encrypted and delivered the firewall remotely. The firewall remotely translated 10.200.25.11-> 192.168.1.11 (the REAL Server IP) and delivers the package and the server responds, but answers are nat would be its public ip address of 75.X.X.X instead of 10.200.25.11.

  Any thoughs on how I can work around this problem?

  Here are the relevant config:

  permit for line of policy-nat access-list 1 ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

  allowed for access policy-nat-list line 2 ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

  allowed for line of policy-nat to access list 3 ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0

  list of access vpn-sheep allowed ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  list of access vpn-sheep allowed ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0

  list of access vpn-sheep allowed ip 192.168.1.0 255.255.255.0 10.100.11.0 255.255.255.0

  NAT (inside) 0-list of access vpn-sheep

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Global 1 interface (outside)

  public static 75.x.x.x (indoor, outdoor) 192.168.1.11 netmask 255.255.255.255 0 0

  public static 10.200.25.0 (inside, outside) - list of access policy-nat 0 0

  Try to rearrange your static rules:

  Do the static strategy, the first to be read by the pix

  public static 10.200.25.0 (inside, outside) - list of access policy-nat 0 0

  public static 75.x.x.x (indoor, outdoor) 192.168.1.11 netmask 255.255.255.255 0 0

  See how it goes

• Public static political static NAT in conflict with NAT VPN

  I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

  interface Vlan1

  IP 192.168.10.1 255.255.255.0

  access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

  list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

  public static 192.168.24.0 (inside, outside) - list of VPN access

  card crypto outside_map 1 match address outside_1_cryptomap

  In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

  public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

  The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

  So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

  What Miss me?

  Hello

  I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

  I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

  I guess you could choose any way seems best for you.

  Let me know if get you it working. I always find it strange that the original configuration did not work.

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary

  -Jouni

• PIX v6.3 Site-to-Site with policy NAT

  Hi guys,.

  I need to set up a site to site with nat because we have overlapping subnet at the other end.

  They need access to both servers on our network with IP static.

  Site A: 192.168.100.0/24

  Site b: 192.168.200.128/25

  The other site has chosen this network for NAT: 10.200.50.0/28

  I need to translate

  192.168.100.10 > 10.200.50.2

  192.168.100.20 > 10.200.50.3

  through the tunnel

  That's what I've done so far, will this work? Any problem that may appear with this config?

  Crypto ACL:

  VPN ip 10.200.50.0 access list allow 255.255.255.240 192.168.200.128 255.255.255.128

  Policy_NAT1 list of allowed access host ip of 192.168.100.10 192.168.200.128 255.255.255.128

  Policy_NAT2 list of allowed access host ip 192.168.100.20 192.168.200.128 255.255.255.128

  NAT (inside) 10 access-list Policy_NAT1 0 0

  NAT (inside) 11 access-list Policy_NAT2 0 0

  overall 10 10.200.50.2 (outside)

  Overall 11 10.200.50.3 (outside)

  Thanks in advance!

  Hello

  Your configuration looks very good.

  Although I guess it's a dynamic configuration policy NAT/PAT.

  Incase you want to configure static policy NAT, you need to change a bit. I mean if you wanted a NAT configuration allowing to form bidirectional connection. Both from your site to the remote site and the remote site to your side. You can always use the same ACL you have configured, but you would use the "static" configurations.

  public static 10.200.50.2 (inside, outside) - Policy_NAT1 access list

  public static 10.200.50.3 (inside, outside) - Policy_NAT2 access list

  Review with the static NAT to politics and the dynamic policy NAT/PAT which would be if these hosts have static NAT configured at the direction of the 'outside' interface while static NAT would cancel both of these configurations.

  If you use the political dynamic NAT and had also a static NAT for the host, then you would have to change from the above static NAT in a policy to override the static NAT.

  And with the foregoing in mind possible existing static NAT and new static NAT of policy might have some problems as a whole. In this case the scheduling of NAT rules would determine if static NAT of the policy has been applied already. If you already had the configured static NAT then it would nullify the political new static NAT:. The solution would be to remove the static NAT and enter it again. This would move the static NAT once the static NAT to policy in the order that they appear on the CLI format configuration and, therefore, static political NAT would work for the specified destination and addresses the static NAT for all other destination addresses.

  Hope I made any sense

  Feel free to ask more if necessary while

  -Jouni

• Public and private IPs on the same Interface by using NAT Exemption/policy NAT

  I'm looking for some feedback on whether my thoughts on the installation program will run.

  Equipment: PIX 515E 6.2 (2)

  Scenario:

  The inside interface of the PIX will host 3 blocks of addresses IP - 24 public 2 blocks and 1 private/16 block. (All IP addresses have been replaced by dummy blocks.)

  Blocks of audiences:

  * 192.168.10.0/24

  * 192.168.20.0/24

  Block of private:

  * 10.50.0.0/16

  Traffic from the public 2/24 blocks should go through the firewall without address translation.

  The two blocs of the public will be able to receive connections initiated from the Internet.

  Public blocks will need to be able to send and receive traffic on a static VPN tunnel to our headquarters without subject to address translation

  Traffic leaving the sector private/16 block should be subjected to PAT before passing through the firewall.

  Private/block 16 will not receive incoming traffic from the Internet (other than responses to outbound connections initiated from within the private block).

  However, the private block will also have to be able to send and receive traffic on a static VPN tunnel to our headquarters * without * subject to address translation (i.e. hosts on our corporate network must be able to initiate connections to the private block and vice versa).

  The inside interface of the PIX will be connected to a Catalyst 3xxx series layer 3 switch, which will be responsible for routing all internal (so the PIX will never be routing of traffic on the interface, it was received).

  My ideas on how to implement are:

  * Use the exemption of NAT to exempt public address translation blocks. This will allow incoming and outgoing connections through the firewall.

  * Use the exemption of NAT to exempt the block private NAT when connecting to our head office on the VPN tunnel.

  * Use policy NAT w / PAT to translate the block private connecting to all other hosts.

  I have translated these thoughts in the following configuration snippet.

  Because the NAT exemption is processed before policy NAT in the evaluation of the NAT rules, I believe that this should allow the public IP blocks treat incoming/outgoing traffic without translation, while submitting the private translation block (except during handling of incoming/outgoing connections to our network of corporate office).

  Can someone confirm my assumptions about this?

  # ----------------------------------------------------------------------

  traffic of # which should be exempted from translation

  permit ip 192.168.10.0 access list nat_exempt 255.255.255.0 any

  nat_exempt 192.168.20.0 ip access list allow 255.255.255.0 any

  nat_exempt ip 10.50.0.0 access list allow 255.255.0.0 10.100.0.0/16

  traffic of # which should be the subject of translation

  policy_nat ip 10.50.0.0 access list allow 255.255.0.0 any

  # Suppose 192.168.5.1 is the address to use for PAT

  Global (outside) 1 192.168.5.1

  NAT (inside) 0-list of access nat_exempt

  NAT (inside) 1 access-list policy_nat

  # assumes that 192.168.10.7 is the IP address of the inside layer 3 switch

  Route inside 192.168.10.0 255.255.255.0 192.168.10.7 1

  Route inside 192.168.20.0 255.255.255.0 192.168.10.7 1

  Route inside 10.50.0.0 255.255.0.0 192.168.10.7 1

  #assume the following configuration sections appear elsewhere: static tunnel VPN, ACL, ifconfig, etc..

  # ----------------------------------------------------------------------

  Yes, this will work, even if you don't need political NAT for the 10.50.0.0 network. For PAT the 10.50.0.0 network when to anywhere (except via VPN) just do:

  Global 1 192.168.15.1 (outside)

  NAT (inside) 1 10.50.0.0 255.255.0.0

  As I said, you have works perfectly, the above is just an easier way to do it.

• Political L2L NAT and static NAT VPN

  Here's the scenario:  I'm to establish a VPN L2L.  When you try to determine who hosts inside my network access hosts on the remote network through the VPN, I can't get a straight answer from officials.

  My thought was to use a private network of 10.17.24.0/24 and NAT all hosts on my inside the network to 10.17.24.x.  As a side note, the hosts of my inner network can be on any subnet in the beach of 172.12.x.0.  I would then put 10.17.24.0/24 in my interesting traffic for my ACL crypto.  From the hosts inside my network need to browse Internet AND communicate with hosts on the remote network through the VPN, I was going to try to do this with policy NAT. is it possible to use NAT policy in this case?  Or what I need to use static? I start with static but could not navigate the Internet eventually.  I know I'm missing something with the static, but can not understand.  I'm still pretty new to all this stuff so please forgive my ignorance.

  For example:

  
  

  access-list allowed NAT1 host ip 172.21.1.1 REMOTEL2L_SUBNET
  access-list allowed NAT2 host ip 172.21.2.5 REMOTEL2L_SUBNET
  access-list allowed host ip 172.21.15.7 REMOTEL2L_SUBNET VIH3

  static (in, out) 10.17.24.1 access-list NAT1
  static (in, out) 10.17.24.2 access-list NAT2
  static (in, out) 10.17.24.3 access-list VIH3

  The above configuration will be NAT 172.21.1.1 to 10.17.24.1 when you go to the remote subnet (across the L2L).

  The same behavior for other hosts.

  The important thing is that the ACL for crypto will come from the address using a NAT:

  list of allowed VPN ip 10.17.24.1 REMOTEL2L_SUBNET host access
  list of allowed VPN ip 172.17.24.2 REMOTEL2L_SUBNET host access
  list of allowed VPN ip 172.17.24.3 REMOTEL2L_SUBNET host access

  Or just the whole subnet:

  VPN ip 172.17.24.0 access list allow 255.255.255.0 REMOTEL2L_SUBNET

  The important thing is that interesting traffic matches at both ends!

  In addition, you can still provide Internet and local as normally...

  Internet access:

  NAT (inside) 1 172.21.0.0 255.255.0.0

  Global 1 interface (outside)

  It will be useful.

  Federico.

• Bi-Directional policy NAT

  There's a possible two-way NATs based on strategies? I can find plenty of examples to manage a simple two-way NAT but the Cisco documentation I've read indicates that based on local addresses only translated strategies. However, I have read conflicting Cisco documentation where it says any NAT (in addition to the NAT exemption) can be configured for policy NAT I spent many hours of research a configuration that could handle this, but came up empty. I guess that I'm not the first person to run in this Cisco documentation is just not clear to me.

  Site A end VPN Site B and Site C of an ASA 5520 L2L. Site A has no administrative control over B or C. Site B and C choose to expose their same private address space that overlap.

  I'm not expert but forced to it by the unexpected release of our network engineer. Can anyone provide assistance?

  I know I need to:

  1. Enter the address to be translated

  2 specify the way inside global translation

  I think I do this with:

  • public static 172.17.1.1 (exterior, Interior) 10.128.0.0 netmask 255.128.0.0
  • access-list 101 permit ip 10.128.0.0 255.128.0.0
  • Access-group 101 inside the interface outside

  I think I'm going to need to create for this route and directions:

  • Route outside 10.128.0.0 255.128.0.0 12.126.x.x

  This satifies a VPN, but what about the Site C? Can I use policy NAT to map this client 10.128.0.0/9 to say 172.17.2.2? I know that the address space that I am mapping to does not support the 9 being exposed to me, but I will never exceed the range that I'm mapping. Once I know exactly how IP will come via the VPN, I will actually create a 1:1 translation as governed by our security policy.

  I hope I am on the right track here and explained this way that is not too complicated. Any help? I do not know if a bidirectional NAT policy-based device is possible based on the Cisco documentation by what I read. Help!

  -(12.126.x.x) Site B (10.128.0.0/9)

  Site A - WWW Cloud

  (ASA 5520)-(209.128.y.y) Site C (10.128.0.0/9)

  I agree with you 100% unfortunately documentation sucks!

  If you give to ASA a different public IP address on a different interface and terminate the tunnel there, you can always
  Use policy NAT in Site configuration, and it should work.

  Try it and tell us if you need assistance.

  Federico.

• Policy NAT for VPN L2L

  Summary:

  We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

  My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

  Here is the config:

  # #List of OUR guests

  the OURHosts object-group network

  network-host 192.168.x.y object

  # Hosts PARTNER #List

  the PARTNERHosts object-group network

  network-host 10.2.a.b object

  ###ACL for NAT

  # Many - to - many outgoing

  access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

  # One - to - many incoming

  VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

  # #NAT

  NAT (INSIDE) 2-list of access NAT2

  NAT (OUTSIDE) 2 172.20.n.0

  NAT (INSIDE) 3 access-list VIH3

  NAT (OUTSIDE) 3 172.20.n.1

  # #ACL for VPN

  access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

  access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

  # #Tunnel

  tunnel-group type ipsec-l2l

  card <#>crypto is the VPN address

  card crypto <#>the value transform-set VPN

  card <#>crypto defined peer

  I realize that the ACL for the VPN should read:

  access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

  access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

  .. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

  What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

  Thanks in advance.

  Patrick

  Here is the order of operations for NAT on the firewall:

  1 nat 0-list of access (free from nat)

  2. match the existing xlates

  3. match the static controls

  a. static NAT with no access list

  b. static PAT with no access list

  4. match orders nat

  a. nat [id] access-list (first match)

  b. nat [id] [address] [mask] (best match)

  i. If the ID is 0, create an xlate identity

  II. use global pool for dynamic NAT

  III. use global dynamic pool for PAT

  If you can try

  (1) a static NAT with an access list that will have priority on instruction of dynamic NAT

  (2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

  I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

  Jon

• ASA to Juniper VPN with policy NAT

  I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my network 192.168.190.0/24 client.  I need NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.

  Here is my current config:

  xxxxx host name

  domain xxxxx.local
  enable the encrypted password xxxxx
  XXXXX encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.190.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 207.98.218.26 255.255.255.248
  !
  interface Vlan3
  prior to interface Vlan1
  nameif DMZ
  security-level 50
  IP 192.168.100.1 address 255.255.255.0
  !
  interface Vlan12
  description of interface vlan2 backup
  nameif CharterBackup
  security-level 0
  IP 72.14.9.50 255.255.255.248
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  switchport access vlan 12
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  switchport access vlan 3
  !
  interface Ethernet0/7
  switchport access vlan 3
  !
  passive FTP mode
  DNS server-group DefaultDNS
  domain xxxxx.local
  access-list extended 110 permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
  access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
  access-list extended 100 permit tcp any host 207.98.218.27 eq 3389
  access-list extended 100 permit tcp any host 207.98.218.28 eq 3389
  access-list extended 100 permit tcp any host 207.98.218.27 eq 9000
  access-list extended 100 permit tcp any host 207.98.218.27 eq 9001
  access-list extended 100 permit tcp any host 207.98.218.28 eq 9000
  access-list extended 100 permit tcp any host 207.98.218.28 eq 9001
  access-list standard split allow 192.168.190.0 255.255.255.0
  Access extensive list ip 192.168.190.0 POLICYNAT allow 255.255.255.0 66.18.106.160 255.255.255.224
  extended VPN ip 192.168.191.0 access list allow 255.255.255.0 66.18.106.160 255.255.255.224
  pager lines 24
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  MTU 1500 DMZ
  MTU 1500 CharterBackup
  IP local pool vpnpool 192.168.10.75 - 192.168.10.85
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 524.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  Global interface (CharterBackup) 1
  NAT (inside) - 0 110 access list
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (DMZ) 1 0.0.0.0 0.0.0.0
  public static 192.168.191.0 (inside, outside) - POLICYNAT access list
  Access-group 100 in external interface
  Route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
  Route 0.0.0.0 CharterBackup 0.0.0.0 71.14.9.49 254
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  Enable http server
  http 192.168.190.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  monitor SLA 123
  type echo protocol ipIcmpEcho 4.2.2.2 outside interface
  timeout of 1000
  frequency 3
  Annex ALS life monitor 123 to always start-time now
  Crypto ipsec transform-set esp - esp-md5-hmac romanset
  Crypto ipsec transform-set esp-aes - AES-128-SHA esp-sha-hmac
  Crypto-map dynamic dynmap 10 transform-set romanset
  romanmap card crypto 10 corresponds to the VPN address
  peer set card crypto romanmap 10 66.18.99.68
  card crypto romanmap 10 game of transformation-AES-128-SHA
  map romanmap 65535-isakmp ipsec crypto dynamic dynmap
  romanmap interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  the Encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  !
  track 1 rtr 123 accessibility
  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH 0.0.0.0 0.0.0.0 CharterBackup
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd dns 8.8.8.8
  dhcpd outside auto_config
  !
  dhcpd address 192.168.100.100 - DMZ 192.168.100.130
  dhcpd enable DMZ
  !

  internal group xxxxx policy
  attributes of the strategy group xxxxx
  value of server WINS 192.168.190.3
  value of server DNS 192.168.190.3
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value split
  tunnel-group xxxxx type ipsec-ra
  tunnel-group xxxxx General attributes
  address vpnpool pool
  Group Policy - by default-romangroup
  tunnel-group ipsec-attributes xxxxx
  pre-shared-key *.
  ISAKMP ikev1-user authentication no
  tunnel-group 66.18.99.68 type ipsec-l2l
  IPSec-attributes tunnel-group 66.18.99.68
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  !
  global service-policy global_policy
  context of prompt hostname

  Currently, traffic that originates on 192.168.190.0/24 generates no traffic phase 1.  However, if the traffic is coming in FRO the side remote (66.18.106.160/27) the tunnel arrives, but no traffic passes.

  Although this isn't my area of expertise, it seems to me that my ASA is not 'see' interesting traffic from 192.168.190.0/24 will 66.18.106.160/27.

  Any help you could provide would be GREATLY appreciated.

  Just remove the 2 following lines:

  access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224

  access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224

  Then 'clear xlate '.

  That should solve your problem.

• By PAT and NAT VPN

  We have a place where you want to set up a tunnel VPN to our headquarters.

  In this place, there is a router that PAT (NAT overloading), and then a few jumps more, there is a firewall that makes the NAT.

  Is this could pose a problem for the VPN tunnel?

  Here's a "pattern" of what looks like the connection.

  Customer--> PAT - router-->--> Internet--> CVPN3005 NAT firewall

  I hope you can provide me with an answer.

  VPN tunnel will not work in your scenario. NAT second change address and the ports you want to use for the vpn tunnel. So the port 500 wil be translated to top port and will be rejected at HQ.

• The ASA with crossed VPN Port forwarding

  Hello

  I worked on a question for a while and I have managed to track down the issue, but I don't know how to solve the problem.

  I have an ASA 5505 8.4 (7) running with a tunnel for incoming remote users anyconnect vpn. I also want to configure incoming Web server port forwarding.

  The question seems to be traversed rule which stops incoming port forwarding:

  NAT (outside, outside) NETWORK_OBJ_172.16.1.0_28 interface description dynamic source hairpin to natting users vpn on the external interface

  When I disable the port forwarding will work perfectly (according to tracer packet that is).

  I have attached the config to this post. I would appreciate any idea how to get the through VPN and the transfer to the incoming port working.

  The config has been condensed to remove unneed config.

  Thank you

  Hello

  What is the configuration commands, you use to put in place the static PAT (Port Forward)?

  The problem is most likely order of the NAT configurations such as configuring NAT above in the upper part of the NAT configurations.

  Configuring static PAT, that you could use to make it work would be

  the SERVER object network

  host

  service object WWW

  tcp source eq www service

  NAT (server, on the outside) of the interface to the static SERVER 1 source WWW WWW service

  The above assumes the source for the host interface is "Server" and the service that you want to PAT static TCP/80.

  Note that we add the number '1' in the 'nat' command. This will add at the top. The same should be done for any other static PAT you configure you want for these VPN Clients.

  Hope this helps

  -Jouni

• NAT VPN

  I'm havening problems with NAT over VPN. with current configs below it will complete the first phase of the tunnel and then stop because the ip address is not natted. If I put a permit in the statement of the permits it will be nat to internet host, but not via the vpn. If I put in a static nat statement it will nat and attempt to create a tunnel but I get the error (increment the count of errors on his, try 1 5: retransmit the phase 1)

  version 12.3

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  hostname BatsVpnRouter

  !

  boot-start-marker

  start the system flash c1700-k9o3sy7 - mz.122 - 13.T.bin

  boot-end-marker

  !

  no console logging

  Select the secret xxx

  activate the password xxx

  !

  MMI-60 polling interval

  No mmi self-configuring

  No pvc mmi

  MMI snmp-timeout 180

  No aaa new-model

  no ip subnet zero

  !

  IP cef

  Max-events of po verification IP 100

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key xxx address 190.0.0.1

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac bats

  !

  bats_map 2 ipsec-isakmp crypto map

  defined by peer 190.0.0.1

  transformation-BALD-MOUSE game

  -More - match address BATSACL

  !

  !

  !

  interface Ethernet0

  IP address 11.0.x.x.255.255.224

  NAT outside IP

  full-duplex

  bats_map card crypto

  !

  interface FastEthernet0

  IP 192.168.1.2 255.255.255.0

  IP nat inside

  Speed 100

  full-duplex

  !

  IP nat inside source list bats-nat interface Ethernet0 overload

  IP classless

  IP route 0.0.0.0 0.0.0.0 11.0.0.1

  no ip address of the http server

  no ip http secure server

  !

  BATSACL extended IP access list

  permit ip host 11.0.0.5 200.0.0.1

  192.168.1.100 ip permit host 200.0.0.1

  permit ip host 11.0.0.5 200.0.0.2

  192.168.1.100 ip permit host 200.0.0.2

  permit ip host 11.0.0.5 200.0.0.3

  192.168.1.100 ip permit host 200.0.0.3

  IP extended access-list of the bats-nat

  permit log host 200.0.0.1 host 192.168.1.100 ip

  192.168.1.100 ip permit host 200.0.0.2

  192.168.1.100 ip permit host 200.0.0.3

  !

  public RO SNMP-server community

  Enable SNMP-Server intercepts ATS

  alias exec clip claire rou ip *.

  alias exec crs copy run start

  alias exec deb187 debug ip pack det 187

  alias exec ospfnei sh ip ospf nei

  alias exec ship sho ip route

  alias exec shr sho run

  alias exec Ibis show ip brief inter

  alias exec ip sip sho pro

  alias exec tr traceroute

  alias exec ss sho sess

  sho alias exec sl online

  alias exec cl clear line

  !

  Line con 0

  line to 0

  line vty 0 4

  password xxx

  opening of session

  Ok. You must make sure that the ACl:s are the same (but in reverse) on both sides, which means that you probably need to remove a few lines on the Router 1. The ACL should look like this:

  BATSACL extended IP access list

  permit ip host 11.0.0.5 200.0.0.1

  permit ip host 11.0.0.5 200.0.0.2

  permit ip host 11.0.0.5 200.0.0.3

  Remove the keyword "log" of this line:

  IP extended access-list of the bats-nat

  permit log host 200.0.0.1 host 192.168.1.100 ip

  OK, now you've cleaned it, trying to make appear the tunnel again, try it with 200.0.0.1 and 200.0.0.2.

  Then, check the remote debugging.