Policy-NAT VPN port from ASA5510 8.2(5) to ASA5515 8.6(1)
I have this existing config (which works) on an ASA5510 running v8.2(5).
I need to port this to an ASA5515 running v8.6(1).
ASA5510 inside network: 192.168.1.0/24
Remote VPN peer network: 172.16.21.192/28
!
access-list InsideGlobal-2-OutsideNetwork permit ip host 10.0.200.211 172.16.21.192 255.255.255.240
access-list InsideGlobal-2-OutsideNetwork permit ip host 10.0.202.39 172.16.21.192 255.255.255.240
!
access-list InsideLocal.1-2-OutsideNetwork permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
access-list InsideLocal.191-2-OutsideNetwork permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
!
static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork
static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
!
I think what I need is the following:
!
object network OBJ_172.16.21.192_28
 subnet 172.16.21.192 255.255.255.240
!
object network OBJ_10.0.200.211_32
 host 10.0.200.211
!
object network OBJ_10.0.202.39_32
 host 10.0.202.39
!
object network OBJ_192.168.1.1_32
 host 192.168.1.1
!
object network OBJ_192.168.1.191_32
 host 192.168.1.191
!
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
!
nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.202.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
Thanks - Phil
Hi Phil,
The 8.2.x configuration converted to 8.6.x is correct. Go with it.
Vishnu
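Added example, not part of the thread: a small Python script that mechanically performs the 8.2-to-8.3+ conversion Phil did by hand, starting from the 8.2(5) lines he posted (the ACL names without spaces, and the helper names in the script, are this example's own assumptions). It emits the same OBJ_<ip>_<prefix> objects and the same `nat ... source static ... destination static ... no-proxy-arp route-lookup` lines, which makes it a quick check that every object a nat line references is actually defined and that no host address was mistyped.

```python
"""Convert pre-8.3 ASA policy static NAT (static + access-list) to 8.3+ twice NAT.

Constructed example, not from the thread. Only 'permit ip' ACEs and
'static (real,mapped) <ip> access-list <name>' are handled; no-proxy-arp and
route-lookup are appended because the policy static is for VPN-bound traffic.
"""
import ipaddress
import re

# The 8.2(5) lines from the thread, used as sample input for this script.
SAMPLE_8_2 = """\
access-list InsideLocal.1-2-OutsideNetwork permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
access-list InsideLocal.191-2-OutsideNetwork permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork
static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Consume one ACE address spec: 'host A', 'any', or 'A MASK'."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if first in ("any", "any4"):
        return ANY
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_8_2(config):
    """Return ({acl: [(src, dst), ...]}, [(real_ifc, mapped_ifc, mapped_host, acl), ...])."""
    acls, statics = {}, []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            name, rest = tokens[1], tokens[2:]
            if rest and rest[0] == "extended":
                rest = rest[1:]
            if rest[:2] != ["permit", "ip"]:
                raise ValueError(f"unsupported ACE: {line}")
            rest = rest[2:]
            src = _take_addr(rest)
            dst = _take_addr(rest)
            acls.setdefault(name, []).append((src, dst))
        elif tokens[0] == "static":
            m = re.fullmatch(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)", line.strip())
            if not m:
                raise ValueError(f"unsupported static: {line}")
            real_ifc, mapped_ifc, mapped, acl = m.groups()
            statics.append((real_ifc, mapped_ifc, ipaddress.ip_network(mapped + "/32"), acl))
    return acls, statics


def obj_name(network):
    """Same naming scheme as the thread: OBJ_<network>_<prefixlen>."""
    return f"OBJ_{network.network_address}_{network.prefixlen}"


def obj_lines(network):
    if network.prefixlen == 32:
        return [f"object network {obj_name(network)}", f" host {network.network_address}"]
    return [f"object network {obj_name(network)}",
            f" subnet {network.network_address} {network.netmask}"]


def convert(config):
    """Emit 8.3+ network objects plus one manual (twice) NAT line per policy ACE."""
    acls, statics = parse_8_2(config)
    objects, nat_lines = {}, []  # dict preserves insertion order, so objects print once
    for real_ifc, mapped_ifc, mapped, acl in statics:
        for src, dst in acls[acl]:
            for network in (src, mapped, dst):
                if network != ANY:
                    objects.setdefault(obj_name(network), obj_lines(network))
            line = (f"nat ({real_ifc},{mapped_ifc}) source static "
                    f"{obj_name(src)} {obj_name(mapped)}")
            if dst != ANY:  # identity destination keeps the rule scoped to the VPN peer
                line += f" destination static {obj_name(dst)} {obj_name(dst)}"
            nat_lines.append(line + " no-proxy-arp route-lookup")
    out = [item for lines in objects.values() for item in lines]
    return "\n".join(out + nat_lines)


if __name__ == "__main__":
    print(convert(SAMPLE_8_2))
```

Two things the conversion does not change and that are worth checking on the 8.6 box: manual NAT (section 1) rules are evaluated top down with first match, so these per-host policy entries must sit above any broader `nat (inside,outside) source static` or dynamic rule covering 192.168.1.0/24; and the crypto ACL InsideGlobal-2-OutsideNetwork keeps matching on the mapped 10.0.x.x addresses, exactly as on 8.2. A `packet-tracer input inside tcp 192.168.1.1 1025 172.16.21.193 80` should then show the NAT phase selecting the twice-NAT rule followed by a VPN encrypt phase.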
Tags: Cisco Security
Similar Questions
-
Site-to-site VPN with NAT and port forwarding on an 871
Hello
Could someone please look at the attached 871 router config and tell me where I'm going wrong!
The VPNs all work, BUT anyone trying to connect through the VPN to a port that is port-forwarded fails.
In the attached config, port 3389 (RDP) is forwarded to an internal server. If you connect to the external interface from the Internet the connection is made and it works fine, but if someone tries to connect to that same server's internal IP address through the VPN, it does not.
We've added commands to stop NAT from working on the VPN lines, but these do not seem to work.
What am I missing?
Thanks in advance, and I will rate all useful responses.
This is a common problem. Yes, you added commands to stop NAT from working over the tunnel, but your static port NAT for port 3389 takes precedence over the generic nat command, and there is nothing on top of it to prevent that traffic from being NATed over the tunnel.
I wrote an example configuration for this some time ago; see here for more details:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml
Hopefully that explains everything. Note that it is for a general static host command, not a static port one like you have, but the concept is exactly the same. Just add a route-map statement on the end of your static port command, and have that route-map reference an ACL that denies the traffic going over the tunnel from being NATed.
-
Hello community,
I'm going nuts here. We are trying to configure policy NAT through a site-to-site VPN tunnel, but can't seem to get it working. Here is our configuration:
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static extended permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static2 extended permit ip host 192.168.1.5 any
nat (inside) 0 access-list sheep
nat (inside) 2 192.168.1.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list inside_nat_static
static (inside,outside) 63.123.4.56 access-list inside_nat_static2
I omitted the VPN part because it is correct. When we initiate a ping, the tunnel comes up. The problem, I think, is on our side with the policy NAT. With a ping from the remote end, on our ASA we see all the incoming traffic, but our server does not send anything back out.
Appreciate any input...
-Tom
Tom,
Sorry for the delay, I forgot about you, I've just been very busy.
Here's what you'll need:
First remove these (you want this traffic NATed, so it must not be in 'sheep'):
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
Then add this to translate your outgoing traffic:
access-list 199 permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list 199
Translate your inbound traffic as well:
static (outside,inside) 192.168.12.0 192.168.1.0 netmask 255.255.255.0
Define your crypto ACL from the translated local host to the translated remote subnet:
access-list cryptomap permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
You can remove the other line from the ACL.
Your host should then access 192.168.12.x, which is the translated remote network.
Try it and let me know how it goes.
Raga
-
Trying to figure out what happened. I had the remote end bring up the tunnel, and they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to, until the K_Inc interface was added. The network behind this interface is 10/8.
I asked a question earlier in another post and was advised to set reverse-route on the crypto map. That did it. I was able to ping 10.90.238.148 from 192.168.141.10 with the config below.
I am at a loss as to why I can't all of a sudden. A bit of history: the routes have not changed. By adding the set reverse-route command to the crypto map, I end up with a static entry for the 10.90.238.0 network, which is what fixed it initially, so I don't think it's a routing problem. The remote end had an overlap with 192.168.141.0/24, which is why my side is NATed to 10.40.27.0. None of the NATs have changed, so if adding the reverse route worked for a day, it should still work. Any thoughts?
interface GigabitEthernet0/3.10
 vlan 10
 nameif K_Inc
 security-level 100
 ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/3.141
 vlan 141
 nameif ColdSpring
 security-level 100
 ip address 192.168.141.254 255.255.255.0
nat (ColdSpring) 0 access-list sheep
nat (ColdSpring) 1 192.168.141.0 255.255.255.0
access-list CSVPNOFFSITE extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list CSVPNOFFSITE extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list CSVPNNAT extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list sheep extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
static (ColdSpring,outside) 10.40.27.0 access-list CSVPNNAT
crypto map Outside_map 5 match address CSVPNOFFSITE
crypto map Outside_map 5 set reverse-route
crypto map Outside_map 5 set pfs
crypto map Outside_map 5 set peer 20.x.x.3
crypto map Outside_map 5 set transform-set ESP-3DES-MD5
crypto map Outside_map 5 set security-association lifetime seconds 28800
crypto map Outside_map 5 set security-association lifetime kilobytes 4608000
tunnel-group 20.x.x.3 type ipsec-l2l
tunnel-group 20.x.x.3 ipsec-attributes
 pre-shared-key *
route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
route K_Inc 10.0.0.0 255.192.0.0 192.168.10.252 1
route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1
Tunnel is up:
14   IKE Peer: 20.x.x.243
     Type    : L2L             Role    : responder
     Rekey   : no              State   : MM_ACTIVE
EDIT:
I just noticed that when I run packet-tracer I don't get a VPN or ENCRYPT phase:
packet-tracer input ColdSpring tcp 192.168.141.10 80 10.90.238.148 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.90.238.0     255.255.255.0   outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xad048d08, priority=0, domain=inspect-ip-options, deny=true
        hits=2954624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xb2ed4b80, priority=72, domain=qos-per-class, deny=false
        hits=2954687, user_data=0xb2ed49d8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xad090180, priority=20, domain=lu, deny=false
        hits=618776, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring,outside) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
  match ip ColdSpring host 192.168.141.10 outside any
    static translation to 74.x.x.50
    translate_hits = 610710, untranslate_hits = 188039
Additional Information:
Static translate 192.168.141.10/0 to 74.112.122.50/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 id=0xac541e50, priority=5, domain=nat, deny=false
        hits=610742, user_data=0xac541c08, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.141.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ColdSpring,dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
  match ip ColdSpring 192.168.141.0 255.255.255.0 dmz any
    static translation to 192.168.141.0
    translate_hits = 4194, untranslate_hits = 20032
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xace2c1a0, priority=5, domain=host, deny=false
        hits=2954683, user_data=0xace2ce68, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.141.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 id=0xaacbcb90, priority=0, domain=inspect-ip-options, deny=true
        hits=282827537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 id=0xb2ed5c78, priority=72, domain=qos-per-class, deny=false
        hits=4749562, user_data=0xb2ed5ad0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339487904, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 7.x.x.1 using egress ifc outside
adjacency Active
next-hop mac address 0007.b400.1402 hits 51982146

Result:
input-interface: ColdSpring
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
What version of ASA are you running?
My guess is that your two static NATs are configured above the policy NAT you have configured for the VPN? If that is the case, move your policy NAT above those static NATs and you should see the traffic start to flow properly.
--
Please rate all helpful posts
-
Policy NAT for L2L and external access
Hello
I'm running into an interesting issue with a PIX 506E running 6.3(4).
I created a VPN to our central location and implemented a policy NAT on the 506E to NAT its local 192.168.1.0/24 IPs to 10.200.25.0/24. This NATing works very well except for servers that also have a static external IP address. I did a few packet captures, and traffic is crossing the VPN as expected and actually arriving at the remote end, but the replies are NATed to the host's 'outside' IP instead of the policy NAT address. I can ping other hosts on the remote network fine from the central location, just not those that have a static external IP address.
Example:
10.10.7.1 is at my central site and tries to ping a server with an IP address of 10.200.25.11 through the VPN. The traffic leaves the central site, is encrypted and delivered to the remote firewall. The remote firewall translates 10.200.25.11 -> 192.168.1.11 (the REAL server IP) and delivers the packet, and the server responds, but the replies are NATed to its public IP address of 75.X.X.X instead of 10.200.25.11.
Any thoughts on how I can work around this problem?
Here is the relevant config:
access-list policy-nat line 1 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list policy-nat line 2 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list policy-nat line 3 permit ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list vpn-sheep permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-sheep permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn-sheep permit ip 192.168.1.0 255.255.255.0 10.100.11.0 255.255.255.0
nat (inside) 0 access-list vpn-sheep
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
Try rearranging your static rules:
Make the policy static the first one read by the PIX:
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
See how it goes
-
Static policy NAT conflicting with static NAT for a VPN
I have a situation where I need to create a site-to-site VPN between an ASA 5505 running IOS 7.2 and a Sonicwall NSA4500. The problem arises because the LAN behind the Cisco ASA has the same subnet as an existing VPN already created on the Sonicwall. Since the Sonicwall cannot have two VPNs both running on the same subnet, the solution is to use policy NAT on the ASA so that, to the Sonicwall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (the Sonicwall already has a VPN created for another customer with the same subnet). I am trying to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The relevant ASA configuration is:
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, for example:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: when I enter the static policy NAT statement, I get the message 'WARNING: real-address conflict with existing static' and then it references each of the static NAT statements mapping the external address to the server. I've thought about it, and it seems to me that the problem is that the policy NAT statement needs to be the first NAT statement (it is currently the last one) so that it is evaluated first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) is handled properly. If I leave it as the last statement, then the other static NAT statements would prevent part of the traffic bound for the 10.159.0.0/24 network from being correctly routed through the VPN.
So, I first tried to move my policy NAT statement upward in the ASDM GUI. However, moving the statement was not allowed. Then I tried deleting the five static NAT statements that point to the server (an example is above) and then recreating them, hoping that would move the policy NAT statement up. This also failed.
What am I missing?
Hello
I assumed that we could have changed the order of the original 'static' commands, but as that did not work for some reason, it seems to me that either the change you suggested or the one I proposed should work.
I guess your purpose was to set up static policy PAT for the VPN for some of these services, then static PAT for public network access, then static policy NAT for the rest of the internal network.
I guess you could choose whichever way seems best to you.
Let me know if you get it working. I still find it strange that the original configuration did not work.
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
PIX v6.3 site-to-site with policy NAT
Hi guys,
I need to set up a site-to-site with NAT because we have an overlapping subnet at the other end.
They need access to two servers on our network with static IPs.
Site A: 192.168.100.0/24
Site b: 192.168.200.128/25
The other site has chosen this network for the NAT: 10.200.50.0/28
I need to translate
192.168.100.10 > 10.200.50.2
192.168.100.20 > 10.200.50.3
through the tunnel.
This is what I've done so far. Will this work? Any problems that may appear with this config?
Crypto ACL:
access-list VPN permit ip 10.200.50.0 255.255.255.240 192.168.200.128 255.255.255.128
access-list Policy_NAT1 permit ip host 192.168.100.10 192.168.200.128 255.255.255.128
access-list Policy_NAT2 permit ip host 192.168.100.20 192.168.200.128 255.255.255.128
nat (inside) 10 access-list Policy_NAT1 0 0
nat (inside) 11 access-list Policy_NAT2 0 0
global (outside) 10 10.200.50.2
global (outside) 11 10.200.50.3
Thanks in advance!
Hello
Your configuration looks fine.
Although I guess it's a dynamic policy NAT/PAT configuration.
In case you want to configure static policy NAT, you need to change it a bit. I mean, if you wanted a NAT configuration allowing bidirectional connections, both from your site to the remote site and from the remote site to your side. You can still use the same ACLs you have configured, but you would use the 'static' configurations:
static (inside,outside) 10.200.50.2 access-list Policy_NAT1
static (inside,outside) 10.200.50.3 access-list Policy_NAT2
A consideration with both the static policy NAT and the dynamic policy NAT/PAT is whether these hosts have a static NAT configured towards the 'outside' interface, as that static NAT would override both of these configurations.
If you used the dynamic policy NAT and also had a static NAT for the host, then you would have to change the above static NAT into a policy one to override the static NAT.
And with the above in mind, a possibly existing static NAT and the new static policy NAT might have some problems together. In this case the ordering of the NAT rules would determine whether the static policy NAT gets applied at all. If you already had the static NAT configured, then it would override the new static policy NAT. The solution would be to remove the static NAT and enter it again. This would move the static NAT after the static policy NAT in the order they appear in the CLI format configuration and, therefore, the static policy NAT would work for the specified destination addresses and the static NAT for all other destination addresses.
Hope I made some sense.
Feel free to ask more if necessary while
-Jouni
-
Public and private IPs on the same interface using NAT exemption/policy NAT
I'm looking for some feedback on whether my thoughts on this setup will work.
Equipment: PIX 515E 6.2(2)
Scenario:
The inside interface of the PIX will host 3 blocks of IP addresses: 2 public /24 blocks and 1 private /16 block. (All IP addresses have been replaced by dummy blocks.)
Public blocks:
* 192.168.10.0/24
* 192.168.20.0/24
Private block:
* 10.50.0.0/16
Traffic from the 2 public /24 blocks should go through the firewall without address translation.
The two public blocks will be able to receive connections initiated from the Internet.
The public blocks will need to be able to send and receive traffic over a static VPN tunnel to our headquarters without being subject to address translation.
Traffic leaving the private /16 block should be subject to PAT before passing through the firewall.
The private /16 block will not receive incoming traffic from the Internet (other than responses to outbound connections initiated from within the private block).
However, the private block will also have to be able to send and receive traffic over a static VPN tunnel to our headquarters *without* being subject to address translation (i.e. hosts on our corporate network must be able to initiate connections to the private block and vice versa).
The inside interface of the PIX will be connected to a Catalyst 3xxx series layer 3 switch, which will be responsible for all internal routing (so the PIX will never be routing traffic out the interface it was received on).
My ideas on how to implement this are:
* Use NAT exemption to exempt the public blocks from address translation. This will allow incoming and outgoing connections through the firewall.
* Use NAT exemption to exempt the private block from NAT when connecting to our head office over the VPN tunnel.
* Use policy NAT w/ PAT to translate the private block when connecting to all other hosts.
I have translated these thoughts into the following configuration snippet.
Because NAT exemption is processed before policy NAT in the evaluation of NAT rules, I believe this should allow the public IP blocks to handle incoming/outgoing traffic without translation, while subjecting the private block to translation (except when handling incoming/outgoing connections to our corporate office network).
Can someone confirm my assumptions about this?
# ----------------------------------------------------------------------
# traffic which should be exempted from translation
access-list nat_exempt permit ip 192.168.10.0 255.255.255.0 any
access-list nat_exempt permit ip 192.168.20.0 255.255.255.0 any
access-list nat_exempt permit ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
# traffic which should be subject to translation
access-list policy_nat permit ip 10.50.0.0 255.255.0.0 any
# assume 192.168.5.1 is the address to use for PAT
global (outside) 1 192.168.5.1
nat (inside) 0 access-list nat_exempt
nat (inside) 1 access-list policy_nat
# assume 192.168.10.7 is the IP address of the inside layer 3 switch
route inside 192.168.10.0 255.255.255.0 192.168.10.7 1
route inside 192.168.20.0 255.255.255.0 192.168.10.7 1
route inside 10.50.0.0 255.255.0.0 192.168.10.7 1
# assume the following configuration sections appear elsewhere: static VPN tunnel, ACLs, interface config, etc.
# ----------------------------------------------------------------------
Yes, this will work, although you don't need policy NAT for the 10.50.0.0 network. To PAT the 10.50.0.0 network when going anywhere (except via the VPN), just do:
global (outside) 1 192.168.15.1
nat (inside) 1 10.50.0.0 255.255.0.0
As I said, what you have works perfectly; the above is just an easier way to do it.
-
Policy NAT and static NAT for an L2L VPN
Here's the scenario: I'm establishing an L2L VPN. When trying to determine which hosts inside my network need to access hosts on the remote network through the VPN, I can't get a straight answer from management.
My thought was to use a private network of 10.17.24.0/24 and NAT all hosts on my inside network to 10.17.24.x. As a side note, the hosts on my inside network can be on any subnet in the 172.12.x.0 range. I would then put 10.17.24.0/24 in the interesting traffic for my crypto ACL. Since the hosts inside my network need to browse the Internet AND communicate with hosts on the remote network through the VPN, I was going to try to do this with policy NAT. Is it possible to use policy NAT in this case? Or do I need to use static? I started with static but eventually could not browse the Internet. I know I'm missing something with the static, but cannot figure it out. I'm still pretty new to all this stuff, so please forgive my ignorance.
For example:
access-list NAT1 permit ip host 172.21.1.1 REMOTEL2L_SUBNET
access-list NAT2 permit ip host 172.21.2.5 REMOTEL2L_SUBNET
access-list NAT3 permit ip host 172.21.15.7 REMOTEL2L_SUBNET
static (inside,outside) 10.17.24.1 access-list NAT1
static (inside,outside) 10.17.24.2 access-list NAT2
static (inside,outside) 10.17.24.3 access-list NAT3
The above configuration will NAT 172.21.1.1 to 10.17.24.1 when going to the remote subnet (across the L2L).
The same behavior applies to the other hosts.
The important thing is that the crypto ACL will source from the NATed address:
access-list VPN permit ip host 10.17.24.1 REMOTEL2L_SUBNET
access-list VPN permit ip host 10.17.24.2 REMOTEL2L_SUBNET
access-list VPN permit ip host 10.17.24.3 REMOTEL2L_SUBNET
Or just the whole subnet:
access-list VPN permit ip 10.17.24.0 255.255.255.0 REMOTEL2L_SUBNET
The important thing is that the interesting traffic matches at both ends!
In addition, you can still provide Internet and local access as normal...
Internet access:
nat (inside) 1 172.21.0.0 255.255.0.0
global (outside) 1 interface
Hope this helps.
Federico.
-
Is a bidirectional policy-based NAT possible? I can find plenty of examples of a simple bidirectional NAT, but the Cisco documentation I've read indicates that policy-based NAT translates local addresses only. However, I have read conflicting Cisco documentation where it says any NAT (in addition to NAT exemption) can be configured as policy NAT. I spent many hours researching a configuration that could handle this, but came up empty. I guess I'm not the first person to run into this; the Cisco documentation is just not clear to me.
Site A terminates L2L VPNs to Site B and Site C on an ASA 5520. Site A has no administrative control over B or C. Sites B and C chose to expose the same private address space, so they overlap.
I'm not an expert but forced into it by the unexpected departure of our network engineer. Can anyone provide assistance?
I know I need to:
1. Specify the address to be translated
2. Specify the inside global translation
I think I do this with:
- static (outside,inside) 172.17.1.1 10.128.0.0 netmask 255.128.0.0
- access-list 101 permit ip 10.128.0.0 255.128.0.0
- access-group 101 in interface outside
I think I'm going to need to create a route for this, along the lines of:
- route outside 10.128.0.0 255.128.0.0 12.126.x.x
This satisfies one VPN, but what about Site C? Can I use policy NAT to map this client's 10.128.0.0/9 to, say, 172.17.2.2? I know that the address space I am mapping to does not support the /9 being exposed to me, but I will never exceed the range that I'm mapping. Once I know exactly which IPs will come via the VPN, I will actually create a 1:1 translation as governed by our security policy.
I hope I am on the right track here and have explained this in a way that is not too complicated. Any help? I do not know whether a bidirectional policy-based NAT is possible, based on the Cisco documentation I've read. Help!
-(12.126.x.x) Site B (10.128.0.0/9)
Site A - WWW Cloud
(ASA 5520)-(209.128.y.y) Site C (10.128.0.0/9)
I agree with you 100%; unfortunately the documentation sucks!
If you give the ASA a different public IP address on a different interface and terminate the tunnel there, you can still
use policy NAT in the site configuration, and it should work. Try it and tell us if you need assistance.
Federico.
-
Summary:
We are trying to establish a bidirectional L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one towards us (they need to access one host on our network). In addition, our partner has many VPNs, so they require us to use a separate NAT with two private host addresses, one for each direction of the tunnel.
My initial configuration of the tunnel brought up Phase 1 on my side, but not IPsec. The partner ran a debug that revealed that my host addresses were not being NATed by the policy NAT. We use an ASA5520, ver 7.0.
Here is the config:
## List of OUR hosts
object-group network OURHosts
 network-object host 192.168.x.y
## List of PARTNER hosts
object-group network PARTNERHosts
 network-object host 10.2.a.b
## ACLs for NAT
# many-to-many outgoing
access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
# one-to-many incoming
access-list NAT3 extended permit ip host 192.168.c.d object-group PARTNERHosts
## NAT
nat (INSIDE) 2 access-list NAT2
nat (OUTSIDE) 2 172.20.n.0
nat (INSIDE) 3 access-list NAT3
nat (OUTSIDE) 3 172.20.n.1
## ACL for VPN
access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts
## Tunnel
tunnel-group <#> type ipsec-l2l
crypto map <#> match address VPN
crypto map <#> set transform-set <#>
crypto map <#> set peer <#>
I realize that the ACL for the VPN should read:
access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts
... if the NAT was working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the NAT is never translating.
What am I missing to NAT our hosts to the 172.20 host addresses when they try to access the partner's internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1. nat 0 access-list (nat exempt)
2. match existing xlates
3. match static commands
   a. static NAT with no access-list
   b. static PAT with no access-list
4. match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. if the ID is 0, create an identity xlate
      ii. use the global pool for dynamic NAT
      iii. use the global pool for dynamic PAT
If you can, try:
(1) a static NAT with an access-list, which will have priority over the dynamic NAT statement
(2) as you can see in 4a, it uses first match with nat access-list, so theoretically swapping them around should do the trick.
Any negative consequences I can see? Well yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so if at all possible do this after hours.
Jon
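Added example, not from any of the posts: a Python model of the pre-8.3 NAT order of operations Jon lists above, extended with the point that the PIX 506E thread, the 5505/Sonicwall thread and the ColdSpring packet-tracer thread on this page all turn on, namely that `static` commands (policy or plain) are matched first-match in configuration order before any `nat` command is consulted. It replays the PIX 506E config with the two statics in both orders. The constructed parts are 75.0.0.11 standing in for the post's 75.x.x.x, the string "interface" standing in for the global pool, and the Rule/translate/reaches_tunnel names, which are this example's own.

```python
"""Model of the pre-8.3 PIX/ASA NAT order of operations (constructed example).

Reproduces the rule ordering from Jon's answer and shows why a plain static NAT
that sits above a static policy NAT captures VPN-bound traffic. Addresses follow
the PIX 506E thread on this page, with 75.0.0.11 standing in for 75.x.x.x.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text):
    return ipaddress.ip_network(text, strict=False)


@dataclass
class Rule:
    kind: str                                        # "exempt", "static", "policy-dynamic", "dynamic"
    real: ipaddress.IPv4Network                      # real (inside) source network
    dst: ipaddress.IPv4Network = ANY                 # destination from the policy ACL; ANY = no ACL
    mapped: Optional[ipaddress.IPv4Network] = None   # mapped network (static rules only)
    pool: Optional[str] = None                       # global pool / PAT address (dynamic rules only)


def _static_map(rule, src):
    """1:1 static mapping: keep the host offset inside the real network."""
    offset = int(src) - int(rule.real.network_address)
    return str(ipaddress.ip_address(int(rule.mapped.network_address) + offset))


def translate(rules, src, dst):
    """Return the mapped source address for a packet src->dst, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def hit(rule):
        return src in rule.real and dst in rule.dst

    # 1. nat 0 access-list (exemption) is consulted first: identity translation.
    for rule in rules:
        if rule.kind == "exempt" and hit(rule):
            return str(src)
    # 2. existing xlates: skipped, this model is stateless.
    # 3. static commands: first match in configuration order, policy or not.
    for rule in rules:
        if rule.kind == "static" and hit(rule):
            return _static_map(rule, src)
    # 4a. nat [id] access-list: first match.
    for rule in rules:
        if rule.kind == "policy-dynamic" and hit(rule):
            return rule.pool
    # 4b. nat [id] address mask: best (longest-prefix) match.
    best = max((r for r in rules if r.kind == "dynamic" and hit(r)),
               key=lambda r: r.real.prefixlen, default=None)
    return best.pool if best else None


def reaches_tunnel(crypto_acl, mapped_src, dst):
    """The crypto ACL is evaluated after NAT, so it must list mapped addresses."""
    s, d = ipaddress.ip_address(mapped_src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in crypto_acl)


PUBLIC_IP = "75.0.0.11"  # constructed stand-in for the post's 75.x.x.x
CRYPTO_ACL = [(net("10.200.25.0/24"), net("10.10.7.0/24"))]


def pix_rules(policy_static_first):
    """The PIX 506E config from the thread, with the two statics in either order."""
    exempt = [Rule("exempt", net("192.168.1.0/24"), net(d))
              for d in ("192.168.2.0/24", "172.16.100.0/24", "10.100.11.0/24")]
    host_static = [Rule("static", net("192.168.1.11/32"), mapped=net(PUBLIC_IP + "/32"))]
    policy_static = [Rule("static", net("192.168.1.0/24"), net(d), mapped=net("10.200.25.0/24"))
                     for d in ("10.1.1.0/24", "10.1.2.0/24", "10.10.7.0/24")]
    statics = policy_static + host_static if policy_static_first else host_static + policy_static
    return exempt + statics + [Rule("dynamic", ANY, pool="interface")]


if __name__ == "__main__":
    for order in (False, True):
        mapped = translate(pix_rules(order), "192.168.1.11", "10.10.7.1")
        print(f"policy static first={order}: 192.168.1.11 -> 10.10.7.1 leaves as {mapped}, "
              f"encrypted={reaches_tunnel(CRYPTO_ACL, mapped, '10.10.7.1')}")
```

With the host static above the policy static, 192.168.1.11 leaves for 10.10.7.1 as 75.0.0.11, so the crypto ACL (mapped 10.200.25.0/24 to 10.10.7.0/24) never matches and the reply goes out in the clear, which is exactly what the PIX 506E poster captured; swapping the two statics makes it leave as 10.200.25.11 and the traffic is encrypted. Hosts without their own static (192.168.1.50) and Internet-bound traffic are unaffected by the order. The model ignores existing xlates (Jon's step 2), so on a live box clear the affected xlates after reordering, and confirm with packet-tracer that a VPN phase now appears after the NAT phase.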
-
ASA to Juniper VPN with policy NAT
I'm trying to configure a VPN tunnel between a remote site, 66.18.106.160/27, and my client's network, 192.168.190.0/24. I need to NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.
Here is my current config:
hostname xxxxx
domain-name xxxxx.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.190.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 207.98.218.26 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan12
 description backup interface for vlan2
 nameif CharterBackup
 security-level 0
 ip address 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 100 extended permit tcp any host 207.98.218.27 eq 3389
access-list 100 extended permit tcp any host 207.98.218.28 eq 3389
access-list 100 extended permit tcp any host 207.98.218.27 eq 9000
access-list 100 extended permit tcp any host 207.98.218.27 eq 9001
access-list 100 extended permit tcp any host 207.98.218.28 eq 9000
access-list 100 extended permit tcp any host 207.98.218.28 eq 9001
access-list split standard permit 192.168.190.0 255.255.255.0
access-list POLICYNAT extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list VPN extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu CharterBackup 1500
ip local pool vpnpool 192.168.10.75-192.168.10.85
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CharterBackup) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.191.0 access-list POLICYNAT
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
route CharterBackup 0.0.0.0 0.0.0.0 71.14.9.49 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.190.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set romanset esp-des esp-md5-hmac
crypto ipsec transform-set AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set romanset
crypto map romanmap 10 match address VPN
crypto map romanmap 10 set peer 66.18.99.68
crypto map romanmap 10 set transform-set AES-128-SHA
crypto map romanmap 65535 ipsec-isakmp dynamic dynmap
crypto map romanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 CharterBackup
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.100.100-192.168.100.130 DMZ
dhcpd enable DMZ
!
group-policy xxxxx internal
group-policy xxxxx attributes
 wins-server value 192.168.190.3
 dns-server value 192.168.190.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool vpnpool
 default-group-policy romangroup
tunnel-group xxxxx ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group 66.18.99.68 type ipsec-l2l
tunnel-group 66.18.99.68 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Currently, traffic that originates on 192.168.190.0/24 generates no phase 1 traffic at all. However, if the traffic comes from the remote side (66.18.106.160/27), the tunnel comes up, but no traffic passes.
Although this isn't my area of expertise, it seems to me that my ASA is not 'seeing' interesting traffic from 192.168.190.0/24 to 66.18.106.160/27.
Any help you could provide would be GREATLY appreciated.
Just remove the following 2 lines:
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
Then 'clear xlate'.
That should solve your problem.
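The two answers above, Jon's order of operations for legacy (pre-8.3) NAT and the fix of removing the two nat 0 exemption lines so that the policy static can rewrite the source into 192.168.191.0/24 before the crypto ACL is consulted, can be checked against a small model. The following Python is an added example and not part of either thread. It encodes the priority order as listed by Jon; existing xlates (step 2) are not modelled, and policy statics are placed in the static phase after plain statics, which is Cisco's documented order but is not spelled out in Jon's list. The partner host 66.18.106.170, the 172.20.0.10/.11 globals standing in for 172.20.n.0/n.1, and the overlapping NAT2/VIH3 entries are constructed for illustration.

```python
"""Model of the pre-8.3 ASA NAT order of operations (added example, not from the thread).

Rule tuples, constructed for this example, mirror the legacy commands:
  ("nat0-acl", acl)                      nat (inside) 0 access-list <acl>
  ("static", local_net, global_net, acl) static (inside,outside) <global> <local>, or
                                         static (inside,outside) <global> access-list <acl>
  ("nat-acl", id, acl)                   nat (inside) <id> access-list <acl>
  ("nat-addr", id, net)                  nat (inside) <id> <addr> <mask>
An ACL is a list of (source_net, dest_net) permit entries.  Step 2 of the order
(matching existing xlates) is not modelled: every packet is a new connection.
"""
from ipaddress import ip_address, ip_network


def in_net(addr, net):
    return ip_address(addr) in ip_network(net, strict=False)


def acl_permits(acl, src, dst):
    return any(in_net(src, s) and in_net(dst, d) for s, d in acl)


def net_to_net(src, local_net, global_net):
    """Net-to-net static keeps the host part: 192.168.190.10 -> 192.168.191.10."""
    local = ip_network(local_net, strict=False)
    glob = ip_network(global_net, strict=False)
    offset = int(ip_address(src)) - int(local.network_address)
    return str(ip_address(int(glob.network_address) + offset))


def translate(rules, pools, src, dst):
    """Return (winning rule, translated source), walking the priority order, not config order."""
    # 1. nat 0 access-list (NAT exemption) beats everything, including policy static.
    for r in rules:
        if r[0] == "nat0-acl" and acl_permits(r[1], src, dst):
            return "nat 0 access-list", src
    # 3. static commands: plain statics first, then policy statics, first match in config order
    #    (policy static sits in this phase per Cisco's documented order; Jon's list elides it).
    for policy in (False, True):
        for r in rules:
            if r[0] == "static" and (r[3] is not None) == policy:
                _, local, glob, acl = r
                if in_net(src, local) and (acl is None or acl_permits(acl, src, dst)):
                    return "static", net_to_net(src, local, glob)
    # 4a. nat <id> access-list: FIRST match in config order, so the order of the lines matters.
    for r in rules:
        if r[0] == "nat-acl" and acl_permits(r[2], src, dst):
            return f"nat {r[1]} access-list", pools[r[1]]
    # 4b. nat <id> <addr> <mask>: BEST (longest prefix) match; id 0 is an identity xlate.
    best = None
    for r in rules:
        if r[0] == "nat-addr" and in_net(src, r[2]):
            plen = ip_network(r[2], strict=False).prefixlen
            if best is None or plen > best[0]:
                best = (plen, r[1])
    if best is not None:
        nat_id = best[1]
        return f"nat {nat_id}", (src if nat_id == 0 else pools[nat_id])
    return "no rule", src


PARTNER = "66.18.106.160/27"
POOLS = {1: "207.98.218.26"}  # global (outside) 1 interface


def juniper_thread(exempt_covers_partner):
    """ASA-to-Juniper post: is 192.168.190.10 -> partner translated into 192.168.191.0/24,
    and does the crypto ACL 'VPN' then see it as interesting traffic?"""
    acl110 = [("192.168.190.0/24", "192.168.10.0/24")]
    if exempt_covers_partner:  # the two lines the answer says to remove
        acl110 += [("192.168.190.0/24", PARTNER), ("192.168.191.0/24", PARTNER)]
    rules = [
        ("nat0-acl", acl110),                                # nat (inside) 0 access-list 110
        ("nat-addr", 1, "0.0.0.0/0"),                        # nat (inside) 1 0.0.0.0 0.0.0.0
        ("static", "192.168.190.0/24", "192.168.191.0/24",
         [("192.168.190.0/24", PARTNER)]),                    # static (inside,outside) 192.168.191.0 access-list POLICYNAT
    ]
    crypto_acl_vpn = [("192.168.191.0/24", PARTNER)]
    dst = "66.18.106.170"  # constructed partner host
    rule, xsrc = translate(rules, POOLS, "192.168.190.10", dst)
    return rule, xsrc, acl_permits(crypto_acl_vpn, xsrc, dst)


def first_match_demo(swapped):
    """Jon's point 4a: two 'nat <id> access-list' lines are first-match, so swapping them changes the pool."""
    nat2 = [("192.168.0.0/16", "10.0.0.0/8")]   # constructed, deliberately overlapping ACLs
    vih3 = [("192.168.5.0/24", "10.0.0.0/8")]
    rules = [("nat-acl", 2, nat2), ("nat-acl", 3, vih3)]
    if swapped:
        rules.reverse()
    pools = {2: "172.20.0.10", 3: "172.20.0.11"}  # constructed stand-ins for 172.20.n.0 / 172.20.n.1
    return translate(rules, pools, "192.168.5.7", "10.1.1.1")


if __name__ == "__main__":
    print(juniper_thread(True))   # exempted: source stays 192.168.190.10, crypto ACL never matches
    print(juniper_thread(False))  # policy static wins: 192.168.191.10, interesting traffic
    print(first_match_demo(False), first_match_demo(True))
```

With the exemption lines present, the packet is handled in step 1 and leaves the box untranslated, so the crypto ACL written for 192.168.191.0/24 never matches and no phase 1 is triggered, which is exactly the symptom in the post. The same walk shows why 'clear xlate' is needed after the change: step 2 would otherwise keep serving the old exempt xlates.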
-
We have a site where we want to set up a VPN tunnel to our headquarters.
At this site there is a router that does PAT (NAT overloading), and then, a few hops further on, there is a firewall that does NAT.
Could this pose a problem for the VPN tunnel?
Here's a "pattern" of what the connection looks like.
Client --> PAT router --> NAT firewall --> Internet --> CVPN3005
I hope you can provide me with an answer.
The VPN tunnel will not work in your scenario. The second NAT changes the address and the ports you want to use for the VPN tunnel, so port 500 will be translated to a high port and will be rejected at HQ.
-
ASA with VPN hairpinning and port forwarding
Hello
I have been working on an issue for a while and I have managed to track it down, but I don't know how to solve it.
I have an ASA 5505 running 8.4(7) with a tunnel for incoming AnyConnect remote VPN users. I also want to configure incoming port forwarding to a web server.
The issue seems to be the hairpin rule, which stops the incoming port forwarding:
nat (outside,outside) source dynamic NETWORK_OBJ_172.16.1.0_28 interface description hairpin for NATting VPN users on the outside interface
When I disable it, the port forwarding works perfectly (according to packet-tracer, that is).
I have attached the config to this post. I would appreciate any ideas on how to get both the VPN hairpin and the incoming port forwarding working.
The config has been condensed to remove unneeded config.
Thank you
Hello
What are the configuration commands you use to set up the static PAT (port forward)?
The problem is most likely the order of the NAT configurations, such as the above NAT line sitting at the top of the NAT configuration.
The static PAT configuration you could use to make it work would be
object network SERVER
 host
object service WWW
 service tcp source eq www
nat (server,outside) 1 source static SERVER interface service WWW WWW
The above assumes the source interface for the host is "server" and the service you want to static PAT is TCP/80.
Note that we add the number '1' to the 'nat' command. This adds it at the top. The same should be done for any other static PAT you configure that you want to work alongside these VPN clients.
Hope this helps
-Jouni
-
I'm having problems with NAT over VPN. With the current configs below it will complete the first phase of the tunnel and then stop because the IP address is not NATted. If I put a permit in the NAT access-list it will NAT to the Internet host, but not via the VPN. If I put in a static NAT statement it will NAT and attempt to create a tunnel, but I get the error (incrementing error counter on sa, attempt 1 of 5: retransmit phase 1).
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BatsVpnRouter
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.122-13.T.bin
boot-end-marker
!
no logging console
enable secret xxx
enable password xxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
!
ip cef
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 190.0.0.1
!
!
crypto ipsec transform-set bats esp-3des esp-sha-hmac
!
crypto map bats_map 2 ipsec-isakmp
 set peer 190.0.0.1
 set transform-set bats
 match address BATSACL
!
!
!
interface Ethernet0
 ip address 11.0.x.x 255.255.255.224
 ip nat outside
 full-duplex
 crypto map bats_map
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
ip nat inside source list bats-nat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 11.0.0.1
no ip http server
no ip http secure-server
!
ip access-list extended BATSACL
 permit ip host 11.0.0.5 host 200.0.0.1
 permit ip host 192.168.1.100 host 200.0.0.1
 permit ip host 11.0.0.5 host 200.0.0.2
 permit ip host 192.168.1.100 host 200.0.0.2
 permit ip host 11.0.0.5 host 200.0.0.3
 permit ip host 192.168.1.100 host 200.0.0.3
ip access-list extended bats-nat
 permit ip host 192.168.1.100 host 200.0.0.1 log
 permit ip host 192.168.1.100 host 200.0.0.2
 permit ip host 192.168.1.100 host 200.0.0.3
!
snmp-server community public RO
snmp-server enable traps tty
alias exec clip clear ip route *
alias exec crs copy run start
alias exec deb187 debug ip pack det 187
alias exec ospfnei sh ip ospf nei
alias exec ship sho ip route
alias exec shr sho run
alias exec Ibis show ip interface brief
alias exec sip sho ip pro
alias exec tr traceroute
alias exec ss sho sess
alias exec sl sho line
alias exec cl clear line
!
line con 0
line aux 0
line vty 0 4
 password xxx
 login
OK. You must make sure that the ACLs are the same (but mirrored) on both sides, which means that you probably need to remove a few lines on Router 1. The ACL should look like this:
ip access-list extended BATSACL
 permit ip host 11.0.0.5 host 200.0.0.1
 permit ip host 11.0.0.5 host 200.0.0.2
 permit ip host 11.0.0.5 host 200.0.0.3
Remove the keyword "log" from this line:
ip access-list extended bats-nat
 permit ip host 192.168.1.100 host 200.0.0.1 log
OK, now that you've cleaned it up, try to bring the tunnel up again; try it with 200.0.0.1 and 200.0.0.2.
Then check the debugs on the remote side.