Disable the NAT for VPN site-to-site

Hello world

I work in a company, and we had to set up a site-to-site VPN.

Everything works fine, except that the packets sent from my site are translated; in other words, the firewall on the other site (Site_B) sees only the IP address of my firewall (Site_A).

I tried to solve the problem, but without success; I think the NAT of the VPN packets is the problem.

Here is my current running config:

ASA Version 8.3(2)
!
hostname ciscoasa
enable password 9U./y4ITpJEJ8f.V encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.67.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 41.220.X.Y 255.255.255.252 (external WAN public IP address)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CET 1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 41.220.X1.Y1
 host 41.220.X1.Y1
object network NETWORK_OBJ_192.168.67.0_24
 subnet 192.168.67.0 255.255.255.0
object network NETWORK_OBJ_172.19.32.0_19
 subnet 172.19.32.0 255.255.224.0
object network 194.2.176.18
 host 194.2.XX.YY (public external IP address of the other site (Site_B))
 description 194.2.XX.YY
access-list inside_access_in extended permit ip any any log warnings
access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging
access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging
access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging
access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list 1111 standard permit 172.19.32.0 255.255.224.0
access-list 1111 standard permit 192.168.67.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging
access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging
access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_access_in extended permit ip any any log warnings
access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging
access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0
access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.67.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap_2
crypto map outside_map 1 set peer 194.2.XX.YY
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.67.200 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15
username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15
tunnel-group 194.2.XX.YY type ipsec-l2l
tunnel-group 194.2.XX.YY ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0398876429c949a766f7de4fb3e2037e
: end

If you need any other information or explanation, just ask me.

My firewall model: ASA 5505

Thank you for the help.

Hey Houari,

I suspect the order of your NAT statements, which currently is:

nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Can you please apply this change to the ASA:

no nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

nat (inside,outside) 1 source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Try it and let me know how it goes.

If that does not help, please post the output of a packet-tracer from your internal network to the remote VPN subnet, together with the output of "show nat detail".

HTH,

Mo.
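As an added example (not part of either post), the fix Mo describes together with the checks a practitioner would run afterwards, written out as ASA 8.3 CLI. Object names and the peer address come from the config above; the inside test host 192.168.67.10 and the remote test host 172.19.32.10 are assumed.

```cisco
! Manual (section 1) NAT is evaluated top-down and the first match wins.
! In the posted config the dynamic PAT "source dynamic any interface" sits at
! line 1, so traffic for 172.19.32.0/19 is PATed to the outside interface
! address before the crypto map sees it; Site_B then only sees 41.220.X.Y.
! The "access-list nonat" entries do nothing on 8.3: the 8.2-style
! "nat 0 access-list" is replaced by the identity manual NAT rule below.

! 1. Remove the identity (NAT-exempt) rule that currently sits at line 2 ...
no nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

! 2. ... and re-add it explicitly at line 1, ahead of the dynamic PAT.
nat (inside,outside) 1 source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

! 3. Confirm the order: the identity rule must now be listed before the
!    "source dynamic any interface" rule, and its translate_hits should grow.
show nat detail

! 4. Simulate an inside host (assumed 192.168.67.10) reaching a remote host
!    (assumed 172.19.32.10). In the output the NAT phase must show the
!    source untranslated and the VPN phase must show the packet matching
!    crypto map outside_map, ending in "Action: allow".
packet-tracer input inside tcp 192.168.67.10 1025 172.19.32.10 80 detailed

! 5. After real traffic flows, the SA for the peer should show the
!    #pkts encaps and #pkts decaps counters rising in both directions.
show crypto ipsec sa peer 194.2.XX.YY
```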

Tags: Cisco Security
