Cisco IOS - how to configure static NAT but not NAT traffic over the VPN

Hello world

I need help.

I configured a site-to-site VPN between two IOS routers. One of the routers already had a static NAT (172.16.100.1 inside to the public IP address), but this static NAT prevents remote VPN hosts from accessing the 172.16.100.1 host, as it tries to respond from the public NAT IP address configured on the router.

Does anyone know how to use static NAT from inside to outside, but not NAT inside-to-outside VPN traffic?

I know how to do it using a route-map for "overload" dynamic NAT, but I can't see how you can use a route-map on the static NAT statement.

Any help you can provide would be appreciated.

Chris

Hi Chris

Take a look at the attached document, which gives a few examples of the very thing you are trying to do.

http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

HTH

Jon
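Added example (not Chris's configuration and not taken from the Cisco document Jon links): a route-map-conditioned static NAT that translates 172.16.100.1 to a public address for Internet-bound traffic but leaves traffic for the remote VPN LAN untranslated, so the crypto ACL still matches it. The remote LAN 10.20.0.0/24, the public address 203.0.113.10, the ACL numbers and the route-map name are assumed values.

```cisco
! Added example, not from the thread or the linked document. Assumed values:
!   inside server        172.16.100.1   (from the question)
!   public NAT address   203.0.113.10   (placeholder, documentation range)
!   remote VPN LAN       10.20.0.0/24   (placeholder)
!
! ACL 100 decides when the static translation applies: a deny means "do not NAT".
access-list 100 remark traffic to the remote VPN LAN must stay untranslated
access-list 100 deny   ip host 172.16.100.1 10.20.0.0 0.0.0.255
access-list 100 permit ip host 172.16.100.1 any
!
route-map STATIC-NONAT permit 10
 match ip address 100
!
! Static NAT conditioned on the route-map: 172.16.100.1 becomes 203.0.113.10
! only for destinations the route-map permits (everything except the VPN LAN).
ip nat inside source static 172.16.100.1 203.0.113.10 route-map STATIC-NONAT
!
! The crypto ACL keeps the real inside address: for inside-to-outside packets
! IOS runs NAT before the crypto check, and VPN-bound packets are left untranslated,
! so they still match this ACL and get encrypted.
access-list 120 permit ip host 172.16.100.1 10.20.0.0 0.0.0.255
!
! Checks after a test connection from the remote site:
!   show ip nat translations   (no 203.0.113.10 entry for the 10.20.0.0/24 flows)
!   show crypto ipsec sa       (encaps and decaps counters both increasing)
```

The same deny for 10.20.0.0/24 must also be present in the ACL used by the dynamic "overload" route-map, or the server's VPN traffic will fall through to PAT. Attaching a route-map makes the static entry conditional, so check that Internet-initiated connections to 203.0.113.10 still work; on releases that support it, the `reversible` keyword on the same `ip nat inside source static` line is the documented way to allow outside-initiated sessions through a route-map static.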


Similar Questions

  • 2 static NAT on the same Interface

    I have an ASA 5510 (8.2(5)) and I'm trying to set up a site-to-site VPN to one of our suppliers.  The problem I am running into is that they want me to NAT one of our servers' private IPs to one specific address, and this server already has a static NAT from the DMZ to the outside.  This is the current NAT rule:

    static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

    and they want me to map 172.28.9.42 to the same server, so I tried to add:

    static (DMZ1,outside) 172.28.9.42 10.0.0.3 netmask 255.255.255.255

    but cannot, because it's a duplicate translation.

    Any help would be greatly appreciated.

    Hello

    It seems to me you must configure a policy static NAT.

    The configuration would be as follows:

    access-list DMZ-POLICY-NAT permit ip host 10.0.0.3 <vendor-network> <mask>

    static (DMZ1,outside) 172.28.9.42 access-list DMZ-POLICY-NAT

    Regarding the configuration:

    • The ACL name can naturally be whatever you want
    • The destination network can be a single host IP address if necessary
    • You should be able to configure multiple lines if necessary

    Note that you need to have this NAT configuration before the static NAT command for the real public IP address. You need to remove the existing static NAT, configure the above, and then add the original back.

    This is because if you do not configure the policy static NAT first in the configuration, all traffic will keep hitting the normal static NAT rule for the public IP address.

    -Jouni

  • Static NAT with a route-map to exclude the VPN

    We have problems accessing certain statically NATted IPs via a VPN.  After some research, we learned that you have to exclude traffic destined for the VPN from the static NAT using a route-map. So we did this:

    10.1.1.x is the VPN IP pool.

    access-list 130 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 permit ip 192.168.1.0 0.0.0.255 any

    route-map sheep permit 10
     match ip address 130

    ip nat inside source static 192.168.1.5 1.1.1.1 route-map sheep

    The above fixed the VPN, but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1.  What seems to happen is that the static NAT is not really working and this IP address is NATted with the PAT IP.

    Any ideas on how to get this to work?

    Thank you
    Diego

    Hello

    The following example details exactly your case:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

    Try replacing the 192.168.1.0 subnet with the host address.

    It should work

    HTH

    Laurent.

  • Cannot access static nat address via vpn.

    I have an ASA 5510 where I have a static NAT from one interface to the other.

    I also have a VPN connection to the ASA...

    From the other side of the VPN connection, I cannot access this static NAT.

    192.168.170.x is the vpn network.

    Is it not possible to access the static NAT over vpn?

    object-group network DM_INLINE_NETWORK_16
     network-object 192.168.0.0 255.255.255.0
     network-object vxtron 255.255.255.0
     network-object dmz_zone 255.255.255.0
     network-object 192.168.170.0 255.255.255.0

    access-list MPLS_nat0_outbound extended deny ip host 172.26.1.5 any

    access-list MPLS_nat0_outbound extended permit ip 172.26.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_16

    access-list pnat1 extended permit ip host 172.26.1.5 any

    static (MPLS,inside) 192.168.0.199 access-list pnat1

    nat (MPLS) 0 access-list MPLS_nat0_outbound
    nat (MPLS) 1 172.26.0.0 255.255.252.0
    static (MPLS,inside) 172.26.1.5 access-list MPLS_nat_static

    René, glad you figured this one out yourself! If you could, please mark the post as solved so that we know it does not need more attention.

  • Can I NAT before the VPN tunnel?

    Hello

    I want to add servers to a site-to-site IPsec tunnel configuration for transport.

    However, I have to NAT these machines for presentation to the other side.

    For a Cisco 1760 (VPN termination point) running 12.3 code, is this possible?

    If it's possible, could I get a link to a config? Or maybe an excerpt here?

    We use two interfaces ethernet for this:

    Ethernet1/0 is inside

    ethernet0/0 is outside

    Can't seem to find any documentation for it.

    Thank you

    Paul

    It is the "NAT order of operation" used by Cisco devices; it seems that NAT happens anyway before the crypto check.

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    Regards

    Farrukh
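    Added example (not Paul's configuration and not from the Cisco note Farrukh links): because NAT runs before the crypto check for inside-to-outside traffic, servers can be presented to the far side under translated addresses, provided the crypto ACL matches the post-NAT addresses. Ethernet1/0 (inside) and Ethernet0/0 (outside) are from the question; the local servers, the presented 10.99.10.x addresses, the remote LAN 172.20.0.0/24, the peer address, the pre-shared key placeholder and all ACL, route-map and crypto map names are assumed.

```cisco
! Added example, not from the thread. Assumed values:
!   local servers      192.168.10.11 and 192.168.10.12   (placeholders)
!   presented as       10.99.10.11  and 10.99.10.12      (placeholders)
!   remote LAN         172.20.0.0/24                      (placeholder)
!   IPsec peer         198.51.100.1                       (placeholder)
!
interface Ethernet1/0
 description inside
 ip nat inside
!
interface Ethernet0/0
 description outside
 ip nat outside
 crypto map VPN-MAP
!
! Only traffic heading for the remote LAN uses the presentation addresses;
! everything else from these servers falls through to the ordinary PAT below.
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.20.0.0 0.0.0.255
route-map TO-VPN permit 10
 match ip address 110
!
ip nat inside source static 192.168.10.11 10.99.10.11 route-map TO-VPN
ip nat inside source static 192.168.10.12 10.99.10.12 route-map TO-VPN
!
! The Internet PAT must not touch the VPN flows either.
access-list 111 deny   ip 192.168.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
route-map TO-INTERNET permit 10
 match ip address 111
ip nat inside source route-map TO-INTERNET interface Ethernet0/0 overload
!
! NAT happens first, so the crypto ACL must name the translated sources,
! and the far side addresses the servers as 10.99.10.x.
access-list 120 permit ip 10.99.10.0 0.0.0.255 172.20.0.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 120
```

    The remote site must use 10.99.10.0/24 in its own crypto ACL, not 192.168.10.0/24. Sessions initiated from the remote side towards 10.99.10.x carry the same caveat as any route-map-conditioned static entry: `show ip nat translations` shows whether the mapping exists before the first inbound packet arrives.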

  • NAT on the VPN traffic

    Hello everyone, I need help with a VPN configuration. The problem is that I need to NAT all VPN traffic, because I need to set up a VPN but I already have another VPN with the same network, so it overlaps with the new one. How can I NAT all traffic to another network in order to avoid the network overlap?

    Please, I really need help.

    Thank you

    You say that 192.168.1.100 is able to go through the tunnel and to the Internet now?

    Try to add another...

    ip nat inside source static 192.168.1.101 10.10.44.101 route-map VPN

    for example.

    Federico.

  • Static NAT & DMVPN Hub

    Hello

    I don't think it will be a problem, since DMVPN supports spokes behind NAT devices, but I anticipate changing my network for security and redundancy reasons and putting a pair of ASA firewalls in at my Internet colocation.  Right now I have a 3845 running DMVPN, NAT & ZBFW.  I'm going to remove the ZBFW and move the NAT to the ASA, leaving only the DMVPN hub and routing.  If I create a static NAT mapping on my ASA to point to the DMVPN hub, will that work?

    I think it will be, but I just wanted to be 110% sure.

    Thank you!

    Hi Brantley,

    DMVPN with static NAT on the hub is supported in that setup. Just be aware that there are limits.

    1. All DMVPN routers, hub and spokes, must be running at least 12.3(9a) and 12.3(11)T code.

    2. Must use IPsec transport mode.

    3. If you need dynamic spoke-to-spoke tunnels, the hub should run at least 12.3(13), 12.3(14)T and 12.3(11)T3 code.

    See the configuration guide

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466

    HTH,

    Lei Tian

  • Site-to-site VPN between two Cisco 2801s with NAT traversal

    Hi guys,

    I would like to configure two Cisco 2801s using IPsec/IKE. Both routers are connected to the Internet through DSL lines. The DSL lines have RFC1918 addresses on the LAN side, where the routers' Internet-facing interfaces connect. I can do NAT on the DSL modems.

    Do Cisco IOS 2801 routers allow configuring site-to-site VPN with NAT traversal?

    Here is a model of the physical/IP configuration:

    LAN <-> 2801 <-Priv IP-> DSL modem <-Internet-> DSL modem <-Priv IP-> 2801 <-> LAN

    Thank you

    Gonçalo

    Yes, you're good to go, but only if one or both of the sites has a private IP address which is statically NATted to a public one. The IPsec implementation in IOS supports NAT traversal in most cases, so that shouldn't be a concern.

  • Static NAT to 10.140.2.0 to 10.240.2.0 via VPN

    I need help to set up a static NAT between our site and a vendor.

    Our site has subnet 10.140.2.0/24, which the vendor uses for something else.  They asked that we NAT 10.140.2.0/24 to 10.240.2.0/24 via the VPN, so they will see 10.140 as 10.240. Any help is appreciated. I think the crypto map ACL must be adjusted as well; we run version 8.2.

    LOCAL SITE - ASA - VPN TUNNEL - ASA - VENDOR SITE

    Thanks in advance

    Hello Bbftijari,

    In this case it depends on the ASA version, but you will need to configure it this way:

    Pre - 8.3

    1. Create object-groups for use in the ACL:

    object-group network LOCAL_SITE
     network-object 10.140.2.0 255.255.255.0

    object-group network Vendor_SITE
     network-object XXXXXX XXXXXX

    2. Create the ACL as the condition:

    access-list VPN_NAT permit ip object-group LOCAL_SITE object-group Vendor_SITE

    3. Create the static NAT calling the ACL, so it says "when I go from inside to outside, from LOCAL_SITE to Vendor_SITE, translate to 10.240.2.0/24":

    static (inside,outside) 10.240.2.0 access-list VPN_NAT netmask 255.255.255.0

    --------------------------------------------------------------------------------------------------------------------------------

    Post 8.3

    1. Create the network objects and create a static entry:

    object-group network LOCAL_SITE
     network-object 10.140.2.0 255.255.255.0

    object-group network NAT_SITE
     network-object 10.240.2.0 255.255.255.0

    object-group network Vendor_SITE
     network-object XXXXXX XXXXXX

    2. Static NAT creation:

    nat (inside,outside) 1 source static LOCAL_SITE NAT_SITE destination static Vendor_SITE Vendor_SITE no-proxy-arp route-lookup

    Test and keep me posted.

    Please note and mark it as the correct answer if it helped you.

    David Castro,

  • Static NAT to enable site-to-site VPN.

    Hello

    We plan to build a site-to-site VPN, but we have only a single public routable Internet IP address to assign to the VPN on Site A; Site B is OK.

    In this case, I think that we must use static NAT on the router; the simple diagram is as below.

    Site A internal subnet - VPN router - Site A Internet router - Internet - Site B VPN - Site B internal subnet.

    The final goal is to make communication between internal subnet A and subnet B work over the IPsec tunnel.

    OK, as I said, Site A has one public IP address, so it must use static NAT, which needs to be applied on the Site A router.

    Router

    interface x/x
     description to the Internet
     ip nat outside
    !
    interface x/x
     description to internal (VPN router)
     ip nat inside
    !
    ip nat inside source static <private VPN interface IP x.x.x.x> <public IP x.x.x.x>

    So, would this work without any problem? I think it will work, but I would like another opinion just in case.

    Hey,

    Is this what you are trying to achieve:

    Subnet A - VPN router A = Router B - Subnet B

    and you need to communicate between subnet A and subnet B via IPsec VPN?

    Regards

  • local host to access the vpn site to site with nat static configured

    I have two 881 routers with a site-to-site VPN between them. I have a static NAT on the router for a web server that is accessible from the Internet. I can't access the web server through the VPN. All other traffic is fine over the VPN. I think there is a problem with the NAT. Here are the relevant configuration lines.

    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip nat inside source static 192.168.150.2 bonnefin route-map SDM_RMAP_1

    route-map SDM_RMAP_1 permit 1
     match ip address 100

    access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
    access-list 100 permit ip 192.168.150.0 0.0.0.255 any

    You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

    If you just added the VPN and the route-map, try clearing the existing translation and see if you can access it via its private IP address from the remote VPN LAN.

  • PIX 501 PPPoE w / static NAT loss of connectivity

    I have a {should be} very simple installation: PIX 501 with PPPoE on the outside interface, 3 inside clients using PAT, and 1 inside client for which I am trying to use a static address mapping to permit communication with this host from the outside using a particular service. I did a lot of these before where there was an ADSL router in front of the PIX, but this is the first where I've used the PIX as the PPPoE client. When I use the static NAT for the single host, it loses all connectivity beyond the PIX outside interface. When I get rid of the static mapping, PAT works very well. I spent many hours troubleshooting and checking a lot of obvious things, but I am at a loss right now... unless it could be a problem with the IP address that has been assigned by the ISP for use with static NAT. Any thoughts on this would be greatly appreciated.

    Thank you

    Sorry, in your case the static would look like this because of the dynamic IP:

    static (inside,outside) tcp interface 23 10.1.1.1 23 netmask 255.255.255.255

    Daniel

  • Cisco IOS device - password enable

    Is there a trick to getting the enable password working on a Cisco IOS device?

    I created my first workflow to connect to a Cisco IOS device recently and initially could not get enable mode to work.

    Using the "Send commands to the Interface" activity, I run the command "enable".

    From there on, the activity times out.

    The goal is to use the Cisco IOS expect template; I noticed the option 'privilege elevation command'.

    How is it used? Should the expect template automatically detect the elevation command and then use the expects below?

    If so, it doesn't seem to work.

    The only way I could make it work was to add my own manual expect to the "Send commands to the Interface" activity. I used the target's 'Elevation of privilege command' variable reference as the expect and sent the admin user's password as the response.

    The expect template is waiting for you to use an elevation command. If you do not select those expect templates and you run an 'enable' command and your command prompt turns into the '#' sign, then none of the expect templates would match, they would all time out, and additional commands would not work.

    -shaun

  • Cisco ASA 5540 L2L VPN - one-way traffic only for one network pair

    Hello

    I'm a little confused as to what the problem is. This is the premise of the problem I am facing.

    One of our big customers has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd party site (a Check Point device on their end). It worked until early this week, when suddenly there were connection problems.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The 2 others have suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configurations are correct (and the information they sent me seems to be correct).

    So essentially the crypto domain is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption has been configured as follows (interface names modified):

    nat (interface1) 0 access-list INSIDE-VPN-SHEEP

    access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only connections from the 10.207.0.0/16 network worked to the remote site 10.82.0.200/30. All other connections do not work.

    No changes have been made on our side, and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover. Both have been for the same time (about a year).

    The main problem is that users of the 10.231.191.0/24 network can't access the remote network. However, the remote users can initiate and bring up the VPN from their side but never get any return traffic. I've also checked that the routes are configured correctly in the core routers, so return traffic for their connections should go back to the firewall.

    I also used "packet-tracer" to bring up the VPN tunnel (it does pass the VPN phases). To my understanding, "packet-tracer" alone, with the source and destination IP addresses, must activate the VPN connection (even if it generates no traffic in the actual tunnel).

    This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80".

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.82.0.200     255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
        NAT exempt
        translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    - Phase 9 is a static NAT for the problem network to another interface. Don't know why it shows up in the output.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
    nat-control
      match ip inside 10.231.0.0 255.255.0.0 interface3 any
        static translation to 10.231.0.0
        translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    - Phase 10 seems to be the default NAT configuration for the local network when traffic goes to the Internet.

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside any
        dynamic translation to pool 5 (y.y.y.y)
        translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So, basically, the connection should properly go to the L2L VPN connection, but it does not. I tried generating basic client traffic (with the source IP address of the client network, and I see the connection on the firewall), but there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the outside interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
      local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: y.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not, because I can see the connection (I have confirmed it on the core router and on the firewall), but the packets just don't get passed on to the VPN connection.

    Could this happen due to a bug in the ASA software? Could this be something with the Check Point VPN device? (I have absolutely no experience with Check Point devices.)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum; 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin

  • Next hop for a static route into the site-to-site VPN on ASA?

    Hi all

    I would be grateful if someone could help me with my ASA problem/misunderstanding. I have a site-to-site VPN on an ASA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic for this route is not within the subnets of the crypto ACL that is used to bring up the VPN. This VPN is used only as a backup.

    Should the static route's next hop be the local public address or the remote public address of the VPN? Or maybe the next hop is the local ASA's ISP-facing Internet interface? I intend to do this in ASDM. I'm sorry if it's a simple question, but I found no material that explains this.

    Regards

    Ahh, ok, makes sense.

    The next hop should be the next hop of the interface that terminates the VPN connection, essentially the same as your Internet connection / outside interface next hop.

    Example of topology:

    Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

    The static route should be:

    route outside 10.2.2.2 255.255.255.255 1.1.1.2 200

    I hope this helps.
