Cisco Asa vpn site-to-site with nat

Similar Questions

• Cisco ASA VPN Site to Site WITH NAT inside

  Hello!

  I have 2 ASA 5505 related to IPSEC Tunnel VPN Site to Site.

  A 192.168.1.0/24 'remotely' inside the network and a local "192.168.200.0/24' inside the network (you can see the diagram)

  The local host have 192.168.200.254 as default gateway.

  I can't add static route to all army and I can't add static route to 192.168.200.254.

  NAT the VPN entering as 192.168.200.1 or a 192.168.200.x free to connect my host correcly?

  If my host sends packet to exit to the default gateway.

  Thank you for your support

  Best regards

  Marco

  The configuration must be applied on the SAA with the 192.168.200.0 subnet it is inside, there must be something like this:

  permit 192.168.1.0 ip access list VPN_NAT 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (outside) X VPN_NAT outside access list

  Global (inside) X Y.Y.Y.Y (where the Y.Y.Y.Y) is the ip address

  If you have other traffic on the vpn through the tunnel that requires no nat, then you must add external nat exemption rules since these lines above obliges all traffic through the asa to have a nat statement.

  See if it works for you, else post your config nat here.

• Cisco ASA vpn site to site with access internet, error

  Hello

  I have two offises, Central and removed, with the external IP addresses. They are connected to the site to site vpn, LAN works fine, then NAT is disable, but then there is no internet access, then I Internet in NAT is working well, but then there is no access to the local network.
  Where would be the problem?

  There's config:

  ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
 domain-name lietuvosdujos.lt
object network LAN
 subnet 192.168.204.0 255.255.255.0
 description Local Area Network
object network LD_Lanai
 subnet 192.168.0.0 255.255.0.0
 description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
 key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
 vpn-filter value vpn
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
 default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]/* */
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end

  Two things are here according to you needs.

  First you encrypt all the traffic on the network 192.168.204.0/24... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using all the crypto ACL.

  object network LAN
 subnet 192.168.204.0 255.255.255.0access-list outside_cryptomap_1 extended permit ip object LAN any

  Second, you have not an exempt statement NAT so that encrypted traffic should not be translated.  This statement would look like the following:
  the object of the LAN network
  192.168.204.0 subnet 255.255.255.0

  being REMOTE-LAN network
  255.255.255.0 subnet 192.168.100.0

  Static NAT LAN LAN (inside, outside) destination static REMOTE - LAN LAN

  --

  Please do not forget to choose a good response and the rate

• Redundancy with double tis on cisco ASA VPN Site to Site

  Dear supporters,

  Could you help me to provide a configuration for the network as an attachment diagram.

  I am suitable with your help.

  Thank you

  Best regards

  Hi Sothengse,

  You can visit the below link and configure ASA @ head and Canes accordingly to your condition.

  You must change the configuration of the similar example with ends... Double TIS @ ends in your scenario...

  http://networkology.NET/2013/03/08/site-to-site-VPN-with-dual-ISP-for-BA...

  I hope this helps.

  Concerning

  Knockaert

• Between Cisco ASA VPN tunnels with VLAN + hairpin.

  I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings:

  1. The 5505 has a dynamically assigned internet address.
  2. The 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
  3. The 5520 cannot be a client of ezvpn due to its current role as a server of webvpn (anyconnect).

  Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts.

  Thank you!

  1. The 5505 has a dynamically assigned internet address.

  You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning

  2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).

  Make sure that the interface is connected to a switch so that it remains all the TIME.

  3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server.

  You can use dynamic VPN with normal static rather EZVPN tunnel.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Cisco 877 + VPN Site to Site

  Hello

  I'm new im this forum.
  I've set up a Site VPN site with 2 Cisco 877.

  SITE A:

  Address IP Adreess public: static
  Internal IP Adrees: 192.168.0.XXX
  Mask: 255.255.255.0

  SITE B:

  IP address public Adreess: Dynamics
  Internal IP address: 192.168.2.XXX
  Mask: 255.255.255.0

  I managed to do a ping on both sides, but I can't access file shares, and could rdp on any server in site A, by the internal IP address.

  Fix, is the SITES A and B SITE startup configs.

  Could you please someone help me?

  Hi Marcos,

  Really happy to know that the problem is solved. There is no need to apologize. Please mark this message as answered if there is nothing more.

  Rregards,

  Assia

• VPN site to Site with NAT (PIX 7.2)

  Hi all

  I hope for more help with config PIX.  TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...

  I have to configure a VPN site-to site between our UK and US Office, to replace our frame relay link.  I have configured multiple VPN site to site on the before PIX, so am reasonably okay with the appearance of the config of who.  What is a new concept for me is the needs of NAT'ing between the IPSEC tunnel.

  The U.S. Agency requires us to NAT source addresses (i.e. 192.168.1.0) usable on their side address (i.e. 143.102.89.0).  The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.

  I added the following config and hoping to test it at the U.S. office happens online today.

  If I Ping from 192.168.1.0 to 172.24.x.x source and run a SH NAT inside, the NAT translation seems good.

  is the intellectual property inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
  static translation at 143.102.89.0
  translate_hits = 4, untranslate_hits = 0

  Could someone please go through the following lines of config and comment if there is no error?

  Thank you very much

  Kevin

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  IP 143.102.89.0 allow Access-list ipsec - dallas extended 255.255.255.0 172.24.0.0 255.252.0.0

  policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0

  public static 143.102.89.0 (inside, outside) - list of access policy-nat-dallas

  Crypto ipsec transform-set esp-3des esp-md5-hmac 3desmd5set

  card crypto map dyn 40 correspondence address ipsec - dallas

  set dyn-map 40 crypto map peer 143.101.6.141

  card crypto dyn-map 40 transform-set 3desmd5set

  dyn-map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  tunnel-group 143.101.6.141 type ipsec-l2l

  IPSec-attributes tunnel-group 143.101.6.141

  pre-shared-key *.

  You can configure NAT/Global pair for the rest of the users.

  For example:

  You can use the initially configured ACL:

  policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
  NAT (inside) 1 access list policy-nat-dallas

  Global 1 143.102.89.x (outside)

  The static statement that you configured previously will take precedence over the above. So the printer gets statically using a NAT to 143.102.89.10, and the rest can do another ip address 143.102.89.x PATed.

  Please note that for PAT, traffic can only be initiated from 192.168.1.0/24 LAN to 172.24.0.0/14, not the other way around.

  Hope that helps.

• local host to access the vpn site to site with nat static configured

  I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

  IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
  IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 100

  access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
  access-list 100 permit ip 192.168.150.0 0.0.0.255 any

  You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

  If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

• VPN site to Site with NAT

  Hello Experts

  We intend to set up a VPN site-to site between two sites, sites, Site & A B such as shown in the attached diagram.

  The LAN on SIte A is 10.8.1.0/24 who are planning to NAT on the ASA5505 to 192.168.42.0/24 because this is the range that is allowed on the firewall on the remote end (Site B ASA 5520)

  What type of configuration requires we on the firewall of the Site regarding the interesting traffic.

  Natted IPs will be the interesting traffic?

  Is there another thing we have in other mind while configuring the ASA for the scenarios.

  Help would be appreciated.

  ACL "crypto-NAT" of my example will be the NAT traffic that source of 10.8.1.0/24 for 10.3.0.0/24 to match 192.168.42.0/24.

  For example:

  10.8.1.1 will be coordinated to 192.168.42.1 when traffic is destined to the 10.3.0.0/24 subnet.

  10.8.1.2 will be coordinated to 192.168.42.2 when traffic is destined to the 10.3.0.0/24 subnet.

  etc etc.

  If you have another remote subnet, you are right, you just add the extra line to the crypto-NAT and crypto-ACL. So, you will have the following lines:

  IP 10.8.1.0 allow Access-list crypto-NAT 255.255.255.0 10.3.0.0 255.255.255.0

  10.8.1.0 IP Access-list crypto-NAT 255.255.255.0 allow 10.5.0.0 255.255.0.0

  Crypto ip 192.168.42.0 access list ACL allow 255.255.255.0 10.3.0.0 255.255.255.0

  Crypto ip 192.168.42.0 access list ACL allow 255.255.255.0 10.5.0.0 255.255.0.0

• A Site with NAT

  Hi all, thanks for looking. I'm a very basic user to a Cisco ASA 5510, I tend to do most of the things in the ASDM GUI interface.

  We need to create a site to site with a client connection. It's pretty easy but there is a caveat, we can use our internal IPS that they already use the range elsewhere. If we gave them two different IP, for example 192.158.22.101 and 192.158.22.102. I created the site to the site using these two survey periods, but these do not exist internally on the machines because they are not IPs on our network, which is using 192.158.44.0.

  The question I have is how can I get the IP addresses 192.158.44.101 and 192.158.44.102 to become 92.158.22.101 and 92.158.22.102 before being sent via this connection. I tried to add the NAT to the object of an IP address related, but I'm obviously missing something.

  The other option, I do not fear to do, is to add a new range of internal IP 192.158.22.0 addresses, but I don't know how do either.

  Any help would be appreciated, I'm really bad here and spent two weeks on this subject already. I searched for it, but it seems that it is either too basic for most people wonder or slightly different, for example, they have control of the two sites.

  Hello

  Add to that dieng said here is the config for NATTING as two IPS 192.158.44.101 and 102:

  network object obj - 192.158.44.101

  Home 192.158.44.101

  network object obj - 192.158.44.102

  Home 192.158.44.102

  object obj -192.158.22.101 network

  Home 192.158.22.101

  object obj -192.158.22.102 network

  host 192.158.22.102

  object obj remote network

  10.x.x.x subnet 255.255.255.0

  You need two NAT statements for this:

  NAT (inside, outside) source dynamic obj - 192.158.44.101 obj -192.158.22.101 destination static obj-remote obj-remote

  nat source (indoor, outdoor) obj dynamic obj - 192.158.44.102 - 192.158.22.102 destination static obj obj-remote control-remote control

  It will be useful.

  Kind regards

  Aditya

  Please evaluate the useful messages.

• Cisco ASA 5505 site for multiple subnet of the site.

  Hello. I need help to configure my cisco asa 5505.

  I set up a VPN between two ASA 5505 tunnel

  Site 1:

  Subnet 192.168.77.0

  Site 2:

  Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

  What I need help:

  Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

  And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

  Vlan480 is used for phones. In vlan480, we have a PABX.

  Is this possible to do?

  Any help would be much appreciated!

  Config site 2:

  : Saved

  :

  ASA Version 7.2 (2)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  names of

  name 192.168.1.250 DomeneServer

  name of 192.168.1.10 NotesServer

  name 192.168.1.90 Steadyily

  name 192.168.1.97 TerminalServer

  name 192.168.1.98 eyeshare w8

  name 192.168.50.10 w8-print

  name 192.168.1.94 w8 - app

  name 192.168.1.89 FonnaFlyMedia

  !

  interface Vlan1

  nameif Vlan1

  security-level 100

  IP 192.168.200.100 255.255.255.0

  OSPF cost 10

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 79.x.x.226 255.255.255.224

  OSPF cost 10

  !

  interface Vlan400

  nameif vlan400

  security-level 100

  IP 192.168.1.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan450

  nameif Vlan450

  security-level 100

  IP 192.168.210.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan460

  nameif Vlan460-SuldalHotell

  security-level 100

  IP 192.168.2.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan461

  nameif Vlan461-SuldalHotellGjest

  security-level 100

  address 192.168.3.1 IP 255.255.255.0

  OSPF cost 10

  !

  interface Vlan462

  Vlan462-Suldalsposten nameif

  security-level 100

  192.168.4.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan470

  nameif vlan470-Kyrkjekontoret

  security-level 100

  IP 192.168.202.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan480

  nameif vlan480 Telefoni

  security-level 100

  address 192.168.20.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan490

  nameif Vlan490-QNapBackup

  security-level 100

  IP 192.168.10.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan500

  nameif Vlan500-HellandBadlands

  security-level 100

  192.168.30.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan510

  Vlan510-IsTak nameif

  security-level 100

  192.168.40.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan600

  nameif Vlan600-SafeQ

  security-level 100

  192.168.50.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  switchport access vlan 500

  switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

  switchport mode trunk

  !

  interface Ethernet0/3

  switchport access vlan 490

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passwd encrypted x

  passive FTP mode

  clock timezone WAT 1

  DNS server-group DefaultDNS

  domain default.domain.invalid

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  Lotus_Notes_Utgaaande tcp service object-group

  UT og Frim Notes Description til alle

  area of port-object eq

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ pptp Port object

  EQ smtp port object

  Lotus_Notes_inn tcp service object-group

  Description of the inn og alle til Notes

  port-object eq www

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ smtp port object

  object-group service Reisebyraa tcp - udp

  3702 3702 object-port Beach

  5500 5500 object-port Beach

  range of object-port 9876 9876

  object-group service Remote_Desktop tcp - udp

  Description Tilgang til Remote Desktop

  3389 3389 port-object range

  object-group service Sand_Servicenter_50000 tcp - udp

  Description program tilgang til sand service AS

  object-port range 50000 50000

  VNC_Remote_Admin tcp service object-group

  Description Fra ¥ oss til alle

  5900 5900 port-object range

  object-group service Printer_Accept tcp - udp

  9100 9100 port-object range

  port-object eq echo

  ICMP-type of object-group Echo_Ping

  echo ICMP-object

  response to echo ICMP-object

  object-group service Print tcp

  9100 9100 port-object range

  FTP_NADA tcp service object-group

  Suldalsposten NADA tilgang description

  port-object eq ftp

  port-object eq ftp - data

  Telefonsentral tcp service object-group

  Hoftun description

  port-object eq ftp

  port-object eq ftp - data

  port-object eq www

  EQ object of the https port

  port-object eq telnet

  Printer_inn_800 tcp service object-group

  Fra 800 thought-out og inn til 400 port 7777 description

  range of object-port 7777 7777

  Suldalsposten tcp service object-group

  Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

  EQ Port pop3 object

  EQ smtp port object

  http2 tcp service object-group

  Beach of port-object 81 81

  object-group service DMZ_FTP_PASSIVE tcp - udp

  55536 56559 object-port Beach

  object-group service DMZ_FTP tcp - udp

  20 21 object-port Beach

  object-group service DMZ_HTTPS tcp - udp

  Beach of port-object 443 443

  object-group service DMZ_HTTP tcp - udp

  8080 8080 port-object range

  DNS_Query tcp service object-group

  of domain object from the beach

  object-group service DUETT_SQL_PORT tcp - udp

  Description for a mellom andre og duett Server nett

  54659 54659 object-port Beach

  outside_access_in of access allowed any ip an extended list

  outside_access_out of access allowed any ip an extended list

  vlan400_access_in list extended access deny ip any host 149.20.56.34

  vlan400_access_in list extended access deny ip any host 149.20.56.32

  vlan400_access_in of access allowed any ip an extended list

  Vlan450_access_in list extended access deny ip any host 149.20.56.34

  Vlan450_access_in list extended access deny ip any host 149.20.56.32

  Vlan450_access_in of access allowed any ip an extended list

  Vlan460_access_in list extended access deny ip any host 149.20.56.34

  Vlan460_access_in list extended access deny ip any host 149.20.56.32

  Vlan460_access_in of access allowed any ip an extended list

  vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

  vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

  vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

  Vlan500_access_in list extended access deny ip any host 149.20.56.34

  Vlan500_access_in list extended access deny ip any host 149.20.56.32

  Vlan500_access_in of access allowed any ip an extended list

  vlan470_access_in list extended access deny ip any host 149.20.56.34

  vlan470_access_in list extended access deny ip any host 149.20.56.32

  vlan470_access_in of access allowed any ip an extended list

  Vlan490_access_in list extended access deny ip any host 149.20.56.34

  Vlan490_access_in list extended access deny ip any host 149.20.56.32

  Vlan490_access_in of access allowed any ip an extended list

  Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan1_access_out of access allowed any ip an extended list

  Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan1_access_out deny ip extended access list a whole

  Vlan1_access_out list extended access permit icmp any any echo response

  Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

  Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

  Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan480_access_out of access allowed any ip an extended list

  Vlan510_access_in of access allowed any ip an extended list

  Vlan600_access_in of access allowed any ip an extended list

  Vlan600_access_out list extended access permit icmp any one

  Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_in_1 of access allowed any ip an extended list

  Vlan461_access_in of access allowed any ip an extended list

  Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

  access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

  pager lines 24

  Enable logging

  asdm of logging of information

  MTU 1500 Vlan1

  Outside 1500 MTU

  vlan400 MTU 1500

  MTU 1500 Vlan450

  MTU 1500 Vlan460-SuldalHotell

  MTU 1500 Vlan461-SuldalHotellGjest

  vlan470-Kyrkjekontoret MTU 1500

  MTU 1500 vlan480-Telefoni

  MTU 1500 Vlan490-QNapBackup

  MTU 1500 Vlan500-HellandBadlands

  MTU 1500 Vlan510-IsTak

  MTU 1500 Vlan600-SafeQ

  MTU 1500 Vlan462-Suldalsposten

  no failover

  Monitor-interface Vlan1

  interface of the monitor to the outside

  the interface of the monitor vlan400

  the interface of the monitor Vlan450

  the interface of the Vlan460-SuldalHotell monitor

  the interface of the Vlan461-SuldalHotellGjest monitor

  the interface of the vlan470-Kyrkjekontoret monitor

  Monitor-interface vlan480-Telefoni

  the interface of the Vlan490-QNapBackup monitor

  the interface of the Vlan500-HellandBadlands monitor

  Monitor-interface Vlan510-IsTak

  Monitor-interface Vlan600-SafeQ

  the interface of the monitor Vlan462-Suldalsposten

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 522.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  vlan400_nat0_outbound (vlan400) NAT 0 access list

  NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

  NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

  NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

  NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

  NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

  NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

  NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

  static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

  static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

  static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

  static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

  static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

  static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

  static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

  static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

  static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

  static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  (Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

  (vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  (vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

  static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

  static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

  Access-group interface Vlan1 Vlan1_access_out

  Access-group outside_access_in in interface outside

  Access-group outside_access_out outside interface

  Access-group vlan400_access_in in the vlan400 interface

  vlan400_access_out group access to the interface vlan400

  Access-group Vlan450_access_in in the Vlan450 interface

  Access-group interface Vlan450 Vlan450_access_out

  Access-group interface Vlan460-SuldalHotell Vlan460_access_in

  Access-group interface Vlan460-SuldalHotell Vlan460_access_out

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

  Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

  vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

  access to the interface vlan480-Telefoni, vlan480_access_out group

  Access-group interface Vlan490-QNapBackup Vlan490_access_in

  Access-group interface Vlan490-QNapBackup Vlan490_access_out

  Access-group interface Vlan500-HellandBadlands Vlan500_access_in

  Access-group interface Vlan500-HellandBadlands Vlan500_access_out

  Access-group interface Vlan510-IsTak Vlan510_access_in

  Access-group interface Vlan510-IsTak Vlan510_access_out

  Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

  Access-group Vlan600_access_out interface Vlan600-SafeQ

  Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

  Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

  Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  x x encrypted privilege 15 password username

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.210.0 255.255.255.0 Vlan450

  http 192.168.200.0 255.255.255.0 Vlan1

  http 192.168.1.0 255.255.255.0 vlan400

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 20 match address outside_20_cryptomap_1

  card crypto outside_map 20 set pfs

  peer set card crypto outside_map 20 62.92.159.137

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  ISAKMP crypto enable vlan400

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 62.92.159.137 type ipsec-l2l

  IPSec-attributes tunnel-group 62.92.159.137

  pre-shared-key *.

  Telnet 192.168.200.0 255.255.255.0 Vlan1

  Telnet 192.168.1.0 255.255.255.0 vlan400

  Telnet timeout 5

  SSH 171.68.225.216 255.255.255.255 outside

  SSH timeout 5

  Console timeout 0

  dhcpd update dns both

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

  !

  dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

  dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

  dhcpd option 3 ip 192.168.1.1 interface vlan400

  vlan400 enable dhcpd

  !

  dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

  dhcpd ip interface 192.168.210.1 option 3 Vlan450

  enable Vlan450 dhcpd

  !

  dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

  dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

  dhcpd enable Vlan460-SuldalHotell

  !

  dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

  dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

  dhcpd enable Vlan461-SuldalHotellGjest

  !

  dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

  interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

  dhcpd enable vlan470-Kyrkjekontoret

  !

  dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

  !

  dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

  dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

  !

  dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

  dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

  dhcpd enable Vlan500-HellandBadlands

  !

  dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

  dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

  Vlan510-IsTak enable dhcpd

  !

  dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

  Vlan600-SafeQ enable dhcpd

  !

  dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

  interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

  interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

  Vlan462-Suldalsposten enable dhcpd

  !

  !

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  !

  context of prompt hostname

  Cryptochecksum:x

  : end

  Site 1 config:

  : Saved

  :

  ASA Version 7.2 (4)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  passwd encrypted x

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.77.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE Telenor customer vpdn group

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  switchport access vlan 15

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain default.domain.invalid

  outside_access_in list extended access permit icmp any any disable log echo-reply

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

  pager lines 24

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 524.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group outside_access_in in interface outside

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  Enable http server

  http 192.168.77.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 79.160.252.226

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.77.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group Telenor request dialout pppoe

  VPDN group Telenor localname x

  VPDN group Telenor ppp authentication chap

  VPDN x x local store password username

  dhcpd outside auto_config

  !

  dhcpd address 192.168.77.100 - 192.168.77.130 inside

  dhcpd dns 192.168.77.1 on the inside interface

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

  dhcpd allow inside

  !

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

  !

  tunnel-group 79.160.252.226 type ipsec-l2l

  IPSec-attributes tunnel-group 79.160.252.226

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:x

  : end

  Hello

  The addition of a new network to the existing VPN L2L should be a fairly simple process.

  Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

  Looking at your configurations above it would appear that you need to the following configurations

  SITE 1

  • We add the new network at the same time the crypto ACL and ACL NAT0

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

  SITE 2

  • We add new ACL crypto network
  • We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration

  outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  Comment by VLAN480-NAT0 NAT0 for VPN access-list

  access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

  These configurations should pretty much do the trick.

  Let me know if it worked

  -Jouni

• Issue of ASA vpn site to site isakmp

  Hello

  He has been asked to configure on ASA a new vpn site-to-site. For that vpn should I put:

  crypto isakmp identity address
  crypto ISAKMP allow outside

  .. the configuration of my identity crypto isakmp is automatic and isakmp crypto is not enabled on any interface. I love vpn with ike enabled on the external interface. My question is: why should I enable isakmp on the external interface and especially can create disturbances to ike vpn that are already in place?

  By elsewhere-group or tunnel-group strategy, it was me asked to set up, the two do not have indication of ike. Never seen this kind of configuration before vpn, something new.

  Thank you

  Hi, Giuseppe.

  The crypto isakmp command activate outside changed ikev1 crypto Enable outside in the new ASA versions you need not enable this.

  There is also no need configure isakmp crypto identity address such that it is set to auto.

  This command indicates that the tunnel would be negotiated on the basis of the IP address but since it is set to auto it on it own will therefore not need to specify this command.

  Yes, you can create a new group policy group for this new tunnel and tunnel and there should be no impact on other tunnels of work.

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• ASA, VPN Site-to-Site

  Hello

  I would like to VPN site-to-site using ASA 5520 and I have some question if you don't mind:

  Site A:

  Peer IP address: aaa.aaa.aaa.aaa/32

  Local network: bbb.bbb.bbb.bbb/32

  Site b:

  Peer IP address: xxx.xxx.xxx.xxx/32

  Local network: yyy.yyy.yyy.yyy/32

  on the site to site vpn Wizard (site B), the network of peers should be site A and the LAN must be site B and remote network must be the site one right?

  the IP address of the local network should be not be used right by other devices on the right? I can use use a unique IP address instead of the beach of network on the LAN and remotely? from the client on site give me a unique IP address?

  can I allow on site A browse only a single IP address on my site B and allowing only ports 80 and 443, please can you give me example I prefer ASDM.

  Thank you and waiting for your help.

  Hello

  I can only really give an example of this using the CLI (or I rather do as I do not use ASDM almost at all)

  You have all already existing L2L / Site to Site VPN connections on the SAA?

  Could you share your current configuration (delete all sensitive information) so we can take into account all existing configurations you have

  Did you agree on what will be the settings phase 1 VPN L2L and Phase2 with the other sites technical contact who will set up their side of the L2L VPN?

  -Jouni

• ASA - a Site with self-signed certificates

  Team,

  ASA version 9.1 (3), ASDM 7.1 (4) on 5505.

  I have a pair of Cisco ASA 5505 that I am trying to establish a tunnel. I do everything with PSK. IKEv2 with AES256 IPSec. No problem...

  However, I learned that I can auto-signer certificates and use them to authenticate each firewall to another. I tried for hours... Generating of certs in all combinations and options, and the export of the P12 in the other firewall, by adding in - no problem

  I have self signed CERTS, so there is no CA.

  Then I'll be back in the connection profile and remove the PSK - flip on to RSA - SIG in the IKE Policy.

  Does anyone have this working with the ASA version, I'm running and care apart from your snippets of configuration especially how you created the pair of keys, self-signed one, exported and adding in the adjacent firewall?

  I don't want to use PSK for authentication.

  Help!

  I never used this way without a CA so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: you assigned the ID-Cert cert in the crypto-plan?

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Cisco Asa 5505 and level 3 with remote access VPN switch

  Today I had a new CISCO LAYER 3 switch... So here's my scenrio

  Cisco Asa 5505

  I have

  Outside of the == 155.155.155.x

  Inside = 192.168.7.1

  Address POOL VPN = 10.10.10.1 - 10.10.10.20

  3 layer switch configuration

  VLAN 2

  ip address of the interface = 192.168.1.1

  VLAN 2

  ip address of the interface = 192.168.2.1

  VLAN 2

  ip address of 192.168.3.1 = interface

  VLAN 2

  ip address of the interface = 192.168.4.1

  VLAN 2

  ip address of the interface = 192.168.5.1

  IP Routing

  So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

  Thanks to you all

  Al ready has responded

  Sent by Cisco Support technique iPad App