ASA VPN Site to Site (WITH the NAT) ICMP problem

Hi all!

I need to PAT traffic from 192.168.1.0/24 (arriving via the VPN) so that it can reach the remote 151.1.1.0/24 network through the 192.168.123.9 router in the DMZ (see diagram).

It works with this configuration, with the exception of ICMP.

This is the error: Deny icmp src dmz:151.1.1.1 dst foreign entrants: 192.168.123.229 (type 0, code 0)

Is there a way to do this?

Thank you all!

Marco

------------------------------------------------------------------------------------

ASA Version 8.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 remote-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.199 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 0
 ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
 network-object 151.1.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 5 192.168.123.229
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.200.0 255.255.255.0
nat (outside) 5 access-list VPN_NAT outside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http remote-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
------------------------------------------------------------------------------------

Review the link; you have two ways to allow outgoing ICMP: a correct ACL or ICMP inspection.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Tags: Cisco Security
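
The reply names two mechanisms for letting ICMP replies back through the ASA: an interface ACL or ICMP inspection. The following Python check is an added example, not part of the original thread; it reports which of the two a configuration has, using a constructed excerpt in native ASA 8.2 syntax modelled on the posted config (the function names are hypothetical).

```python
import re

# Constructed excerpt in native ASA 8.2 syntax, modelled on the config posted above.
SAMPLE_CONFIG = """\
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
service-policy global_policy global
"""


def inspected_protocols(config):
    """Protocols inspected by policy-maps that a service-policy actually applies."""
    applied = set(re.findall(r"^service-policy\s+(\S+)\s", config, re.M))
    current, found = None, set()
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: either opens a layer 3/4 policy-map or ends one.
            # "policy-map type inspect ..." maps only hold inspection parameters.
            m = re.match(r"policy-map\s+(?!type\s)(\S+)", line)
            current = m.group(1) if m else None
        elif current in applied:
            m = re.match(r"\s+inspect\s+(\S+)", line)
            if m:
                found.add(m.group(1))
    return found


def inbound_acl_permits_icmp(config):
    """Map each interface to whether its inbound ACL has a permit icmp/ip entry."""
    result = {}
    for acl, iface in re.findall(
            r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", config, re.M):
        entry = (rf"^access-list\s+{re.escape(acl)}\s+(?:extended\s+)?"
                 r"permit\s+(?:icmp|ip)\s")
        result[iface] = bool(re.search(entry, config, re.M))
    return result


def icmp_reply_paths(config, reply_iface):
    """Report which of the two mechanisms is configured for replies arriving on reply_iface."""
    return {
        "inspect_icmp": "icmp" in inspected_protocols(config),
        "acl_permits_icmp": inbound_acl_permits_icmp(config).get(reply_iface, False),
    }


if __name__ == "__main__":
    print(icmp_reply_paths(SAMPLE_CONFIG, "dmz"))
    with_inspection = SAMPLE_CONFIG.replace(
        "  inspect sip\n", "  inspect sip\n  inspect icmp\n")
    print(icmp_reply_paths(with_inspection, "dmz"))
```

For the excerpt, the dmz ACL entry is present while `inspect icmp` is absent from the applied policy-map.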

Similar Questions

  • ASA, VPN Site-to-Site

    Hello

    I would like to set up a site-to-site VPN using an ASA 5520, and I have some questions if you don't mind:

    Site A:

    Peer IP address: aaa.aaa.aaa.aaa/32

    Local network: bbb.bbb.bbb.bbb/32

    Site B:

    Peer IP address: xxx.xxx.xxx.xxx/32

    Local network: yyy.yyy.yyy.yyy/32

    In the site-to-site VPN wizard (site B), the peer should be site A, the local network must be site B, and the remote network must be site A, right?

    The IP address of the local network should not be used by other devices, right? Can I use a single IP address instead of a network range for the local and remote networks? The client on site gave me a single IP address.

    Can I allow site A to reach only a single IP address on my site B, allowing only ports 80 and 443? Please can you give me an example; I prefer ASDM.

    Thank you and waiting for your help.

    Hello

    I can only really give an example of this using the CLI (or rather, I would do so, as I almost never use ASDM).

    Do you already have any existing L2L / site-to-site VPN connections on the ASA?

    Could you share your current configuration (remove all sensitive information) so we can take into account any existing configurations you have?

    Have you agreed on the phase 1 and phase 2 settings for the L2L VPN with the other site's technical contact who will set up their side of the L2L VPN?

    -Jouni

  • Cisco ASA VPN Site to Site WITH NAT inside

    Hello!

    I have 2 ASA 5505s connected by an IPsec site-to-site VPN tunnel.

    There is a 'remote' inside network 192.168.1.0/24 and a 'local' inside network 192.168.200.0/24 (you can see the diagram).

    The local hosts have 192.168.200.254 as their default gateway.

    I can't add a static route on all hosts and I can't add a static route on 192.168.200.254.

    Can I NAT the incoming VPN traffic to 192.168.200.1 or a free 192.168.200.x address so that my hosts connect correctly?

    Otherwise my host sends its packets out to the default gateway.

    Thank you for your support

    Best regards

    Marco

    The configuration must be applied on the ASA that has the 192.168.200.0 subnet on its inside; it should be something like this:

    access-list VPN_NAT permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    nat (outside) X access-list VPN_NAT outside
    global (inside) X Y.Y.Y.Y    (where Y.Y.Y.Y is the IP address)

    If you have other traffic through the VPN tunnel that requires no NAT, then you must add outside NAT exemption rules, since the lines above force all traffic through the ASA to have a NAT statement.

    See if it works for you; otherwise post your NAT config here.

  • VPN site to Site with the IP address range internal Natting?

    This is our real internal LAN address: 10.40.120.0/26 (internal range), and I want to translate it to

    Translated address: 10.254.9.64 255.255.255.192 (internal)

    Our remote site's local address is: 10.254.5.64 255.255.255.192 (remote internal IP address range)

    Based on the above parameters I did this configuration:

    access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
    access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
    static (inside,outside) 10.254.9.64 access-list policy-nat

    I have all the required phase 1 and phase 2 parameters and added the peer's public IP.

    I have set up VPNs using ASDM before, but this scenario is new for me; I was wondering whether there is anything else I need to configure to set up the VPN properly.

    If you see TX increasing but not RX, that means traffic is being sent to the remote end but there is no response.

    I suggest that you check with the remote end of the VPN to see where the problem is. It is very probably on the remote side.

  • Cisco Asa vpn site-to-site with nat

    Hi all

    I need help.
    I want to set up a site-to-site VPN with NAT.
    Site A = 10.0.0.0/24
    Site B = 10.1.252.0/24

    I want site A, when it goes to site B, to be seen as IP 172.26.0.0/24.

    Here is my configuration:

    access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key!
     isakmp keepalive threshold 10 retry 2

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 2 match address inside_nat_outbound
    crypto map outside_map 2 set pfs group5
    crypto map outside_map 2 set peer x.x.x.x
    crypto map outside_map 2 set transform-set ESP-AES-256-SHA

    nat (inside) 10 access-list inside_nat_outbound
    global (outside) 10 172.26.0.1-172.26.0.254

    but it does not work.

    Can you help me?

    Regards

    Frédéric

    You must ensure that there is no NAT 0 ACL statement, because it will take precedence over the static NAT.

    You don't need:

    global (outside) 10 172.26.0.1-172.26.0.254
    nat (inside) 10 access-list nattoyr

    Because it will be replaced by the static NAT.

    In short, this is enough:

    access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
    access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
    static (inside,outside) 172.26.0.0 access-list nattoyr
    crypto map outside_map 2 match address vpntoyr
    crypto map outside_map 2 set pfs group5
    crypto map outside_map 2 set peer "public ip"
    crypto map outside_map 2 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    tunnel-group "public ip" type ipsec-l2l
    tunnel-group "public ip" ipsec-attributes
     pre-shared-key *

    Make sure that there is no NAT 0 ACL including the above statements, and check whether NAT is happening (sh xlate) and the traffic is being encrypted (sh cry ips sa).

    Federico.

  • Cisco ASA vpn site to site with access internet, error

    Hello

    I have two offices, central and remote, with external IP addresses. They are connected by a site-to-site VPN. The LAN works fine when NAT is disabled, but then there is no internet access; when I enable NAT, the internet works well, but then there is no access to the local network.
    Where would the problem be?

    Here is the config:

    ASA Version 8.4(4)1
    !
    hostname SalSK-ASA
    domain-name ld.lt
    enable password xxx encrypted
    passwd xxx encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 81.X.X.X 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.204.254 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    clock timezone EET 2
    dns server-group DefaultDNS
     domain-name lietuvosdujos.lt
    object network LAN
     subnet 192.168.204.0 255.255.255.0
     description Local Area Network
    object network LD_Lanai
     subnet 192.168.0.0 255.255.0.0
     description LD lanai
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
    access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
    access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
    access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
    access-list outside_cryptomap_1 extended permit ip object LAN any
    access-list outside extended permit ip any any
    pager lines 24
    logging enable
    logging list VPN_events level informational class auth
    logging list VPN_events level informational class vpdn
    logging list VPN_events level informational class vpn
    logging list VPN_events level informational class vpnc
    logging list VPN_events_ID message 713120
    logging list VPN_events_ID message 713167
    logging list VPN_events_ID message 602303
    logging list VPN_events_ID message 713228
    logging list VPN_events_ID message 113012
    logging list VPN_events_ID message 113015
    logging list VPN_events_ID message 713184
    logging list VPN_events_ID message 713119
    logging list VPN_events_ID message 602304
    logging monitor debugging
    logging buffered debugging
    logging trap VPN_events_ID
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic LAN interface inactive
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ISE protocol radius
    aaa-server ISE (inside) host 192.168.200.48
     key *****
    user-identity default-domain LOCAL
    aaa authentication enable console ISE LOCAL
    aaa authentication http console ISE LOCAL
    aaa authentication serial console ISE LOCAL
    aaa authentication ssh console ISE LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer 213.X.X.X
    crypto map outside_map 1 set ikev1 transform-set tripledes
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.201.200 source inside prefer
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy SalGP internal
    group-policy SalGP attributes
     vpn-filter value vpn
     vpn-tunnel-protocol ikev1 l2tp-ipsec
    username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
    tunnel-group 213.X.X.X type ipsec-l2l
    tunnel-group 213.X.X.X general-attributes
     default-group-policy SalGP
    tunnel-group 213.X.X.X ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp
     class class-default
      user-statistics accounting
    !
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
    : end

    Two things here, depending on your needs.

    First, you are encrypting all traffic from the 192.168.204.0/24 network... do you intend to send all traffic from that subnet over the VPN? If this isn't the case, specify the remote subnet in the crypto ACL instead of using any.

    object network LAN
     subnet 192.168.204.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip object LAN any

    Second, you do not have a NAT exemption statement to keep the encrypted traffic from being translated. This statement would look like the following:

    object network LAN
     subnet 192.168.204.0 255.255.255.0

    object network REMOTE-LAN
     subnet 192.168.100.0 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

    --

    Please do not forget to select a correct answer and rate.
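
    The two points of the reply above (a crypto ACL with destination any, and no NAT exemption ahead of the dynamic NAT) can be checked mechanically. The following Python check is an added example, not part of the original thread; the configs are constructed excerpts of the posted 8.4 configuration with the dynamic NAT rule active, REMOTE-LAN is the reply's example object, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the posted 8.4 config, with the dynamic NAT rule active.
BROKEN = """\
object network LAN
 subnet 192.168.204.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object LAN any
nat (inside,outside) source dynamic LAN interface
crypto map outside_map 1 match address outside_cryptomap_1
"""

# The same excerpt after applying both points of the reply.
FIXED = """\
object network LAN
 subnet 192.168.204.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.100.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object LAN object REMOTE-LAN
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
nat (inside,outside) source dynamic LAN interface
crypto map outside_map 1 match address outside_cryptomap_1
"""

NAT_RULE = re.compile(
    r"^nat \(\S+,\S+\) source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(.*)$", re.M)


def take_address(tokens):
    """Consume one ACL address spec: 'any'/'any4', or a two-token form
    (object NAME, object-group NAME, host ADDR, ADDR MASK)."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return "any"
    return f"{head} {tokens.pop(0)}"


def crypto_acl_findings(config):
    """Flag crypto ACL entries whose destination is 'any'."""
    findings = []
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M):
        entries = re.findall(
            rf"^access-list {re.escape(acl)} extended permit ip (.+)$", config, re.M)
        for entry in entries:
            tokens = entry.split()
            src, dst = take_address(tokens), take_address(tokens)
            if dst == "any":
                findings.append(f"{acl}: all traffic from '{src}' is sent into the tunnel")
    return findings


def nat_findings(config):
    """Flag an active dynamic NAT rule reached before any identity (exemption)
    rule; manual NAT rules are evaluated in order, first match wins."""
    exemption_seen = False
    for m in NAT_RULE.finditer(config):
        kind, real, mapped, dst_real, dst_mapped, tail = m.groups()
        if "inactive" in tail.split():
            continue  # disabled rules do not translate anything
        if kind == "static" and real == mapped and dst_real and dst_real == dst_mapped:
            exemption_seen = True
        elif kind == "dynamic" and not exemption_seen:
            return [f"dynamic NAT of '{real}' precedes any NAT exemption for VPN traffic"]
    return []


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, crypto_acl_findings(cfg) + nat_findings(cfg))
```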

  • VPN site to Site with the possibility to dial Back-Up

    Hello

    Our network currently uses a lot of Frame-Relay links; for these connections, we use the Cisco 1720 with dial backup on an analog line in case the Frame-Relay fails.

    I am looking for a way to use site-to-site VPN connections and still have the ability to dial as a backup if the ISP fails. We currently have a Cisco PIX 515E that would host the connections; what would be my best option on the management office side? PIX firewalls, or Cisco 1720s with VPN modules, perhaps a combination of the two? Which would be more secure?

    Thank you in advance for any help you provide.

    Mauro

    Mauro,

    Do you want to replace FR with VPN links and then back up the VPN with ISDN, or keep the FR, falling back to VPN, then falling back to ISDN?

    Either way, the way to go is to use a dynamic routing protocol on the FR and the VPN, so that when a link fails IP routing reconverges. This way you can still trigger the ISDN with a floating static route.

    Run EIGRP (or any other dynamic routing protocol) over the VPN through a GRE tunnel, to allow the multicast neighbor traffic.

  • ASA ASA VPN Site to Site

    I have an ASA 5510 running 9.1(2) and an ASA 5505 running 9.1(2).

    The 5510 is located in the main office and the 5505 is located at a remote facility.  I want to create a tunnel that will allow the main office to access the remote facility's subnets while allowing devices at the remote facility to access devices at the main office.  Example below.

    5510

    10.2.0.0/16

    /\

    ||

    \/

    5505

    172.16.0.0/16

    10.166.0.0/16

    Currently, I have one of the interfaces on the 5510 configured as a VLAN for our wifi.  Another interface is configured for our backup ISP.  The setup works fantastically.  I ran the site-to-site VPN wizard according to this video, "https://supportforums.cisco.com/videos/5933", but I'm confused by a couple of parameters.

    Enable NAT exempt?  Do I do this on both devices or just one, and if so which?

    Do I need to configure static routes to access these different subnets?

    There is a router involved, but it is for the ISP.  It forwards all packets destined for the remote facility's 2 subnets to the 5510.  Thus, packets do get sent but seem to die once they hit the 5510.

    Hello

    Okay, so here are the changes you should need.

    What we are essentially doing on both units is removing some configurations which are not necessary or are wrong.

    The ASA could give some notifications when deleting a "crypto map" command, but you need not worry about this. It is probably complaining about an incomplete "crypto map" entry or something along those lines.

    It seems to me that the L2L VPN ACL is wrong on both units, and also the NAT. The ASA5510 also seems to have a duplicate configuration for the same L2L VPN, which I suggest removing below.

    ASA5510

    LOCAL: 10.2.0.0/16

    REMOTE: 10.166.0.0/16

    DELETE CONFIGURATIONS

    no crypto map tw_map 3 match address tw_cryptomap_1
    no crypto map tw_map 3 set peer 69.x.x.x
    no crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    no crypto map tw_map 3 set ikev2 ipsec-proposal AES AES192 AES256 3DES
    no crypto map tw_map 1 match address tw_cryptomap
    no access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4
    no access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4
    no nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup

    ADD CONFIGURATIONS

    ------------------

    access-list L2LVPN-ACL remark L2L VPN encryption domain
    access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0

    crypto map tw_map 1 match address L2LVPN-ACL

    object network LAN
     subnet 10.2.0.0 255.255.0.0

    object network REMOTE-LAN
     subnet 10.166.0.0 255.255.0.0

    nat (private,tw) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

    ASA5505

    LOCAL: 10.166.0.0/16

    REMOTE: 10.2.0.0/16

    DELETE CONFIGURATIONS

    no crypto map outside_map 1 match address outside_cryptomap
    no access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
    no nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup

    ADD CONFIGURATIONS

    access-list L2LVPN-ACL remark L2L VPN encryption domain
    access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0

    crypto map outside_map 1 match address L2LVPN-ACL

    object network LAN
     subnet 10.166.0.0 255.255.0.0

    object network REMOTE-LAN
     subnet 10.2.0.0 255.255.0.0

    nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

    Let me know if it works for you. Hope this helps.

    Remember to mark a reply as the answer if it answered your question.

    If there are still problems after these configurations, then let's look at the situation again.

    -Jouni

  • Site to Site with the subnets overlap

    Hi all

    Looking for confirmation on what is / is not possible. In short, we have a site-to-site requirement but our local LAN ranges conflict. I am aware of how to get this up and running using a pool of IP addresses that a basic ASA/IOS device can NAT behind, but I wonder if it is possible to NAT behind a single IP address. NAT is also in place for general internet traffic, but I hope the attached image best describes our scenario.

    Any help / advice appreciated.

    Kind regards

    Martyn

    Hello

    You will need to do NAT on both ends to get the setup to work.

    With these types of configurations, I most often just NAT one /24 network to another /24 network on both sites.

    You can configure one of the sites to use a PAT address towards the other end, but the other end must then be covered by some sort of static NAT, between single hosts or equal /24 networks.

    If you were to configure both sites with a PAT translation, you couldn't really initiate connections between the sites, because no real host on the 192.168.1.0/24 networks would have its own specific NAT IP to connect to.

    So in short

    • Both sites need a NAT network
    • Use 1:1 static NAT between host addresses or complete networks on both sites
      • Both sites can initiate connections to any host at the remote end, since every single host has its own statically assigned NAT IP address
    • Use PAT for one site and 1:1 static NAT with host addresses or complete networks on the other site
      • The site with the single PAT IP address can connect to all hosts at the remote site, since they have statically assigned NAT IP addresses.
      • The other site is not able to connect to any host at its remote site, since that remote site has only a PAT address facing its way.

    If you had 2 ASAs with 8.2 or older software, your static NAT configurations could be e.g.

    Basic information

    • Site1: 192.168.1.0/24
    • Site1 NAT: 10.10.1.0/24
    • Site2: 192.168.1.0/24
    • Site2 NAT: 10.10.2.0/24

    Site1 static policy NAT configuration

    access-list L2L-VPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0
    static (inside,outside) 10.10.1.0 access-list L2L-VPN-POLICYNAT

    Site2 static policy NAT configuration

    access-list L2L-VPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
    static (inside,outside) 10.10.2.0 access-list L2L-VPN-POLICYNAT

    PAT configuration at either end

    access-list L2L-VPN-POLICYPAT permit ip 192.168.1.0 255.255.255.0 10.10.x.0 255.255.255.0
    global (outside) xxx 10.10.x.1
    nat (inside) xxx access-list L2L-VPN-POLICYPAT

    If you had 2 ASAs with 8.3 or newer software, your static NAT configurations could be for example (same basic information)

    Site1 static policy NAT configuration

    object network LAN
     subnet 192.168.1.0 255.255.255.0

    object network LAN-NAT
     subnet 10.10.1.0 255.255.255.0

    object network REMOTE
     subnet 10.10.2.0 255.255.255.0

    nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE

    Site2 static policy NAT configuration

    object network LAN
     subnet 192.168.1.0 255.255.255.0

    object network LAN-NAT
     subnet 10.10.2.0 255.255.255.0

    object network REMOTE
     subnet 10.10.1.0 255.255.255.0

    nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE

    PAT configuration at either end

    object network LAN
     subnet 192.168.1.0 255.255.255.0

    object network LAN-PAT
     host 10.10.x.1

    object network REMOTE
     subnet 10.10.x.0 255.255.255.0

    nat (inside,outside) 1 source dynamic LAN LAN-PAT destination static REMOTE REMOTE

    -Jouni
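
    The reachability rules in the reply above (1:1 static NAT lets either site initiate; PAT on one side makes that side initiate-only) can be traced address by address. The following Python model is an added example, not part of the original thread; it uses the reply's networks, takes 10.10.1.1 as a constructed value for the reply's 10.10.x.1 PAT address, and its class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

REAL = IPv4Network("192.168.1.0/24")  # both sites use this range, as in the reply


@dataclass(frozen=True)
class Site:
    name: str
    real: IPv4Network
    static_net: Optional[IPv4Network] = None  # 1:1 static policy NAT range
    pat_addr: Optional[IPv4Address] = None    # single PAT address instead

    def translate_out(self, host):
        """Source address the peer sees for a local host entering the tunnel."""
        if self.static_net is None:
            return self.pat_addr  # every host hides behind one address
        offset = int(host) - int(self.real.network_address)
        return self.static_net.network_address + offset

    def translate_in(self, mapped):
        """Real host for a new connection to a mapped address; None when only
        PAT exists, because PAT has no fixed host behind its address."""
        if self.static_net is None or mapped not in self.static_net:
            return None
        offset = int(mapped) - int(self.static_net.network_address)
        return self.real.network_address + offset


def trace(src_site, src_host, dst_site, dst_mapped):
    """Follow one new connection and return
    (source seen in the tunnel, destination in the tunnel, real host reached)."""
    src_host, dst_mapped = IPv4Address(src_host), IPv4Address(dst_mapped)
    if src_host not in src_site.real:
        raise ValueError(f"{src_host} is not a {src_site.name} host")
    return (src_site.translate_out(src_host), dst_mapped,
            dst_site.translate_in(dst_mapped))


SITE1 = Site("site1", REAL, static_net=IPv4Network("10.10.1.0/24"))
SITE2 = Site("site2", REAL, static_net=IPv4Network("10.10.2.0/24"))
# Site1 variant using PAT; 10.10.1.1 is a constructed value for the reply's 10.10.x.1.
SITE1_PAT = Site("site1", REAL, pat_addr=IPv4Address("10.10.1.1"))

if __name__ == "__main__":
    cases = [(SITE1, "192.168.1.10", SITE2, "10.10.2.20"),      # static both ends
             (SITE1_PAT, "192.168.1.10", SITE2, "10.10.2.20"),  # PAT site initiates
             (SITE2, "192.168.1.20", SITE1_PAT, "10.10.1.1")]   # towards the PAT site
    for case in cases:
        print(*trace(*case))
```

    The last case returns no real host: a new connection aimed at the PAT address has nothing to be delivered to, which is why the static side cannot initiate towards the PAT side.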

  • Issue of ASA vpn site to site isakmp

    Hello

    He has been asked to configure on ASA a new vpn site-to-site. For that vpn should I put:

    crypto isakmp identity address
    crypto ISAKMP allow outside

    .. the configuration of my identity crypto isakmp is automatic and isakmp crypto is not enabled on any interface. I love vpn with ike enabled on the external interface. My question is: why should I enable isakmp on the external interface and especially can create disturbances to ike vpn that are already in place?

    By elsewhere-group or tunnel-group strategy, it was me asked to set up, the two do not have indication of ike. Never seen this kind of configuration before vpn, something new.

    Thank you

    Hi, Giuseppe.

    The command crypto isakmp enable outside changed to crypto ikev1 enable outside in the new ASA versions; you need not enable this.

    There is also no need to configure crypto isakmp identity address, as it is set to auto.

    This command indicates that the tunnel would be negotiated on the basis of the IP address, but since it is set to auto it will do so on its own, so there is no need to specify this command.

    Yes, you can create a new group policy and tunnel group for this new tunnel, and there should be no impact on the other working tunnels.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • PIX v6.3 Site-to-Site with policy NAT

    Hi guys,

    I need to set up a site-to-site VPN with NAT because we have an overlapping subnet at the other end.

    They need access to both servers on our network with static IPs.

    Site A: 192.168.100.0/24

    Site B: 192.168.200.128/25

    The other site has chosen this network for NAT: 10.200.50.0/28

    I need to translate

    192.168.100.10 > 10.200.50.2

    192.168.100.20 > 10.200.50.3

    through the tunnel

    That's what I've done so far, will this work? Any problem that may appear with this config?

    Crypto ACL:

    access-list VPN permit ip 10.200.50.0 255.255.255.240 192.168.200.128 255.255.255.128

    access-list Policy_NAT1 permit ip host 192.168.100.10 192.168.200.128 255.255.255.128
    access-list Policy_NAT2 permit ip host 192.168.100.20 192.168.200.128 255.255.255.128

    nat (inside) 10 access-list Policy_NAT1 0 0
    nat (inside) 11 access-list Policy_NAT2 0 0

    global (outside) 10 10.200.50.2
    global (outside) 11 10.200.50.3

    Thanks in advance!

    Hello

    Your configuration looks very good.

    Although I guess it's a dynamic policy NAT/PAT configuration.

    In case you want to configure static policy NAT, you need to change it a bit. I mean if you wanted a NAT configuration that allows connections to be formed bidirectionally, both from your site to the remote site and from the remote site to your side. You can still use the same ACLs you have configured, but you would use the "static" configurations.

    static (inside,outside) 10.200.50.2 access-list Policy_NAT1
    static (inside,outside) 10.200.50.3 access-list Policy_NAT2

    One thing to review with the static policy NAT and the dynamic policy NAT/PAT is whether these hosts have static NAT configured towards the 'outside' interface, as that static NAT would override both of these configurations.

    If you use the dynamic policy NAT and also had a static NAT for the host, then you would have to change from the above to a static policy NAT to override the static NAT.

    And with the foregoing in mind, a possible existing static NAT and the new static policy NAT might have some problems together. In this case the ordering of the NAT rules would determine whether the static policy NAT is applied. If you already had the static NAT configured, then it would nullify the new static policy NAT. The solution would be to remove the static NAT and enter it again. This would move the static NAT after the static policy NAT in the order in which they appear in the CLI-format configuration and, therefore, the static policy NAT would work for the specified destination addresses and the static NAT for all other destination addresses.

    Hope I made any sense

    Feel free to ask more if necessary

    -Jouni
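A planning check for the policy NAT setups discussed in the two threads above, as an added example that is not part of the original posts: `static_map` computes the 1:1 translation used by the 8.3 `source static LAN LAN-NAT` rule, and `check_policy_nat` verifies that a host mapping agrees with the crypto ACL. The function names and the host 192.168.1.57 are constructed for illustration; the other addresses come from the posts.

```python
import ipaddress as ip

def static_map(real_net, mapped_net, host):
    """1:1 static network NAT: keep the host bits, swap the network prefix."""
    real, mapped = ip.ip_network(real_net), ip.ip_network(mapped_net)
    addr = ip.ip_address(host)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks need the same mask")
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    return mapped.network_address + (int(addr) - int(real.network_address))

def check_policy_nat(local_net, remote_net, crypto_src, host_map):
    """Return a list of problems found in a static policy NAT plan for an L2L VPN."""
    local, remote, src = (ip.ip_network(n) for n in (local_net, remote_net, crypto_src))
    problems = []
    # The crypto ACL matches post-NAT addresses, so its source side
    # must not collide with the network that lives behind the peer.
    if src.overlaps(remote):
        problems.append(f"crypto ACL source {src} overlaps remote network {remote}")
    used = {}
    for real, mapped in host_map.items():
        r, m = ip.ip_address(real), ip.ip_address(mapped)
        if r not in local:
            problems.append(f"real host {r} is not in local LAN {local}")
        if m not in src:
            # Translated traffic would miss the crypto ACL and never enter the tunnel.
            problems.append(f"mapped address {m} is outside crypto ACL source {src}")
        if m in used:
            problems.append(f"{m} is mapped from both {used[m]} and {r}")
        used.setdefault(m, r)
    return problems

# Addresses taken from the PIX v6.3 thread above.
PIX_PLAN = dict(
    local_net="192.168.100.0/24",
    remote_net="192.168.200.128/25",
    crypto_src="10.200.50.0/28",
    host_map={"192.168.100.10": "10.200.50.2", "192.168.100.20": "10.200.50.3"},
)

if __name__ == "__main__":
    # Both sites use 192.168.1.0/24; site1 appears to site2 as 10.10.1.0/24.
    print(static_map("192.168.1.0/24", "10.10.1.0/24", "192.168.1.57"))
    print(check_policy_nat(**PIX_PLAN) or "plan is consistent")
```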

  • ASA site-to-site VPN: DMVPN or full mesh?

    Hi all

    I'm new to the Cisco environment, please help me.

    Currently I am working on a project that requires setting up VPNs for security at multiple sites with different ISPs (static or dynamic IP not decided yet).

    I can also ask for Cisco routers for L3 routing and ASA appliances.

    My goal is: all sites can communicate with each other.

    Now I am considering a DMVPN or full mesh topology.

    Could you guys please answer my questions:

    1. Is a static IP from the ISP required? Can I use a dynamic IP? (I know ASA has a kind of dynamic-to-static VPN)

    2. DMVPN:

    + ASA can't, but I've heard that, somehow, ASA can config like speaks of talking about VPN. Does this match my target?

    + Please refer me to documents for setting it up, if you have any.

    3. Full mesh VPN:

    + How do I set it up? Do I have to configure an L2L VPN at each of the sites for all the rest?

    4. DMVPN vs full mesh: which is best? Which means less configuration work and fewer administration tasks?

    5. The last one: please advise me on the devices necessary for my target.

    Thanks to you all!

    You are right that an ASA will not support DMVPN. You would have to configure individual LAN-to-LAN VPN tunnels at each site (total n x (n - 1) tunnels).

    FlexVPN with ISR G2 routers would be the least amount of configuration work and a more flexible setup for your requirements. It has the advantages of EZVPN and DMVPN together.

    There are a number of examples of configuration of FlexVPN here.
