ASA 8.4 (3) - applying NAT breaks my tunnel from site to site - "Routing failed.
So I'm a few 5510 preconfiguration is before shipment to the site. I have my tunnel VPN from Site to Site and can ping of internal subnets between the sites. However, as soon as I configure NAT on my interface my pings die outside. I checked a guide very full config posted by TAC and I think the answer is to set up two times-NAT, which I believe I did. I don't always get no package in the tunnel.
A hint, I found, is that I get the journaled message when NAT is applied & affecting routing "ASA-6-110003: routing could not locate the next hop for ICMP from Outside:10.56.8.4/512 to Internal:172.16.60.253/0.
Output sh run object / run object-group sh / sh run nat / show the two ASA nat: -.
SITE 1
= sh run object
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the BH-Asterisk object
host x.x.x.x
BG Hill Asterisk description
network of the BH-Exchange object
host x.x.x.x
BG Hill Exchange Server description
the DH - AV object network
10.56.20.0 subnet 255.255.255.0
Description AV DH
the DH-Asterisk object network
host x.x.x.x
DH Asterisk description
the object-Diffie-Hellman exchange network
Home 10.56.1.253
Description Exchange Diffie-Hellman
the DH-guests object network
10.56.8.0 subnet 255.255.255.0
DH customers description
the object DH ME network
10.56.24.0 subnet 255.255.255.0
DH ME description
the DH-phones object network
10.56.16.0 subnet 255.255.255.0
Description phones DH
network of the DH-security object
10.56.32.0 subnet 255.255.255.0
Description safety DH
DH-internal object network
10.56.1.0 subnet 255.255.255.0
Description internal DH
network object internally-BH
10.60.1.0 subnet 255.255.255.0
Description internal BH
network of the BH-phones object
10.60.16.0 subnet 255.255.255.0
Description BH phones
network of the BH-security object
10.60.32.0 subnet 255.255.255.0
BH Security description
network of the BH - AV object
10.60.20.0 subnet 255.255.255.0
Description AV BH
network of the BH-guests object
10.60.8.0 subnet 255.255.255.0
BH invited description
network of the BH - ASA object
host 1.1.1.1
the DH - ASA object network
host 1.1.1.2
network of the BH-RAS object
10.60.99.0 subnet 255.255.255.0
the DH-RAS object network
10.56.99.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.56.99.0_26 object
255.255.255.192 subnet 10.56.99.0
network of the BH-UC560 object
Home 172.16.60.253
network of the DH-UC560 object
Home 172.16.56.253
= RJ5510-DOHA # sh run object-group
the BGHill object-group network
Description of subnets in BGHill
BH-internal network-object
network-object BH-phones
network-object BH - AV
network-object BH-security
network-object BH-guests
network-object BH-RAS
BH-UC560 network-object
object-group network DH
Description of subnets in DH
network-object DH - AV
network-object DH-guests
network-object DH ME
network-object DH-phones
network-object DH-security
DH-internal network-object
network-object DH-RAS
network object-DH-UC560
= RJ5510-DH # sh run nat
NAT (AV, outdoors) static source DH DH static destination BGHill BGHill
NAT (comments, outdoors) static source DH DH static destination BGHill BGHill
NAT (inside, outside) static source DH DH static destination BGHill BGHill
NAT (phones, outdoors) static source DH DH static destination BGHill BGHill
NAT (safety, outdoors) static source DH DH static destination BGHill BGHill
NAT (ME out) static source DH DH static destination BGHill BGHill
!
the DH - AV object network
dynamic NAT interface (AV, outdoors)
the object-Diffie-Hellman exchange network
x.x.x.x static NAT (indoor, outdoor)
the DH-guests object network
dynamic NAT interface (comments, outdoors)
the object DH ME network
dynamic NAT interface (ME, outdoor)
the DH-phones object network
dynamic NAT interface (phones, outdoors)
network of the DH-security object
dynamic NAT interface (safety, outdoors)
DH-internal object network
dynamic NAT interface (indoor, outdoor)
= HD-RJ5510 # see nat
Manual NAT policies (Section 1)
1 (f) (outdoor) static source DH DH destination static BGHill BGHill
translate_hits = 0, untranslate_hits = 386
2 (guest) (outdoor) static source DH DH destination static BGHill BGHill
translate_hits = 180, untranslate_hits = 0
3 (inside) (outside) static source DH DH destination static BGHill BGHill
translate_hits = 0, untranslate_hits = 0
4 (phones) (outdoor) static source DH DH destination static BGHill BGHill
translate_hits = 0, untranslate_hits = 0
5 (security) (outdoor) static source DH DH destination static BGHill BGHill
translate_hits = 0, untranslate_hits = 0
6 (ME) (outdoor) static source DH DH destination static BGHill BGHill
translate_hits = 0, untranslate_hits = 0
Auto NAT policies (Section 2)
1 (outdoor) source static-Exchange Diffie-Hellman x.x.x.x (internal)
translate_hits = 0, untranslate_hits = 0
2 (internal) interface of DH-internal dynamics of the source (outdoor)
translate_hits = 0, untranslate_hits = 0
3 (comments) interface (outside) dynamic source DH-guests
translate_hits = 2, untranslate_hits = 0
4 (phones) to the dynamic interface of DH-phones of the source (outside)
translate_hits = 0, untranslate_hits = 0
5 (AV) to dynamic source DH - AV interface (outside)
translate_hits = 0, untranslate_hits = 0
6 (I) dynamic source DH-ME interface (outside)
translate_hits = 0, untranslate_hits = 0
7 (security) to DH-security dynamic interface of the source (outside)
translate_hits = 0, untranslate_hits = 0
SITE 2: -.
= object # executed sh
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the BH-Asterisk object
host x.x.x.x
BH Hill Asterisk description
network of the BH-Exchange object
Home 10.60.1.253
BH Hill Exchange Server description
the DH - AV object network
10.56.20.0 subnet 255.255.255.0
Description AV DH
the DH-Asterisk object network
host x.x.x.x
DH Asterisk description
the object-Diffie-Hellman exchange network
host x.x.x.x
Description Exchange Diffie-Hellman
the DH-guests object network
10.56.8.0 subnet 255.255.255.0
DH customers description
the object DH ME network
10.56.24.0 subnet 255.255.255.0
DH ME description
the DH-phones object network
10.56.16.0 subnet 255.255.255.0
Description phones DH
network of the DH-security object
10.56.32.0 subnet 255.255.255.0
Description safety DH
DH-internal object network
10.56.1.0 subnet 255.255.255.0
Description internal DH
network object internally-BH
10.60.1.0 subnet 255.255.255.0
Description internal BH
network of the BH-phones object
10.60.16.0 subnet 255.255.255.0
Description BH phones
network of the BH-security object
10.60.32.0 subnet 255.255.255.0
BH Security description
network of the BH - AV object
10.60.20.0 subnet 255.255.255.0
Description AV BH
network of the BH-guests object
10.60.8.0 subnet 255.255.255.0
BH invited description
network of the BH - ASA object
host 1.1.1.1
the DH - ASA object network
host 1.1.1.2
network of the NETWORK_OBJ_10.60.99.0_26 object
255.255.255.192 subnet 10.60.99.0
network of the BH-RAS object
10.60.99.0 subnet 255.255.255.0
the DH-RAS object network
10.56.99.0 subnet 255.255.255.0
network of the BH-UC560 object
Home 172.16.60.253
network of the DH-UC560 object
Home 172.16.56.253
= # sh run object-group
the BHHill object-group network
Description of subnets in BH Hill
BH-internal network-object
network-object BH-phones
network-object BH - AV
network-object BH-security
network-object BH-guests
network-object BH-RAS
BH-UC560 network-object
object-group network DH
Description of subnets in DH
network-object DH - AV
network-object DH-guests
network-object DH ME
network-object DH-phones
network-object DH-security
DH-internal network-object
network-object DH-RAS
network object-DH-UC560
= # sh run nat
NAT (inside, outside) static source BHHill BHHill static destination DH DH
NAT (AV, outdoors) static source BHHill BHHill static destination DH DH
NAT (comments, outdoors) static source BHHill BHHill static destination DH DH
NAT (phones, outdoors) static source BHHill BHHill static destination DH DH
NAT (safety, outdoors) static source BHHill BHHill static destination DH DH
!
network of the BH-Exchange object
x.x.x.x static NAT (indoor, outdoor)
network object internally-BH
dynamic NAT interface (indoor, outdoor)
network of the BH-phones object
dynamic NAT interface (phones, outdoors)
network of the BH-security object
dynamic NAT interface (safety, outdoors)
network of the BH - AV object
dynamic NAT interface (AV, outdoors)
network of the BH-guests object
dynamic NAT interface (comments, outdoors)
= # sh nat
Manual NAT policies (Section 1)
1 (inside) (outside) static source BHHill BHHill static destination DH DH
translate_hits = 421, untranslate_hits = 178
2 (AV) to (outside) static source BHHill BHHill static destination DH DH
translate_hits = 0, untranslate_hits = 0
3 (guest) (outdoor) static source BHHill BHHill static destination DH DH
translate_hits = 0, untranslate_hits = 0
4 (phones) (outdoor) static source BHHill BHHill static destination DH DH
translate_hits = 0, untranslate_hits = 0
5 (security) (outdoor) static source BHHill BHHill static destination DH DH
translate_hits = 0, untranslate_hits = 0
Auto NAT policies (Section 2)
1 (outdoor) static source BH-Exchange x.x.x.x (internal)
translate_hits = 0, untranslate_hits = 0
2 (internal) interface of BH-internal dynamics of the source (outdoor)
translate_hits = 0, untranslate_hits = 0
3 (comments) interface (outside) dynamic source BH-guests
translate_hits = 0, untranslate_hits = 0
4 (phones) to the dynamic interface of BH-phones of the source (outside)
translate_hits = 0, untranslate_hits = 0
5 (AV) to dynamic source BH - AV interface (outside)
translate_hits = 0, untranslate_hits = 0
6 (security) at the interface of BH-security dynamic of the source (outdoor)
translate_hits = 0, untranslate_hits = 0
RJ5510-BH #.
I admit that I am scoobied with this one, but I hope that someone will find the capture?
Thank you
In fact, the problem is with the NAT because because you use the same object on different States of NAT attached to different interfaces.
The SAA can go crazy with it...
I must leave now.
As soon as I get back I'll explain this a little further.
Kind regards
Julio
Note all useful posts
Tags: Cisco Security
Similar Questions
-
tunnel from site to site between router IOS and ASA
I've combed through the configs on both sides of this tunnel 4 x now and the look of policies as they match. I applied the http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml note
My crypto lsits access are good and my nat on the side of IOS are provided with a map of the route and look good. On the SAA traffic side on the side of the remote tunnel ASA is exempt from NAT. Each side already has a site to another tunnel configuration, so I added the appropriate lines to the existing cryptographic cards which include peers, transform set and match address 'access-list. The polcies crypto isakmp on both ends are compatible. I have attached some configs and debugs (from router IOS), but essentially the newspaper on the SAA starts with the phase 1 is complete and then routing not received notification message, no proposal chosen readings and then it goes to IKE lost the connection to a remote peer, connection, drop table correlator counterpart has failed, no match, the deletion and finally disconnected session reason lost service.
Their other tunnel stay standing as well as the configuration of remote access vpn connection is good.
I found a note that recommends checking any access security-list, so I removed the, but no luck, and a Cisco associated with a hub, but had a healthy logic
Is displayed normally with the
Cisco VPN 3000 correspondent
message hub: no proposal
Chosen (14). This is a result of the
being host-to-host connections.
The configuration of the router has the
IPSec proposals ordered so that the
proposal selected for the router
with the access list, but not the
peer. The access list has a larger
network including the host that
a cutting traffic.
Make the router for this proposal
hub to router connection
first in line, so that it corresponds to the
specific to the host first.
but that didn't work either.
Thank you
Bill
Bill,
Take a look at this
000610: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): need XAUTH
000611: * 10:42:15.094 PCTime sep 27: ISAKMP: node set 920927400 to CONF_XAUTH
000612: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute
000613: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute
000614: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): launch peer 74.92.97.166 config. ID = 920927400
000615: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): lot of 74.92.97.166 sending peer_port my_port 4500 4500 (R) CONF_XAUTH
-Other - 000616: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000617: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT
It should not go to extend the authentication. Since you have the client and the L2L on the same router and clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the "No.-xauth" command after the pre-shared key
Please implement the command:
ISAKMP crypto keys in clear text address 74.92.97.166 No.-xauth
Thank you
Gilbert
-
Tunnel from site to site ASA with U turn to config
Hello
I have a VPN tunnel site race between ASA 5510 (8.2) and Cisco PIX506 (remote site). I need allow remote users to surf the net. I was looking for in the documentation here and circulation activated to enter/exit the same interface on the ASA (same-security-traffic intra-interface permit), however it still something lack. I don't know how to fix this...
ASA is configured for NAT inside customers to a single public IP address (VPN tunnel ends also at this interface)
ASA:
Global 1 208.x.x.x (outside)
NAT (inside) - 0 no.-Nat-VPN access list
NAT (inside) 1 0.0.0.0 0.0.0.0So when packets Internet comes through the tunnel, there need be sent on the same interface and NATted (but for the tunnel at work I had to exempt intrested NAT traffic). What is the cause of a problem?
Hello
NAT rules should be like this:
Global 1 208.x.x.x (outside)
NAT (outside) 1 mask x.x.x.x--> pool VPNWith the foregoing, you are from the VPN clients out to the Internet.
You can always leave the SHEEP ACL for the VPN itself traffic.
Federico.
-
ASA between tunnel from site to site
Hello
I have a site to tunnel between 2 ASAs. An ASA is behind the University and another in our data center. Unversity offers Internet services and they have the ASA that controls incoming traffic. We used to have problems of tunnel where the stale SAs were inactive and deleted in the center of data due to timeout or other unknown reasons. Subsequently discovered that ASA9.1.5 behind the University had the bug do not remove obsolete entries. After decommissioning of the code to 8.4.6 version we don't see any problems. And not work as usual. Unversity guy said that he added some ACL on the external interface to allow our Datacenter IP to forward VPN traffic.
https://Quickview.cloudapps.Cisco.com/QuickView/bug/CSCup37416
My Question even before adding these tunnels ACLs works but was not remove obsolete entries. I think that, after upgrade, it became stable. Unversity guys said after the addition of the ACL, it may have stabilized the question.
Can anyone can highlight here what's happening?
Thanks in advance.
Hi Vishnu,
Adding the ACL on the external interface doesn't have any report with the entries in table ASP for VPN traffic.
ASP duplicate entries are caused from crypto ACL and interesting traffic.
ASP table displayed duplicate entries ASP and traffic hit an entry ASP.
that is out of date and the traffic on ITS special is blackholed which led to the interruption of the VPN traffic.It has no connection with the ACL interface.
Hope it meets your request.
Kind regards
Aditya
Please evaluate the useful messages.
-
How to end a vpn connection from site to site on ASA 5510
Hi guys,.
I would like to know if there is a command that I can use to break a connection from site to site and restart it whenever I want.
I don't want to use the close command since I use the specific interface as an exit point on the internet.
In this case, you can configure just one incomplete crypto map entry, for example: just keep 'peers set' not configured until you establish the vpn tunnel, and then add the command "set by the peers.
If you disable the tunnel, just remove the 'set by the peers' command for this particular VPN tunnel.
-
ASA 8.4 (1) source-nat over vpn site-to-site
I'm setting up a tunnel vpn site-to-site and require nat for the local and remote side. The remote side will be nat to
10.2.255.128/25 on their face before they reach our network, so I have to only source-nat our servers via the tunnel to them. Should I just do the static NAT, then let the whole subnet through the acl of valuable traffic as the config below? I don't think I should use twice a nat because I'm not trying to make the destination nat on the firewall. Servers with us will 10.2.255.128/25 and I would like to preserve it through the ASA.
network of the ServerA object
host 10.1.0.1
NAT 10.2.255.1 static (inside, outside)
network of the object server b
host 10.1.0.2
NAT 10.2.255.2 static (inside, outside)
the object server c network
host 10.1.0.3
NAT 10.2.255.3 static (inside, outside)
the LOCAL_SUBNET object-group network
object-network 10.2.255.0 255.255.255.128
the REMOTE_SUBNET object-group network
object-network 10.2.255.128 255.255.255.128
VPN_ACL list extended access permitted ip object-group LOCAL_SUBNET-group of objects REMOTE_SUBNET
Thank you
Your configuration is correct, but I have a few comments. Remember that NAT occurs before the delivery of your servers will be translated into 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption field is correct.
Is your internet firewall as well? What your servers out of the internet? They will be translated to 10.2.255.2 and 10.2.255.3 and who will fail in internet routing is. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:
network of the ServerA_NAT object
Home 10.2.255.1
NAT static ServerA ServerA_NAT destination (indoor, outdoor) static source REMOTE_SUBNET REMOTE_SUBNET
This will use destination basic NAT for traffic VPN and NAT everything to a public IP address for the internet traffic. Of course, if this is not your internet connection firewall can do abstraction.
-
ASA (v9.1) VPN from Site to Site with IKEv2 and certificates CEP/NDE MS
Hi all
I am currently a problem with VPN Site to Site with IKEv2 and certifiactes as an authentication method.
Here is the configuration:
We have three locations with an any to any layer 2 connection. I created each ASA (ASA5510 worm 9.1) to establish one VPN of Site connection to the other for the other two places. Setting this up with pre shared keys and certificates that are signed by the CA MS administrator manually work correctly.
But when we try to enroll these certificates through the Protocol, CEP/NDE his does not work.
Here are my steps:
1 configure the CA Turstpoint to apply to the certification authority
2. request that the CA through the SCEP protocol works fine
3. set up a Trustpoint and a pair of keys for the S2S - VPN connection
4. registration form identity certificate CA via the SCEP Protocol with a one time password works fine
5. set the trustpoint created as for the S2S - VPN IKEv2 authentication method.
Now I did it also for the other site of the VPN Tunnel. But when I ping on a host that is on a different location to make appear the Tunnel VPN - the VPN session is not established. In the debugs I see that there are a few problems during authentication of the remote peer.
On the MS that I see that the certifactes of identity for both ASAs are communicated and not revoked or pending state. The certificate based on the model of the "IPSec (Offline).
When the CA-Admin and a certificate me manually based on a copy of the model of "Domaincontroller" connection is successfully established.
So I would like to know which is the correct certificate for IP-Sec peers template to use for the Protocol, CEP and MS Enterprise CA (its server 2008R2 of Microsoft Enterprise)?
Anyone done this before?
ASA requires that the local and Remote certificate contains EKU IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6) (aka IP Security Tunnel termination). You can create a Microsoft CA model to add.
If you absolutely must go with the 'bad' cert, there is a command
ignore-ipsec-keyusage
but it is obsolete and not recommended.
Meanwhile at the IETF:
RFC 4809
3.1.6.3 extended Key use
Extended Key Usage (EKU) indications are not required. The presence
or lack of an EKU MUST NOT cause an implementation to fail an IKE
connection.
-
ASA ASA from Site to Site VPN IPSec Tunnel
Any help would be greatly appreciated...
I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.
Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24
Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24
Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.
Internet access works very well in all workstations of this site. A static route is configured to redirect all traffic to a public router upstream.
Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address. A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253. This device then performs its own private Public NAT. Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)
The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24). The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254). The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem. However, all traffic passing on networks ICMP does not end and the Syslog reports the following-
Site #1-
6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1 6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1 Site #2-
6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP It's the same for any form of traffic passing over the tunnel. The ACL is configured to allow segments of LAN out to any destination. At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).
Anyone can shed light on a possible cause of this problem?
Thank you
Nick
did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?
Please provide the following information
-set up the tunnel
-show the isa cry his
-show the ipsec cry his
-ping of the site 1 site 2 via tunnel
-capture "crypto ipsec to show his" once again
-ping from site 2 to 1 by the tunnel of the site
-capture "crypto ipsec to show his" once again
-two ASA configuration.
-
IPSEC VPN from Site to Site - NAT problem with address management
Hi all
I have two Cisco ASA 5505 performing of IPSEC Site to Site VPN. All traffic inside each firewall through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at the site B and launch of the ASDM or SSH, etc.
The problem I have is when I'm logged on the ASA site B management traffic is given the external address. I created this as interesting traffic to get it to go through the VPN but I need to use the inside address of ASA B. The following is possible:
- If I can make the ASA Site B to use inside interface as its address management (I already have management access to the inside Interface)
- I have NAT can address external interfaces to Site B before moving through the VPN tunnel management traffic so that it appears to come from Site B inside the address
- I can NAT VPN traffic as it appears in the Site A for management traffic to Site B on the right address.
The problem is that my PRACTICE Please also come from this address and I need the application before being on an internal address to even if my CA.
Thanks for any help.
Ian
Thanks, I understand what you are trying to achieve now.
However, I think that I don't have good news for you. Unfortunately PEIE request can be initiated of the SAA within the interface, as there is no option to start the query from the inside interface. With other features of management such as AAA, logging, you have an option to specify what ASA desired originally to demand from interface, but CEP doesn't have this option.
Here's how you can configure under the trustpoint crypto, but unfortunately by specifying the interface doesn't not part of option:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2262210
-
Why Ai CC 2014, when I use a pathfinder on two objects tool, their anchor points break a bit from where they were? I search in all the nod to under VIEW options & could not find the culprit. Help, please!
It looks like "snap to grid of pixels" just once more.
Uncheck the box "align new objects to the pixel grid" in the menu of the transformation Panel.
Select the objects and uncheck "snap to grid of pixels" in the transformation Panel.
-
ASA ASA Site2Site VPN with dynamic NAT in version 8.2
I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.
I have some local subnets:
172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24who will need to access a remote subnet:
10.31.255.128/25
and the requirement is to NAT the following text:
A lot of requirement much NAT.
172.30.1.0/24 NAT at 192.168.104.0/24
172.30.16.0/24 NAT at 192.168.105.0/24
172.30.3.0/24 NAT at 192.168.108.0/24
172.30.12.0/24 NAT at 192.168.106.0/24
172.30.7.0/24 NAT at 192.168.107.0/24
172.30.35.0/24 NAT at 192.168.103.0/24When you go to the 10.31.255.128/25 subnet.
Here's what I think, I need and I'm looking for confirmation and/or messages.
Config group *.
object-group, LAN using a NAT-NETWORKS
192.168.104.0 subnet 255.255.255.0
192.168.105.0 subnet 255.255.255.0
192.168.108.0 subnet 255.255.255.0
192.168.106.0 subnet 255.255.255.0
192.168.107.0 subnet 255.255.255.0
192.168.103.0 subnet 255.255.255.0Group of objects to REMOTE-network
subnet 10.31.255.128 255.255.255.128ACL for the crypto-card *.
REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK
Config NAT
NAT (inside) 10 172.30.1.0 255.255.255.0
NAT (inside) 20 172.30.16.0 255.255.255.0
NAT (inside) 30 172.30.3.0 255.255.255.0
NAT (inside) 40 172.30.12.0 255.255.255.0
NAT (inside) 50 172.30.7.0 255.255.255.0
NAT (inside) 60 172.30.35.0 255.255.255.0Global (outside) 10 192.168.104.0 255.255.255.0
Global (outside) 20 192.168.105.0 255.255.255.0
Global (outside) 30 192.168.108.0 255.255.255.0
Global (outside) 40 192.168.106.0 255.255.255.0
Global (outside) 50 192.168.107.0 255.255.255.0
Global (outside) 60 192.168.103.0 255.255.255.0This sets up the set of transformation which is called in the Crypto map.* *.
Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac
This sets up the Crypto map.* *.
address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
peer set card crypto outside_map 72 5.5.5.4
card crypto outside_map 72 set transform-set REMOTE-SET ikev1
outside_map card crypto 72 the value reverse-roadImplements IKE *.
IKEv1 crypto policy 72
sha hash
preshared authentication
Group 2
lifetime 28800
3des encryptionSets up the Group of tunnel (connection profile) *.
tunnel-group 5.5.5.4 type ipsec-l2l
IPSec-attributes tunnel-group 5.5.5.4
IKEv1 pre-shared-key * TBD *.Thank you
Mike
With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...
-
ASA 8.3 - SSL VPN - NAT problem
Need help to find how to configure anyconnect VPN with VPN client using a NAT networking internal.
There are many items on the side - how to disable NAT for vpn pool.
I need to create the gateway VPN to the complex international lnetwork, vpnpool is out of range of regular subnet of that network, so it's going to be questions witout NAT routing.
I so need to vpn clients connected to
be PATed to . The problem is that there is also a dynamic to PAT rule for the ordinary acccess Iternet which translates as 'rules NAT asymmetry... "error. Create two times different NAT rules and moving them on up/down makes no difference. There are also some hidden rules of vpn setup :-(that could not be seen.
V8.3 seems is destroying trust in Cisco firewall...
Thank you.
Stan,
Something like this works for me.
192.168.0.0/24---routeur--172.16.0.0/24 ASA-= cloud = host. (the tunnel he get IP address of 'over' pool, which is also connected to the inside)
BSNs-ASA5520-10 (config) # clear xlate
INFO: 762 xlates deleted
BSNs-ASA5520-10 (config) # sh run nat
NAT (inside, outside) static all of a destination SHARED SHARED static
!
NAT source auto after (indoor, outdoor) dynamic one interface
BSNs-ASA5520-10 (config) # sh run object network
network of the LOCAL_NETWORK object
192.168.0.0 subnet 255.255.255.0
The SHARED object network
172.16.0.0 subnet 255.255.255.0
BSNs-ASA5520-10 (config) # sh run ip local pool
IP local pool ALL 10.0.0.100 - 10.0.0.200
local IP ON 172.16.0.100 pool - 172.16.0.155
BSNs-ASA5520-10 (config) # sh run tunne
BSNs-ASA5520-10 (config) # sh run tunnel-group
attributes global-tunnel-group DefaultWEBVPNGroup
address pool ONIf I get your drift... bypass inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via the proxy arp, but I'm not face or solution providers for remote access.
Marcin
-
ASA 8.4. (1) Nat ignored rules
Hi all!
I'm having some problems with NAT, the packet does not match the nat rule (which I believe it should be) and is not choose the right output interface. So card crypto never started
This is the relevant config:
Interface Port - channel2.4
Description Public TESA ADSL internet connection
VLAN 7
nameif PublicTESA
security-level 5
address IP PUBLIC_IP1 255.255.255.128
Interface Port - channel2.1
BT internet connection, used for (VPN) platforms description
VLAN 4
nameif PublicBT
security-level 5
address IP PUBLIC_IP2 255.255.255.252
Interface Port - channel1.1
Description user VLAN
VLAN 100
nameif users
security-level 70
IP 172.16.30.10 255.255.255.0
network of the net users object
172.16.30.0 subnet 255.255.255.0
NET description users
object EXTERNAL_COMPANY_NAME-remote control-net-1 network
Home 172.21.250.206
Tunel l2l net remote 1 description
object EXTERNAL_COMPANY_NAME-remote control-net-2 network
172.21.248.0 subnet 255.255.255.0
Tunel l2l description remote control 2 net
object-group network EXTERNAL_COMPANY_NAME-Local-networking-group
LANs Description L2L EXTERNAL_COMPANY_NAME
users-net network object
object-group network EXTERNAL_COMPANY_NAME-remote control-nets-group
remote networks Description L2L EXTERNAL_COMPANY_NAME
network-object POLCIA-remote control-net-1
network-object POLICIA-remote control-net-2
destination of EXTERNAL_COMPANY_NAME-Local-networks-EXTERNAL_COMPANY_NAME Local-networking-group static NAT (PublicBT everything) static source EXTERNAL_COMPANY_NAME-remote control-nets-group EXTERNAL_COMPANY_NAME-remote control-nets-group
NAT (all, PublicTESA) dynamic source any description of the Nat interface to the internet at the PublicTESA interface
RESULT:
If I send a package from User Interface using 172.16.30.41 to 172.21.250.206, he was sent to PubicTESA do NAT with
PUBLIC_IP1
I recommend that you open a TAC case, then it can get properly studied.
-
We have a 11r2 primary and standby running on RHEL 5. Lost primary network for a time and locked up VMWare connectivity. The administrator of the virtual computer restarted the primary VM (it was a hard-boot). All this happened while I was gone and when I'm at work, the primary database seems to work. I decided to dig deeper and discover the day before.
On implementing standby...
SQL> select * from v$archive_gap; Thread#: 1 low_sequence: 123120 high_sequence: 123120
DGMGRL> show configuration Configuration - prodDB Protection Mode: MaxPerformance Databases: prodDB - Primary database prodDB2 - Physical standby database Fast-Start Failover: DISABLED Configuration Status: SUCCESS
SQL> select count(*) from v$archived_log where applied='NO'; Count(*): 107
SQL> select process, client_process, thread#, sequence#, block#, status from v$managed_standby where process='MRP0' or client_process='LGWR'; Process: MRP0 Client_Process: N/A Thread#: 1 Sequence#: 123120 Block#: 0 Status: WAIT_FOR_LOG Process: RFS Client_Process: LGWR Thread#: 1 Sequence#: 128315 Block#: 4686 Status: IDLE
DGMGRL> show database prodDB2; Role: PHYSICAL STANDBY Intended State: APPLY-ON Transport Lag: 2 days 3 minutes 53 seconds Apply Lag: 2 days 3 minutes 53 seconds Real Time Query: OFF Instance(s): prodDB
It seems that all is well (just very far behind), but when I run the last block of code (see the prodDB2 database ;) once again...
DGMGRL> show database prodDB2; Role: PHYSICAL STANDBY Intended State: APPLY-ON Transport Lag: 2 days 1 hour(s) 42 minutes 37 seconds Apply Lag: 2 days 1 hour(s) 42 minutes 37 seconds Real Time Query: OFF Instance(s): prodDB
.. .He looks if the massive rear just increases. How can I make sure that everything is everything? I'm still learning Data Guard.
Thank you
Hello again;
One thing you can try if you notice the use ASM and STANDBY_FILE_MANAGEMENT = AUTO on both is to create a tiny new tablespace and then do a log switch. If the new data file is displayed
you got false information from Oracle. Also if you do not have ASM verify the physical location of the log. You can have transport work and not apply, or both not work or work by the way.
Newspapers to alert on both sides are an excellent source of information. Side ensures says usually "waiting for journal...» "This compares to that of the last log on the primary side.
Best regards
mseberg
-
Hi-
We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).Networks:
Local: 192.168.1.0 (answering machine)
Distance: 192.168.54.0 (initiator)See details below on our config:
SH run card cry
card crypto outside_map 2 match address outside_cryptomap_ibfw
card crypto outside_map 2 pfs set group5
outside_map 2 peer XX crypto card game. XX.XXX.XXX
card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
crypto map outside_map 2 set ikev2 AES256 ipsec-proposaloutside_map interface card crypto outside
Note:
Getting to hit numbers below on rules/ACL...SH-access list. I have 54.0
permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671SH run | I have access-group
Access-group outside_access_out outside interfaceNOTE:
WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...HS cry his ikev1
IKEv1 SAs:
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 21 peer IKE: XX. XX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: XXX.XXX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVESH run tunnel-group XX. XX.XXX.XXX
tunnel-group XX. XX.XXX.XXX type ipsec-l2l
tunnel-group XX. XX.XXX.XXX General-attributes
Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX. XX.XXX.XXX ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.SH run | I have political ikev1
ikev1 160 crypto policy
preshared authentication
aes-256 encryption
Group 5
life 86400SH run | I Dynamics
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
NAT source auto after (indoor, outdoor) dynamic one interfaceNOTE:
To from 5512 at 5505-, we can ping a host on the remote network of ASA local# ping inside the 192.168.54.20
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 msDetermination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?
The IPSEC tunnel check - seems OK?
SH crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXXoutside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX. XX.XXX.XXX#pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: CDC99C9F
current inbound SPI: 06821CBBSAS of the esp on arrival:
SPI: 0x06821CBB (109190331)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914789/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xCDC99C9F (3452542111)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3913553/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001--> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...
SH cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply--> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)
SH cap A2
42 packets captured
1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request--> Package trace on 5512 does no problem... but we cannot ping from host to host?
entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map default class
match any
Policy-map global_policy
class class by default
Decrement-ttl connection set
global service-policy global_policy
Additional information:
Direct flow from returns search rule:
ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
Additional information:
Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Direct flow from returns search rule:
ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc...
Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 7422689 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statInformation for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statResult:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow--> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?
Destination - initiator:
entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
...
Phase: 4
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...Summary:
We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).Please let us know what other details we can provide to help solve, thanks for any help in advance.
-SP
Well, I think it is a NAT ordering the issue.
Basically as static and this NAT rule-
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.
To check just run a 'sh nat"and this will show you what order everthing is in.
The ASA is working its way through the sections.
You also have this-
NAT source auto after (indoor, outdoor) dynamic one interface
which does the same thing as first statement but is in section 3, it is never used.
If you do one of two things-
(1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line
or
(2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.
There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.
It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.
The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).
Then you can simply try to rearrange so your static NAT is above it just to see if it works.
Just in case you want to see the document here is the link-
Jon
Maybe you are looking for
-
One of my users has an iPad for the trip, so he is using data. Looks almost whenever it connects to the airport or hotel WiFi that emails simply put back to 2 years ago, then continue to load everything up to the current date. I can't wrap my head ar
-
What is * address email is removed from the privacy * password?
can I change my password because all my password combinations are not accepted?
-
Smart Wi - Fi cannot connect to the router
I can't access my router remotely. It is said that my router has no internet connectivity, but I can access the Internet fine when I am connected to the router locally. Somewhere that my modem is using the bridge to do this, I met and so I tried to f
-
Post-mortem debugging - dumper utility
Hello BB10 document mentions on post-mortem debugging using a dumper utility. But when I SSH to BB10 and try to issue the command "dumper", it is said that the command does not exist. Can anyone help? My application crashes intermittently, so I wish
-
Group residential with old computer as a server, want to set up the new homegroup
I had a group residential, put in place with an old computer is no longer used. How can I do die so I can put in place a new homegroup with another computer as a server/administrator?