Bi-Directional policy NAT
Is bidirectional policy NAT possible? I can find plenty of examples for a simple bidirectional NAT, but the Cisco documentation I've read indicates that policy NAT translates based on local addresses only. However, I have read conflicting Cisco documentation which says that any NAT type (in addition to NAT exemption) can be configured as policy NAT. I spent many hours researching a configuration that could handle this, but came up empty. I'm guessing I'm not the first person to run into this; the Cisco documentation is just not clear to me.
Site A terminates L2L VPNs to Site B and Site C on an ASA 5520. Site A has no administrative control over B or C. Sites B and C both happen to expose the same private address space, which overlaps.
I'm not an expert, but I have been forced into this by the unexpected departure of our network engineer. Can anyone provide assistance?
I know I need to:
1. Specify the addresses to be translated
2. Specify the inside global translation
I think I do this with:
- static (outside,inside) 172.17.1.1 10.128.0.0 netmask 255.128.0.0
- access-list 101 permit ip 10.128.0.0 255.128.0.0
- access-group 101 in interface outside
I think I'm also going to need to create a route for this:
- route outside 10.128.0.0 255.128.0.0 12.126.x.x
This satisfies one VPN, but what about Site C? Can I use policy NAT to map that client's 10.128.0.0/9 to, say, 172.17.2.2? I know that the address space I am mapping to does not support the /9 being exposed to me, but I will never exceed the range that I'm mapping. Once I know exactly which IPs will come in via the VPN, I will create 1:1 translations as governed by our security policy.
I hope I am on the right track here and have explained this in a way that is not too complicated. Any help? I do not know if bidirectional policy-based NAT is possible, based on what I've read in the Cisco documentation. Help!
Site A (ASA 5520) --- WWW cloud ---(12.126.x.x)--- Site B (10.128.0.0/9)
                                \--(209.128.y.y)--- Site C (10.128.0.0/9)
I agree with you 100%; unfortunately the documentation sucks!
If you give the ASA a different public IP address on a different interface and terminate the tunnel there, you can always use policy NAT in the site configuration, and it should work.
Try it and tell us if you need assistance.
Federico.
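Added here as a worked check, not part of the post and not Cisco code: a short Python script that finds crypto map entries whose traffic selectors overlap on the same interface, which is the situation the question describes (Site B and Site C both presenting 10.128.0.0/9 behind tunnels terminated on one outside interface) and the one Federico's suggestion of a second interface avoids. The peer labels, sequence numbers and the 192.0.2.0/24 local network are constructed.

```python
"""Added example (not from the thread, not Cisco code): find crypto map entries
whose traffic selectors overlap on the same interface. The ASA evaluates crypto
map entries in sequence-number order and the first ACE that matches a flow
selects the peer, so an entry that overlaps a lower-numbered one is shadowed:
its peer never gets that traffic. Peers, sequence numbers and the 192.0.2.0/24
local network below are constructed for illustration."""
from ipaddress import ip_network
from itertools import combinations


def entry(iface, seq, peer, selectors):
    """One crypto map entry; selectors are the (src, dst) pairs of its crypto ACL."""
    return {"iface": iface, "seq": seq, "peer": peer,
            "selectors": [(ip_network(s), ip_network(d)) for s, d in selectors]}


def shadowed_entries(entries):
    """Return (winning_seq, shadowed_seq, shadowed_peer, src, dst) for every
    selector pair that overlaps between two entries bound to the same interface."""
    found = []
    ordered = sorted(entries, key=lambda e: (e["iface"], e["seq"]))
    for lo, hi in combinations(ordered, 2):
        if lo["iface"] != hi["iface"]:
            continue                       # separate crypto maps, no competition
        for s1, d1 in lo["selectors"]:
            for s2, d2 in hi["selectors"]:
                if s1.overlaps(s2) and d1.overlaps(d2):
                    found.append((lo["seq"], hi["seq"], hi["peer"], str(s2), str(d2)))
    return found


LOCAL = "192.0.2.0/24"                     # constructed stand-in for Site A's inside network

# Both partner tunnels on 'outside', each presenting 10.128.0.0/9 (as in the post).
ONE_INTERFACE = [
    entry("outside", 10, "Site B", [(LOCAL, "10.128.0.0/9")]),
    entry("outside", 20, "Site C", [(LOCAL, "10.128.0.0/9")]),
]
# Federico's suggestion: terminate Site C on a second interface with its own public IP.
TWO_INTERFACES = [
    entry("outside", 10, "Site B", [(LOCAL, "10.128.0.0/9")]),
    entry("outside2", 10, "Site C", [(LOCAL, "10.128.0.0/9")]),
]

if __name__ == "__main__":
    for label, cm in (("one interface", ONE_INTERFACE), ("two interfaces", TWO_INTERFACES)):
        hits = shadowed_entries(cm)
        for win, lost, peer, s, d in hits:
            print(f"{label}: seq {lost} ({peer}) shadowed by seq {win} for {s} -> {d}")
        print(f"{label}: {len(hits)} conflict(s)")
```

With both entries on one interface the script reports that sequence 20 (Site C) is shadowed by sequence 10 for every flow to 10.128.0.0/9, so Site C can never receive a security association for that traffic; with the second tunnel on its own interface there is nothing to report.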
Similar Questions
-
PIX v6.3 Site-to-Site with policy NAT
Hi guys,
I need to set up a site-to-site VPN with NAT because we have an overlapping subnet at the other end.
They need access to both servers on our network via static IPs.
Site A: 192.168.100.0/24
Site B: 192.168.200.128/25
The other site has chosen this network for NAT: 10.200.50.0/28
I need to translate
192.168.100.10 > 10.200.50.2
192.168.100.20 > 10.200.50.3
through the tunnel.
That's what I've done so far; will this work? Are there any problems that may appear with this config?
Crypto ACL:
access-list VPN permit ip 10.200.50.0 255.255.255.240 192.168.200.128 255.255.255.128
access-list Policy_NAT1 permit ip host 192.168.100.10 192.168.200.128 255.255.255.128
access-list Policy_NAT2 permit ip host 192.168.100.20 192.168.200.128 255.255.255.128
nat (inside) 10 access-list Policy_NAT1 0 0
nat (inside) 11 access-list Policy_NAT2 0 0
global (outside) 10 10.200.50.2
global (outside) 11 10.200.50.3
Thanks in advance!
Hello
Your configuration looks very good.
Although I guess it's a dynamic policy NAT/PAT configuration.
In case you want to configure static policy NAT, you need to change it a bit. I mean, if you wanted a NAT configuration allowing bidirectional connections, both from your site to the remote site and from the remote site to your site. You can use the same ACLs you have configured, but you would use "static" configurations.
static (inside,outside) 10.200.50.2 access-list Policy_NAT1
static (inside,outside) 10.200.50.3 access-list Policy_NAT2
One thing to consider with both static policy NAT and dynamic policy NAT/PAT is whether these hosts already have a static NAT configured toward the 'outside' interface, since that static NAT would override both of these configurations.
If you used dynamic policy NAT and also had a static NAT for the host, then you would have to change the above to a static policy NAT to override the static NAT.
With the foregoing in mind, a possibly existing static NAT and the new static policy NAT might have some problems together. In this case the order of the NAT rules would determine whether the static policy NAT is applied at all. If you already had the static NAT configured, it would nullify the new static policy NAT. The solution would be to remove the static NAT and enter it again. This would move the static NAT after the static policy NAT in the order they appear in the CLI configuration, and therefore the static policy NAT would work for the specified destination addresses and the static NAT for all other destination addresses.
Hope I made some sense.
Feel free to ask more if necessary.
- Jouni
-
Policy nat for L2L and external access
Hello
I'm running into an interesting issue with a PIX 506E running 6.3(4).
I created a VPN to our central location and implemented policy NAT on the 506E to NAT their local 192.168.1.0/24 IPs to 10.200.25.0/24. This NATing works very well except for servers that also have a static external IP address. I made a few packet captures and traffic is crossing the VPN as expected and arriving at the remote end, but the replies are NATed to the 'outside' IP of the host instead of the policy NAT address. I can ping other hosts on the remote network fine from the central location, just not those that have a static external IP address.
Example:
10.10.7.1 is my central site and tries to ping a server with an IP address of 10.200.25.11 through the VPN. The traffic leaves the central site, is encrypted and delivered to the remote firewall. The remote firewall translates 10.200.25.11 -> 192.168.1.11 (the REAL server IP) and delivers the packet, and the server responds, but the replies are NATed to its public IP address of 75.X.X.X instead of 10.200.25.11.
Any thoughts on how I can work around this problem?
Here is the relevant config:
access-list policy-nat line 1 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list policy-nat line 2 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list policy-nat line 3 permit ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list vpn-sheep permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-she
ep permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn-sheep permit ip 192.168.1.0 255.255.255.0 10.100.11.0 255.255.255.0
nat (inside) 0 access-list vpn-sheep
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
Try rearranging your static rules:
Put the policy static first so it is the first one read by the PIX:
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
See how it goes.
-
Public and private IPs on the same Interface by using NAT Exemption/policy NAT
I'm looking for some feedback on whether my thoughts on this setup will work.
Equipment: PIX 515E 6.2(2)
Scenario:
The inside interface of the PIX will host 3 blocks of IP addresses: 2 public /24 blocks and 1 private /16 block. (All IP addresses have been replaced by dummy blocks.)
Public blocks:
* 192.168.10.0/24
* 192.168.20.0/24
Private block:
* 10.50.0.0/16
Traffic from the 2 public /24 blocks should go through the firewall without address translation.
The two public blocks will be able to receive connections initiated from the Internet.
The public blocks will need to be able to send and receive traffic over a static VPN tunnel to our headquarters without being subject to address translation.
Traffic leaving the private /16 block should be subjected to PAT before passing through the firewall.
The private /16 block will not receive incoming traffic from the Internet (other than responses to outbound connections initiated from within the private block).
However, the private block will also have to be able to send and receive traffic over a static VPN tunnel to our headquarters *without* being subject to address translation (i.e. hosts on our corporate network must be able to initiate connections to the private block and vice versa).
The inside interface of the PIX will be connected to a Catalyst 3xxx series layer 3 switch, which will be responsible for all internal routing (so the PIX will never route traffic back out the interface it was received on).
My ideas on how to implement this are:
* Use NAT exemption to exempt the public address blocks from translation. This will allow incoming and outgoing connections through the firewall.
* Use NAT exemption to exempt the private block from NAT when connecting to our head office over the VPN tunnel.
* Use policy NAT w/ PAT to translate the private block when connecting to all other hosts.
I have translated these thoughts into the following configuration snippet.
Because NAT exemption is processed before policy NAT in the evaluation of the NAT rules, I believe this should allow the public IP blocks to handle incoming/outgoing traffic without translation, while subjecting the private block to translation (except when handling incoming/outgoing connections to our corporate office network).
Can someone confirm my assumptions about this?
# ----------------------------------------------------------------------
# traffic which should be exempted from translation
access-list nat_exempt permit ip 192.168.10.0 255.255.255.0 any
access-list nat_exempt permit ip 192.168.20.0 255.255.255.0 any
access-list nat_exempt permit ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
# traffic which should be subject to translation
access-list policy_nat permit ip 10.50.0.0 255.255.0.0 any
# assume 192.168.5.1 is the address to use for PAT
global (outside) 1 192.168.5.1
nat (inside) 0 access-list nat_exempt
nat (inside) 1 access-list policy_nat
# assume 192.168.10.7 is the IP address of the inside layer 3 switch
route inside 192.168.10.0 255.255.255.0 192.168.10.7 1
route inside 192.168.20.0 255.255.255.0 192.168.10.7 1
route inside 10.50.0.0 255.255.0.0 192.168.10.7 1
# assume the following configuration sections appear elsewhere: static VPN tunnel, ACLs, interface config, etc.
# ----------------------------------------------------------------------
Yes, this will work, although you don't need policy NAT for the 10.50.0.0 network. To PAT the 10.50.0.0 network when going anywhere (except via VPN) just do:
global (outside) 1 192.168.15.1
nat (inside) 1 10.50.0.0 255.255.0.0
As I said, what you have works perfectly; the above is just an easier way to do it.
-
Summary:
We are trying to establish a bidirectional L2L VPN tunnel with a partner. VPN traffic is one-to-many toward our partner, and our partner needs many-to-one to us (they need to access one host on our network). In addition, our partner has many VPNs, so they are forcing us to use a separate NAT with two private host addresses, one for each direction of the tunnel.
My initial configuration of the tunnel on my side brought up Phase 1, but not IPsec. The partner ran a debug that revealed that my host was not being NATed to the policy NAT address. We use an ASA 5520, ver 7.0.
Here is the config:
## List of OUR hosts
object-group network OURHosts
 network-object host 192.168.x.y
## List of PARTNER hosts
object-group network PARTNERHosts
 network-object host 10.2.a.b
### ACLs for NAT
# many-to-many outgoing
access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
# one-to-many incoming
access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts
## NAT
nat (INSIDE) 2 access-list NAT2
global (OUTSIDE) 2 172.20.n.0
nat (INSIDE) 3 access-list VIH3
global (OUTSIDE) 3 172.20.n.1
## ACL for VPN
access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts
## Tunnel
tunnel-group <peer> type ipsec-l2l
crypto map <map> <#> match address VPN
crypto map <map> <#> set transform-set VPN
crypto map <map> <#> set peer <peer>
I realize that the ACL for the VPN should read:
access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts
... if the NAT were working properly, but when this ACL is used, Phase 1 doesn't even negotiate, so I know the NAT is never translating.
What am I missing to NAT our hosts to the 172.20 addresses when they try to access the partner's internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1. nat 0 access-list (NAT exemption)
2. match existing xlates
3. match static commands
  a. static NAT with no access-list
  b. static PAT with no access-list
4. match nat commands
  a. nat [id] access-list (first match)
  b. nat [id] [address] [mask] (best match)
    i. if the id is 0, create an identity xlate
    ii. use the global pool for dynamic NAT
    iii. use the global pool for dynamic PAT
If you can, try:
(1) a static NAT with an access-list, which will have priority over the dynamic NAT statement
(2) as you can see in 4a, it uses first match with nat access-list, so theoretically swapping them around should do the trick.
Do I see any negative consequences? Well, yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so absolutely do this after hours.
Jon
-
ASA to Juniper VPN with policy NAT
I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my client's network 192.168.190.0/24. I need to NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.
Here is my current config:
hostname xxxxx
domain-name xxxxx.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.190.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 207.98.218.26 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan12
 description backup interface for vlan2
 nameif CharterBackup
 security-level 0
 ip address 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 100 extended permit tcp any host 207.98.218.27 eq 3389
access-list 100 extended permit tcp any host 207.98.218.28 eq 3389
access-list 100 extended permit tcp any host 207.98.218.27 eq 9000
access-list 100 extended permit tcp any host 207.98.218.27 eq 9001
access-list 100 extended permit tcp any host 207.98.218.28 eq 9000
access-list 100 extended permit tcp any host 207.98.218.28 eq 9001
access-list split standard permit 192.168.190.0 255.255.255.0
access-list POLICYNAT extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list VPN extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu CharterBackup 1500
ip local pool vpnpool 192.168.10.75-192.168.10.85
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CharterBackup) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.191.0 access-list POLICYNAT
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
route CharterBackup 0.0.0.0 0.0.0.0 71.14.9.49 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.190.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set romanset esp-<cipher> esp-md5-hmac
crypto ipsec transform-set AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set romanset
crypto map romanmap 10 match address VPN
crypto map romanmap 10 set peer 66.18.99.68
crypto map romanmap 10 set transform-set AES-128-SHA
crypto map romanmap 65535 ipsec-isakmp dynamic dynmap
crypto map romanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption <cipher>
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 CharterBackup
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.100.100-192.168.100.130 DMZ
dhcpd enable DMZ
!
group-policy xxxxx internal
group-policy xxxxx attributes
 wins-server value 192.168.190.3
 dns-server value 192.168.190.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool vpnpool
 default-group-policy romangroup
tunnel-group xxxxx ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group 66.18.99.68 type ipsec-l2l
tunnel-group 66.18.99.68 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Currently, traffic that originates on 192.168.190.0/24 generates no Phase 1 traffic. However, if the traffic is coming in FROM the remote side (66.18.106.160/27) the tunnel comes up, but no traffic passes.
Although this isn't my area of expertise, it seems to me that my ASA is not 'seeing' interesting traffic from 192.168.190.0/24 to 66.18.106.160/27.
Any help you could provide would be GREATLY appreciated.
Just remove the following 2 lines:
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
Then 'clear xlate'.
That should solve your problem.
-
Hello
I have a Cisco IOS router and want to configure an IPsec tunnel between myself and a client. Unfortunately, we both have overlapping 10.x network IP addresses.
Is it possible for me to just NAT the IP addresses on my side, or should the customer NAT as well?
I have configured NAT on the inside interface for 10.134.206.1 to 192.168.156.6 so that NAT happens before the packets are encrypted in the tunnel; however, the tunnel is not coming up. The client uses a SonicWall firewall and has allowed their 10.91.0.0/16 network to 192.168.156.0/24.
See attachment
Kind regards
Their setup is wrong. The remote local networks are not 10.134.206.0 and 10.134.206/42. That is simply your public IP address.
-
Porting 8.2(5) policy NAT for a VPN from an ASA5510 to an ASA5515 running 8.6(1)
I have this existing config (which works) on an ASA5510 running v8.2(5).
I need to port this to an ASA5515 running v8.6(1).
ASA5510 inside net: 192.168.1.0/24
Remote VPN peer network: 172.16.21.192/28
!
access-list InsideGlobal-2-OutsideNetwork permit ip host 10.0.200.211 172.16.21.192 255.255.255.240
access-list InsideGlobal-2-OutsideNetwork permit ip host 10.0.202.39 172.16.21.192 255.255.255.240
!
access-list InsideLocal.1-2-OutsideNetwork permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
access-list InsideLocal.191-2-OutsideNetwork permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
!
static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork
static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
!
I think what I need is the following:
!
object network OBJ_172.16.21.192_28
 subnet 172.16.21.192 255.255.255.240
!
object network OBJ_10.0.200.211_32
 host 10.0.200.211
!
object network OBJ_10.0.202.39_32
 host 10.0.202.39
!
object network OBJ_192.168.1.1_32
 host 192.168.1.1
!
object network OBJ_192.168.1.191_32
 host 192.168.1.191
!
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
!
nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.202.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
THX - Phil
Hi Phil,
The configuration converted from 8.2.x to 8.6.x is correct. Go with it.
Vishnu
-
Hello community,
I'm going nuts here. We are trying to configure policy NAT through a site-to-site VPN tunnel, but can't seem to get it working. Here is our configuration:
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static extended permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static2 extended permit ip host 192.168.1.5 any
nat (inside) 0 access-list sheep
nat (inside) 2 192.168.1.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list inside_nat_static
static (inside,outside) 63.123.4.56 access-list inside_nat_static2
I omitted the VPN part because it is correct. When we initiate a ping the tunnel comes up. The problem we have is on our side with policy NAT, I think. With a ping from the remote end, on our ASA we see all the incoming traffic, but our server does not respond back out.
Appreciate any input...
-Tom
Tom,
Sorry for the delay, I forgot about you; I've just been very busy.
Here's what you'll need:
First remove these (you intentionally do not want the NATed traffic in 'sheep'):
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
Then add this to translate your outgoing traffic:
access-list 199 permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list 199
Translate your inbound traffic also:
static (outside,inside) 192.168.12.0 192.168.1.0 netmask 255.255.255.0
Define your crypto ACL from the translated local host to the translated remote subnet:
access-list cryptomap permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
You can remove the other line of that ACL.
Your host should then reach 192.168.12.x, which is the translated remote network.
Try it and let me know how it goes.
Raga
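An added example, not code from this thread or from Cisco: the Python model below applies the NAT order of operations that Jon listed in the "Summary" thread above (nat 0 access-list, then the static commands in configuration order, then nat <id> access-list first match, then nat <id> network best match) to a single flow and then checks whether the post-NAT source still matches the crypto ACL. It is loaded with Tom's configuration before and after Raga's fix, and with the PIX static-ordering case from the "Policy nat for L2L and external access" thread. The line "global (outside) 2 interface", the cryptomap ACL (taken from Raga's reply) and 203.0.113.50 as a stand-in for 75.x.x.x are assumptions; the existing-xlate step and nat-control are not modelled.

```python
"""Added example, not code from this thread or from Cisco: the pre-8.3 PIX/ASA NAT
order of operations as Jon lists it (nat 0 access-list, static commands in config
order, nat <id> access-list first match, nat <id> network best match) applied to one
flow, then checked against the crypto ACL. Only the syntax used in the thread is parsed."""
from ipaddress import IPv4Address, ip_network


def _addr(tok, i):
    """One ACL address term: 'any', 'host A' or 'A MASK' -> (network, next index)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(lines):
    """(acls, nats, pools): 'permit ip' ACEs by ACL name, NAT rules in config order, globals."""
    acls, nats, pools = {}, [], {}
    for line in lines:
        tok = line.split() or [""]
        if tok[0] == "access-list":
            i = 3 if tok[2] == "extended" else 2
            if tok[i:i + 2] == ["permit", "ip"]:
                src, i = _addr(tok, i + 2)
                dst, i = _addr(tok, i)
                acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "global":                           # global (outside) ID <ip|interface>
            pools[int(tok[2])] = tok[3]
        elif tok[0] == "static" and tok[3] == "access-list":   # static (in,out) MAPPED access-list X
            nats.append(("static-policy", tok[4], IPv4Address(tok[2])))
        elif tok[0] == "static":                           # static (in,out) MAPPED REAL netmask MASK
            nats.append(("static", ip_network(f"{tok[3]}/{tok[5]}"), IPv4Address(tok[2])))
        elif tok[0] == "nat" and tok[3] == "access-list":  # nat (in) ID access-list X
            nats.append(("nat-acl", int(tok[2]), tok[4]))
        elif tok[0] == "nat":                              # nat (in) ID NET MASK
            nats.append(("nat-net", int(tok[2]), ip_network(f"{tok[3]}/{tok[4]}")))
    return acls, nats, pools


def first_ace(acls, name, src, dst):
    """Source network of the first ACE in ACL `name` matching src -> dst, else None."""
    for ace_src, ace_dst in acls.get(name, []):
        if src in ace_src and dst in ace_dst:
            return ace_src
    return None


def resolve(cfg, src, dst):
    """Return (mapped source, rule matched, bidirectional) for one outbound flow; bidirectional
    means the remote side can initiate to the mapped address (NAT exemption or a static)."""
    acls, nats, pools = cfg
    src, dst = IPv4Address(src), IPv4Address(dst)
    for kind, nat_id, name in nats:                 # 1. nat 0 access-list (exemption)
        if kind == "nat-acl" and nat_id == 0 and first_ace(acls, name, src, dst) is not None:
            return str(src), f"nat 0 access-list {name}", True
    for kind, arg, mapped in nats:                  # 3. statics, first match in config order
        real = first_ace(acls, arg, src, dst) if kind == "static-policy" else arg
        if kind.startswith("static") and real is not None and src in real:
            host_part = int(src) - int(real.network_address)   # 192.168.1.11 -> x.x.x.11
            return str(mapped + host_part), f"static {mapped} {arg}", True
    for kind, nat_id, name in nats:                 # 4a. nat <id> access-list, first match
        if kind == "nat-acl" and nat_id and first_ace(acls, name, src, dst) is not None:
            return pools[nat_id], f"nat {nat_id} access-list {name} -> global {pools[nat_id]}", False
    hits = [(n.prefixlen, nat_id) for k, nat_id, n in nats if k == "nat-net" and src in n]
    if hits:                                        # 4b. nat <id> network, longest-prefix match
        nat_id = max(hits)[1]
        if nat_id == 0:
            return str(src), "nat 0 identity", False
        return pools[nat_id], f"nat {nat_id} -> global {pools[nat_id]}", False
    return str(src), "no translation", False


def interesting(cfg, crypto_acl, src, dst):
    """True when the post-NAT flow matches the crypto ACL, i.e. the ASA would encrypt it."""
    mapped, _, _ = resolve(cfg, src, dst)
    return first_ace(cfg[0], crypto_acl, IPv4Address(mapped), IPv4Address(dst)) is not None


# Tom's config as posted; 'global (outside) 2 interface' and the cryptomap ACL are assumptions.
TOM_BEFORE = """
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static extended permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static2 extended permit ip host 192.168.1.5 any
access-list cryptomap permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
nat (inside) 0 access-list sheep
nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 interface
static (inside,outside) 10.23.1.5 access-list inside_nat_static
static (inside,outside) 63.123.4.56 access-list inside_nat_static2
""".splitlines()
TOM_AFTER = [l for l in TOM_BEFORE if not l.startswith("access-list sheep")]   # Raga's fix

# PIX 6.3 ordering case; 203.0.113.50 is a constructed stand-in for the post's 75.x.x.x.
PIX_AS_POSTED = [
    "access-list policy-nat permit ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0",
    "static (inside,outside) 203.0.113.50 192.168.1.11 netmask 255.255.255.255",
    "static (inside,outside) 10.200.25.0 access-list policy-nat",
]
PIX_REORDERED = [PIX_AS_POSTED[0], PIX_AS_POSTED[2], PIX_AS_POSTED[1]]

if __name__ == "__main__":
    for cfg in (TOM_BEFORE, TOM_AFTER):
        c = parse_config(cfg)
        print(resolve(c, "192.168.1.5", "192.168.12.10"), interesting(c, "cryptomap", "192.168.1.5", "192.168.12.10"))
    for cfg in (PIX_AS_POSTED, PIX_REORDERED):
        print(resolve(parse_config(cfg), "192.168.1.11", "10.10.7.1"))
```

The third element of each result is Jouni's point from the PIX 6.3 thread: only NAT exemption or a static (policy) translation gives the remote side a fixed address to initiate to, while a dynamic nat/global pool translates flows that start from inside only. With the sheep lines present, 192.168.1.5 reaches the crypto ACL untranslated and is not interesting traffic; with them removed the policy static fires and the flow matches. In the PIX case, swapping the two static lines changes the answer for the same flow from the public address to 10.200.25.11.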
-
Problem with source policy NAT in a site-to-site VPN
Dear all,
I am facing an issue with source-based NAT in a site-to-site VPN configuration.
We want to access the remote site server 10.67.1.5 from my main server 192.168.210.224; my server 192.168.210.224 needs to be NATed to 10.66.102.178 when going out to the remote site. We have done the configuration below, and VPN phase 1 and phase 2 come up fine, but we are not able to access the remote server 10.67.1.5. Phase 2 comes up, but packets are only being encapsulated, not decapsulated. The remote site VPN terminates on a router, and phase 1 and phase 2 come up.
There is no NAT exemption configured. Would appreciate urgent help identifying the problem...
We have many operational site-to-site tunnels... but not the tunnels with policy NAT.
config
--------
access-list acl-OR line 1 extended permit ip host 192.168.210.224 host 10.67.1.5 (hitcnt=0)
access-list acl-OR line 2 extended permit ip host 10.66.102.178 host 10.67.1.5 (hitcnt=2)
nat (inside) 2 192.168.210.224 255.255.255.255
global (outside) 2 10.66.102.178
crypto ipsec transform-set OR esp-3des esp-sha-hmac
crypto map ENOCMAP 22 match address acl-OR
crypto map ENOCMAP 22 set peer x.x.x.x
crypto map ENOCMAP 22 set transform-set
crypto map ENOCMAP 22 set security-association lifetime seconds 3600
crypto map ENOCMAP 22 set reverse-route
crypto map ENOCMAP interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
======================================================================
12  IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: ENOCMAP, seq num: 22, local addr: x.x.x.x
      access-list acl-OR extended permit ip host 10.66.102.178 host 10.67.1.5
      local ident (addr/mask/prot/port): (10.66.102.178/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.67.1.5/255.255.255.255/0/0)
      current_peer: x.x.x.x
      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 89BAF49F
      current inbound spi : DB36C4B6
Hello
Please try the NAT statement below:
access-list policynat extended permit ip host 192.168.210.224 host 10.67.1.5
static (inside,outside) 10.66.102.178 access-list policynat
Here is some reference material for policy NAT: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419
Thank you
Tarik Admani
*Please rate helpful posts*
-
Policy NAT config in version 8.3
Hi guys
I need some help from you to port the following site-to-site VPN config from ASA 8.2 to ASA v8.3.
ASA 8.2
interface Vlan x
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
global (outside) 176 172.28.176.10
nat (inside) 176 access-list policy_nat
!
access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.190.0.0 255.255.0.0
I started to create network objects for the local and remote networks, but I'm just/still missing the "policy-nat" config...
ASA v8.3
object network local-network
 subnet 192.168.1.0 255.255.255.0
!
object network remote-network
 subnet 10.190.0.0 255.255.0.0
!
object network policy-nat-vpn-range
 subnet 172.28.180.0 255.255.255.0
!
object network policy-nat-WAN-IP
 host 172.28.180.1
.....
BR,
/S
You can go with this (and use your existing objects):
object network obj-172.28.176.10
 host 172.28.176.10
nat (inside,outside) source dynamic local-network obj-172.28.176.10 destination static remote-network remote-network
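An added example, not code from either thread or from Cisco's own migration tool: the converter below turns 8.2-style policy NAT (a "static ... access-list" as in Phil's ASA5510 config, or the "nat <id> access-list" plus "global" pair posted just above) into 8.3 network objects and twice-NAT statements of the form the two replies show. Object names follow Phil's OBJ_<address>_<prefix> convention; the "no-proxy-arp route-lookup" suffix is taken from his 8.6 config and is a parameter so it can be dropped on a release that lacks it. The sample inputs are the two posted 8.2 configurations.

```python
"""Added example, not code from either thread or from Cisco's migration tool: convert
8.2-style policy NAT ('static ... access-list', or 'nat <id> access-list' with its
'global') into 8.3 network objects and twice-NAT statements. Object names follow
the OBJ_<address>_<prefix> convention Phil used; only 'permit ip' ACEs are handled."""
from ipaddress import ip_network


def _term(tok, i):
    """One ACL address term, 'host A' or 'A MASK' -> (IPv4Network, next index)."""
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def obj_name(net):
    return f"OBJ_{net.network_address}_{net.prefixlen}"


def obj_lines(net):
    """'object network ...' plus its host/subnet body line, as the ASA prints them."""
    if net.prefixlen == 32:
        return [f"object network {obj_name(net)}", f" host {net.network_address}"]
    return [f"object network {obj_name(net)}", f" subnet {net.network_address} {net.netmask}"]


def convert_policy_nat(lines82, static_suffix=" no-proxy-arp route-lookup"):
    """Return 8.3 config lines: objects first, then nat statements in the original order.
    static_suffix comes from Phil's 8.6 config; pass "" on a release without route-lookup."""
    acls, statics, dynamics, pools = {}, [], [], {}
    for line in lines82:
        tok = line.split() or [""]
        if tok[0] == "access-list":
            i = 3 if tok[2] == "extended" else 2
            if tok[i:i + 2] != ["permit", "ip"]:
                continue
            src, i = _term(tok, i + 2)
            dst, _ = _term(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "static" and tok[3] == "access-list":      # static (in,out) MAPPED access-list X
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            statics.append((real_ifc, mapped_ifc, tok[2], tok[4]))
        elif tok[0] == "nat" and tok[3] == "access-list" and tok[2] != "0":   # nat (in) ID access-list X
            dynamics.append((tok[1].strip("()"), int(tok[2]), tok[4]))
        elif tok[0] == "global":                                   # global (out) ID <ip|interface>
            pools[int(tok[2])] = (tok[1].strip("()"), tok[3])

    objects, nat_lines = {}, []

    def need(net):
        """Define an object once and return its name."""
        objects.setdefault(obj_name(net), obj_lines(net))
        return obj_name(net)

    for real_ifc, mapped_ifc, mapped_ip, acl in statics:
        for src, dst in acls[acl]:
            # A policy static maps the ACE's source block 1:1 onto a same-size mapped block.
            mapped = ip_network(f"{mapped_ip}/{src.prefixlen}", strict=False)
            r, m, d = need(src), need(mapped), need(dst)
            nat_lines.append(f"nat ({real_ifc},{mapped_ifc}) source static {r} {m} "
                             f"destination static {d} {d}{static_suffix}")
    for real_ifc, nat_id, acl in dynamics:
        mapped_ifc, pool_ip = pools[nat_id]
        m = "interface" if pool_ip == "interface" else need(ip_network(pool_ip + "/32"))
        for src, dst in acls[acl]:
            r, d = need(src), need(dst)
            nat_lines.append(f"nat ({real_ifc},{mapped_ifc}) source dynamic {r} {m} "
                             f"destination static {d} {d}")
    return [l for body in objects.values() for l in body + ["!"]] + nat_lines


# Constructed from the two posts above (8.2 side only).
PHIL_82 = [
    "access-list InsideLocal.1-2-OutsideNetwork permit ip host 192.168.1.1 172.16.21.192 255.255.255.240",
    "access-list InsideLocal.191-2-OutsideNetwork permit ip host 192.168.1.191 172.16.21.192 255.255.255.240",
    "static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork",
    "static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork",
]
DYNAMIC_82 = [
    "global (outside) 176 172.28.176.10",
    "nat (inside) 176 access-list policy_nat",
    "access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.190.0.0 255.255.0.0",
]

if __name__ == "__main__":
    print("\n".join(convert_policy_nat(PHIL_82)))
    print("\n".join(convert_policy_nat(DYNAMIC_82)))
```

The output for Phil's input is the same object set and the same two "source static ... destination static" lines he worked out by hand (each object defined once even though both rules share the remote /28), and for the second thread it produces the "source dynamic" form Vishnu's counterpart gave, using an OBJ_172.28.176.10_32 host object in place of the hand-named obj-172.28.176.10. Because 8.3 evaluates these twice-NAT rules in order, keep the original statement order when the 8.2 rules overlapped.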
-
NAT overlapping with remote VPN access
Hi all
My client has an ASA 5510 at the main location. We're shooting for SSL remote access VPN for their needs, 30 or so remote users.
The problem is that the main site has a 192.168.1.0/24 network, the default on any number of Linksys routers bought off the shelf at any store.
Obviously, by default, it does not work. When users connect to the VPN from home, it connects but network resources are not available.
I have read about overlapping NAT with site-to-site tunnels, but does all of that apply to remote access? Is it possible as well?
Any help pointing me in the right direction would be much appreciated.
Thank you!
Look at "PIX/ASA 7.x and later: VPN Site-to-Site (L2L) IPsec with Policy NAT (overlapping private networks) configuration example" for more information.
-
Try to find what happened. I had the remote end raise the tunnel, as they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to until the interface of K_Inc has been added. The network behind this interface is 10/8.
I asked a question earlier in another post and advises him to play opposite road of Cryptography. And who did it. I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.
I am at a loss to why I can't all of a sudden. A bit of history, given routes have not changed. By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route. The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0. None of the nats have changed so if adding the reverse route worked for a day, it should still work. Any thoughts?
interface GigabitEthernet0/3.10
VLAN 10
nameif K_Inc
security-level 100
IP address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/3.141
VLAN 141
cold nameif
security-level 100
IP 192.168.141.254 255.255.255.0
(Cold) NAT 0 access-list sheep
NAT (cold) 1 192.168.141.0 255.255.255.0
Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0
Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0
Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0
IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0
static 10.40.27.0 (cold, outside) - CSVPNNAT access list
card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE
card crypto Outside_map 5 the value reverse-road
card crypto Outside_map 5 set pfs
card crypto Outside_map 5 set peer 20.x.x.3
Outside_map 5 transform-set ESP-3DES-MD5 crypto card game
card crypto Outside_map 5 defined security-association life seconds 28800
card crypto Outside_map 5 set security-association kilobytes of life 4608000
tunnel-group 20.x.x.3 type ipsec-l2l
20.x.x.3 Group of tunnel ipsec-attributes
pre-shared-key *.
Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1
Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1
Tunnel is up:
14 peer IKE: 20.x.x.243
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
EDIT:
I just noticed when tracer packet i run I don't get a phase VPN or encrypt:
packet-tracer input cold tcp 192.168.141.10 80 10.90.238.148 80 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.90.238.0     255.255.255.0   outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xad048d08, priority=0, domain=inspect-ip-options, deny=true
        hits=2954624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xb2ed4b80, priority=72, domain=qos-per-class, deny=false
        hits=2954687, user_data=0xb2ed49d8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xad090180, priority=20, domain=lu, deny=false
        hits=618776, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring,outside) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
  match ip ColdSpring host 192.168.141.10 outside any
    static translation to 74.x.x.50
    translate_hits = 610710, untranslate_hits = 188039
Additional Information:
Static translate 192.168.141.10/0 to 74.112.122.50/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 id=0xac541e50, priority=5, domain=nat, deny=false
        hits=610742, user_data=0xac541c08, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.141.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ColdSpring,dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
  match ip ColdSpring 192.168.141.0 255.255.255.0 dmz any
    static translation to 192.168.141.0
    translate_hits = 4194, untranslate_hits = 20032
Additional Information:
 Forward Flow based lookup yields rule:
 id=0xace2c1a0, priority=5, domain=host, deny=false
        hits=2954683, user_data=0xace2ce68, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.141.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 id=0xaacbcb90, priority=0, domain=inspect-ip-options, deny=true
        hits=282827537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 id=0xb2ed5c78, priority=72, domain=qos-per-class, deny=false
        hits=4749562, user_data=0xb2ed5ad0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339487904, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 7.x.x.1 using egress ifc outside
adjacency Active
next-hop mac address 0007.b400.1402 hits 51982146

Result:
input-interface: cold
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
What version of ASA are you running?
My guess is that your two static NATs are configured above the policy NAT you have configured for the VPN? If that is the case, move your policy NAT above these static NATs and you should see the traffic start to flow properly.
--
Please rate all useful posts
-
Publishing a server with NAT hairpinned through a VPN tunnel on an ASA
Hi all
Thanks in advance for helping me out. I know somebody has done this, and I'm having trouble finding out how. I don't know if I'm missing something simple.
I have a client who wants to view a DVR device through a VPN tunnel; the DVR is published through the public firewall at the colocation. The DVR endpoint has a dynamically assigned IP and brings the tunnel up to the host on demand (I know the tunnel could drop).
So I think / thought I could hairpin / policy NAT this, but I'm not the best at this.
Let's see if I can get this right:
public IP 1.1.1.1 \
 > outside interface of ASA
2.2.2.2 / private IP
My config, as far as I know it is pertinent, is as follows:
same-security-traffic permit intra-interface
access-list incoming extended permit ip any host 168.215.x.x
access-group incoming in interface outside
static (outside,outside) 168.215.x.x 10.10.x.x netmask 255.255.255.255
I am running ASA image version 8.2.5.
If you could take a look and let me know what I'm missing, please.
Thank you
Hello
The problem here is of course the fact that we cannot configure NAT0 without causing all traffic from the remote site's Internet to flow through the VPN connection.
So I wonder if another type of NAT configuration would actually work.
I would call it static policy identity NAT, if such a name even exists.
Something like this:
access-list DVR-POLICY-NAT remark Direct HTTP traffic to VPN
access-list DVR-POLICY-NAT permit tcp host 10.10.2.253 eq 80 any
static (inside,outside) 10.10.2.253 access-list DVR-POLICY-NAT
This should basically do the following:
- When the DVR is sending any TCP traffic with source port TCP/80 (essentially the return traffic for the connection from the main site) to ANY destination address (the Internet), then the host is translated to itself.
- If we consider that NAT is performed before the VPN rules are processed, this should mean that since we keep the host's own address, it will match the VPN rule only in this particular case where the traffic is from TCP/80, which could only be the result of it replying to a connection from any destination to TCP/80.
- Which leads me to believe it shouldn't cause any problems with the central-site connection at the remote site (NAT0 is processed before static policy NAT) or with the DVR's access to the Internet.
- Unless the DVR must also be accessible directly via the Internet connection of the remote site. (It would then send its replies to those HTTP connections out with their original source IP address.) Or it might even fail completely before the connection phase. I have not tested this.
Hope this helps
Please remember to mark the reply as the correct answer and/or rate helpful replies.
Ask more if necessary.
EDIT: typos
-Jouni
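Added example, not code from either post above: a small Python model of the 8.2-style NAT order of operations with the crypto map ACL evaluated against the packet after translation, which is the mechanism both the packet-tracer run in the first post (the host static shadows the policy static, so the packet leaves the outside interface untranslated for the VPN and unencrypted) and Jouni's static policy identity NAT depend on. It assumes the rule class order from the ASA 8.2 configuration guide (nat 0 access-list first, then static entries in configuration order, then policy dynamic, then regular dynamic NAT/PAT), a "host DVR to any" crypto ACL plus an interface PAT for Jouni's remote site, and the documentation addresses 203.0.113.50, 198.51.100.1 and 192.0.2.77 as placeholders for the masked or unstated public addresses.

```python
# Added example (not code from either thread): a small model of the pre-8.3
# ASA NAT order of operations, with the crypto map ACL evaluated against the
# packet AFTER translation. Assumed order, per the ASA 8.2 configuration guide:
# nat 0 access-list (exemption), then static entries (regular and policy) in
# configuration order, then policy dynamic NAT, then regular dynamic NAT/PAT.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:  # one access-list entry: permit <proto> <src> [eq <sport>] <dst>
    src: str
    dst: str
    proto: str = "ip"
    sport: Optional[int] = None

def ace_matches(ace: Ace, p: Pkt) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    return ip_address(p.src) in ip_network(ace.src) and ip_address(p.dst) in ip_network(ace.dst)

def acl_matches(acl, p: Pkt) -> bool:
    return any(ace_matches(a, p) for a in acl)

@dataclass(frozen=True)
class Nat:
    kind: str                 # "exempt" (nat 0 access-list), "static" or "dynamic"
    name: str                 # the config line it stands for
    real: str = "0.0.0.0/0"   # real (local) network the rule covers
    mapped: Optional[str] = None  # mapped network; None = PAT to the interface address
    acl: tuple = ()           # non-empty = policy NAT, the ACL selects the traffic

def _order(rule: Nat) -> int:
    # class order; sorted() is stable, so configuration order is kept within a class
    return {"exempt": 0, "static": 1}.get(rule.kind, 2 if rule.acl else 3)

def _applies(rule: Nat, p: Pkt) -> bool:
    if rule.acl:
        return acl_matches(rule.acl, p)
    return ip_address(p.src) in ip_network(rule.real)

def _mapped_src(rule: Nat, p: Pkt, outside_ip: str) -> str:
    if rule.kind == "exempt":
        return p.src
    if rule.mapped is None:
        return outside_ip
    offset = int(ip_address(p.src)) - int(ip_network(rule.real).network_address)
    return str(ip_network(rule.mapped).network_address + offset)

def trace(rules, crypto_acl, p: Pkt, outside_ip: str = "198.51.100.1") -> dict:
    """First NAT rule hit, the translated source, and whether the translated
    packet matches the crypto map ACL (vpn=False means it leaves in cleartext)."""
    hit = next((r for r in sorted(rules, key=_order) if _applies(r, p)), None)
    mapped = _mapped_src(hit, p, outside_ip) if hit else p.src
    after = Pkt(mapped, p.dst, p.proto, p.sport, p.dport)
    return {"nat_rule": hit.name if hit else "none", "mapped_src": mapped,
            "vpn": acl_matches(crypto_acl, after)}

# --- first thread: the packet-tracer run above (74.x.x.50 -> placeholder 203.0.113.50)
REMOTE = "10.90.238.0/24"
EXEMPT = Nat("exempt", "nat (cold) 0 access-list sheep",
             acl=(Ace("10.40.27.0/24", REMOTE),))   # names the mapped net, so it never hits
HOST_STATIC = Nat("static", "static (ColdSpring,outside) 74.x.x.50 192.168.141.10",
                  real="192.168.141.10/32", mapped="203.0.113.50/32")
POLICY_STATIC = Nat("static", "static (cold,outside) 10.40.27.0 access-list CSVPNNAT",
                    real="192.168.141.0/24", mapped="10.40.27.0/24",
                    acl=(Ace("192.168.141.0/24", REMOTE),))
CSVPNOFFSITE = (Ace("192.168.141.0/24", REMOTE), Ace("10.40.27.0/24", REMOTE))
PKT1 = Pkt("192.168.141.10", "10.90.238.148", "tcp", 80, 80)

def thread1(policy_static_first: bool) -> dict:
    statics = [POLICY_STATIC, HOST_STATIC] if policy_static_first else [HOST_STATIC, POLICY_STATIC]
    return trace([EXEMPT] + statics, CSVPNOFFSITE, PKT1)

# --- Jouni's static policy identity NAT (crypto ACL "host DVR -> any" is assumed)
DVR = "10.10.2.253"
DVR_IDENTITY = Nat("static", "static (inside,outside) 10.10.2.253 access-list DVR-POLICY-NAT",
                   real=DVR + "/32", mapped=DVR + "/32",
                   acl=(Ace(DVR + "/32", "0.0.0.0/0", "tcp", sport=80),))
SITE_PAT = Nat("dynamic", "nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface")
DVR_CRYPTO = (Ace(DVR + "/32", "0.0.0.0/0"),)

def dvr_egress(sport: int, dport: int) -> dict:
    # sport 80 = a reply from the DVR's web server; anything else = the DVR's own traffic.
    # 192.0.2.77 is a constructed Internet address.
    return trace([DVR_IDENTITY, SITE_PAT], DVR_CRYPTO, Pkt(DVR, "192.0.2.77", "tcp", sport, dport))
```

With the host static ahead of the policy static, thread1(False) returns the host static as the rule hit, a public source address and vpn=False: the packet takes the default route to 7.x.x.1 with a private destination and no encryption, which is exactly what the packet-tracer phases above show (NAT phase hits the 74.x.x.50 static, no VPN phase). thread1(True) hits the CSVPNNAT policy static instead, maps 192.168.141.10 to 10.40.27.10 and matches the second CSVPNOFFSITE entry. For the DVR, dvr_egress(80, ...) keeps its real address and is steered into the tunnel, while dvr_egress(40001, 443) falls through to interface PAT and goes out to the Internet; note that the sport-80 case fires for any client, which is Jouni's caveat about the DVR also being reachable directly through the remote site's own Internet connection.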
-
NAT, ASA, 2 networks and a VPN tunnel
Hello. I have the following question. I am trying to establish a VPN tunnel to a remote network that used to be connected to ours via a VPN tunnel. The problem is that the previous tunnel on their side was created for our x.x.x.x network, which will serve us for no more than a month but is currently still active and in use. As I'm trying to get this VPN tunnel up as soon as possible without going through all the paperwork on the other side (politics, don't ask), is it possible to NAT the new network into the x.x.x.x network for traffic through the VPN tunnel?
Something like this:
new network -> policy NAT to the old x.x.x.x network on the ASA -> VPN tunnel to the remote network using x.x.x.x addresses
It is possible to add the new policy, but sometimes it can conflict with the former one.