ASA to Juniper VPN with policy NAT
I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my network 192.168.190.0/24 client. I need NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.
Here is my current config:
xxxxx host name
domain xxxxx.local
enable the encrypted password xxxxx
XXXXX encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.190.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 207.98.218.26 255.255.255.248
!
interface Vlan3
prior to interface Vlan1
nameif DMZ
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
interface Vlan12
description of interface vlan2 backup
nameif CharterBackup
security-level 0
IP 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passive FTP mode
DNS server-group DefaultDNS
domain xxxxx.local
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 100 permit tcp any host 207.98.218.27 eq 3389
access-list extended 100 permit tcp any host 207.98.218.28 eq 3389
access-list extended 100 permit tcp any host 207.98.218.27 eq 9000
access-list extended 100 permit tcp any host 207.98.218.27 eq 9001
access-list extended 100 permit tcp any host 207.98.218.28 eq 9000
access-list extended 100 permit tcp any host 207.98.218.28 eq 9001
access-list standard split allow 192.168.190.0 255.255.255.0
Access extensive list ip 192.168.190.0 POLICYNAT allow 255.255.255.0 66.18.106.160 255.255.255.224
extended VPN ip 192.168.191.0 access list allow 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 DMZ
MTU 1500 CharterBackup
IP local pool vpnpool 192.168.10.75 - 192.168.10.85
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 524.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
Global interface (CharterBackup) 1
NAT (inside) - 0 110 access list
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (DMZ) 1 0.0.0.0 0.0.0.0
public static 192.168.191.0 (inside, outside) - POLICYNAT access list
Access-group 100 in external interface
Route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
Route 0.0.0.0 CharterBackup 0.0.0.0 71.14.9.49 254
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
Enable http server
http 192.168.190.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
monitor SLA 123
type echo protocol ipIcmpEcho 4.2.2.2 outside interface
timeout of 1000
frequency 3
Annex ALS life monitor 123 to always start-time now
Crypto ipsec transform-set esp - esp-md5-hmac romanset
Crypto ipsec transform-set esp-aes - AES-128-SHA esp-sha-hmac
Crypto-map dynamic dynmap 10 transform-set romanset
romanmap card crypto 10 corresponds to the VPN address
peer set card crypto romanmap 10 66.18.99.68
card crypto romanmap 10 game of transformation-AES-128-SHA
map romanmap 65535-isakmp ipsec crypto dynamic dynmap
romanmap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
sha hash
Group 2
life 86400
!
track 1 rtr 123 accessibility
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 CharterBackup
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd outside auto_config
!
dhcpd address 192.168.100.100 - DMZ 192.168.100.130
dhcpd enable DMZ
!
internal group xxxxx policy
attributes of the strategy group xxxxx
value of server WINS 192.168.190.3
value of server DNS 192.168.190.3
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx General attributes
address vpnpool pool
Group Policy - by default-romangroup
tunnel-group ipsec-attributes xxxxx
pre-shared-key *.
ISAKMP ikev1-user authentication no
tunnel-group 66.18.99.68 type ipsec-l2l
IPSec-attributes tunnel-group 66.18.99.68
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Currently, traffic that originates on 192.168.190.0/24 generates no traffic phase 1. However, if the traffic is coming in FRO the side remote (66.18.106.160/27) the tunnel arrives, but no traffic passes.
Although this isn't my area of expertise, it seems to me that my ASA is not 'see' interesting traffic from 192.168.190.0/24 will 66.18.106.160/27.
Any help you could provide would be GREATLY appreciated.
Just remove the 2 following lines:
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
Then 'clear xlate '.
That should solve your problem.
Tags: Cisco Security
Similar Questions
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up the VPN tunnel between two ASAs or routers using the NAT translation from within the private IP addresses to a single public IP address outside the interface and then implement interesting crypto with the source of the public IP address and the destination of the remote private network on the other end (also ASA). For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with a public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP address to the remote end, and IP addresses of the remote end can overlap with our end.
Thank you!
Hello
You can definitely set up an IPSec tunnel between two devices in the translation of your subnet in a single public IP address. You just create the translation and as you mentioned define interesting traffic using the public IP address.
This is exactly what we call political NAT, I don't understand why you say that NAT policy is not an option. Perhapps you misunderstood concept NAT policy or I misunderstood your question.
For example, assuming that the LAN private at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and that the public IP address that you want to use is 200.200.200.200 your NAT config should look like this:
access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0
Global (outside) 6 200.200.200.200
NAT (inside) 6 access-L199
Which would be NAT traffic to the public IP address only when the traffic matches the ACL.
Your ACL crypto should then be something like
cryptomap list of allowed access host ip 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your address real and all they see is the public IP address you give them. Note that since the NAT takes place on your side your side will be able to raise the tunnel.
I hope this helps.
Raga
-
PIX v6.3 Site-to-Site with policy NAT
Hi guys,.
I need to set up a site to site with nat because we have overlapping subnet at the other end.
They need access to both servers on our network with IP static.
Site A: 192.168.100.0/24
Site b: 192.168.200.128/25
The other site has chosen this network for NAT: 10.200.50.0/28
I need to translate
192.168.100.10 > 10.200.50.2
192.168.100.20 > 10.200.50.3
through the tunnel
That's what I've done so far, will this work? Any problem that may appear with this config?
Crypto ACL:
VPN ip 10.200.50.0 access list allow 255.255.255.240 192.168.200.128 255.255.255.128
Policy_NAT1 list of allowed access host ip of 192.168.100.10 192.168.200.128 255.255.255.128
Policy_NAT2 list of allowed access host ip 192.168.100.20 192.168.200.128 255.255.255.128
NAT (inside) 10 access-list Policy_NAT1 0 0
NAT (inside) 11 access-list Policy_NAT2 0 0
overall 10 10.200.50.2 (outside)
Overall 11 10.200.50.3 (outside)
Thanks in advance!
Hello
Your configuration looks very good.
Although I guess it's a dynamic configuration policy NAT/PAT.
Incase you want to configure static policy NAT, you need to change a bit. I mean if you wanted a NAT configuration allowing to form bidirectional connection. Both from your site to the remote site and the remote site to your side. You can always use the same ACL you have configured, but you would use the "static" configurations.
public static 10.200.50.2 (inside, outside) - Policy_NAT1 access list
public static 10.200.50.3 (inside, outside) - Policy_NAT2 access list
Review with the static NAT to politics and the dynamic policy NAT/PAT which would be if these hosts have static NAT configured at the direction of the 'outside' interface while static NAT would cancel both of these configurations.
If you use the political dynamic NAT and had also a static NAT for the host, then you would have to change from the above static NAT in a policy to override the static NAT.
And with the foregoing in mind possible existing static NAT and new static NAT of policy might have some problems as a whole. In this case the scheduling of NAT rules would determine if static NAT of the policy has been applied already. If you already had the configured static NAT then it would nullify the political new static NAT:. The solution would be to remove the static NAT and enter it again. This would move the static NAT once the static NAT to policy in the order that they appear on the CLI format configuration and, therefore, static political NAT would work for the specified destination and addresses the static NAT for all other destination addresses.
Hope I made any sense
Feel free to ask more if necessary while
-Jouni
-
ASA ASA Site2Site VPN with dynamic NAT in version 8.2
I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.
I have some local subnets:
172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24who will need to access a remote subnet:
10.31.255.128/25
and the requirement is to NAT the following text:
A lot of requirement much NAT.
172.30.1.0/24 NAT at 192.168.104.0/24
172.30.16.0/24 NAT at 192.168.105.0/24
172.30.3.0/24 NAT at 192.168.108.0/24
172.30.12.0/24 NAT at 192.168.106.0/24
172.30.7.0/24 NAT at 192.168.107.0/24
172.30.35.0/24 NAT at 192.168.103.0/24When you go to the 10.31.255.128/25 subnet.
Here's what I think, I need and I'm looking for confirmation and/or messages.
Config group *.
object-group, LAN using a NAT-NETWORKS
192.168.104.0 subnet 255.255.255.0
192.168.105.0 subnet 255.255.255.0
192.168.108.0 subnet 255.255.255.0
192.168.106.0 subnet 255.255.255.0
192.168.107.0 subnet 255.255.255.0
192.168.103.0 subnet 255.255.255.0Group of objects to REMOTE-network
subnet 10.31.255.128 255.255.255.128ACL for the crypto-card *.
REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK
Config NAT
NAT (inside) 10 172.30.1.0 255.255.255.0
NAT (inside) 20 172.30.16.0 255.255.255.0
NAT (inside) 30 172.30.3.0 255.255.255.0
NAT (inside) 40 172.30.12.0 255.255.255.0
NAT (inside) 50 172.30.7.0 255.255.255.0
NAT (inside) 60 172.30.35.0 255.255.255.0Global (outside) 10 192.168.104.0 255.255.255.0
Global (outside) 20 192.168.105.0 255.255.255.0
Global (outside) 30 192.168.108.0 255.255.255.0
Global (outside) 40 192.168.106.0 255.255.255.0
Global (outside) 50 192.168.107.0 255.255.255.0
Global (outside) 60 192.168.103.0 255.255.255.0This sets up the set of transformation which is called in the Crypto map.* *.
Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac
This sets up the Crypto map.* *.
address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
peer set card crypto outside_map 72 5.5.5.4
card crypto outside_map 72 set transform-set REMOTE-SET ikev1
outside_map card crypto 72 the value reverse-roadImplements IKE *.
IKEv1 crypto policy 72
sha hash
preshared authentication
Group 2
lifetime 28800
3des encryptionSets up the Group of tunnel (connection profile) *.
tunnel-group 5.5.5.4 type ipsec-l2l
IPSec-attributes tunnel-group 5.5.5.4
IKEv1 pre-shared-key * TBD *.Thank you
Mike
With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...
-
VPN with static nat for a whole subnet
Hey there,
For some reason, I can't do this on the router. Errrr...
I'm trying to config a static nat (many to one), which will be in effect only when traffic needs to go on our vpn tunnel to the remote location.
example:
internal LAN 192.168.0.0
remote network: 10.10.10.0 and 10.10.15.0
When traffic passes over the tunnel vpn - at the remote site, I need to translate my internal network (192.168.0.0) to an ip address 172.16.32.65 static
any ideas?
also on my crypto map ACL, which must be specified for interesting traffic? my local network or static ip address search?
Let me know your thoughts on the matter.
Kind regards
R.
NAT you describe is named PAT or overload, at least in terms of Ciscos...
What you need:
(1) a NAT - ACL when you describe your traffic which should be natted.
(2) a nat pool with your 172.16.32.65 address
(3) a statement-NAT for dynamic NAT inside based on the ACL for the pool
Here are some examples:
Your crypto ACL then referred to the NATted IP as NAT happens before encryption.
-
I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.
Any thoughts on where I can go wrong?
Thank you
Darren
You have configured the following:
crypto set reverse-road map
If you do, can you remove and Add again and see if that fixes the problem?
-
Publish a server with NAT anchored through a tunnel VPN with ASA
Hi all
Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do. I don't know that I'm missing something simple.
I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation. Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).
So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.
Let's see if I can get this
IP public 1.1.1.1\
> External interface of ASA
2.2.2.2 / private ip
My config as I know it is pertinant is as follows:
permit same-security-traffic intra-interface
list of allowed incoming access extended ip any host 168.215.x.x
Access-group interface incoming outside
public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255
I am running version 8.2.5 of the image of the SAA.
If you could take a look and let me know what Miss me you please.
Thank you
Hello
The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.
So I wonder if another type of NAT configuration would actually work.
I would call it static political identity NAT if such a name exists yet.
Something like that
Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic
allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a
public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT
This should basically do what
- When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
- If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
- Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
- Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.
Hope this helps
Be sure to mark it as answered in the affirmative. And/or useful response rate.
Ask more if necessary.
EDIT: typos
-Jouni
-
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2 (5)
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.6.0.12 255.255.254.0
!
IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)
!
Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap map crypto inside interface
crypto ISAKMP allow inside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
!
VPN-addr-assign aaa
VPN-addr-assign dhcp
!
internal group testgroup strategy
testgroup group policy attributes
DHCP-network-scope 10.6.192.1
enable IPSec-udp
IPSec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
strategy-group-by default testgroup
DHCP-server 10.6.20.3
testgroup group tunnel ipsec-attributes
pre-shared key *.
!
I got following output when I test connect to the ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For the RADIUS, you need a definition of server-aaa:
Protocol AAA - NPS RADIUS server RADIUS
AAA-server RADIUS NPS (inside) host 10.10.18.12
key *.
authentication port 1812
accounting-port 1813
and tell your tunnel-group for this server:
General-attributes of VPN Tunnel-group
Group-NPS LOCAL RADIUS authentication server
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Can the NAT of ASA configuration for vpn local pool
We have a group of tunnel remote ipsec, clients address pool use 172.18.33.0/24 which setup from command "ip local pool. The remote cliens must use full ipsec tunnel.
Because of IP overlap or route number, we would like to NAT this local basin of 172.18.33.0 to 192.168.3.0 subnet when vpn users access certain servers or subnet via external interface of the ASA. I have nat mapping address command from an interface to another interface of Armi. The pool local vpn is not behind any physical interface of the ASA. My question is can ASA policy NAT configuration for vpn local pool. If so, how to set up this NAT.
Thank you
Haiying
Elijah,
NAT_VPNClients ip 172.18.33.0 access list allow 255.255.255.0 10.1.1.0 255.255.255.0
public static 192.168.33.0 (external, outside) - NAT_VPNClients access list
The above configuration will be NAT 172.18.33.0/24 to 192.168.33.0/24 when you go to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your subnet of servers).
To allow the ASA to redirect rewritten traffic the same interface in which he receive, you must also order:
permit same-security-traffic intra-interface
Federico.
-
IOS VPN with NAT need help with ACL?
What I forget? I have tried other positions, studied bugs known with 12.2 (13) T1, etc. workaround solutions, but perhaps my other choice of configuration interfere with my VPN configuration.
I can connect, authenticate locally, very well. Stats of Cisco VPN client 3.6.3 show I'm Encrypting traffic on the protected networks, but I can not all traffic through internal hosts once I've connected.
I removed security tags and replaced all the public IP addresses to fake in hope that someone can point me to what is obvious!
Thank you very much.
----------
Current configuration: 5508 bytes
!
! 22:24:38 PST configuration was last modified Thursday February 20, 2003 by kevin
!
version 12.2
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
AAA new-model
!
AAA authentication login userauthen local
AAA authorization groupauthor LAN
AAA - the id of the joint session
IP subnet zero
!
IP domain name mondomaine.fr
name of the IP-server 199.13.28.12
name of the IP-server 199.13.29.12
!
IP inspect the audit trail
IP inspect high 1100 max-incomplete
IP inspect a high minute 1100
inspect the tcp IP Ethernet_0_1 name
inspect the IP udp Ethernet_0_1 name
inspect the IP name Ethernet_0_1 cuseeme
inspect the IP name Ethernet_0_1 ftp
inspect the IP h323 Ethernet_0_1 name
inspect the IP rcmd Ethernet_0_1 name
inspect the IP name Ethernet_0_1 realaudio
inspect the IP name smtp Ethernet_0_1
inspect the name Ethernet_0_1 streamworks IP
inspect the name Ethernet_0_1 vdolive IP
inspect the IP name Ethernet_0_1 sqlnet
inspect the name Ethernet_0_1 tftp IP
inspect the IP name Ethernet_0_1 http java-list 99
inspect the name Ethernet_0_1 rtsp IP
inspect the IP name Ethernet_0_1 netshow
inspect the tcp IP Ethernet_0_0 name
inspect the IP name Ethernet_0_0 ftp
inspect the IP udp Ethernet_0_0 name
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
ISAKMP crypto nat keepalive 20
!
ISAKMP crypto client configuration group vpngroup
xxxxxxxxx key
DNS 199.13.28.12 199.13.29.12
domain mydomain.com
pool vpnpool
ACL 110
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
MTA receive maximum-recipients 0
!
!
interface Ethernet0/0
Description connected to the Internet
IP 199.201.44.198 255.255.255.248
IP access-group 101 in
NAT outside IP
inspect the IP Ethernet_0_0 in
no ip route cache
no ip mroute-cache
Half duplex
clientmap card crypto
!
interface Serial0/0
no ip address
Shutdown
!
interface Ethernet0/1
Connected to the private description
IP 192.168.1.254 255.255.255.0
IP access-group 100 to
IP nat inside
inspect the IP Ethernet_0_1 in
Half duplex
!
IP local pool vpnpool 192.168.2.201 192.168.2.210
period of translation nat IP 119
!!
!! -removed the following line for VPN configuration
!! IP nat inside source list 1 interface Ethernet0/0 overload
!! -replaced by the next line...
IP nat inside source map route sheep interface Ethernet0/0 overload
IP nat inside source 192.168.1.1 static 199.201.44.197
IP classless
IP route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
IP http server
7 class IP http access
local IP http authentication
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 refuse any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 refuse any
access-list 99 refuse any
access-list 100 permit udp any eq rip all rip eq
access-list 100 permit tcp 192.168.1.1 host any eq www
access-list 100 permit ip 192.168.1.1 host everything
access list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip 192.168.1.2 host everything
access-list 100 deny ip 192.168.1.253 host everything
access ip-list 100 permit a whole
access-list 101 deny host ip 199.201.44.197 all
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access list 101 ip allow any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
sheep allowed 10 route map
corresponds to the IP 115
!
Line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXX
line to 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXX
!
NTP-period clock 17208655
source NTP Ethernet0/0
peer NTP access-Group 5
NTP 7 use only group-access
NTP master 3
NTP 192.5.41.41 Server
NTP 192.5.41.40 Server
!
end
----------
Config looks OK, you should be able to get for each internal host EXCEPT 192.168.1.1 with this configuration. If you do a ' sho cry ipsec his 'you see Pkts Decaps increment, indicating that you see the traffic of the remote client? " Do you not see Pkts Encaps increment, indicating that you send a response réécrirait the client to the internal host.
For what is 192.168.1.1, because you have this:
> ip nat inside source 192.168.1.1 static 199.201.44.197
It substitutes for this:
> ip nat inside source map route sheep interface Ethernet0/0 overload
for this host traffic only and therefore back for just this host is always NAT would have even if you don't want it to be. To work around to send traffic to this host through an interface of closure with no NAT enabled on it, that it is NAT would have stops and allows you to connect via VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically, we must add this:
loopback interface 0
IP 1.1.1.1 255.255.255.0
interface ethernet0/1
Static IP policy route map
permissible static route map 10
match address 120
set ip next-hop 1.1.1.2
access-list 120 allow host ip 192.168.1.1 192.168.2.0 0.0.0.255
-
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.
I created the VPN with crypto card and the VPN is successfully registered.
The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.
If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.
What should I do differently?
Here is the config:
Feature: 2911 with security package
Local network: 10.10.104.0/24
Remote network: 192.168.1.0/24
Public beach: 65.49.46.68/28
crypto ISAKMP policy 104
BA 3des
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto key REDACTED address 75.76.102.50
Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha
OFFICE 104 ipsec-isakmp crypto map
defined by peer 75.76.102.50
Set transform-set strongsha
match address 104
interface GigabitEthernet0/0
IP 65.49.46.68 255.255.255.240
penetration of the IP stream
NAT outside IP
IP virtual-reassembly
full duplex
Speed 100
standby mode 0 ip 65.49.46.70
0 6 2 sleep timers
standby 0 preempt
card crypto OFFICE WAN redundancy
interface GigabitEthernet0/2.104
encapsulation dot1Q 104
IP 10.10.104.254 255.255.255.0
IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28
overload of IP nat inside source list 99 pool wan_access
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
ISAKMP crypto #sh her
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE
Hello!
Please, make these changes:
extended Internet-NAT IP access list
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 10.10.104.0 allow 0.0.0.255 any
IP nat inside source list Internet-NAT pool access-wan overload
* Please do not remove the old NAT instance until you add that above.
Please hold me.
Thank you!
Sent by Cisco Support technique Android app
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses
Just an example:
N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)
The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)
Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK so went with the old format of NAT configuration
It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
- access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
- the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
- NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
- ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.
Please rate if this was helpful
-Jouni
- Configure the ASA1 with static NAT strategy
-
2 one-Site VPN Cisco 2801 and with crossing NAT
Hi guys,.
I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.
Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?
Here is a model of physics/IP configuration:
LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN
Thank you
Gonçalo
Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern
->-Priv>-Priv>-Internet->-> -
ASA vpn with a public ip address different addresses
Hello world. I can not find someone who can give me an answer 'for sure' of this thing. I want to connect via vpn ASA5505, called 2A and b. inside one we have net 10.0.0.0/24 and 10.0.1.0/24 net b. now, we can have 2 outside for one ip addresses (e.g. 215.18.18.10 and 222.26.12.12) because we have 2 providers to connect to the internet. the asa can follow 2 VPN - with the same cryptomap for the destination inside) so that if a grave he will switch to the other vpn by itself?
This thing can be done with other cisco devices (for example, a 2800 series router?)
Thank you very much
Who are you looking to
1. If the failure of the connection to B then A will use secondary WAN connection to try to raise the tunnel.
I would use the backup ISP for this function.
2. If the connection to A failed then B will try to set up the tunnel with secondary address peer.
You can set several counterparts by using cryptographic cards to provide redundancy
-
concentrator 3000 2 lan lan VPN with NAT
I need to configure a vpn lan-2lan between 2 3030 concentrators (separate companies) on the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they do static NAT on their hub. Is this possible? Or have they NAT s pc before arriving to the hub? Any help much appreciated.
Hello
Concentrator VPN supports the NAT.
HTH
Kind regards
GE.
Maybe you are looking for
-
Hello I am user of Yosemite, 10.10.5 OS and the newcomer in the Apple script, I would like to control the brightness of my screen and create actionable easy gradation (from 0% to 100%). Y at - it a script existing for the keyboard / touch of brightne
-
Satellite L855 makes a noise and hangs expecially in games
Hello. I just bought a SATELLITE L855 - 10 p (http://pt.computers.toshiba-europe.com/innovation/jsp/supportMyProduct.do?service=PT), with last Wednesday ATI graphics card, but my computer came with one problem (which I will try to explain, because al
-
My BR65X900A does not have any bluetooth device I have at home as: cell phones, Ipads, headphones, laptops, etc.
-
I use a Powershot SX50HS. I have already download my photos through CameraWindow DC without any problem. Recently, I tried to transfer pictures through CameraWindowDC and it fails to import whenever I have it try. It will not import any function I ch
-
How to create our own logon screen?
How do we create our own beautifully designed logon screen?