Disable NAT for site-to-site VPN
Hello everyone,
I work in a company, and we had to set up a site-to-site VPN.
Everything works fine, except that the packets sent from my site are translated; in other words, the firewall on the other site (Site_B) sees only the IP address of my firewall (Site_A).
I tried to solve the problem, but without success. I think the NAT of the VPN packets is the problem.
Here is my current running config:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 9U./y4ITpJEJ8f.V encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.67.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 41.220.X.Y 255.255.255.252 (external WAN public IP address)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CET 1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 41.220.X1.Y1
 host 41.220.X1.Y1
object network NETWORK_OBJ_192.168.67.0_24
 subnet 192.168.67.0 255.255.255.0
object network NETWORK_OBJ_172.19.32.0_19
 subnet 172.19.32.0 255.255.224.0
object network 194.2.176.18
 host 194.2.XX.YY (public external IP address of the other site, Site_B)
 description 194.2.XX.YY
access-list inside_access_in extended permit ip any any log warnings
access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging
access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging
access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging
access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list 1111 standard permit 172.19.32.0 255.255.224.0
access-list 1111 standard permit 192.168.67.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging
access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging
access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_access_in extended permit ip any any log warnings
access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging
access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0
access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.67.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap_2
crypto map outside_map 1 set peer 194.2.XX.YY
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.67.200 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15
username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15
tunnel-group 194.2.XX.YY type ipsec-l2l
tunnel-group 194.2.XX.YY ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0398876429c949a766f7de4fb3e2037e
: end
If you need any other information or explanation, just ask me.
My firewall model: ASA 5505
Thank you for the help.
Hi Houari,
I suspect something with the order of your NAT statements, which is:
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
Can you please apply this change to the ASA:
no nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
nat (inside,outside) 1 source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
Try it and let me know how it goes.
If that does not help, please post the output of a packet-tracer from your internal network to the remote VPN subnet, along with the output of "show nat detail".
HTH,
Mo.
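Why the rule order matters, as an added example that is not part of the thread: the script below models how the ASA (8.3 and later) walks the Section 1 manual NAT rules top-down and takes the first match, and then matches the crypto map ACL against the packet after translation. The rule objects mirror the two "nat (inside,outside) source ..." lines and the outside_1_cryptomap_2 ACL from the posted config; 41.220.0.1 stands in for the masked outside address 41.220.X.Y, and 172.19.40.5 and 198.51.100.7 are constructed test destinations. With the dynamic PAT rule listed first, a packet for the remote LAN is PAT'd to the outside address and is then only encrypted because of the over-broad "any -> 172.19.32.0/19" crypto ACL entry, which is exactly the symptom Houari describes; with the identity rule re-added at position 1 the real source survives.

```python
"""ASA 8.3+ egress model: manual NAT (Section 1, first match top-down), then the
crypto-map ACL matched against the packet *after* translation.

Added example, not from the thread. The rule objects mirror the two
'nat (inside,outside) source ...' lines and the outside_1_cryptomap_2 ACL in
the posted config. 41.220.0.1 stands in for the masked outside address
41.220.X.Y (assumption)."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
SITE_A_LAN = Net("192.168.67.0/24")
SITE_B_LAN = Net("172.19.32.0/19")
OUTSIDE_IP = ipaddress.IPv4Address("41.220.0.1")  # placeholder for 41.220.X.Y


@dataclass(frozen=True)
class NatRule:
    name: str
    src: Net        # real source to match
    dst: Net        # real destination to match
    identity: bool  # True: keep the source (NAT exemption); False: PAT to OUTSIDE_IP


@dataclass(frozen=True)
class AclEntry:
    src: Net
    dst: Net


def apply_nat(rules, src, dst):
    """Walk the manual NAT rules in configured order; the first match wins.
    Returns (matched rule name or None, source address after translation)."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.name, (src if rule.identity else OUTSIDE_IP)
    return None, src  # 8.3 has no nat-control: unmatched traffic is left alone


def crypto_match(acl, src, dst):
    """Index of the first crypto-ACL entry matching the post-NAT packet, or None."""
    for i, entry in enumerate(acl):
        if src in entry.src and dst in entry.dst:
            return i
    return None


def egress(rules, acl, src_ip, dst_ip):
    """Model one inside->outside packet: NAT first, then the crypto map."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    rule, translated = apply_nat(rules, src, dst)
    entry = crypto_match(acl, translated, dst)
    return {
        "nat_rule": rule,
        "source_seen_by_peer": str(translated),
        "encrypted": entry is not None,
        "crypto_acl_entry": entry,
    }


PAT = NatRule("source dynamic any interface", ANY, ANY, identity=False)
VPN_EXEMPT = NatRule("source static 192.168.67.0/24 destination static 172.19.32.0/19",
                     SITE_A_LAN, SITE_B_LAN, identity=True)

# outside_1_cryptomap_2 as posted: one specific entry, then an 'any' entry.
OUTSIDE_1_CRYPTOMAP_2 = [AclEntry(SITE_A_LAN, SITE_B_LAN), AclEntry(ANY, SITE_B_LAN)]

AS_POSTED = [PAT, VPN_EXEMPT]  # dynamic PAT first: it matches every packet
CORRECTED = [VPN_EXEMPT, PAT]  # identity NAT re-added at position 1


if __name__ == "__main__":
    # Constructed test addresses: a host in each LAN and an arbitrary internet host.
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, egress(rules, OUTSIDE_1_CRYPTOMAP_2, "192.168.67.10", "172.19.40.5"))
    print("internet", egress(CORRECTED, OUTSIDE_1_CRYPTOMAP_2, "192.168.67.10", "198.51.100.7"))
```

Run it with python3 to print both cases. The same first-match logic applies to the interface ACLs in the posted config: the "permit ip any any" entry at the top of inside_access_in and outside_access_in is hit before every more specific entry below it, so those entries never match and the outside interface is effectively open. Separately, the DES/MD5 transform sets and DH group 2 in this config are long deprecated for IPsec; once the NAT order is fixed, replacing DES/MD5 with AES and SHA on both peers, where the peers' software supports it, is the next thing to do.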
Tags: Cisco Security
Similar Questions
-
NAT for VPN clients through an L2L tunnel
Hi. I have the following situation in my network. Users who log on to our site with the VPN client need to connect to another site via an L2L tunnel. The problem is that I need to NAT the addresses from the VPN client pool into another range before they go over the L2L tunnel, because on the other side we have duplicate networks.
I tried to do the NAT, with little success, as follows:
ACL for the VPN pool NAT:
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0
NAT:
global (outside) 15 172.20.105.1-172.20.105.254
nat (inside) 15 access-list TEST
CRYPTO ACL:
access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0
same-security-traffic permit intra-interface
Am I missing something here? Is something like this possible at all?
Thanks in advance for any help.
We use the ASA 5510 with software version 8.0(3)6.
You need to NAT on the outside, not the inside.
nat (outside) 15 access-list TEST
-
Two links, one for site-to-site VPN and another for internet, on the same router configuration
Hi all
I have 2 internet links, an ADSL and a leased line, terminated on the same router. I need to configure the ADSL for the site-to-site VPN to HO and the dedicated leased line for internet for all users.
My site IP subnet is 10.10.100.0/24 and the HO subnet is 10.1.0.0/24. Please find the config attached and advise whether it is OK and will work fine.
Thanks in advance...
Mikael
Hello
To me, it looks like you have configured the routes correctly:
ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to the internet.
ip route 10.1.0.0 255.255.255.0 Dialer1 -> for VPN traffic to HO.
The public_IP_HO must be defined in the crypto map using the set peer command.
One thing I want to add: for the isakmp policy hash attribute, you can choose between sha/md5 or whatever is available on your device. Make sure that the isakmp policy matches the isakmp policy of your HO.
The other thing is the ACL for the internet. You may want to reconsider the deny statement if you only want to deny traffic to your HO; currently it denies all traffic from 10.10.100.0 to the 10.0.0.0 network, not to the 10.1.0.0 (HO) network.
HTH,
-
What is the minimum IOS feature set required for a site-to-site VPN?
Hi guys,
I have a Cisco 1841 router to do a site-to-site VPN. I would like to know what the minimum IOS feature set required for a site-to-site VPN is.
Thanks in advance.
Hi Ja,
Advanced Security or higher should do it. For the IOS version, you can try the later 12.4T, which is c1841-advsecurityk9-mz.124-24.T5.bin, in case you don't want to go to 15.1 yet.
I hope this helps.
Raga
-
Cannot access internal resources over the site-to-site VPN
We have two ASAs. We just set up a site-to-site VPN. For some reason, we are not able to access internal resources at the main office from the remote office. Do you have any suggestions? Thank you.
As wu suggested, please first confirm that the tunnel is up correctly:
"sh cry isa sa" -> will tell you if phase 1 is up
"sh cry ips sa" -> will tell you if phase 2 is up
Now once they are up, when you ping from site A to site B,
on site A you should see encaps, and on site B decaps, for traffic from A to B, and vice versa for the return traffic.
Now we have to see where it is failing:
it could be that the packet is reaching the ASA but not getting encrypted, or that the packet does not reach the ASA at all.
You can run packet-tracer to see if it is getting encrypted, or in other words hits the VPN tunnel.
It might be a NAT problem, and sometimes, if it is a new configuration, the ISP may have blocked ESP traffic in one direction or the other.
The best approach is to turn on "management-access inside" on the firewall and ping from the ASA sourced from inside:
ping inside <remote-host>
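The encaps/decaps reasoning in the answer above, as an added example that is not part of the thread: a small parser for "show crypto ipsec sa" that pulls the counters per SA and turns the pair into a direction-of-failure verdict. The sample output is constructed in the ASA's format with the thread's addresses (peer 194.2.176.18, 41.220.0.1 standing in for the masked 41.220.X.Y) and is an assumption, not real captured output.

```python
"""Parse 'show crypto ipsec sa' counters and say which direction of a
site-to-site tunnel is failing.

Added example, not from the thread. SAMPLE is constructed in the ASA output
format using the thread's addresses (peer 194.2.176.18, 41.220.0.1 standing in
for the masked 41.220.X.Y); it is not real captured output."""
import re

SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 41.220.0.1

      access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0
      local ident (addr/mask/prot/port): (192.168.67.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.32.0/255.255.224.0/0/0)
      current_peer: 194.2.176.18

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((\S+)\)")
FIELDS = {
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
    "peer": re.compile(r"current_peer: (\S+)"),
}
COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_sas(text):
    """One dict per SA; a new SA starts at each 'local ident' line."""
    sas, cur = [], None
    for line in text.splitlines():
        m = LOCAL.search(line)
        if m:
            cur = {"local": m.group(1), "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
        for key, rx in COUNTERS.items():
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1))
    return sas


def diagnose(sa):
    """Map the encaps/decaps pair to the side of the tunnel to look at."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return ("no traffic either way: interesting traffic never reaches the crypto map here "
                "(check NAT, routing and the crypto ACL on this side)")
    if enc > 0 and dec == 0:
        return ("we encrypt but never receive: return path broken "
                "(remote NAT/routing/crypto ACL, or ESP blocked toward us)")
    if enc == 0 and dec > 0:
        return "we receive but never send: local reply path broken (local routing, NAT or ACL)"
    return "traffic flows both ways: the tunnel is fine, look at the hosts and interface ACLs"


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(f'{sa["local"]} -> {sa["remote"]} via {sa["peer"]}: '
              f'encaps={sa["encaps"]} decaps={sa["decaps"]}')
        print("  ", diagnose(sa))
```

Run it on real output by replacing SAMPLE with the text of the command. Checking the counters on both ASAs at the same time is what makes the verdict reliable: site A showing encaps without decaps while site B shows neither points at the path toward B (or B's crypto ACL and NAT) rather than at A.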