Bizarre vShield Edge NAT/VPN problem post-5.1 upgrade

Hoping someone can shed some light on this issue for us. The TL;DR is that NAT rules seem to be causing unexpected behaviour on VPN traffic after a vCloud 1.5 to 5.1 upgrade.

Background: We work with a hosting provider to manage our vCloud environment. Quite simple: 2 ESXi hosts and a few NFS datastores. They recently upgraded us from 1.5 to 5.1. For most of our customers we have just one vSE/routed network that connects a subnet to a "WAN" network and pulls a public IP address from a pool. We NAT (network address translation) and open (firewall) ports (for example port 3389 for RDP) to selected virtual machines. Most of these networks also have a site-to-site VPN tunnel to a physical firewall over the internet. After the upgrade, we went and converted our rules to the new format and enabled "multiple interfaces" mode, effectively taking them out of compatibility mode. Everything was going well (even for the vSE devices still in compatibility mode).

Problem: We first noticed this when a customer reported that they were unable to access a virtual machine via RDP using its internal (vSE-protected) IP through the VPN tunnel, but could access the VM via RDP using its public hostname/IP address. We allow all traffic over the VPN (the firewall has a blanket rule for VPN traffic). When we connected to troubleshoot (thinking the VPN was down), we found that we could connect to any port on the machine through the VPN tunnel except 3389. I could ping from the local subnet to the troubled VM on the vApp network without problem. I was able to connect to other ports that had been opened on the remote VM without problem. I just couldn't connect to 3389 through the VPN.

We thought it might be isolated, but found the issue on every vSE we have: if there is a DNAT rule translating inbound traffic for a particular port, that port becomes unreachable through the VPN tunnel on the VM that is the target of the DNAT rule.

Does anyone have an idea what could be the cause?

Looks like it is a problem experienced during the upgrade. These hidden firewall rules will not disappear until the firewall configuration is updated in some way. So the upgrade goes as follows:

(1) upgrade vCD

(2) upgrade vSM

(3) redeploy the edge gateway to upgrade it to version 5.1

(4) convert the firewall rules to the new format (where firewall rules no longer cover management interface traffic)

(5) change the gateway properties to multiple interface mode

(6) change the firewall specification somehow, that is, add a dummy firewall rule and remove it, turn the firewall off and then on again, etc.

This should cause the deny rule to go away.

Tags: VMware

Similar Questions

  • Adding vShield Edge NAT rules from a CSV using PowerCLI

    I recently read Alan's great post on adding NAT rules here: http://www.virtu-al.net/2014/07/24/working-vcd-edge-gateway-rules-powercli/

    I used it successfully for simple rules in a lab environment, but I have hundreds of rules I need to do in production.

    Although I managed to hack together an Excel spreadsheet that concatenated all these parameters to create each command, I was wondering if there was a faster way to do it.

    My plan was to modify Alan's script to import a CSV file, then loop through each line and generate the XML in a single pass.

    However, I am very rusty on my scripting skills, so I thought I would first ask if this has already been done by someone else.

    Does anyone know if there is a way to update vShield Edge NAT rules from a CSV file?

    Adam,

    I was involved in the original request for this feature. Alan got us most of the way with a function to create a single rule, but as in your use case, we also had a lot of rules to build at once.

    Our solution was some rather minor tweaks and the creation of 3 functions rather than 2.

    * Functions: New-DNATRuleXML and New-SNATRuleXML. We created these two functions to build the XML string (one for SNAT and one for DNAT); their results are stored in a script-scoped variable.

    * Function: New-NATXMLExecute. It is the execute function that submits the big XML string built by the functions above.

    You would change/use the rule XML functions to interface with your worksheet, and then you should be well on your way. Hope it is useful.

    Example code is below:

    ===============================================

    # LogWrite and EdgeGatewayStatus are the poster's own helpers; they were not included in the post.
    # XML element names were lost from the forum copy and are restored here from the vCloud 5.1 API schema.

    # Helper: fetch the edge gateway view and its current configuration.
    # Factored out of the three original functions, which each repeated these lines.
    Function Get-EdgeGatewayConfig ($EdgeGateway) {
        $Edgeview = Search-Cloud -QueryType EdgeGateway -Name $EdgeGateway | Get-CIView
        If (!$Edgeview) {
            Write-Warning "Edge Gateway with name $EdgeGateway not found."
            return $null
        }
        $webclient = New-Object System.Net.WebClient
        $webclient.Headers.Add("x-vcloud-authorization", $Edgeview.Client.SessionKey)
        $webclient.Headers.Add("Accept", $Edgeview.Type + ";version=5.1")
        [xml]$EGWConfXML = $webclient.DownloadString($Edgeview.Href)
        return @{ View = $Edgeview; Config = $EGWConfXML }
    }

    # Helper: next free NAT rule Id, cached in $Script:NewID so consecutive calls do not collide.
    # Gateway NAT rules are numbered from 65537 upwards.
    Function Get-NextNatRuleId ([xml]$OriginalXML) {
        If ($Script:NewID) {
            $Script:NewID += 1
        }
        else {
            $LastRule = $OriginalXML.NatService.NatRule | Sort-Object { [int]$_.Id } | Select-Object -Last 1
            If ($LastRule) { $Script:NewID = [int]$LastRule.Id + 1 }
            else { $Script:NewID = 65537 }   # no existing rule: start at the first gateway rule Id
        }
        return $Script:NewID
    }

    Function New-NATXMLExecute (
        $EdgeGateway,
        $NATXML,
        $FirewallEnable) {
        Write-Host "`nExecuting Add NAT function" -ForegroundColor Cyan
        Write-Host "-----------------------------------------------------"
        Write-Host "EdgeGateway:`t`t$EdgeGateway"
        #Write-Host "`tNATXML:`t`t$NATXML"
        Write-Host "Enable firewall?:`t`t$FirewallEnable"
        Write-Host "-----------------------------------------------------"
        $Edge = Get-EdgeGatewayConfig $EdgeGateway
        If (!$Edge) { return }
        $Edgeview = $Edge.View
        $EGWConfXML = $Edge.Config
        $URI = $Edgeview.Href + "/action/configureServices"
        $wc = New-Object System.Net.WebClient
        # Add Authorization headers
        $wc.Headers.Add("x-vcloud-authorization", $Edgeview.Client.SessionKey)
        $wc.Headers.Add("Content-Type", "application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml")
        $wc.Headers.Add("Accept", "application/*+xml;version=5.1")
        [xml]$OriginalXML = $EGWConfXML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.NatService.OuterXml
        #Check if the firewall is turned on
        $FirewallStatus = $EGWConfXML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.FirewallService.IsEnabled
        Write-Host "Current firewall enabled status: $FirewallStatus. This will be changed to: $FirewallEnable"
        LogWrite "Current firewall enabled status: $FirewallStatus. This will be changed to: $FirewallEnable"
        If (($NATXML) -or ($FirewallStatus -ne $FirewallEnable)) {
            # configureServices takes a complete service configuration. This body carries only the
            # firewall enable flag and the NAT rules (no FirewallRule elements), so check the
            # gateway's firewall rules after the POST.
            $GoXML = '<EdgeGatewayServiceConfiguration xmlns="http://www.vmware.com/vcloud/v1.5">
    <FirewallService>
    <IsEnabled>' + $FirewallEnable + '</IsEnabled>
    <DefaultAction>drop</DefaultAction>
    <LogDefaultAction>false</LogDefaultAction>
    </FirewallService>
    <NatService>
    <IsEnabled>true</IsEnabled>'
            # Keep every existing NAT rule, then append the new one(s)
            $OriginalXML.NatService.NatRule | ForEach-Object {
                $GoXML += $_.OuterXml
            }
            $GoXML += $NATXML
            $GoXML += '</NatService>
    </EdgeGatewayServiceConfiguration>'
            $script:NATXMLExecute = $GoXML
            [byte[]]$byteArray = [System.Text.Encoding]::ASCII.GetBytes($GoXML)
            $UploadData = $wc.UploadData("POST", $URI, $byteArray)
            $EdGWStatus = EdgeGatewayStatus -EdgeGateway $EdgeGateway
            Write-Host -NoNewline "Waiting for EdgeGateway to configure..."
            LogWrite "Waiting for EdgeGateway to configure..."
            While ($EdGWStatus -ne "Ready") {
                Start-Sleep -Seconds 3
                Write-Host -NoNewline "."
                $EdGWStatus = EdgeGatewayStatus -EdgeGateway $EdgeGateway
                If ($EdGWStatus -eq "Error") {
                    Write-Host "Error has occurred... Check the EdgeGateway" -ForegroundColor Red
                    LogWrite "Error has occurred... Check the EdgeGateway."
                    break
                }
            }
            Write-Host " EdgeGateway Ready."
            Write-Host "`nNAT build complete." -ForegroundColor Green
            LogWrite "NAT build complete."
        }
        else {
            Write-Host "No change necessary. No changes have been made to the EdgeGateway" -ForegroundColor Yellow
            LogWrite "No change necessary. No changes have been made."
        }
    }

    Function New-DNATRuleXML (
        $EdgeGateway,
        $ExternalNetwork,
        $OriginalIP,
        $OriginalPort,
        $TranslatedIP,
        $TranslatedPort,
        $Protocol) {
        Write-Host "Building DNAT rule XML" -ForegroundColor Yellow
        Write-Host "`tEdgeGateway:`t`t$EdgeGateway"
        Write-Host "`tExternalNetwork:`t$ExternalNetwork"
        Write-Host "`tOriginalIP:`t`t$OriginalIP"
        Write-Host "`tOriginalPort:`t`t$OriginalPort"
        Write-Host "`tTranslatedIP:`t`t$TranslatedIP"
        Write-Host "`tTranslatedPort:`t`t$TranslatedPort"
        Write-Host "`tProtocol:`t`t$Protocol"
        $Edge = Get-EdgeGatewayConfig $EdgeGateway
        If (!$Edge) { return }
        $EGWConfXML = $Edge.Config
        [xml]$OriginalXML = $EGWConfXML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.NatService.OuterXml
        $NewID = Get-NextNatRuleId $OriginalXML
        # The gateway interface the rule applies to, looked up by external network name
        # (assumption: the Interface element did not survive in the forum copy)
        $Interface = $EGWConfXML.EdgeGateway.Configuration.GatewayInterfaces.GatewayInterface | Where-Object { $_.Name -eq $ExternalNetwork }
        $strXML = '<NatRule>
    <RuleType>DNAT</RuleType>
    <IsEnabled>true</IsEnabled>
    <Id>' + $NewID + '</Id>
    <GatewayNatRule>
    <Interface href="' + $Interface.Network.href + '" name="' + $Interface.Network.name + '" type="application/vnd.vmware.admin.network+xml" />
    <OriginalIp>' + $OriginalIP + '</OriginalIp>
    <OriginalPort>' + $OriginalPort + '</OriginalPort>
    <TranslatedIp>' + $TranslatedIP + '</TranslatedIp>
    <TranslatedPort>' + $TranslatedPort + '</TranslatedPort>
    <Protocol>' + $Protocol + '</Protocol>
    </GatewayNatRule>
    </NatRule>'
        $script:DNATXML = $strXML
    }

    Function New-SNATRuleXML (
        $EdgeGateway,
        $ExternalNetwork,
        $OriginalIP,
        $TranslatedIP
        ) {
        Write-Host "Building SNAT rule XML" -ForegroundColor Yellow
        Write-Host "`tEdgeGateway:`t`t$EdgeGateway"
        Write-Host "`tExternalNetwork:`t$ExternalNetwork"
        Write-Host "`tOriginalIP:`t`t$OriginalIP"
        Write-Host "`tTranslatedIP:`t`t$TranslatedIP"
        $Edge = Get-EdgeGatewayConfig $EdgeGateway
        If (!$Edge) { return }
        $EGWConfXML = $Edge.Config
        [xml]$OriginalXML = $EGWConfXML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.NatService.OuterXml
        $NewID = Get-NextNatRuleId $OriginalXML
        $Interface = $EGWConfXML.EdgeGateway.Configuration.GatewayInterfaces.GatewayInterface | Where-Object { $_.Name -eq $ExternalNetwork }
        $strXML = '<NatRule>
    <RuleType>SNAT</RuleType>
    <IsEnabled>true</IsEnabled>
    <Id>' + $NewID + '</Id>
    <GatewayNatRule>
    <Interface href="' + $Interface.Network.href + '" name="' + $Interface.Network.name + '" type="application/vnd.vmware.admin.network+xml" />
    <OriginalIp>' + $OriginalIP + '</OriginalIp>
    <TranslatedIp>' + $TranslatedIP + '</TranslatedIp>
    </GatewayNatRule>
    </NatRule>'
        $script:SNATXML = $strXML
    }

    ===============================================
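    The CSV-driven loop the question asks for, as an added example that is neither the poster's nor Alan's code; it assumes the three functions above are loaded in a PowerCLI session connected to vCloud, and the CSV column layout (EdgeGateway, ExternalNetwork, RuleType, OriginalIP, OriginalPort, TranslatedIP, TranslatedPort, Protocol) is an assumption. Rows are validated before anything is sent, and all rules for one gateway go out in a single configureServices POST.

```powershell
# Constructed sample CSV (use Import-Csv -Path rules.csv in practice); addresses are documentation ranges
$csvText = @"
EdgeGateway,ExternalNetwork,RuleType,OriginalIP,OriginalPort,TranslatedIP,TranslatedPort,Protocol
EDGE-ORG1,WAN,DNAT,203.0.113.10,3389,10.10.10.5,3389,tcp
EDGE-ORG1,WAN,DNAT,203.0.113.10,443,10.10.10.6,443,tcp
EDGE-ORG1,WAN,SNAT,10.10.10.0/24,,203.0.113.10,,
"@
$rules = $csvText | ConvertFrom-Csv

# Validate every row first: one bad row aborts the whole batch instead of half-applying it
$validTypes = @('DNAT', 'SNAT')
$validProtocols = @('tcp', 'udp', 'tcpudp', 'icmp', 'any')
$problems = @()
foreach ($r in $rules) {
    $label = "$($r.EdgeGateway) $($r.RuleType) $($r.OriginalIP):$($r.OriginalPort)"
    if ($validTypes -notcontains $r.RuleType) { $problems += "Unknown RuleType in row: $label" }
    if (-not $r.OriginalIP -or -not $r.TranslatedIP) { $problems += "Missing IP in row: $label" }
    if ($r.RuleType -eq 'DNAT') {
        if ($validProtocols -notcontains $r.Protocol) { $problems += "Bad Protocol '$($r.Protocol)' in row: $label" }
        foreach ($p in @($r.OriginalPort, $r.TranslatedPort)) {
            if ($p -ne 'any' -and ($p -notmatch '^\d+$' -or [int]$p -lt 1 -or [int]$p -gt 65535)) {
                $problems += "Bad port '$p' in row: $label"
            }
        }
    }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "CSV validation failed; nothing was sent to any gateway."
}

# Build and submit per gateway, so the Id counter in the posted functions restarts for each one
foreach ($group in ($rules | Group-Object EdgeGateway)) {
    $Script:NewID = $null
    $batch = ''
    foreach ($r in $group.Group) {
        if ($r.RuleType -eq 'DNAT') {
            New-DNATRuleXML -EdgeGateway $r.EdgeGateway -ExternalNetwork $r.ExternalNetwork `
                -OriginalIP $r.OriginalIP -OriginalPort $r.OriginalPort `
                -TranslatedIP $r.TranslatedIP -TranslatedPort $r.TranslatedPort -Protocol $r.Protocol
            $batch += $Script:DNATXML
        }
        else {
            New-SNATRuleXML -EdgeGateway $r.EdgeGateway -ExternalNetwork $r.ExternalNetwork `
                -OriginalIP $r.OriginalIP -TranslatedIP $r.TranslatedIP
            $batch += $Script:SNATXML
        }
    }
    # One POST per gateway. 'true' keeps the firewall enabled; pass the gateway's current
    # value instead if the batch must not touch the firewall state.
    New-NATXMLExecute -EdgeGateway $group.Name -NATXML $batch -FirewallEnable 'true'
}
```

    Inspect $Script:NATXMLExecute after a run to see exactly which configuration was posted to each gateway.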

  • NAT rule VPN problem

    Hello people, I have had a lot of trouble trying to solve this problem, but hoping someone here can enlighten me.

    I have a remote site that hosts a number of services that we manage remotely over an IPsec VPN connection. When connecting to the site we connect fine and can do most actions like RDP and connecting to servers for maintenance, but one service fails to connect unless I add a NAT exempt rule to the router (ASA 5505) configuration.

    Once this rule is in place the service works, but other services that initially worked stop working. In short, this rule must be in place while doing a single task, but then removed for other tasks. I hope there is some sort of rule or behaviour I can add to the ASDM configuration that makes it so I don't have to manually add this rule whenever I connect.

    Here are the details of the rule:

    access-list outside_nat0_outbound line 1 extended permit ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0

    nat (outside) 0 access-list outside_nat0_outbound outside tcp 0 0 udp 0

    When the connection is established without the rule in place, the ASDM syslog shows these warnings:

    Deny tcp src inside: outside:10.100.32.203/135 dst61745 by access-group "inside_access_in" [0x0, 0x0]

    The strange thing is that 10.100.32.203 is the internal IP of my host computer. It is not the external IP address of the network I connect from.

    Is it possibly a problem with the VPN pool using a subset of the inside VLAN subnet? The inside VLAN is 192.168.15.0/24 and the VPN pool is 192.168.15.200 - 250. I am ready to reconfigure the VPN address pool but need to do it remotely, and am unsure how to do this reconfiguration safely without losing my remote access, since physical access to the router itself is currently very difficult.

    If more details are needed, I am happy to give them.

    Hi GrahamB,

    Yes, the problem is the pool overlapping the inside subnet.

    There are a lot of private addresses available, so please create a new group-policy and tunnel-group and assign a separate IP address pool to them; connect remotely with the new one, and once the new group solves your problem, you can safely remove the old one.

    I hope this helps.

    Thank you

    Rizwan Muhammed.

  • Problem assigning vShield Edge licences

    We have a cluster running vCenter 5.1 Standard with 3 ESXi 4.1 hosts licensed with vSphere 4 Enterprise Plus keys. Recently I deployed vCloud Director 5.1 with a vShield Manager 5.1.2 server. I was able to successfully add vCenter and vShield Manager to vCloud. Then when I try to add our vShield Edge licence in vCenter as the installation guide document says, I can't find the vShield Edge asset in the vCenter "Licensing" section. Is it because of our vSphere 4 licence?

    The problem is now resolved. We recently upgraded our vCenter from 4.1 to 5.1. The vShield Manager appliance was installed before the upgrade. After the upgrade, I didn't reboot the vCenter server. Once I restarted the vCenter server, it was able to find the vShield Edge asset from the vShield Manager appliance.

  • vShield Edge configuration

    Hello

    I recently installed vShield Edge:

    There are two devices that have been added to the inventory...

    I set up an internal IP address on my private subnet AND an uplink with a public IP... and I configured the default gateway to match my public default gateway...

    Now I have a virtual machine on my private network whose gateway I changed to the IP address assigned to the internal interface of vShield Edge... but it still cannot ping the Internet!

    Am I missing something or have I configured something wrong?

    Help, please

    Thank you

    Hello

    The reason for two devices could be that you installed Edge in HA mode.

    Coming to your network problem, check the following.

    • Check if you have applied the SNAT rule on the external network. In it, the original IP should be your private network and the translated IP must be one (or a range) of your public IP addresses. You must sub-allocate the translated IP before using it in NAT.
    • Check if the firewall is disabled (or) has an exception added.
  • vShield Edge load balancer within vCloud Director?

    Hi all

    I had a long week installing and configuring vCloud Director. So far, it looks great.

    However, I wanted to create a vApp with 2 web servers and a load balancer (vShield Edge device) in front of them. I just don't seem to be able to find anything about how I activate it in the vCloud Director web site. I can do the NAT and firewall, but load balancing is missing... I'm sure it's there somewhere, I'm just not seeing it!

    Can someone point me in the right direction?

    Bgrds,

    Finnzi

    This requires the additional vShield Edge licence and configuring vShield through the vCenter plugin. There is no user interface in the vCD interface to configure vSE load balancing yet. 1.5 introduces the ability to configure VPN (if licensed) through vCD, but not the LB function yet.

  • PIX 501 VPN problem

    I can connect, but I cannot see all network resources.

    The VPN Client, ver. 5.0.01, is running on an XP machine.

    It connects to a network behind a PIX 501, ver. 6.3(5).

    When the connection is established the remote client gets an address assigned from the VPN pool 192.168.2.10 - 192.168.2.25:

    The VPN client log shows:

    Line: 45 18:07:27.898 12/08/09 Sev=Info/4 CM/0x63100034

    The virtual adapter has been enabled:

    IP=192.168.2.10/255.255.255.0

    DNS=0.0.0.0,0.0.0.0

    WINS=0.0.0.0,0.0.0.0

    Domain=

    Split DNS Names=

    It is followed by these lines:

    46 18:07:27.968 12/08/09 Sev=Warning/2 CVPND/0xE3400013

    AddRoute failed to add a route: code 87

    Destination 192.168.1.255

    Netmask 255.255.255.255

    Gateway 192.168.2.1

    Interface 192.168.2.10

    47 18:07:27.968 12/08/09 Sev=Warning/2 CM/0xA3100024

    Failed to add the route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.

    48 18:07:28.178 12/08/09 Sev=Info/4 CM/0x63100038

    Successfully saved route changes to file.

    49 18:07:28.198 12/08/09 Sev=Info/6 CM/0x63100036

    The routing table has been updated for the virtual adapter

    50 18:07:29.760 12/08/09 Sev=Info/4 CM/0x6310001A

    A secure connection established

    * ...

    I can ping an inside IP behind the same PIX from the remote client,

    even when I get the 'route add failure' above, but I cannot ping by computer name.

    I enabled NAT traversal using the PDM, but when I connect with this option, I get the error that the "remote endpoint is NOT behind a NAT device; this end is behind a NAT device" and ping fails.

    Behind the PIX are a few computers with no central server, so I have no WINS server for remote clients.

    I created the VPN with the wizard.

    The configuration file is attached.

    Any suggestion would be appreciated.

    Kind regards

    Hugh

    Hugh, sure you can rate based on the whole conversation, but you don't have to; ratings are certainly appreciated.

    To sum up the overall problems, the main objective was to ensure the RA VPN configuration on the PIX 501 was corrected.

    1. We enabled NAT-T on the firewall. Even if it wasn't the question, you need it if you do RA from other places: NAT traversal makes the VPN aware of NAT devices at the other end. Here is some good information on NAT-T for future reference:

    http://www.Microsoft.com/technet/community/columns/cableguy/cg0802.mspx

    2. We fixed the VPN pool /28 network as well as the access list and crypto ACL to be consistent with the sheep ACL.

    Here is a link for future reference with many PIX configuration scenarios:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

    Finally, your only remaining question, we can say, is purely isolated to the VPN client software and the Mac machine.

    You could maybe try a different version of the client on the Mac, or also look at the release notes for the open caveats on the Cisco client versions and Mac versions if there are problems.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/prod_release_notes_list.html

    Regards

  • SSH to vShield Edge using Java (JSch)

    I am trying to connect to vShield Edge using the JSch SSH connection library.

    Connecting to a Linux server works perfectly, but when connecting to the vShield Edge server, the output is:

    vtysh: invalid option -- 'c'

    Try `vtysh --help' for more information.

    What does it mean?

    The connection seems to work correctly; I think the problem is the command I want to exec (the 'list' command).

    I tried many commands, but I always get the same answer.

    I also used this Java method to set the pty:

    ((ChannelExec) channel).setPtyType("vt100");

    Can I define another type?

    Thank you all

    Giovanni

    I solved it using the SSHTools Java library.

    You can retrieve the lib from this SourceForge link: SSHTools | Free software downloads on SourceForge.net

    And here is my code.

    There was indeed a problem reading the result of the command, but it should be simple to solve.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.OutputStream;

    import com.sshtools.j2ssh.SshClient;
    import com.sshtools.j2ssh.authentication.AuthenticationProtocolState;
    import com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;
    import com.sshtools.j2ssh.session.SessionChannelClient;
    import com.sshtools.j2ssh.transport.IgnoreHostKeyVerification;

    public static void executeSSHCommand(String username, String password, String hostname, String command) {
        SshClient ssh = new SshClient();
        PasswordAuthenticationClient auth = new PasswordAuthenticationClient();
        int result = 0;
        SessionChannelClient session = null;
        OutputStream out = null;
        BufferedReader in = null;
        try {
            // IgnoreHostKeyVerification accepts any host key, so the server's identity is never checked
            ssh.connect(hostname, new IgnoreHostKeyVerification());
            auth.setUsername(username);
            auth.setPassword(password);
            result = ssh.authenticate(auth);
            if (result != AuthenticationProtocolState.COMPLETE) {
                System.out.println("Authentication error");
                return;   // do not try to open a session on a failed login
            }
            session = ssh.openSessionChannel();
            session.startShell();
            out = session.getOutputStream();
            // The shell runs the command only once it receives a line terminator
            out.write(command.getBytes());
            out.flush();
            in = new BufferedReader(new InputStreamReader(session.getInputStream()));
            String read = null;
            while ((read = in.readLine()) != null) {
                System.out.println(read);
            }
        } catch (IOException ex) {
            ex.printStackTrace();
        } finally {
            ssh.disconnect();
        }
    }

    Hope this helps others :-)

  • vShield Edge NICs

    Hello world

    I installed vSphere 5.5, vCloud 5.5 and vShield 5.5 for a test. Everything seems fine. But when I create an organization VDC and add an Edge gateway for it, the system automatically creates a vSE VM under "system vDC". The virtual machine contains multiple network cards, including two it uses for the external network and the organization's network. But there are still many that connect to a standard switch named 'None'.

    Although it works well, the problem is I cannot migrate it or put its host in maintenance mode. During the migration the network interface adapter check shows "2 use 'None' network, which is not accessible."

    Does anyone know something?

    Thank you

    This should be a non-issue.

    Each vShield Edge device has 10 NICs. Only the ones in use are attached to a given network (one external, one internal).

    The 'None' network is an unassigned port group. This does not block vMotion from happening, and even if you get a warning message, you should still be able to click Next and complete the vMotion.

    The only way you would be blocked from vMotion is if one of the two real networks were somehow connected to a specific host.

    Can you provide a screenshot of it with the Next button greyed out and anything that is not a warning about the 'None' network?

  • vShield Edge # configure terminal

    vShield-edge-17-0 # configure terminal

    % Unknown command.

    WTF? Did the CLI become useless between some releases or something? I'm quite sure I've done this before.

    5.5.4 - 2504419

    Ah right, everything is done from the CLI of the vShield Manager appliance. Silly me.

  • Problem posting photos to Facebook Pages. Help!

    Does anyone know of a problem posting photos to Facebook Pages? I have been doing so on a daily basis for a few years now. Yesterday, I was unable to post to a Facebook Page (non-personal account).

    Now, when I try to create a collection published to Facebook, I can no longer select an existing album on the Facebook Page.

    Has something changed? Thank you very much in advance for your comments!

    Paul,

    Midlothian, VA

    Yes, someone fixed something. Facebook? I can post to the pages I manage again!
    Everyone please see if it works for you!

  • I have recently updated my laptop to Windows 10 and can now access Lightroom. I had the same problem before, when I upgraded, and you were able to walk me through the changes. Can you advise?

    It seems that there is a problem with the graphics card.

    Please try the steps under the troubleshooting topic: Adobe Lightroom GPU troubleshooting and FAQ

  • IOS IPsec VPN with NAT - translation problem

    I'm having a problem with an IOS IPsec VPN configuration.

    /*

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key TEST123 address 205.xx.1.4
    !
    !
    crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
    !
    !
    crypto map CRYPTO-MAP 10 ipsec-isakmp
     set peer 205.xx.1.4
     set transform-set CHAIN
     match address 115
    !
    interface FastEthernet0/0
     description TO THE EDGE ROUTER
     ip address 208.xx.xx.33 255.255.255.252
     ip nat outside
     crypto map CRYPTO-MAP
    !
    interface FastEthernet0/1
     description INTERNAL NETWORK
     ip address 10.15.2.4 255.255.255.0
     ip nat inside
    access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3

    */

    (This configuration is incomplete / NAT configuration needed)

    Here is the solution that I'm looking for:

    When a session is initiated from the "internal network" to the "remote IPsec network 172.xx.1.0/30", I want the '10.15.0.0/16' address scheme NAT-translated to '192.xx.xx.128/30' before forwarding via the IPsec VPN tunnel.

    For more information, see the attached diagram.

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the following NAT + route-map approach (method 2 in this link):

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K

  • VPN L2L NAT overlapping networks problem - HELP!

    I use an IOS router as an L2L VPN device to connect my site to several different customer locations, some of which use the same internal IP addresses. These VPNs have been working well.

    I recently added another customer to this system and I am now having a problem with the new configuration. With this configuration, I NAT my internal addresses. NAT works, but it NATs my addresses to the wrong NAT pool and therefore does not bring up the tunnel.

    My internal IPs: 10.10.x.x

    Incorrect NAT pool: 10.129.x.x

    Correct NAT pool: 10.99.x.x

    Help... :))

    Thank you

    The problem is simple. You have almost identical ACLs for two customers. As the first NAT rule was added earlier, it comes into play first. To resolve this issue, you must set an explicit host/subnet destination match instead of the 'any' keyword.

    For example like this:

    ip access-list extended ME-CRYPTO-ACL

      permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63

    ip access-list extended ME-NAT-ACL

      permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

    ip access-list extended SA-CRYPTO-ACL

      permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95

    ip access-list extended SA-NAT-ACL

      permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95

    Another solution is more complex and harder to understand (and explain): you can use virtual templates with tunnel protection for each customer, VRFs, and NAT for common services.

    ___

    HTH. Please rate this post if it has been helpful. If it solves your problem, please mark this message as "correct answer".

  • ASA site-to-site VPN (WITH NAT) ICMP problem

    Hi all!

    I need to PAT traffic from 192.168.1.0/24 (via VPN) to reach the remote 151.1.1.0/24 through the 192.168.123.9 router in the DMZ (see diagram).

    It works with this configuration, with the exception of ICMP.

    This is the error: Deny icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)

    Is there a way to do this?

    Thank you all!

    Marco

    ------------------------------------------------------------------------------------

    ASA Version 8.2(2)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 remote-network
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.200.199 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.0.0.2 255.255.255.0
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 0
     ip address 192.168.123.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    object-group network DM_INLINE_NETWORK_1
     network-object 151.1.1.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
    access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
    access-list dmz_access_in extended permit icmp any any
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any dmz
    asdm image disk0:/asdm-625.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 5 192.168.123.229
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.200.0 255.255.255.0
    nat (outside) 5 access-list VPN_NAT outside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
    route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http remote-network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.0.0.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 10.0.0.1 type ipsec-l2l
    tunnel-group 10.0.0.1 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    ------------------------------------------------------------------------------------

    Review the link; you have two ways to let the outgoing ICMP replies back in: a proper ACL or ICMP inspection.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
