Pre-8.3 ASA config: NAT then no-NAT

Hello

I'm trying to set up a site-to-site VPN on an ASA v8.0.

I want to NAT 10.1.1.1 to 20.2.2.2 (because of an IP address conflict with the other side) and then NAT-exempt that across the VPN to the remote subnet 30.3.3.3.

10.1.1.1 sits behind the 'inside' interface; the VPN crypto map is configured and applied to the 'outside' interface.

The crypto ACL is:

access-list VPN line 1 extended permit ip host 10.1.1.1 host 30.3.3.3

(1) I am not familiar with pre-8.3 config, having only used 8.4+ in the past; can someone please send what the NAT / no-NAT config would be?

(2) In the crypto ACL, do you define the real address (10.1.1.1) as the source, or the NATted address (20.2.2.2)?

(3) There is also an ACL on the outside interface; do you allow 30.3.3.3 (the remote VPN side) access to the real address (10.1.1.1) or to the NATted address (20.2.2.2) as the destination IP?

Thank you!!

It is not a double NAT.

So 10.1.1.1 is simply translated to 20.2.2.2 when the destination IP address is 30.3.3.3.

If this example is correct, i.e. your ACL references the real IP of 10.1.1.1 and the destination IP address 3.3.3.3,

then the static policy NAT statement uses 20.2.2.2 and refers to that ACL.

That is policy NAT.

Jon
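Putting Jon's answer together for the exact addresses in the question, as an added illustration that is not part of the original thread: the ACL and object names are mine, and the 10.1.2.0/24 "other inside hosts" subnet is an assumption introduced only to show the no-NAT side. The 8.3+ block at the end goes beyond the question and maps the same design onto the syntax the poster already knows.

```cisco
! --- Pre-8.3 (ASA 8.0) ---------------------------------------------------
! Policy NAT: the ACL names the REAL source and the real destination (Jon's point).
! Only 10.1.1.1 talking to 30.3.3.3 is translated; nothing else is affected.
access-list NAT_VPN_POLICY extended permit ip host 10.1.1.1 host 30.3.3.3
static (inside,outside) 20.2.2.2 access-list NAT_VPN_POLICY
!
! No-NAT (nat 0) for the other inside hosts that reach 30.3.3.3 untranslated.
! Assumed subnet 10.1.2.0/24. Keep 10.1.1.1 -> 30.3.3.3 OUT of this ACL: NAT
! exemption is evaluated before policy static NAT and would silently defeat
! the translation above.
access-list NAT0_VPN extended permit ip 10.1.2.0 255.255.255.0 host 30.3.3.3
nat (inside) 0 access-list NAT0_VPN
!
! Crypto ACL: NAT runs before encryption, so the ASA encrypts the MAPPED
! address. The local selector is 20.2.2.2, not 10.1.1.1 (answers question 2).
access-list VPN extended permit ip host 20.2.2.2 host 30.3.3.3
access-list VPN extended permit ip 10.1.2.0 255.255.255.0 host 30.3.3.3
crypto map OUTSIDE_MAP 1 match address VPN
!
! Outside interface ACL: pre-8.3 inbound ACLs see the MAPPED (global)
! address, so the remote side is permitted to 20.2.2.2 (answers question 3).
! This only matters when "no sysopt connection permit-vpn" is configured; by
! default, decrypted VPN traffic bypasses interface ACLs.
access-list OUTSIDE_IN extended permit ip host 30.3.3.3 host 20.2.2.2
access-list OUTSIDE_IN extended permit ip host 30.3.3.3 10.1.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! --- 8.3+ equivalent (the syntax the poster already knows) -----------------
object network REAL_HOST
 host 10.1.1.1
object network MAPPED_HOST
 host 20.2.2.2
object network REMOTE_HOST
 host 30.3.3.3
object network OTHER_INSIDE
 subnet 10.1.2.0 255.255.255.0
! Twice NAT (section 1): translate only when the destination is the remote host.
nat (inside,outside) source static REAL_HOST MAPPED_HOST destination static REMOTE_HOST REMOTE_HOST
! Identity NAT for the rest of the inside network toward the remote host.
nat (inside,outside) source static OTHER_INSIDE OTHER_INSIDE destination static REMOTE_HOST REMOTE_HOST
! The crypto ACL still uses the mapped address (NAT still precedes encryption) ...
access-list VPN extended permit ip object MAPPED_HOST object REMOTE_HOST
access-list VPN extended permit ip object OTHER_INSIDE object REMOTE_HOST
! ... but from 8.3 on, interface ACLs match the REAL address, so the outside
! ACL permits 30.3.3.3 to 10.1.1.1 here, the opposite of the pre-8.3 answer.
access-list OUTSIDE_IN extended permit ip object REMOTE_HOST object REAL_HOST
access-list OUTSIDE_IN extended permit ip object REMOTE_HOST object OTHER_INSIDE
access-group OUTSIDE_IN in interface outside
```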

Tags: Cisco Security

Similar Questions

  • Problems with ACL in IPSec config, ASA-5504

    I'm setting up an IPSec tunnel between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC_Laptop) behind ASA-5540-A. If the crypto map permits all IP via the outside_cryptomap ACL, the tunnel comes up and an FTP session is established.

    But when I restrict the traffic to FTP, the following error message is generated:

    ... Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside

    Here are the configs, giving only the relevant commands. I added ACL 100 and "access-group 100 in interface inside", but the error has not changed.

    Any idea what I'm missing?

    CRO-ASA5540-A
    names
    name 164.72.1.135 GHC_Laptop description to test the VPN
    name 164.72.1.155 SunMed_pc description to test the VPN
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 164.72.1.129 255.255.255.240
    !
    !
    interface GigabitEthernet0/3
     nameif outside
     security-level 0
     ip address 164.72.1.145 255.255.255.248
    !
    ftp mode passive
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
    access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
    access-list 100 extended permit ip any any
    asdm image disk0:/asdm-603.bin
    access-group 100 in interface inside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 164.72.1.147
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 1 set nat-t-disable
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    group-policy Lan-2-Lan_only internal
    group-policy Lan-2-Lan_only attributes
     vpn-filter none
     vpn-tunnel-protocol IPSec
    tunnel-group 164.72.1.147 type ipsec-l2l
    tunnel-group 164.72.1.147 general-attributes
     default-group-policy Lan-2-Lan_only
    tunnel-group 164.72.1.147 ipsec-attributes
     pre-shared-key *
    !
    : end

    ----------------------------------------------------------------------------------------------------------

    ROC-ASA5540-B# sh run
    ASA Version 8.0(3)
    !
    names
    name 164.72.1.135 GHC_laptop
    name 164.72.1.155 SunMed_PC
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 164.72.1.153 255.255.255.248
    !
    interface GigabitEthernet0/3
     nameif outside
     security-level 0
     ip address 164.72.1.147 255.255.255.248
    !
    ftp mode passive
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
    access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
    access-list 100 extended permit ip any any
    asdm image disk0:/asdm-603.bin
    access-group 100 in interface inside
    route outside 164.72.1.128 255.255.255.240 GHC-Medical 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer GHC-Medical
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 1 set nat-t-disable
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 4
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    group-policy Lan-2-Lan internal
    group-policy Lan-2-Lan attributes
     vpn-tunnel-protocol IPSec
    tunnel-group 164.72.1.145 type ipsec-l2l
    tunnel-group 164.72.1.145 general-attributes
     default-group-policy Lan-2-Lan
    tunnel-group 164.72.1.145 ipsec-attributes
     pre-shared-key *
    : end

    Your ACL mapped to the crypto map on the first device is suspect:

    access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

    The source port should not be defined, because it is dynamic.

    The second ACL appears correct:

    access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1

  • ASA firewall and NAT

    Hi to everyone.

    I have an ASA firewall with the outside interface pointing to a router on the 192.168.1.0 subnet,

    and the inside interface on the 192.168.0.0 subnet.

    I want to know whether it is required to configure a NAT object between the two interfaces, or whether that is not a prerequisite for the LAN segment behind the ASA to have Internet connectivity.

    Thank you all!

    Hello

    It is not necessary to configure NAT on the ASA, provided your gateway router knows how to route packets destined for your internal network and the router's NAT ACL can be configured to include your internal subnet.

    If you have a router in bridge mode that cannot have static routes or dynamic routing configured and cannot have its NAT policy edited, then you need to configure NAT on the ASA.

    Cheers,

    SEB.

  • Cisco ASA 5505 without NAT

    Hi all!

    Can I disable NAT altogether? I mean with this command:

    no nat (inside) 1 0.0.0.0 0.0.0.0

    I want to use my ASA as a router.

    Will it work?

    (I've configured access lists and bound them to the interfaces.)

    Yes you can, and you should also disable 'nat-control' with the command:

    no nat-control

    For the ASA to behave like a router, also configure the ASA interfaces with the same security level. If they have different security levels, you need to configure 1:1 static NAT to itself in order not to NAT the traffic.

    Then also set:

    same-security-traffic permit inter-interface

  • CSCug24584 - ASA console crashes with 'sh nat' showing duplicate NAT statements

    Hello

    ASA experts,

    I want to understand this condition.

    ---------------------------------

    Conditions:

    When the auto NAT config is changed continuously, it can lead to a corrupt pointer; at that point 'sh nat' will show repeated NAT entries in section 2. The entries go on infinitely and the console/ssh/telnet session can crash if you try to stop it by pressing q.

    ---------------------------------

    Could you please tell me

    what kind of operations cause the pointer corruption?

    Kind regards

    Word

    This bug is triggered by changing a set of NAT entries in a certain way and was submitted under CSCua68934.

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; connection denied due to NAT reverse path failure. VPN client NAT problems after upgrading to 8.3.2.

    I've recently upgraded to 8.3.2 and I have been informed of the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the 192.168.100.0 VPN network communicating with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping hosts on the inside and the DMZ, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two previously mentioned networks as secured routes, but still no ping.

    # sh nat
    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    Auto NAT Policies (Section 2)
    1 (dmz) to (outside) source static obj-172.16.9.5 interface   service tcp www www
        translate_hits = 0, untranslate_hits = 142
    2 (dmz) to (outside) source static obj-172.16.9.5-01 interface   service tcp 3389 3389
        translate_hits = 0, untranslate_hits = 2
    3 (dmz) to (outside) source static obj-172.16.9.5-02 interface   service tcp ldap ldap
        translate_hits = 0, untranslate_hits = 0
    4 (dmz) to (outside) source static obj-172.16.9.5-03 interface   service tcp ftp ftp
        translate_hits = 0, untranslate_hits = 0
    5 (dmz) to (outside) source static obj-172.16.9.5-04 interface   service tcp smtp smtp
        translate_hits = 0, untranslate_hits = 267
    6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
        translate_hits = 4070, untranslate_hits = 224
    7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
        translate_hits = 0, untranslate_hits = 0
    8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
        translate_hits = 152, untranslate_hits = 4082
    9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
        translate_hits = 69, untranslate_hits = 0
    10 (inside) to (outside) source dynamic obj_any interface
        translate_hits = 196, untranslate_hits = 32

    I think you need the following two NAT configs:

    nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
    nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Please configure them and remove any additional NAT configuration and then try again.

  • Remote access ASA, VPN and NAT

    Hello

    I'm trying to get remote access VPN working using the Cisco VPN client and an ASA with no split tunneling. The VPN partly works: I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the ASA log except these:

    Jul 1 04:59:15 %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    Jul 1 04:59:15 %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outside:xx.xxx.xxx.xxx/53

    There is only one public IP address, which is assigned to the outside interface by DHCP. The inside is the 192.168.1.0/24 network, which is PAT'ed to the outside interface, and the VPN network is 192.168.47.x.

    I think my problem is that the .47 net is not NAT'ed out properly and I don't know exactly how to set it up. I can't understand how this is supposed to work, since the VPN net technically originates from the outside already.

    Here is all the relevant config:

    access-list vpn extended permit ip 192.168.47.0 255.255.255.0 any
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm drop
    ip audit attack action alarm drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
    static (inside,outside) tcp interface https someids https netmask 255.255.255.255

    I can post more of the configuration if necessary.

    Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' gives this:

    Jul 1 06:18:35 %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So, how do I NAT the VPN traffic correctly so it can access the Internet?

    A few things need to be changed:

    (1) The NAT exemption ACL must be made more specific, so that only the traffic between the internal subnets and the VPN pool subnet is matched. NAT exemption takes precedence over all other NAT statements, which is why your Internet traffic from the VPN does not work.

    This ACL:

    access-list vpn extended permit ip 192.168.47.0 255.255.255.0 any

    should be changed to:

    access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0

    (2) You don't need the 'global (inside) 2' statement. Here's what should be configured:

    no nat (outside) 2 192.168.47.0 255.255.255.0 outside

    no global (inside) 2 interface

    nat (outside) 1 192.168.47.0 255.255.255.0

    (3) And finally, you must enable the following to allow the traffic to go back out the outside interface:

    same-security-traffic permit intra-interface

    And don't forget to 'clear xlate' after the changes described above and then connect to your VPN.

    Hope that helps.

  • The import of the PIX 501 config to ASA 5505

    Is there something special that must happen to import a PIX 501 (OS version 6.3) config to an ASA 5505 appliance, or is it as simple as downloading the config?

    Greg

    No, unfortunately it isn't, because your PIX is running 6.4 and the ASA 5505 will run a minimum of 7.x code, and there were quite a few changes. Note that many existing commands would work, but some will not. Here is a link to a doc on upgrading from PIX to ASA that describes both a manual method and a tool-assisted version:

    http://www.Cisco.com/en/us/docs/security/ASA/migration/guide/pix2asa.html

    Jon

  • ASA L2L VPN NAT

    We have a partner that we are setting up an L2L VPN with. Their internal host IP overlaps with our internal IP range. Unfortunately, they do not offer NAT on their side. Is it possible on the ASA to configure NAT so that my internal hosts appear as, say, 1.1.1.1, and the ASA changes the overlapping internal address of the remote end?

    If this is the scenario

    192.168.5.0 <--> ASA1 <-- internet --> ASA2 <-->

    ASA1 (NAT will be applied)

    ASA2 (no NAT will be applied)

    You want to do something like this on ASA1:

    Change your source host or network to be 192.168.7.0 when communicating with the remote network. Change the remote network to appear as 192.168.8.0 when coming into your network on the ASA.

    !-- match ACL
    access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

    !-- NAT ACL

    access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

    !-- Translations

    static (outside,inside) 192.168.8.0 192.168.5.0 netmask 255.255.255.0 0 0

    static (inside,outside) 192.168.7.0 access-list vpn_nat

    Complete the VPN configuration using acl_match_VPN as the match ACL. Your inside hosts will have to use the 192.168.7.0 network when talking to the remote end.

    I hope this helps.

  • Two DMVPN spokes behind an ASA doing hide NAT for Internet

    Does this scenario require a particular configuration on the ASA? So far the setup does not work; we face the following problem:

    The DMVPN hub shows an "invalid SPI" error, because the two spokes arrive at the DMVPN hub with the same IP address (ASA hide-NAT).

    THX

    Holger

    Using one IP address for both spokes? This is not going to work.

  • ASA 5520 IPSec NAT question

    I have more than 150 VPNs on my ASA 5520. A specific customer with whom I'll set up a VPN has an overlap with two IPs it must reach from its internal network. It is NATing its internal network traffic, so to my ASA it presents itself as 10.251.11.177 from the 10.251.11.176/29 network. Now, the two IPs on my internal network it must reach are 10.1.254.200 and 10.1.254.201.

    So, following the documentation on Cisco's website, I'm doing Policy Based Routing on the ASA 5520 (my side) so that its traffic goes to 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201. Once it reaches my ASA 5520 it gets translated back to those IPs.

    I am using the following configuration, but when I try to add the static entries, it won't let me add them. I even tried "static (outside,inside) 1.1.1.1 access-list POLICYNAT" with the ACL reversed, but to no avail.

    object-group network VPN-map
     network-object host 1.1.1.1
     network-object host 1.1.1.2
    !
    access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
    access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
    !
    static (inside,outside) 1.1.1.1 access-list POLICYNAT
    static (inside,outside) 1.1.1.2 access-list POLICYNAT

    Try splitting the IPs into two ACLs:

    access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
    access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
    !
    static (inside,outside) 1.1.1.1 access-list POLICYNAT1
    static (inside,outside) 1.1.1.2 access-list POLICYNAT2

    HTH

    GE

  • ASA pre shared key

    I currently use an ASA 5550 running version 8.2 with ASDM version 6.2.

    I have an ASA 5505 at a remote site and am unable to connect via VPN.

    My logs say possibly mismatched pre-shared key.

    On my 5550, via ASDM, I used the command "more system:running-config" and it will not show my pre-shared key in plain text; it shows only *.

    Any help would be appreciated.

    Hello

    The command should work.

    I guess you could always try using the CLI and entering the command.

    If that leads to the same result, you should probably consider that you might have copied and pasted the '*' as the actual PSK at some point?

    I created an example 'tunnel-group' on my ASA with the commands

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key TESTPSK

    ASA# sh run tunnel-group 1.1.1.1
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *

    I check with "more system:running-config"

    ASA# more system:running-config | begin tunnel-group 1.1.1.1
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key TESTPSK

    This works as expected.

    -Jouni

  • ASA VPN (NAT problem)?

    Hi people, I was hoping someone on these forums might be able to help. I have a problem with a config for our ASA5510, running 8.2(1).

    I have set up a VPN tunnel to an off-site Vyatta firewall. The tunnel is up.

    ABN-FW3-CISCO-ASA5510# show crypto ipsec sa
    interface: outside
        Crypto map tag: VPN_Zettagrid_Map, seq num: 10, local addr: 116.212.X.X
          access-list VPN_cryptomap permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.9.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
          current_peer: 119.252.X.X
          #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
          #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 116.212.X.X, remote crypto endpt.: 119.252.X.X
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 670F3BF5

    Now I can pass traffic from the 119.252.X.X Vyatta to our internal networks (192.9.0.0/16) (yes, I know this is a public range, but it's the environment I inherited; I'm running a project to move to private network addresses, but it's not quite finished yet).

    The problem seems to be traffic from the ASA to the internal network behind the Vyatta, 192.168.11.0/24.

    When I check my syslog I get the following error (this example was an mstsc connection attempt):
    : Inbound TCP connection denied from 192.9.216.190/60660 to 192.168.11.101/3389 flags SYN on interface inside

    Now I'm guessing this SYN message means that the ASA is trying to NAT my outgoing packets... which is strange, because I have configured a no-NAT (sheep) rule. But when I do a show nat this is the result:

    ABN-FW3-CISCO-ASA5510# show nat inside
      match ip inside 192.9.0.0 255.255.0.0 outside 192.168.11.0 255.255.255.0
        NAT exempt
        translate_hits = 0, untranslate_hits = 37 (this value does not change)

    Here is my config for NAT:

    access-list Inside_nat0_outbound extended permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.10.201.0 255.255.255.0 192.168.11.0 255.255.255.0

    (I have a separate ACL for the interesting traffic)

    access-list VPN_cryptomap extended permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    access-list VPN_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.11.0 255.255.255.0
    access-list VPN_cryptomap extended permit ip 192.10.201.0 255.255.255.0 192.168.11.0 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 172.30.3.0 255.255.255.0
    nat (management) 1 192.10.201.0 255.255.255.0
    nat (dmz2) 1 172.30.2.0 255.255.255.0
    static (inside,dmz) 192.9.0.0 192.9.0.0 netmask 255.255.0.0

    I'm guessing that one of these rules is in conflict? Does "nat (inside) 0 access-list Inside_nat0_outbound" take precedence over "nat (inside) 1 0.0.0.0 0.0.0.0"?

    I can post more config if necessary; any help at this point would be much appreciated.

    Hmm, it looks like the traffic from 192.9.0.0 to 192.168.11.0 is being blocked by the ACL on the inside interface.

    Please paste the ACL config, or check whether it blocks this traffic.

    Thank you

    Ajay

  • VPN L2L ASA with NAT

    Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration as this one, but instead of "no nat", the ASA is NATting. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.

    http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

    Thank you.

    Mike

    It's not very complicated; just keep in mind that NAT is done before encryption.

    So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:

    static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0

    you use the translated address in your crypto ACL:

    access-list VPN-REMOTE permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0

    I assume you run a pre-8.3 ASA, since you referred to an older document. If you have more recent software, the logic is the same but the NAT commands differ.


  • Site-to-site IPsec problem, ASA 9.1 vs IOS

    Hi all

    I'm trying to set up a site-to-site VPN between an ASA and an IOS router, but without success.

    The logs say:

    (1) this is not behind a NAT device

    (2) received an encrypted packet with no matching SA

    The networks are:

    172.25.0.0 (inside the ASA), A.A.A.A (outside of the ASA) needs to connect to the IOS router at address B.B.B.B with inside network 192.168.1.0

    Here are the configs:

    ASA:

    ASA-5505# sh run
    : Saved
    :
    ASA Version 9.0(1)
    !
    hostname ASA-5505
    domain-name KZ1
    names
    ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
    ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 10
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.25.66.15 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address A.A.A.A 255.255.255.252
    !
    ftp mode passive
    clock timezone ALMST 6
    clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
    dns server-group DefaultDNS
     domain-name KZ1
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_172.25.66.0_24
     subnet 172.25.66.0 255.255.255.0
    object network NETWORK_OBJ_192.168.172.0_25
     subnet 192.168.172.0 255.255.255.128
    object network NETWORK_OBJ_172.25.66.192_27
     subnet 172.25.66.192 255.255.255.224
    object network ALA_office
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_172.25.0.0_16
     subnet 172.25.0.0 255.255.0.0
    access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
    access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
    access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
    access-list VPN-IN-INS extended permit ip any any log
    access-list VPN-OUT extended permit ip 192.168.172.0 255.255.255.0 any log
    access-list VPN-OUT-ALL standard permit any4
    access-list net172 standard permit 172.25.0.0 255.255.0.0
    access-list net10 standard permit 10.0.0.0 255.0.0.0
    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
    nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group VPN-IN-INS in interface inside
    access-group VPN-IN-INS out interface inside
    route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
    route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
    route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.25.66.16 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set Alma-set esp-aes esp-sha-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer B.B.B.B
    crypto map outside_map 1 set ikev1 transform-set Alma-set
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 1
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    IKEv1 crypto policy 5
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    allow outside
    No anyconnect essentials
    internal web_access group policy
    attributes of the strategy of group web_access
    clientless ssl VPN tunnel-Protocol
    WebVPN
    the value of the URL - list PRTG
    internal SAME_NET_ALA group policy
    SAME_NET_ALA group policy attributes
    value of server DNS 8.8.8.8
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list SAME_NET_ALA_splitTunnelAcl
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    internal GroupPolicy_to_ALA group strategy
    type tunnel-group SAME_NET_ALA remote access
    attributes global-tunnel-group SAME_NET_ALA
    address SAME_NET_ALA pool
    Group Policy - by default-SAME_NET_ALA
    IPSec-attributes tunnel-group SAME_NET_ALA
    IKEv1 pre-shared-key *.
    type tunnel-group web_access remote access
    tunnel-group web_access General-attributes
    Group Policy - by default-web_access
    tunnel-group B.B.B.B type ipsec-l2l
    attributes global-tunnel-group B.B.B.B
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-Group B.B.B.B
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    inspect the icmp
    inspect the http
    !
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:932099620805dc22d9e48a5e04314887
    : end

    and the IOS router:

    R1921_center#sh run
    Building configuration...

    Current configuration : 6881 bytes
    !
    ! Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1921_center
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    ip cef
    !
    !
    !
    !

    !
    !
    !
    !
    ip domain name yourdomain.com
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-260502430
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-260502430
     revocation-check none
     rsakeypair TP-self-signed-260502430
    !
    !
    crypto pki certificate chain TP-self-signed-260502430
     certificate self-signed 01
      quit
    license udi pid CISCO1921/K9 sn FCZ1748C14U
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key PSK-KEY address A.A.A.A
    crypto isakmp key 6 PSK-KEY address 0.0.0.0
    !
    crypto isakmp client configuration group ALA-EMP-VPN
     key *.*.*.*
     dns 8.8.8.8
     domain cisco.com
     pool ippool
     acl 101
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
     mode transport
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
     mode transport
    crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile MAXPROFILE
     set transform-set TRIPSECMAX
    !
    !
    crypto ipsec profile dmvpn_profile
     set transform-set dmvpn_alad
    !
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 20 ipsec-isakmp
     set peer A.A.A.A
     set transform-set AES-SHA
     match address VPN_ASA_PAV
    !
    !
    !
    !
    !
    interface Loopback1
     ip address 10.10.10.10 255.255.255.255
    !

    interface Tunnel2
     ip address 192.168.101.1 255.255.255.240
     no ip redirects
     ip nhrp authentication NHRPMAX
     ip nhrp map multicast dynamic
     ip nhrp network-id 4679
     ip ospf network broadcast
     ip ospf hello-interval 30
     ip ospf priority 10
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 4679
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description to_LAN
     ip address 192.168.1.253 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description to_ISP
     ip address B.B.B.B 255.255.255.252
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map clientmap
    !
    router ospf 100
     auto-cost reference-bandwidth 1000
     area 0 authentication message-digest
     area 192.168.1.0 authentication message-digest
     redistribute static subnets
     passive-interface default
     no passive-interface Tunnel1
     network 10.10.10.10 0.0.0.0 area 192.168.1.0
     network 192.168.1.0 0.0.0.255 area 192.168.1.0
     network 192.168.222.0 0.0.0.15 area 0
    !
    router ospf 1
     router-id 1.1.1.1
     redistribute static subnets
     passive-interface default
     no passive-interface Tunnel2
     network 10.10.10.10 0.0.0.0 area 192.168.1.0
     network 192.168.1.0 0.0.0.255 area 192.168.1.0
     network 192.168.101.0 0.0.0.15 area 0
    !
    ip local pool ippool 192.168.33.1 192.168.33.20
    ip forward-protocol nd
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 111 interface GigabitEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
    ip route 0.0.0.0 0.0.0.0 B.B.B.C
    !
    ip access-list extended ACL-NAT
     deny   ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
     permit ip any any
    ip access-list extended ACL-VPN
     permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
    ip access-list extended VPN_ASA_PAV
     permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
    !
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
    access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
    access-list 111 permit ip any any
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     transport input telnet ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    The biggest problem is the incompatibility in the VPN access lists.

    The ASA said

    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office

    The router said

    permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255

    Match them. If it still does not work then please post the revised configurations.

    HTH

    Rick
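As an added example (not code from the thread or from Cisco), the check Rick describes can be automated: parse the ASA crypto ACE and the router ACE and test whether they are exact mirrors, which is what the peer's proxy-identity comparison requires before phase 2 completes. The sample ACE strings are the ones quoted on this page; ALA_office is not defined in the quoted configs, so mapping it to 192.168.1.0/24 is an assumption.

```python
import ipaddress
import re

# Constructed lookup for the ASA object names used in the crypto ACL.
# ALA_office is not defined in the quoted configs; 192.168.1.0/24 is assumed.
ASA_OBJECTS = {
    "NETWORK_OBJ_172.25.66.0_24": "172.25.66.0/24",
    "ALA_office": "192.168.1.0/24",
}

ASA_ACE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+object\s+(\S+)\s+object\s+(\S+)")
IOS_ACE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_asa_ace(line, objects=ASA_OBJECTS):
    """ASA ACE with object operands -> (src_network, dst_network)."""
    m = ASA_ACE.search(line)
    if not m:
        raise ValueError("unsupported ASA ACE: " + line)
    return (ipaddress.ip_network(objects[m.group(1)]),
            ipaddress.ip_network(objects[m.group(2)]))


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (inverse) mask -> network; wildcard 0.0.0.0 means one host."""
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))), strict=False)


def parse_ios_ace(line):
    """IOS ACE 'permit ip SRC WILD DST WILD' -> (src_network, dst_network)."""
    m = IOS_ACE.search(line)
    if not m:
        raise ValueError("unsupported IOS ACE: " + line)
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def proxy_id_report(asa_line, ios_line):
    """Return (is_mirror, findings): a site-to-site SA is only negotiated when
    each peer's source selector equals the other peer's destination selector."""
    asa_src, asa_dst = parse_asa_ace(asa_line)
    ios_src, ios_dst = parse_ios_ace(ios_line)
    findings = []
    if asa_src != ios_dst:
        findings.append(f"ASA source {asa_src} != router destination {ios_dst}")
    if asa_dst != ios_src:
        findings.append(f"ASA destination {asa_dst} != router source {ios_src}")
    return (not findings, findings)


if __name__ == "__main__":
    asa = "access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office"
    for ios in ("permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255",  # ACL-VPN
                "permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255"):  # VPN_ASA_PAV
        print(ios, "->", proxy_id_report(asa, ios))
```

Run against both router ACLs on the page, the /16 entry is flagged as a non-mirror while the /24 entry passes; on the router only the ACL referenced by the crypto map's `match address` is what the peer actually sees.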
