ASA to Juniper VPN with policy NAT

Similar Questions

• L2l VPN with IPSEC NAT

  Hi all!

  I have a question about L2L VPN and NAT.

  Can I set up the VPN tunnel between two ASAs or routers using the NAT translation from within the private IP addresses to a single public IP address outside the interface and then implement interesting crypto with the source of the public IP address and the destination of the remote private network on the other end (also ASA). For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with a public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP address to the remote end, and IP addresses of the remote end can overlap with our end.

  Thank you!

  Hello

  You can definitely set up an IPSec tunnel between two devices in the translation of your subnet in a single public IP address. You just create the translation and as you mentioned define interesting traffic using the public IP address.

  This is exactly what we call political NAT, I don't understand why you say that NAT policy is not an option. Perhapps you misunderstood concept NAT policy or I misunderstood your question.

  For example, assuming that the LAN private at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and that the public IP address that you want to use is 200.200.200.200 your NAT config should look like this:

  access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0

  Global (outside) 6 200.200.200.200

  NAT (inside) 6 access-L199

  Which would be NAT traffic to the public IP address only when the traffic matches the ACL.

  Your ACL crypto should then be something like

  cryptomap list of allowed access host ip 200.200.200.200 192.168.150.0 255.255.255.0

  That would hide your address real and all they see is the public IP address you give them. Note that since the NAT takes place on your side your side will be able to raise the tunnel.

  I hope this helps.

  Raga

• PIX v6.3 Site-to-Site with policy NAT

  Hi guys,.

  I need to set up a site to site with nat because we have overlapping subnet at the other end.

  They need access to both servers on our network with IP static.

  Site A: 192.168.100.0/24

  Site b: 192.168.200.128/25

  The other site has chosen this network for NAT: 10.200.50.0/28

  I need to translate

  192.168.100.10 > 10.200.50.2

  192.168.100.20 > 10.200.50.3

  through the tunnel

  That's what I've done so far, will this work? Any problem that may appear with this config?

  Crypto ACL:

  VPN ip 10.200.50.0 access list allow 255.255.255.240 192.168.200.128 255.255.255.128

  Policy_NAT1 list of allowed access host ip of 192.168.100.10 192.168.200.128 255.255.255.128

  Policy_NAT2 list of allowed access host ip 192.168.100.20 192.168.200.128 255.255.255.128

  NAT (inside) 10 access-list Policy_NAT1 0 0

  NAT (inside) 11 access-list Policy_NAT2 0 0

  overall 10 10.200.50.2 (outside)

  Overall 11 10.200.50.3 (outside)

  Thanks in advance!

  Hello

  Your configuration looks very good.

  Although I guess it's a dynamic configuration policy NAT/PAT.

  Incase you want to configure static policy NAT, you need to change a bit. I mean if you wanted a NAT configuration allowing to form bidirectional connection. Both from your site to the remote site and the remote site to your side. You can always use the same ACL you have configured, but you would use the "static" configurations.

  public static 10.200.50.2 (inside, outside) - Policy_NAT1 access list

  public static 10.200.50.3 (inside, outside) - Policy_NAT2 access list

  Review with the static NAT to politics and the dynamic policy NAT/PAT which would be if these hosts have static NAT configured at the direction of the 'outside' interface while static NAT would cancel both of these configurations.

  If you use the political dynamic NAT and had also a static NAT for the host, then you would have to change from the above static NAT in a policy to override the static NAT.

  And with the foregoing in mind possible existing static NAT and new static NAT of policy might have some problems as a whole. In this case the scheduling of NAT rules would determine if static NAT of the policy has been applied already. If you already had the configured static NAT then it would nullify the political new static NAT:. The solution would be to remove the static NAT and enter it again. This would move the static NAT once the static NAT to policy in the order that they appear on the CLI format configuration and, therefore, static political NAT would work for the specified destination and addresses the static NAT for all other destination addresses.

  Hope I made any sense

  Feel free to ask more if necessary while

  -Jouni

• ASA ASA Site2Site VPN with dynamic NAT in version 8.2

  I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.

  I have some local subnets:

  172.30.1.0/24
  172.30.16.0/24
  172.30.3.0/24
  172.30.12.0/24
  172.30.7.0/24
  172.30.35.0/24

  who will need to access a remote subnet:

  10.31.255.128/25

  and the requirement is to NAT the following text:

  A lot of requirement much NAT.
  172.30.1.0/24 NAT at 192.168.104.0/24
  172.30.16.0/24 NAT at 192.168.105.0/24
  172.30.3.0/24 NAT at 192.168.108.0/24
  172.30.12.0/24 NAT at 192.168.106.0/24
  172.30.7.0/24 NAT at 192.168.107.0/24
  172.30.35.0/24 NAT at 192.168.103.0/24

  When you go to the 10.31.255.128/25 subnet.

  Here's what I think, I need and I'm looking for confirmation and/or messages.

  Config group *.

  object-group, LAN using a NAT-NETWORKS
  192.168.104.0 subnet 255.255.255.0
  192.168.105.0 subnet 255.255.255.0
  192.168.108.0 subnet 255.255.255.0
  192.168.106.0 subnet 255.255.255.0
  192.168.107.0 subnet 255.255.255.0
  192.168.103.0 subnet 255.255.255.0

  Group of objects to REMOTE-network
  subnet 10.31.255.128 255.255.255.128

  ACL for the crypto-card *.

  REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK

  Config NAT

  NAT (inside) 10 172.30.1.0 255.255.255.0
  NAT (inside) 20 172.30.16.0 255.255.255.0
  NAT (inside) 30 172.30.3.0 255.255.255.0
  NAT (inside) 40 172.30.12.0 255.255.255.0
  NAT (inside) 50 172.30.7.0 255.255.255.0
  NAT (inside) 60 172.30.35.0 255.255.255.0

  Global (outside) 10 192.168.104.0 255.255.255.0
  Global (outside) 20 192.168.105.0 255.255.255.0
  Global (outside) 30 192.168.108.0 255.255.255.0
  Global (outside) 40 192.168.106.0 255.255.255.0
  Global (outside) 50 192.168.107.0 255.255.255.0
  Global (outside) 60 192.168.103.0 255.255.255.0

  This sets up the set of transformation which is called in the Crypto map.* *.

  Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac

  This sets up the Crypto map.* *.

  address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
  peer set card crypto outside_map 72 5.5.5.4
  card crypto outside_map 72 set transform-set REMOTE-SET ikev1
  outside_map card crypto 72 the value reverse-road

  Implements IKE *.

  IKEv1 crypto policy 72
  sha hash
  preshared authentication
  Group 2
  lifetime 28800
  3des encryption

  Sets up the Group of tunnel (connection profile) *.

  tunnel-group 5.5.5.4 type ipsec-l2l
  IPSec-attributes tunnel-group 5.5.5.4
  IKEv1 pre-shared-key * TBD *.

  Thank you

  Mike

  With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...

• VPN with static nat for a whole subnet

  Hey there,

  For some reason, I can't do this on the router. Errrr...

  I'm trying to config a static nat (many to one), which will be in effect only when traffic needs to go on our vpn tunnel to the remote location.

  example:

  internal LAN 192.168.0.0

  remote network: 10.10.10.0 and 10.10.15.0

  When traffic passes over the tunnel vpn - at the remote site, I need to translate my internal network (192.168.0.0) to an ip address 172.16.32.65 static

  any ideas?

  also on my crypto map ACL, which must be specified for interesting traffic? my local network or static ip address search?

  Let me know your thoughts on the matter.

  Kind regards

  R.

  NAT you describe is named PAT or overload, at least in terms of Ciscos...

  What you need:

  (1) a NAT - ACL when you describe your traffic which should be natted.

  (2) a nat pool with your 172.16.32.65 address

  (3) a statement-NAT for dynamic NAT inside based on the ACL for the pool

  Here are some examples:

  http://www.Cisco.com/en/us/docs/iOS/ipaddr/configuration/guide/iadnat_addr_consv_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1073436

  Your crypto ACL then referred to the NATted IP as NAT happens before encryption.

• ASA IPP on VPN L2L w/NAT

  I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.

  Any thoughts on where I can go wrong?

  Thank you

  Darren

  You have configured the following:

  crypto set reverse-road map

  If you do, can you remove and Add again and see if that fixes the problem?

• Publish a server with NAT anchored through a tunnel VPN with ASA

  Hi all

  Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do.  I don't know that I'm missing something simple.

  I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation.  Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).

  So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.

  Let's see if I can get this

  IP public 1.1.1.1\

  > External interface of ASA

  2.2.2.2 / private ip

  My config as I know it is pertinant is as follows:

  permit same-security-traffic intra-interface

  list of allowed incoming access extended ip any host 168.215.x.x

  Access-group interface incoming outside

  public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255

  I am running version 8.2.5 of the image of the SAA.

  If you could take a look and let me know what Miss me you please.

  Thank you

  Hello

  The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.

  So I wonder if another type of NAT configuration would actually work.

  I would call it static political identity NAT if such a name exists yet.

  Something like that

  Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic

  allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a

  public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT

  This should basically do what

  • When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
  • If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
  • Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
  • Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.

  Hope this helps

  Be sure to mark it as answered in the affirmative. And/or useful response rate.

  Ask more if necessary.

  EDIT: typos

  -Jouni

• Remote access VPN with ASA 5510 by using the DHCP server

  Hello

  Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

  I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

  !

  ASA Version 8.2 (5)

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 10.6.0.12 255.255.254.0

  !

  IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

  !

  Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto-map dynamic dyn1 1jeu transform-set FirstSet

  dynamic mymap 1 dyn1 ipsec-isakmp crypto map

  mymap map crypto inside interface

  crypto ISAKMP allow inside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 43200

  !

  VPN-addr-assign aaa

  VPN-addr-assign dhcp

  !

  internal group testgroup strategy

  testgroup group policy attributes

  DHCP-network-scope 10.6.192.1

  enable IPSec-udp

  IPSec-udp-port 10000

  !

  username testlay password * encrypted

  !

  tunnel-group testgroup type remote access

  tunnel-group testgroup General attributes

  strategy-group-by default testgroup

  DHCP-server 10.6.20.3

  testgroup group tunnel ipsec-attributes

  pre-shared key *.

  !

  I got following output when I test connect to the ASA with Cisco VPN client 5.0

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

  4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

  Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

  [OK]

  KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

  Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

  Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

  Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

  Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

  Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

  Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

  Kind regards

  Lay

  For the RADIUS, you need a definition of server-aaa:

  Protocol AAA - NPS RADIUS server RADIUS

  AAA-server RADIUS NPS (inside) host 10.10.18.12

  key *.

  authentication port 1812

  accounting-port 1813

  and tell your tunnel-group for this server:

  General-attributes of VPN Tunnel-group

  Group-NPS LOCAL RADIUS authentication server

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Can the NAT of ASA configuration for vpn local pool

  We have a group of tunnel remote ipsec, clients address pool use 172.18.33.0/24 which setup from command "ip local pool. The remote cliens must use full ipsec tunnel.

  Because of IP overlap or route number, we would like to NAT this local basin of 172.18.33.0 to 192.168.3.0 subnet when vpn users access certain servers or subnet via external interface of the ASA.  I have nat mapping address command from an interface to another interface of Armi. The pool local vpn is not behind any physical interface of the ASA. My question is can ASA policy NAT configuration for vpn local pool.  If so, how to set up this NAT.

  Thank you

  Haiying

  Elijah,

  NAT_VPNClients ip 172.18.33.0 access list allow 255.255.255.0 10.1.1.0 255.255.255.0

  public static 192.168.33.0 (external, outside) - NAT_VPNClients access list

  The above configuration will be NAT 172.18.33.0/24 to 192.168.33.0/24 when you go to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your subnet of servers).

  To allow the ASA to redirect rewritten traffic the same interface in which he receive, you must also order:

  permit same-security-traffic intra-interface

  Federico.

• IOS VPN with NAT need help with ACL?

  What I forget? I have tried other positions, studied bugs known with 12.2 (13) T1, etc. workaround solutions, but perhaps my other choice of configuration interfere with my VPN configuration.

  I can connect, authenticate locally, very well. Stats of Cisco VPN client 3.6.3 show I'm Encrypting traffic on the protected networks, but I can not all traffic through internal hosts once I've connected.

  I removed security tags and replaced all the public IP addresses to fake in hope that someone can point me to what is obvious!

  Thank you very much.

  ----------

  Current configuration: 5508 bytes

  !

  ! 22:24:38 PST configuration was last modified Thursday February 20, 2003 by kevin

  !

  version 12.2

  horodateurs service debug uptime

  Log service timestamps uptime

  encryption password service

  !

  AAA new-model

  !

  AAA authentication login userauthen local

  AAA authorization groupauthor LAN

  AAA - the id of the joint session

  IP subnet zero

  !

  IP domain name mondomaine.fr

  name of the IP-server 199.13.28.12

  name of the IP-server 199.13.29.12

  !

  IP inspect the audit trail

  IP inspect high 1100 max-incomplete

  IP inspect a high minute 1100

  inspect the tcp IP Ethernet_0_1 name

  inspect the IP udp Ethernet_0_1 name

  inspect the IP name Ethernet_0_1 cuseeme

  inspect the IP name Ethernet_0_1 ftp

  inspect the IP h323 Ethernet_0_1 name

  inspect the IP rcmd Ethernet_0_1 name

  inspect the IP name Ethernet_0_1 realaudio

  inspect the IP name smtp Ethernet_0_1

  inspect the name Ethernet_0_1 streamworks IP

  inspect the name Ethernet_0_1 vdolive IP

  inspect the IP name Ethernet_0_1 sqlnet

  inspect the name Ethernet_0_1 tftp IP

  inspect the IP name Ethernet_0_1 http java-list 99

  inspect the name Ethernet_0_1 rtsp IP

  inspect the IP name Ethernet_0_1 netshow

  inspect the tcp IP Ethernet_0_0 name

  inspect the IP name Ethernet_0_0 ftp

  inspect the IP udp Ethernet_0_0 name

  audit of IP notify Journal

  Max-events of po verification IP 100

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto nat keepalive 20

  !

  ISAKMP crypto client configuration group vpngroup

  xxxxxxxxx key

  DNS 199.13.28.12 199.13.29.12

  domain mydomain.com

  pool vpnpool

  ACL 110

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  !

  !

  map clientmap client to authenticate crypto list userauthen

  card crypto clientmap isakmp authorization list groupauthor

  client configuration address map clientmap crypto answer

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  !

  MTA receive maximum-recipients 0

  !

  !

  interface Ethernet0/0

  Description connected to the Internet

  IP 199.201.44.198 255.255.255.248

  IP access-group 101 in

  NAT outside IP

  inspect the IP Ethernet_0_0 in

  no ip route cache

  no ip mroute-cache

  Half duplex

  clientmap card crypto

  !

  interface Serial0/0

  no ip address

  Shutdown

  !

  interface Ethernet0/1

  Connected to the private description

  IP 192.168.1.254 255.255.255.0

  IP access-group 100 to

  IP nat inside

  inspect the IP Ethernet_0_1 in

  Half duplex

  !

  IP local pool vpnpool 192.168.2.201 192.168.2.210

  period of translation nat IP 119

  !!

  !! -removed the following line for VPN configuration

  !! IP nat inside source list 1 interface Ethernet0/0 overload

  !! -replaced by the next line...

  IP nat inside source map route sheep interface Ethernet0/0 overload

  IP nat inside source 192.168.1.1 static 199.201.44.197

  IP classless

  IP route 0.0.0.0 0.0.0.0 199.201.44.193 permanent

  IP http server

  7 class IP http access

  local IP http authentication

  !

  access-list 1 permit 192.168.1.0 0.0.0.255

  access-list 5 permit 192.5.41.40

  access-list 5 permit 192.5.41.41

  access-list 5 refuse any

  access-list 7 permit 192.168.1.0 0.0.0.255

  access-list 7 refuse any

  access-list 99 refuse any

  access-list 100 permit udp any eq rip all rip eq

  access-list 100 permit tcp 192.168.1.1 host any eq www

  access-list 100 permit ip 192.168.1.1 host everything

  access list 100 permit tcp host 192.168.1.2 any eq www

  access-list 100 permit ip 192.168.1.2 host everything

  access-list 100 deny ip 192.168.1.253 host everything

  access ip-list 100 permit a whole

  access-list 101 deny host ip 199.201.44.197 all

  access-list 101 permit tcp any host 199.201.44.197 eq 22

  access-list 101 permit tcp any host 199.201.44.197 eq www

  access-list 101 permit tcp any host 199.201.44.197 eq 115

  access-list 101 permit icmp any host 199.201.44.197

  access list 101 ip allow any host 199.201.44.198

  access-list 101 permit tcp any host 199.201.44.197 eq 8000

  access-list 101 permit tcp any host 199.201.44.197 eq 8080

  access-list 101 permit tcp any host 199.201.44.197 eq 9090

  access-list 101 permit udp any host 199.201.44.197 eq 7070

  access-list 101 permit udp any host 199.201.44.197 eq 554

  access-list 110 permit ip 192.168.1.0 0.0.0.255 any

  access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

  access-list 115 permit ip 192.168.1.0 0.0.0.255 any

  !

  sheep allowed 10 route map

  corresponds to the IP 115

  !

  Line con 0

  exec-timeout 0 0

  password 7 XXXXXXXXXXXXXXX

  line to 0

  line vty 0 4

  password 7 XXXXXXXXXXXXXXXX

  !

  NTP-period clock 17208655

  source NTP Ethernet0/0

  peer NTP access-Group 5

  NTP 7 use only group-access

  NTP master 3

  NTP 192.5.41.41 Server

  NTP 192.5.41.40 Server

  !

  end

  ----------

  Config looks OK, you should be able to get for each internal host EXCEPT 192.168.1.1 with this configuration. If you do a ' sho cry ipsec his 'you see Pkts Decaps increment, indicating that you see the traffic of the remote client? " Do you not see Pkts Encaps increment, indicating that you send a response réécrirait the client to the internal host.

  For what is 192.168.1.1, because you have this:

  > ip nat inside source 192.168.1.1 static 199.201.44.197

  It substitutes for this:

  > ip nat inside source map route sheep interface Ethernet0/0 overload

  for this host traffic only and therefore back for just this host is always NAT would have even if you don't want it to be. To work around to send traffic to this host through an interface of closure with no NAT enabled on it, that it is NAT would have stops and allows you to connect via VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically, we must add this:

  loopback interface 0

  IP 1.1.1.1 255.255.255.0

  interface ethernet0/1

  Static IP policy route map

  permissible static route map 10

  match address 120

  set ip next-hop 1.1.1.2

  access-list 120 allow host ip 192.168.1.1 192.168.2.0 0.0.0.255

• VPN with NAT Interface

  Hello

  I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.

  I created the VPN with crypto card and the VPN is successfully registered.

  The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.

  If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.

  What should I do differently?

  Here is the config:

  Feature: 2911 with security package

  Local network: 10.10.104.0/24

  Remote network: 192.168.1.0/24

  Public beach: 65.49.46.68/28

  crypto ISAKMP policy 104

  BA 3des

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key REDACTED address 75.76.102.50

  Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha

  OFFICE 104 ipsec-isakmp crypto map

  defined by peer 75.76.102.50

  Set transform-set strongsha

  match address 104

  interface GigabitEthernet0/0

  IP 65.49.46.68 255.255.255.240

  penetration of the IP stream

  NAT outside IP

  IP virtual-reassembly

  full duplex

  Speed 100

  standby mode 0 ip 65.49.46.70

  0 6 2 sleep timers

  standby 0 preempt

  card crypto OFFICE WAN redundancy

  interface GigabitEthernet0/2.104

  encapsulation dot1Q 104

  IP 10.10.104.254 255.255.255.0

  IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28

  overload of IP nat inside source list 99 pool wan_access

  access-list 99 permit 10.10.104.0 0.0.0.255

  access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

  access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

  ISAKMP crypto #sh her

  IPv4 Crypto ISAKMP Security Association

  DST CBC conn-State id

  65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE

  Hello!

  Please, make these changes:

  extended Internet-NAT IP access list

  deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

  IP 10.10.104.0 allow 0.0.0.255 any

  IP nat inside source list Internet-NAT pool access-wan overload

  * Please do not remove the old NAT instance until you add that above.

  Please hold me.

  Thank you!

  Sent by Cisco Support technique Android app

• Cisco ASA Site to Site VPN IPSEC and NAT question

  Hi people,

  I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

  ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

  Just an example:

  N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

  The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

  It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

  Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

  Grateful if someone can shed some light on this subject.

  Hello

  OK so went with the old format of NAT configuration

  It seems to me that you could do the following:

  • Configure the ASA1 with static NAT strategy
    • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
  • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
  • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
  • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
    • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
    • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
    • NAT (inside) 0-list of access to the INTERIOR-SHEEP
  • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
    • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

  I could test this configuration to work tomorrow but I would like to know if it works.

  Please rate if this was helpful

  -Jouni

• 2 one-Site VPN Cisco 2801 and with crossing NAT

  Hi guys,.

  I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

  Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

  Here is a model of physics/IP configuration:

  LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

  Thank you

  Gonçalo

  Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

• ASA vpn with a public ip address different addresses

  Hello world. I can not find someone who can give me an answer 'for sure' of this thing. I want to connect via vpn ASA5505, called 2A and b. inside one we have net 10.0.0.0/24 and 10.0.1.0/24 net b. now, we can have 2 outside for one ip addresses (e.g. 215.18.18.10 and 222.26.12.12) because we have 2 providers to connect to the internet. the asa can follow 2 VPN - with the same cryptomap for the destination inside) so that if a grave he will switch to the other vpn by itself?

  This thing can be done with other cisco devices (for example, a 2800 series router?)

  Thank you very much

  Who are you looking to

  1. If the failure of the connection to B then A will use secondary WAN connection to try to raise the tunnel.

  I would use the backup ISP for this function.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  2. If the connection to A failed then B will try to set up the tunnel with secondary address peer.

  You can set several counterparts by using cryptographic cards to provide redundancy

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a0080450b73.html#wp1042941

• concentrator 3000 2 lan lan VPN with NAT

  I need to configure a vpn lan-2lan between 2 3030 concentrators (separate companies) on the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they do static NAT on their hub. Is this possible? Or have they NAT s pc before arriving to the hub? Any help much appreciated.

  Hello

  Concentrator VPN supports the NAT.

  http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

  HTH

  Kind regards

  GE.