Application of VPN S2S (with NAT)

Hello experts,

ASA (8.2) and standard Site 2 Site Internet access related configs.

Outside: 1.1.1.1/24-> peer IP VPN S2S.

Inside: Pvt subnets

Standard "Nat 0' orders and crypto ACL for our remote offices, local networks with IP whp program.

Requirement:

Need to connect the PC to external clients (3.3.3.3 & 4.4.4.4) on tcp/443 via vpn S2S on our LAN. Client only accepts only the host with public IPs.

I need NAT to my internal IP to the public IP say 1.1.1.2 and establish the VPN tunnel between 1.1.1.1-> PRi Client-side & secondary IPs (Cisco router).

(without losing connectivity to remote offices). No policy NAT work here?

ex:

My Intern: 10.0.0.0/8 and 192.168.0.0/16
Assigned IP available for NAT (some time to connect to the client only): 1.1.1.5

External client LAN IPs: 3.3.3.3 & 4.4.4.4

PAT: permit TOCLIENT object-group MYLAN object-group CUSTOMER LAN ip extended access-list

NAT (inside) 5-list of access TOCLIENT

5 1.1.1.5 (outside) global

Crypto: tcp host 1.1.1.5 allowed extended CRYPTO access list object-group CUSTOMER LAN eq 443

Outsidemap 1 crypto card matches the address CRYPTO

Customer will undertake to peer with IP 1.1.1.1 only.

Do I need a ' Nat 0' configs here?

Also, for the specifications of the phase 2, it is not transform-set options gives. Info given was

Phase2: AH: people with mobility reduced, life: 3 600 s, PFS: disabled, LZS Compression: disabled.
This works with options of the phase 2?

Thanks in advance

Hello

«Existing NAT (inside) 1 & global (outside) does not interfere with NAT 5 when users try to reach the ClientLAN.»

Your inside nat index is '1', while the dynamic policy-nat is index '5 '.

"" For the phase 2 in general, we define Crypto ipsec transform-set TEST ".

Sure, the remote tunnel peers even accept transform set, everything you put up with the example below and distant homologous put the same tunnel.

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

"In this scenario, no need to define any what and just add empty transform don't set statement under card crypto?

No you need a defined transformation.

"3. If we want to limit the destination port 443, I need to use separate VPN filters?

That's right, use a vpn-filter.

"4. we have several phase 1 configs, but wanted to use AES256 & DH5 (new policy)"... for s2s, these options work fine. ""

Of course, you have set the phase 1, as required.

Thank you

Rizwan James

Tags: Cisco Security

Similar Questions

On the Question of VPN S2S source NAT

Currently we have a number of implementation of VPN with various clients. We are NAT'ing range them at a 24 in our network to keep simple routing, but we seek to NAT Source our resources due to security problems. It is an example of a current virtual private network that we have configured:

outside_map crypto card 5 corresponds to the address SAMPLE_cryptomap

outside_map 5 peer set 99.99.99.99 crypto card

card crypto outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES

card crypto outside_map 5 the value reverse-road

SAMPLE_cryptomap list extended access permitted ip object-group APP_CLIENT_Hosts-group of objects CLIENT_Hosts

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

the APP_CLIENT_Hosts object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP

network-object, object SITE1_APP_JCAPS_Prod_VIP

network-object, object SITE2_APP_JCAPS_Dev_Host

network-object, object SITE2_APP_JCAPS_Prod_VIP

network-object, object SITE1_APP_PACS_Primary

network of the SITE1_APP_JCAPS_Dev_VIP object

Home 10.200.125.32

network of the SITE1_APP_JCAPS_Prod_VIP object

Home 10.200.120.32

network of the SITE2_APP_JCAPS_Dev_Host object

Home 10.30.15.30

network of the SITE2_APP_JCAPS_Prod_VIP object

Home 10.30.10.32

network of the SITE1_APP_PACS_Primary object

Home 10.200.10.75

network of the CLIENT_Host_1 object

host of the object-Network 192.168.15.100

network of the CLIENT_Host_2 object

host of the object-Network 192.168.15.130

network of the CLIENT_Host_3 object

host of the object-Network 192.168.15.15

network of the CLIENT_Host_1_NAT object

host of the object-Network 10.200.192.31

network of the CLIENT_Host_2_NAT object

host of the object-Network 10.200.192.32

network of the CLIENT_Host_3_NAT object

host of the object-Network 10.200.192.33

My question revolves around the Source NAT configuration. If I understand correctly, I have to configure 3 statements of NAT per NAT Source since there are three different destinations that are NAT' ed. I think I would need to add this:

network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

Home 88.88.88.81

network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.82

network of the SITE2_APP_JCAPS_Dev_Host_NAT object

Home 88.88.88.83

network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.84

network of the SITE1_APP_PACS_Primary_NAT object

Home 88.88.88.85

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

Is that correct, or is at - it an easier way to do this without having to add all statements of NAT? Moreover, any change would be to do on the access list?

Hello

To my knowledge you should not create several new instructions from NAT. You should be well just create a new Group 'object' for new addresses your source address NAT.

To better explain, take a look at your current ' object-group ' that defines your source addresses

the APP_CLIENT_Hosts object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP

network-object, object SITE1_APP_JCAPS_Prod_VIP

network-object, object SITE2_APP_JCAPS_Dev_Host

network-object, object SITE2_APP_JCAPS_Prod_VIP

network-object, object SITE1_APP_PACS_Primary

Now you can do this sets up a "object-group" that contains a NAT IP address for each of the IP addresses inside the ' object-group ' and 'object' used above. The IMPORTANT thing is that the ' object-group ' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

I mean, this is the first IP address is in most object - group ' will correspond to the first IP address in the newly created "object-group" for the IP NAT addresses.

As above, you can simply have the same "nat" configurations 3 as before but you change/add in the newly created "object-group"

For example, you might do the following

network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

Home 88.88.88.81

network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.82

network of the SITE2_APP_JCAPS_Dev_Host_NAT object

Home 88.88.88.83

network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.84

network of the SITE1_APP_PACS_Primary_NAT object

Home 88.88.88.85

the APP_CLIENT_Hosts_NAT object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP_NAT

network-object, object SITE1_APP_JCAPS_Prod_VIP_NAT

network-object, object SITE2_APP_JCAPS_Dev_Host_NAT

network-object, object SITE2_APP_JCAPS_Prod_VIP_NAT

network-object, object SITE1_APP_PACS_Primary_NAT

Then you add the following configurations of "nat"

NAT (inside, outside) 1 static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

Static NAT APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT static destination CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of source route 2 (inside, outside)

NAT 3 (indoor, outdoor) static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

Note line numbers, we added the above commands. This allows them to enter the upper part of the ASAs NAT rules, and therefore, they will become active immediately. Without line numbers that they will only be used after when you remove the old lines.

Then you can remove the "old"

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

This should leave you with 3 configurations "nat" who made the NAT source addresses and destination.

Naturally while you perform this change you will also have to change the ACL Crypto to match the new source NAT. This is because as all NAT is done before any VPN on the ASA. So the destination addresses are Nations United for before VPN and source addresses are translated before VPN.

If you do not want to make the changes without affecting the connections too so I suggest
- Add rules to the ACL Crypto for new addresses (NAT) source. Of course, this must be done on both sides of the VPN L2L. You would still be leaving the original configurations to the Crypto ACL does not not the functioning of the L2L VPN.
- Add new configurations of "nat" above without the line numbers I mentioned who mean you that they wont be used until you remove the "old".
- When you are ready to be migrated to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start the corresponding traffic for new "nat" configurations. Provided of course that there is no other "nat" configuration before the nine that could mess things up. This should be verified by the person making the changes.
Of course if you can afford a small cut when then changing the order in which you do things should not matter that much. In my work, that connections are usually not that critical that you can't make these changes almost at any point as it is a matter of minutes what it takes to make changes.

Hope this made sense and helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary.

-Jouni

VPN IPsec with NAT

ASA5510, 8.0.x

I need to set up a VPN from Site to Site (L2L) in a remote location.

The remote IT consultant asks me NOT to go out with my real (pulbic), IP address, but translated to a single IP address.

From my side, I have a 24 network, on the remote site, I have to reach only 4 IP addresses.

The VPN is one way only: I need to reach their servers, but not vice versa.

I tried to follow the document ID-99122 (http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml), but it seems not to work with a static NAT to a translated 24 on a single IP address.

I tried to ask them to allow me to NAT a 24, but they disagree.

Any solution?

Kind regards

Claudio

Hello

If I understand, you want to translate your 24 network to IP address dynamic PAT unique when contacting the remote site only via VPN L2L.

For this, you can try to use the PAT political dynamics

access-list L2LVPN - POLICYNAT note define traffic for the political dynamics for VPN L2L PAT

L2LVPN-POLICYNAT ip 10.10.10.0 access list allow 255.255.255.0 host 1.1.1.1

L2LVPN-POLICYNAT ip 10.10.10.0 access list allow 255.255.255.0 host 1.1.1.2

L2LVPN-POLICYNAT ip 10.10.10.0 access list allow 255.255.255.0 host 1.1.1.3

L2LVPN-POLICYNAT ip 10.10.10.0 access list allow 255.255.255.0 host 1.1.1.4

Global 200 (outside)

NAT (inside) 200 access-list L2LVPN-POLICYNAT

Also of course your L2L Crypto VPN ACL map should look like this

access-list L2LVPN-CRYPTOMAP Note set encryption to connect VPN L2L domain

access-list L2LVPN-CRYPTOMAP allowed ip 1.1.1.1 host

access-list L2LVPN-CRYPTOMAP allowed IP host 1.1.1.2

access-list L2LVPN-CRYPTOMAP allowed IP host 1.1.1.3

access-list L2LVPN-CRYPTOMAP allowed IP host 1.1.1.4

crypto card matches the address L2LVPN-CRYPTOMAP

Where
- 10.10.10.0/24 = is your souce LAN network
- 1.1.1.1 - 4 = are the remote end 4 hosts, you must contact by the VPN L2L
- PAT = IP is the IP address assigned by the remote end to be used with VPN L2L
Hope this helps

EDIT: Copy/paste strikes again. I had both the ACL with the same name. Which corrected.

-Jouni

Tunnel VPN L2L with NATTing will not allow traffic which will be initiated by spoke to the hub.

Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.

get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232

ASA-1 #.
!
network object obj - 172.27.73.0
172.27.73.0 subnet 255.255.255.0
network object obj - 172.27.63.0
172.27.63.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.24.4.64
subnet 10.24.4.64 255.255.255.224
network object obj - 172.27.73.0 - 172.27.73.255
range 172.27.73.0 172.27.73.255
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network object obj - 24.173.237.212
Home 24.173.237.212
network object obj - 10.1.12.232
Home 10.1.12.232
network object obj - 172.27.63.133
Home 172.27.63.133
the DM_INLINE_NETWORK_9 object-group network
object-network 10.0.0.0 255.255.255.0
object-network 10.0.11.0 255.255.255.0
object-network 10.0.100.0 255.255.255.0
object-network 10.0.101.0 255.255.255.0
object-network 10.0.102.0 255.255.255.0
object-network 10.0.103.0 255.255.255.0
the DM_INLINE_NETWORK_16 object-group network
object-network 10.1.11.0 255.255.255.0
object-network 10.1.12.0 255.255.255.0
object-network 10.1.13.0 255.255.255.0
object-network 10.1.3.0 255.255.255.0
!
outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
!
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
!
NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232

the object of the 10.0.0.0 network
NAT (inside, outside) dynamic obj - 24.173.237.212
!
NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
!
card crypto GEMed 8 corresponds to the address outside_8_cryptomap
card crypto GEMed 8 set peer 64.245.57.4
card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
GEMed outside crypto map interface
!
: end
ASA-1 #.

Hello

First of all, I would like to remove these two lines because they do nothing productive
```
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
```
Then, I was running packet - trace to see what NAT rule actually hit you.
```
packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345
```

Application of VPN S2S packet capture

Dear team,

Consider the below configuration of IPSec site to site vpn between two firewalls, I would like to capture packets in each direction 1 firewall.

LAN - wan - ip - wan - ip - Lan 2.2.2.2 1.1.1.1 172.16.1.1 - 10.1.1.1

lan2pc 172.16.1.100 = ASA2 = {ISP} = ASA1 = lan1pc 10.1.1.100

Can I use the screenshots below to see if the packets are transmitting properly? Or would I need to use any other filter to capture packets?

Assuming that I started a traffic interesting as 10.1.1.100 ping machine 172.16.1.100 and assuming I'm facing some decaps or program values increment no questions, for which I want to make these troubleshooting. Pls help.

# capture/all clear
# capture capout interface inside the ip host 10.1.1.100 match host 172.16.1.100
# See the CAP capout
# capture/all clear
# capture capout interface outside match ip host 10.1.1.100 home 172.16.1.100
# See the CAP capout
# capture/all clear
# capture capout interface outside match ip host 172.16.1.100 10.1.1.100 home
# See the CAP capout
# capture/all clear
# capture capout interface inside the ip host 172.16.1.100 match host 10.1.1.100
# See the CAP capout
# capture/all clear

Hi s HE,

If you are looking for a way to solve traffic problems that capture works perfectly well.

Hope this info helps!

Note If you help!

-JP-

Cisco Asa vpn site-to-site with nat

Hi all

I need help
I want to make a site from the site with nat vpn
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24

I want when site A to site B, either by ip 172.26.0.0/24

Here is my configuration

inside_nat_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key!

ISAKMP retry threshold 10 keepalive 2

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
card crypto outside_map 2 match address inside_nat_outbound

card crypto outside_map 2 pfs set group5
card crypto outside_map 2 peers set x.x.x.x

card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

NAT (inside) 10 inside_nat_outbound

Global 172.26.0.1 - 172.26.0.254 10 (outside)

but do not work.

Can you help me?

Concerning

Frédéric

You must ensure that there is no NAT 0 ACL statement because it will take precedence over the static NAT.

You don't need:

Global 172.26.0.1 - 172.26.0.254 10 (outside)

NAT (inside) 10 access-list nattoyr

Because it will be replaced by the static NAT.

In a Word is enough:

nattoyr to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

access extensive list ip 172.26.0.0 vpntoyr allow 255.255.255.0 10.1.252.0 255.255.255.0

public static 172.26.0.0 (inside, outside) - nattoyr access list

card crypto outside_map 2 match address vpntoyr

card crypto outside_map 2 pfs set group5

card crypto outside_map 2 defined peer "public ip".

card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

outside_map interface card crypto outside

tunnel-group "public ip" type ipsec-l2l

tunnel-group "public ip" ipsec-attributes

pre-shared key *.

-Make sure that it not there no NAT ACL 0 including the above statements and check if NAT happening (sh xlate) and the

traffic is being encryption (sh cry ips its)

Federico.

VPN with NAT Interface

Hello

I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.

I created the VPN with crypto card and the VPN is successfully registered.

The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.

If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.

What should I do differently?

Here is the config:

Feature: 2911 with security package

Local network: 10.10.104.0/24

Remote network: 192.168.1.0/24

Public beach: 65.49.46.68/28

crypto ISAKMP policy 104

BA 3des

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key REDACTED address 75.76.102.50

Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha

OFFICE 104 ipsec-isakmp crypto map

defined by peer 75.76.102.50

Set transform-set strongsha

match address 104

interface GigabitEthernet0/0

IP 65.49.46.68 255.255.255.240

penetration of the IP stream

NAT outside IP

IP virtual-reassembly

full duplex

Speed 100

standby mode 0 ip 65.49.46.70

0 6 2 sleep timers

standby 0 preempt

card crypto OFFICE WAN redundancy

interface GigabitEthernet0/2.104

encapsulation dot1Q 104

IP 10.10.104.254 255.255.255.0

IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28

overload of IP nat inside source list 99 pool wan_access

access-list 99 permit 10.10.104.0 0.0.0.255

access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

ISAKMP crypto #sh her

IPv4 Crypto ISAKMP Security Association

DST CBC conn-State id

65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE

Hello!

Please, make these changes:

extended Internet-NAT IP access list

deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

IP 10.10.104.0 allow 0.0.0.255 any

IP nat inside source list Internet-NAT pool access-wan overload

* Please do not remove the old NAT instance until you add that above.

Please hold me.

Thank you!

Sent by Cisco Support technique Android app

VPN with NAT

I'm sure this question has been asked several times, but I want to assure you that I understand before proceeding.

I set up a site to site VPN IPSec between two ASAs.

I want to an internal host NAT which link to the counterpart of my VPN network. So I need to make sure that traffic from this host internal is NATted before entering the VPN tunnel as "interesting traffic.

So let's say that distance 192.168.20.0/24 network connects via the IPSec VPN tunnel with their peers, 65.200.1.1 and 198.14.7.10, to host the 10.100.1.7 on my network.

I want NAT host 10.100.1.7 to 192.168.100.5 to the remote network connects to the 192 address, not the 10

How can I do this?

(I use an ASA 5505)

Hello Colin,

That's right, it's one of the great things about the changes on the version 8.3 and prior. You can create a political rule of nat in a single line.

Please let me know if you understand this or if there is something else I can do for you.

Evaluate the useful ticket.

Have a good night,

Julio

VPN IPSec with no. - Nat and Nat - No.

On a 6.3 (5) PIX 515 that I currently have an IPSec VPN configured with no. - nat, using all public IPs internally and on the remote control. Can I add two hosts to the field of encryption that have private IP addresses and NAT to the same public IP in the address card Crypto? What commands would be involved in this?

Current config:

-------

ipsectraffic_boston list of allowed access host ip host PublicIP11 PublicIP1

ipsectraffic_boston list of allowed access host ip host PublicIP22 PublicIP2

outside2_outbound_nat0_acl list of allowed access host ip host PublicIP PublicIP

card crypto mymap 305 correspondence address ipsectraffic_boston
mymap 305 peer IPAdd crypto card game.
mymap 305 transform-set ESP-3DES-SHA crypto card game
life card crypto mymap 305 set security-association seconds 86400 4608000 kilobytes

---------

I would add two IP private to the 'ipsectraffic_boston access-list' and have NAT to a public IP address, as the remote site asks that I don't use the private IP. This would save the effort to add a public IP address to my internal host.

Thank you

Dan

Hello

If for example you have an internal host 192.168.1.1 and you want NAT public IP 200.1.1.1 it address

You can make a static NAT:

(in, out) static 200.1.1.1 192.168.1.1

And include the 200.1.1.1 in crypto ACL.

Federico.

concentrator 3000 2 lan lan VPN with NAT

I need to configure a vpn lan-2lan between 2 3030 concentrators (separate companies) on the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they do static NAT on their hub. Is this possible? Or have they NAT s pc before arriving to the hub? Any help much appreciated.

Hello

Concentrator VPN supports the NAT.

http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

HTH

Kind regards

GE.

How to pass the traffic of a site VPN S2S by ASA to another S2S VPN site?

I have a need for hosts on separate VPN networks connected to my ASA corp to communicate among themselves. Example: Host A site 1 a need to communicate with host B on the site 2. Both sites 1 & 2 are connected via the VPN S2S. I would get every site traffic to flow through the ASA at the other site. Where should I start my configuration? NAT? ACL?

I can ping each host in the network Corp. but cannot ping from one site to the other. I set up same-security-traffic permit intra-interface and addition of NAT and rules the ACL to allow/permit 1 Site to contact Site 2. When I do a trace of package through Deputy Ministers DEPUTIES, packets are allowed to pass. I read different that tell no NAT y at - it something at the other end of the VPN to do? should NAT and ACLs rules be mirrored? Just in case, a site is an instance of MS Azure VM and the other is a 3rd party VM instance.

On the HubASA, can I set up a new card encryption that selects the Site1 Site2 traffic and protect the traffic and value her counterpart Site2 public IP or just add this selection of traffic to the existing encryption card for the existing tunnel between HubASA and Site2?

Just add this traffic to the existing encryption card.

Remember that this should be added on three routers (two hubs and there has been talk).

Site1

CRYPTO ip access list allow Site2 subnet >

CRYPTO ip access list allow subnet training3 >

CRYPTO ip access list allow subnet HUB >

Site2

CRYPTO ip access list allow Site1 subnet >

CRYPTO ip access list allow subnet training3 >

CRYPTO ip access list allow subnet HUB >

Training3

CRYPTO ip access list allow Site1 subnet >

CRYPTO ip access list allow Site2 subnet >

CRYPTO ip access list allow subnet HUB >

HUB

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_3 ip access list allow subnet training3 >

CRYPTO_3 ip access list allow subnet training3 >

CRYPTO_3 ip access list allow subnet training3 >

Each of these ACLs is attributed to their respective crypto cards. CRYPTO_1 is assigned the site1 crypto map, CRYPTO_2 is assigned to the site2 crypto card... etc.

I hope that's clear

In addition to this, you need to configure identity NAT / NAT provides both the HUB and the spokes of sites.

--

Please do not forget to select a correct answer and rate useful posts

IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

Hello

My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

NAT takes place before the encryption verification!

In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

Thanks for any help

Best regards

Heiko

Hello

Try to change your static NAT with static NAT based policy.

That is to say the static NAT should not be applicable for VPN traffic

permissible static route map 1

corresponds to the IP 104

access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

access-list 104 allow the host ip 10.1.110.10 all

IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

HTH

Kind regards

GE.

ASA L2L VPN UP with incoming traffic

Hello

I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...

See the result of sh crypto ipsec his below and part of the config for both clients

------------------

address:

local peer 100.100.100.178

local network 10.10.10.0 / 24

local server they need access to the 10.10.10.10

Customer counterpart remote 200.200.200.200

Customer remote network 172.16.200.0 / 20

CustomerB peer remote 160.160.143.4

CustomerB remote network 10.15.160.0 / 21

---------------------------

Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".

address of the peers: 160.160.143.4
Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178

outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#pkts not his (send): 0, invalid #pkts his (RRs): 0
#pkts program failed (send): 0, #pkts decaps failed (RRs): 0
#pkts invalid prot (RRs): 0, #pkts check failed: 0
invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
#pkts incorrect key (RRs): 0,
#pkts invalid ip version (RRs): 0,
replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
#pkts replay failed (RRs): 0
#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
#pkts internal err (send): 0, #pkts internal err (RRs): 0

local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C2AC8AAE

SAS of the esp on arrival:
SPI: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373959/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

-The configuration framework

ASA Version 8.2 (1)

!

172.16.200.0 customer name

name 10.15.160.0 CustomerB

!

interface Ethernet0/0

nameif outside

security-level 0

IP 100.100.100.178 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

10.10.10.0 IP address 255.255.255.0

!

outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

NAT-control

Overall 101 (external) interface

NAT (inside) 0-list of access inside_nat0_outbound_1

NAT (inside) 101 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 100.100.100.177

Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 200.200.200.200

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 3 match address outside_cryptomap

peer set card crypto outside_map 3 160.160.143.4

card crypto outside_map 3 game of transformation-ESP-3DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP ipsec-over-tcp port 10000

attributes of Group Policy DfltGrpPolicy

Protocol-tunnel-VPN IPSec svc

internal customer group strategy

Customer group policy attributes

Protocol-tunnel-VPN IPSec svc

internal CustomerB group strategy

attributes of Group Policy CustomerB

Protocol-tunnel-VPN IPSec

tunnel-group 160.160.143.4 type ipsec-l2l

tunnel-group 160.160.143.4 General-attributes

Group Policy - by default-CustomerB

IPSec-attributes tunnel-group 160.160.143.4

pre-shared key xxx

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 General attributes

Customer by default-group-policy

IPSec-attributes tunnel-group 200.200.200.200

pre-shared key yyy

Thank you

A.

Hello

It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).

I saw this 7.x code behaviors not on code 8.x

However you can do a test?

You can change the order of cryptographic cards?

card crypto outside_map 1 match address outside_cryptomap

peer set card crypto outside_map 1 160.160.143.4

map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

card crypto outside_map 3 match address outside_1_cryptomap

card crypto outside_map 3 set pfs

peer set card crypto outside_map 3 200.200.200.200

card crypto outside_map 3 game of transformation-ESP-3DES-SHA

I just want to see if by setting the peer nonworking time to be the first, it works...

I know it should work the way you have it, I just want to see if this is the same behavior I've seen.

Thank you.

Federico.

Traffic to the VPN router IOS NAT tunnel

I need to configure a VPN tunnel that NATs traffic above him. I have already established VPN tunnels and NAT traffic. I did this on a concentrator VPN and ASA, but have seen some places where people say is not possible on a router or I saw real hard evidence that it is. For example, I use a Cisco 2801 router with 12.4(8a) and advanced security. This can be quite difficult as the subnet / vlan that we need NAT needs to pass normal traffic on other VPN tunnels and using a NAT on the Internet directly. Y does it have, any restrictions on it as the IOS version, being a router itself, NAT configuration. Any help is greatly appreciated.

Hi James,

NAT VPN traffic, you can like you do with ASAs on IOS routers.

If you do, it is that you create an ACL to set traffic to be coordinated, apply the ACL to a NAT rule and a condition that NAT statement with a roadmap to occur only when the traffic will be sent through the tunnel.

Federico.

Identity firewall does not work with NAT

We implement an environment that restrict access to Internet with rules based on users and groups to Active Directory.

There were many difficulties, but the current state is:

-The 'Test' of the firewall server-> identity Options results GOOD group

-The 'Test' of Agent of Active Directory on Windows-> identity Options GOOD results

-The rules we applied on the inside Firewall identity-based Interface are no "respected".

The environment:

-We have two ASA 5520 to failover.

-There are four contexts in this pair of ASA.

-Now we are activating the firewall of identity in a context.

-Of course, the AD are in one of the inside of this context, networks.

On the Configuration Guide of the identity of Firewall, to

http://www.Cisco.com/en/us/docs/security/ASA/asa84/asdm64/configuration_guide/access_idfw.html#wp1349541

We have seen that there are a lot of features that are not supported:

...

The following features of ASA do not support the use of the object based on the identity and the FULL domain name:

Route-map

-Crypto card

-WCCP

-NAT

-Group (except filter VPN) policy

-DAP

...

When using NAT does not, just remove NAT.

How to configure this feature? Identity with NAT work?

This is the reason why you have not any user ip in ASA mappings.

Domain configured in ASA name must be the netbios domain name and it must be matched with one that you see 'adacfg dc list' output, otherwise ASA will drop all user agent AD ip report.

You can have a try with the following new configs.

field of the identity of the user TEST4 aaa-Server AD-TEST4

identity of the user by default-field TEST4

inside_access_in list extended access deny the user ip TEST4\rodrigo a whole

Application of VPN S2S (with NAT)

Similar Questions

Maybe you are looking for