ASA 5510 VPN multiple tunnels through different interfaces
Is it possible to create VPN tunnels on more than one interface to an ASA (specifically 5510 with 8.4), or I'm doing the impossible?
We have 2 public interfaces on our ASA connected to 2 different suppliers.
We must work L2L tunnels of the SAA for remote offices through the interface that is our ISP 'primary' and also used as our default gateway for internet traffic.
We are trying to install a remote office use our secondary connection for its tunnel (office of high traffic we would prefer separate away from the rest of our internet and VPN traffic).
I can create the tunnel with the ACL appropriate for traffic tunnel, card crypto, etc., put in place a static route to force ASA to use the secondary interface for traffic destined for the public of the remote gateway IP address, and when I finished, traffic initiated by the remote site will cause the tunnel to negotiate and find - I can see the tunnel in Show crypto ikev1 his as L2L answering machine MM_ACTIVE , Show ipsec his with the right destination and correct traffic local or remote identities for interesting, but the ASA local never tries to send traffic through the tunnel. If I use tracers of package, it never shows a VPN that is involved in the trafficking of the headquarters in the remote desktop, as if the SAA is not seeing this as for the corresponding VPN tunnel traffic.
If I take the exact same access and crypo card statements list and change them to use the primary ISP connection (and, of course, change the remote desktop IP connects to), then the connection works as expected.
What Miss me?
Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)
permit access list range 192.168.0.0 PUBLIC_B_map 255.255.254.0 192.168.3.0 255.255.255.0
NAT (Inside, PUBLIC_B) static source MainOffice MainOffice static FieldOffice FieldOffice
card crypto PUBLIC_B_map 10 corresponds to the address PUBLIC_B_map
card crypto PUBLIC_B_map 10 set counterpart x.x.x.x
card crypto PUBLIC_B_map 10 set transform-set ESP-3DES-SHA ikev1
PUBLIC_B_map PUBLIC_B crypto map interface
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
IKEv1 pre-shared-key *.
Route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1
If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the instruction PUBLIC_B route and change the desktop to point to the ip address of the PUBLIC, then everything works, so my access list and crypto map statements must be correct.
What I don't understand is why the ASA Head Office does not seem to recognize interesting for the tunnel traffic when the tunnel is for the second ISP connection, but works when it is intended for the main ISP. There is no problem of connectivity with the ISP Internet B - as mentioned previously, the tunnel will come and negotiate properly when traffic is started from the desktop, but the traffic of main office is never sent to the bottom of the tunnel - it's as if the ASA does not think that traffic of 192.168.0.x to 192.168.3.x should pass through the VPN.
Any ideas?
Hello
I think your problem is that there is no route for the actual remote network behind the VPN L2L through ISP B connection
You could try adding add the following configuration
card crypto PUBLIC_B_map 10 the value reverse-road
This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.
If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.
The route to the remote VPN peer through the ISP B does not to my knowledge.
I would like to know if it works for you.
It may be useful
-Jouni
Tags: Cisco Security
Similar Questions
-
Cisco ASA 5510 VPN Site to Site with Sonicwall
I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA
Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you
Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall
NAT (inside) 0 access-list sheep
..
IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0
access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0
..
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set counterpart x.x.x.x
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
..
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
..
internal SiteToSitePolicy group strategy
attributes of Group Policy SiteToSitePolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
Split-tunnel-network-list no
..
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x General attributes
Group Policy - by default-SiteToSitePolicy
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
..
Added some excerpts from the configuration file
Hello Manjitriat,
Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.
Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.
Now the packet tracer must be something like this:
entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80
Please provide us with the result of the following instructions after you run the packet tracer.
See the crypto Isakamp SA
See the crypto Ipsec SA
Kind regards
Julio
-
Hi all.
I search the internet to find a way or all first, whether it is possible to do what I want to do, but I can't find anything corresponding to what I'm looking for. Possible that I don't have the right keyword.
We change our old Pix 515e this weekend and for any new ASA 5510.
With this new facility, I want to implement Radius Authentication for the user remote vpn. Change the firewall of the company is an important factor and for the first phase, the user will keep authenticate locally but I need that in phase 2, they will be authenticated through a radius server.
Is there a way to configure both user authentication remote vpn?
For example.
All users will be authenticated locally unless the service member COMPUTER that is authenticated by the radius to the testing server.
I have remote vpn users anywhere in the world if I don't want these users are blocked by the radius authentication test. What I want is that users in Group1 will be authenticated locally on the SAA and users in group2 will be authenticated by the RADIUS. During the test will be done, all users will gradually transfer for radius authentication.
Is it possible
Thank you
Jonathan
Network administrator
Hi Jonathan,.
The best way to go about this would be that you set up another group strategy & corresponding tunnel group named Test and set up Radius Authentication for VPN group using the link below: -.
Ones you have done test and feel confident, you can change the type of authentication for the Production Group. The reverse could be implemented double authentication as RADIUS and if it does not use local but personally I'll put up a group of test and then those I am confident, that I'll change the strategy of Production Group to use the Radius Server to auth.
Manish
-
Cisco ASA 5510 VPN with PIX 515
Hello
I have VPN between Cisco ASA and Cisco PIX.
I saw in my syslog server this error that appears once a day, more or less:
Received a package encrypted with any HIS correspondent, drop
I ve seen issue in another post, but in none of then the solution.
Here are my files from the firewall configuration:
Output from the command: 'show running-config '.
: Saved
:
ASA Version 8.2 (1)
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
card crypto WAN_map2 2 set pfs
card crypto WAN_map2 2 peer 62.80.XX game. XX
map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
card crypto WAN_map2 2 defined security-association 2700 seconds life
card crypto WAN_map2 2 set nat-t-disable
card crypto WAN_map2 WAN interface
enable LAN crypto ISAKMP
ISAKMP crypto enable WAN
crypto ISAKMP policy 1
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
tunnel-group 62.80.XX. XX type ipsec-l2l
tunnel-group 62.80.XX. IPSec-attributes of XX
pre-shared-key *.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
8.0 (4) version PIX
!
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
card encryption VPN_map2 3 set pfs
card crypto VPN_map2 3 peer 194.30.XX game. XX
VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
card encryption VPN_map2 3 defined security-association life seconds 2700
card encryption VPN_map2 3 set security-association kilobytes of life 4608000
card VPN_map2 3 set nat-t-disable encryption
VPN crypto map VPN_map2 interface
crypto ISAKMP enable VPN
crypto ISAKMP allow inside
crypto ISAKMP policy 30
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
ISAKMP crypto am - disable
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec
tunnel-group 194.30.XX. XX type ipsec-l2l
tunnel-group 194.30.XX. IPSec-attributes of XX
pre-shared-key *.If you need more information dedailed ask me questions.
Thanks in advance for your help.
Javi
Hi Javi,
Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426
Thank you and best regards,
Assia
-
ASA 5510 - possible to fill the 2 interfaces in routed mode
Cisco ASA 5510 with security more license, version 9.1 (5) running in routed mode.
I want to fill two interfaces for example: eth0/2 and 3/eth0 and configure an IP address / network while leaving the ASA 5510 in routed mode. I know that this is possible in transparent mode, but I need to keep this in routed mode. I know I could configure a single interface and connect a switch but my client does not want to do.
Otherwise, my only thought would be to configure each interface eth0/2 and eth0/3 as a network traffic and the route of subnet separate between the two.
Any help would be appreciated!
Thank you
Andrew
Andrew
That would help us answer you better if we understood more about what your client and you want to accomplish. But to answer the specific question you asked, I don't think it is possible in an ASA5510 in routed mode configuration Eth2 and Eth3 to share a single IP address.
Linking to Eth2 and linking to Eth3 Are they really the same subnet?
HTH
Rick
-
How can I dedicate a single ip address to a client on asa 5510 vpn
Hi all
My question is...
How can I dedicate a unique to a single customer VPN VPN NAT ip? I don't want this ip address used by another vpn client...
I got an ASA 5510 with a
DHCP pool.
5.0 Cisco vpn client
Thank you
You are welcome. Please note the answers and mark your question answered to increase the value of the instance.
-
ASA 5510 - VPN for DMZ with static rule?
I have a 5510 ASA with a number of virtual private networks to other sites, allowing the traffic to and from the Interior of the networks.
I need to establish a VPN rule to another site, but they have very little access to resources on my local network. Because I am not in control of the SAA on this end permanently, I need to control that access on my 5510.
(the following is not my real IP, but I use them for this example)
My network: 10.100.1.x
My DMZ: 192.168.1.x
Internal network of other sites: 172.16.1.x
I wanted to try to create a VPN between the site and the specific address of DMZ on my side and then allow access to internal addresses using static rules. I decided to use a static rule to enable http access to a specific server (for example):
static (inside, dmz) 192.168.1.200 tcp 80 10.100.1.200 80
I need allow traffic here:
access-list permits DMZ_IN tcp host 172.16.1.10 host 192.168.1.200 eq 80
Access-group interface dmz DMZ_IN
And of course, rules of access list which allow traffic that I can apply to the VPN:
toSite host 192.168.1.200 ip access list permit 172.16.1.10
And I don't want that traffic THAT NAT had between my DMZ and the other site:
nonatDMZ of the host 192.168.1.200 ip access list permit 172.16.1.10
NAT (dmz) 0-list of access nonatDMZ
NAT (dmz) 1 0.0.0.0 0.0.0.0
And, of course, the corresponding rules on their ASA must be in place, allowing traffic to 192.168.1.200, not NAT it.
Everything is in place, but 172.16.1.10 to 192.168.1.200 http traffic never reaches 10.100.1.200. I know the following:
1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.
2 packet trace shows me that traffic is allowed.
3. the works of static rule: to access the 192.168.1.200:80 of another host on the same interface, DMZ, which brings me to 10.100.1.200:80
4. in the process of running a sniffer package on 10.100.1.200 shows 172.16.1.10 traffic does not reach it.
So I'm banging my head against the wall here. I'm sure it's something simple I'm missing. Anything else I need to check? Should I go about this a different way?
Thank you.
What you are trying to reach is not supported. You cannot configure NATing between the inside and the demilitarized zone interfaces while your VPN connection is from the external interface. The static NAT (inside the dmz) that you have configured will only work if the connection is initiated from the inside towards the demilitarized zone and vice versa.
I think that what you are trying to reach is only allowing access on TCP/80 to10.100.1.200 for the VPN tunnel.
You must configure your option 1:
1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.
You can configure vpn-filter to limit the traffic to the only TCP/80, and he attributed to group policy that you have assigned to this particular tunnel group then.
Example:
web access list - allow permit tcp host 172.16.1.10 host 10.100.1.200 eq 80
internal group-policy-strategy web
attribute group web-strategy strategy
value of VPN-filter web - allows
global-tunnel-group attributes
Group Policy - by default-web-policy
Here is an example configuration for your reference:
Hope that helps.
-
On ASA 5510 VPN works do not but the work stations
We have an ASA 8.2 (3) running and have two VPN site to site running on it. The second VPN we just establish the other day, and of the SAA itself, it seems to work. We are able to ping remote hosts from the ASA without problem. However, on this second VPN all hosts on our local network cannot reach the remote party... Trying to understand what could happen. Applicable config below (please forgive the mistakes and formatting):
interface Ethernet0/0
nameif outside
security-level 0
address IP WAN. IP. ADDR 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.168.21.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
nameif intf2
security-level 0
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
no ip address
management only
!
access extensive list ip 192.168.21.0 outside_cryptomap allow 255.255.255.0 10.50.50.0 255.255.255.0
Access-group acl_out in interface outside
Crypto ipsec transform-set esp-3des esp-sha-hmac ATLAS-TS
life crypto ipsec security association seconds 28800
card crypto mymap 2 match address outside_cryptomap
card crypto mymap 2 together peer PEER. WAN. IP. DEA
card crypto mymap 2 game of transformation-ATLAS-TS
map mymap 65535-isakmp ipsec crypto dynamic dynmap
mymap outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
ISAKMP crypto 10 nat-traversal
tunnel-group of PEERS. WAN. IP. ADDR type ipsec-l2l
tunnel-group of PEERS. WAN. IP. ADDR ipsec-attributes
pre-shared key *.
Hello
Seems to me that his dynamic State PAT shot meant for Internet traffic
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside) 1 0.0.0.0 0.0.0.0
is the intellectual property inside everything outside of any
dynamic translation of hen 1 (WAN. IP. ADDR.162 [Interface PAT])
translate_hits = 6186208, untranslate_hits = 145616
Additional information:
Translation dynamic 192.168.21.100/0 to WAN. IP. ADDR.162/12936 using subnet mask 255.255.255.255
So you might miss the NAT0 configuration for this connection
Do the following
Issue the command "Display running nat" and you should see a NAT0 configuration for the 'inside' interface. Something like that
NAT (inside) - 0 access list
Next, you will need to check the ACL configuration
See the list of access running
You can add local and remote network that need to communicate through that VPN L2L connection to this ACL
So for examples sake lets assume that your ASAs directly related "inside" subnet needs to access the remote network, and then you would add
ip 192.168.21.0 access list allow 255.255.255.0 10.50.50.0 255.255.255.0
So use the above configuration format with good source and network of destination, as well as the correct name of the ACL and add the required ACL lines and then try to host LAN connections.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
ASA 5510 VPN dedicated Internet connection
I have a 5510 ASA with a second internet connection on his way. I would like to have an internet connection dedicated to my VPN Site to Site traffic and the other left to manage the public internet traffic. I know that I can do this with a static route, but today, I noticed the "tunnel" option How exactly does the tunnel option work mode and it works better for my situation?
Rob,
(Simplification) "Tunnel" option tells what to do with traffic, once it has been for example inbound VPN decapsulted.
In your case, static routes for remote tunnel endpoint + RRI points will do.
M.
Edit: I would advise yo forget about the end of the dynamics of peers (dynamic IP L2L or ezvpn) solutions on any interface that does not have a default route on this subject.
-
Cisco 1921 - how to configure VPN multiple Tunnels to AWS
I have a router VPN Cisco 1921. I managed to create tunnel VPN Site to Site with AWS VPN Tunnel 1. AWS offers 2 tunnels, so I created another card Crypto and attaches to the existing policy. But the 2nd tunnel won't come. I don't know what I'm missing... is there a special setup that needs to be done to allow multiple IPsec vpn tunnels on the same physical interface? I have attached a picture and included the configuration of my router, if it helps.
C1921 #sh run
Building configuration...Current configuration: 2720 bytes
!
! Last configuration change at 02:12:54 UTC Friday, may 6, 2016, by admin
!
version 15.5
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname C1921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
enable secret 5 $1$ jc6L$ uHH55qNhplouO/N5793oW.
!
No aaa new-model
Ethernet lmi this
!
!
!
!
!
!
!
!
!
!
!
!
Research of IP source-interface GigabitEthernet0/1 domain
IP cef
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
license udi pid CISCO1921/K9 sn FTX1845F03F
!
!
username admin privilege 15 password 7 121A0C041104
paul privilege 0 7 password username 14141B180F0B
!
redundancy
!
!
!
!
!
!
!
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto keys secret1 address 52.35.42.787
ISAKMP crypto keys secret2 address 52.36.15.787
!
!
Crypto ipsec transform-set AWS - VPN aes - esp esp-sha-hmac
tunnel mode
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel 1 to 52.35.42.787
defined by peer 52.35.42.787
game of transformation-AWS-VPN
PFS group2 Set
match address 100
map SDM_CMAP_1 2 ipsec-isakmp crypto
Description 2 to 52.36.15.787 Tunnel
defined by peer 52.36.15.787
game of transformation-AWS-VPN
PFS group2 Set
match address 100
!
!
!
!
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
Description connection Wan WAN - ETH$
IP address 192.168.1.252 255.255.255.0
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
interface GigabitEthernet0/1
Description of the connection to the local network
IP 192.168.0.252 255.255.255.0
automatic duplex
automatic speed
!
IP forward-Protocol ND
!
IP http server
local IP http authentication
no ip http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP route 0.0.0.0 0.0.0.0 192.168.1.254 permanent!
recording of debug trap
host 192.168.0.3 record
host 192.168.0.47 record
!
!
Note access-list 100 permit to AWS Tunnel 1
Access-list 100 CCP_ACL category = 20 note
access-list 100 permit ip 192.168.0.0 0.0.0.255 any what newspaper
Note access-list 101 permit to AWS Tunnel 2
Note access-list 101 category CCP_ACL = 4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any logexit
!
control plan
!
!
alias con exec conf t
SIB exec show int short ip alias
alias exec srb see the race | b
sri alias exec show run int
!
Line con 0
exec-timeout 0 0
Synchronous recording
line to 0
line 2
no activation-character
No exec
preferred no transport
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
privilege level 15
local connection
transport of entry all
transportation out all
!
Scheduler allocate 20000 1000
!
endThere should be no second tunnel.
I use either a peer or the other, but not both at the same time.
To display both at the same time, you need to use the Tunnel interfaces. Amazon would have you sent pretty much the exact commands to copy and paste into.
-
ASA 5505 <>ASA 5510 VPN Site to Site
Try to configure a vpn site-to site beetween an ASA 5505 and a 5510. I can't get anything thrown, there are now debugging messages or the other. I must have done something wrong, I followed this paper: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml but I can't make it work. Anyone can have a peek at my configs, maybe I forgot something.
OK, if you go ahead and add this command to all two firewalls 'inside access management' and try to one side inside the 10.21.32.10 ping always nothing passing by?
-
ASA 5510 vpn remote access - must now be added vpn site-to-site.
We currently have a configuration of remote access vpn and all this hard work.
I need to configure a vpn lan lan 2 now.
Can someone point me to the documentation on that? I used the command line to add a site to site and wrong on it and disconnected me when I applied the crypto map to the external interface. Do I need another card encryption or should I use my existing?
Shannon,
Please see the below URL for more configuration information. Even if that configuration is dynamic to static IPSEC, you can use the concept to build the Tunnel L2L with static IP.
Let me know if it helps.
Kind regards
Arul
* Please note all useful messages *.
-
Cisco's ASA 5510 VPN configuration suggestion
Hello
We have a cisco ASA5510 and our client has a device of Juniper. We already have a vpn tunnel between two locations and its working fine.
Now they have networks that are in a safer area, if we add these subnets of the current tunnel we are not able to access it.
so, what they suggest we can reconfigure the VPN to be a road based on VPN instead of policy based OR configure a second VPN tunnel.
not sure about cisco ASA supports route according to the tunnels? ... Can we create a 2nd tunnel between the same devices (asa5510 and thei Juniper device) as remainders IP that identical, only the internal remote networks will change for me. is this possible?
do I have to make changes to the current tunnel?
Thank you
Smail
Hello
Cisco ASA does not support database path tunnels.
You must add new networks to crypto ACL. They add new VPN policies.
-
ASA 5510 VPN - using a public IP address for the local network
Hello, I have a problem which is probably very simple, but I can't seem to understand.
I set up a site IPsec connection to another with a company, something I've done many times before without a problem. I use ASDM to configure this, because it is quick and painless, usually.
We have one number of other site-to-site currently configured connections and works very well on this ASA, these are configured with the "Protected network - LAN" configured with the IP private of hosts within our network, we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to "guests aside ASA exempt from NAT.
With this new link, however, the company asked us to use a public IP address for the host that we want to achieve through the tunnel. I don't know why, but they demand it. So I added a NAT rule for inside the host and set up the connection with the public IP address under "Local network". During the test to try to reach a host to their side, the tunnel didn't even try to open.
What is the method here? I don't see where I'm wrong. I'm guessing that the 'host side ASA exempt from NAT' does not require for this, how if the ASA would know which internal host is the public IP address.
Any ideas?
Hi Leo,
The steps are:
1. Add the policy rule NAT for the specific host.
2 - define the IP NAT as your LOCAL NETWORK address in the encryption settings.
3 make sure that there is no rule NAT exempt for this host to the specific destination.
What happens if you run a package tracer?
Thank you.
-
ASA 5510 VPN for remote access clients are asked to authenticate on box
Don't know what's the matter, but my remote access users are invited to join the ASA before connecting to the tunnel. How can I disable this? Config is attached. Thank you all -
For remote access connections, you can turn off the prompt xauth (user/pass) with the following:
Tunnel ipsec-attributes group
ISAKMP ikev1-user authentication no
-heather
Maybe you are looking for
-
How to troubleshoot the overclocking?
When I start my pc it show with red letters: ATTENTION! The previous performance of overclocking is failed, and the system is restored to the default setting.Is this a problem? What should I do about it? Thank you for your attention and your response
-
Memory replace on HP ENVY M7-K111DX
Laptop HP ENVY M7-K111DX that I intend to buy is currently sold at best buy with 12 GB of RAM. Is it possible to swap the existing 4 GB RAM with a 8 GB? the reason why I want to get it confirmed that a gentleman at the store said, it is possible and
-
HelloI can't share my media using WMP 11. When I try to do, opens a window of options asking how I want to share media files (with xbox, other users, etc.), and I select the options and click OK. Then, when I return in the sharing of multimedia fil
-
Remote - problem with full screen desktop
I use Win 7 for a few months now, and the user experience is great! Remote Desktop software update is large but with a very annoying problem that I am facing.I use this to access my PC on my home LAN. I left once his mode full screen I need a windowe
-
Compatible product for Windows Live Mail
Well, I am now taken trapped using Win7 for my beloved XP system died. OK, I can live with most of the silly quirks of Win7, but Windows Live Mail 2011 is just so much worse than Outlook Express that I really need to find something better. Before a d