DMZ to LAN with NAT - config?
A customer premises network requires access to our network.
Requirements:
provide internet access
restrict access to different servers
NAT addresses
Is there a config out there that helps with DMZ to LAN access?
Thanks for any help.
Hello Tsrader,
Your config looks pretty good for the most part. Here are some changes I would make:
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
TCP/UDP/ICMP are all covered by the "permit ip" statement, so the first three lines aren't really necessary. However, you don't actually have this access list applied to the inside interface, so by default all traffic from the inside will be allowed to the gtadmz. If you want to block traffic from the inside to the gtadmz, you could do this:
access-list inside_access_in deny ip any object-group customer_nets
access-list inside_access_in permit ip any any
This will only allow connections from the gtadmz to the inside and their return packets.
On the NAT/global statements, those are correct. A request from the gtadmz will appear to the inside servers to come from the IP address of the firewall's inside interface. If that is what you want, it should work fine.
Finally, on the question about applying the access list to the interface: what you have is correct.
I hope this helps.
Gavin Budd
Tags: Cisco Security
Similar Questions
-
If I have an appliance in the DMZ, let's say an e-mail security appliance, do I need an ACL or NAT policy between the DMZ and the LAN?
Or simply a NAT policy and ACLs from the WAN to the DMZ, and DMZ to LAN will talk without interruption?
You don't need a NAT policy between DMZ and LAN, only ACLs that allow traffic from the LAN to your device in the DMZ.
You must configure a NAT policy and an ACL when providing access from outside your network, i.e. WAN to LAN or WAN to DMZ.
-
VM in DMZ and VM in LAN on the same ESXi Server
Is it advisable to run two virtual machines on one physical ESXi Server, considering that only
one VM is connected to the DMZ (demilitarized zone) and the other VM is connected to the LAN?
For example, one VM can be a mail gateway server in the DMZ and
the other VM can be a mail server located in the LAN.
The ESXi box has multiple network cards, so a single card could be connected to the DMZ and the others to the LAN.
Is it dangerous from a security point of view?
It only becomes really dangerous if you have a virtual machine that is connected to both networks at the same time; if not, there is no known way to cross the boundary. Other than that, you should be good to go.
Steve Beaver
VMware communities user moderator
VMware vExpert 2009
====
Co-author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) Auerbach
Come and see my blog: www.theVirtualBlackHole.com
Come follow me on twitter http://www.twitter.com/sbeaver
*Virtualization is a journey, not a project. *
-
LAN to LAN PAT/NAT on a 3020 Concentrator
I have a client who wants to set up an L2L tunnel, but they said they will only allow us to use up to three IP addresses. I have never had any other customer ask me to do it this way and I'm a little confused as to how I should make it work. I'm guessing that some form of NAT/PAT should solve the problem for me. Could someone please point me in the right direction?
Thank you!
Yes, you can use that NAT approach. Maybe they're being "too cautious" with their security.
Regards,
Farrukh
-
LAN to LAN VPN with NAT - solved!
Hello world
I have problems with an L2L VPN: it is established and logging, however when traffic comes from the other side of the tunnel it doesn't reach the host on the internal network through the static NAT. The inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) interface.
Here is the configuration:
object-group network NET-Tunnel
 network-object host xxx.220.129.134
access-list Tunnel-ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel
crypto map MAP_Tunnel 20 match address Tunnel-ACL
object network Tunnel-iServer-NAT
 host yyy.30.49.14
object network Tunnel-iServer
 host 172.18.30.225
 nat (inside,DMZ) static Tunnel-iServer-NAT
I hope that is enough for someone to help me.
Thank you
M
ASA version 8.3.1
Post edited by: network operations
Does the internal host live on the DMZ network or on the internal network? If it lives on the internal network, you cannot NAT it to the DMZ interface and have it go out the outside interface, assuming that the outside interface is the VPN endpoint interface. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.
-
NAT policy config in version 8.3
Hi guys
I need some help from you to move the following (site to site) VPN config from ASA 8.2 to ASA v8.3.
ASA 8.2
interface Vlan x
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
global (outside) 176 172.28.176.10
nat (inside) 176 access-list policy_nat
!
access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.190.0.0 255.255.0.0
I started creating network objects for the local and remote network, but I'm just/still missing the "policy-nat" config...
ASA v8.3
object network local-network
 subnet 192.168.1.0 255.255.255.0
!
object network remote-network
 subnet 10.190.0.0 255.255.0.0
!
object network policy-nat-vpn-range
 subnet 172.28.180.0 255.255.255.0
!
object network policy-nat-WAN-IP
 host 172.28.180.1
.....
BR,
/ S
You can go with this (and use your existing objects):
object network obj-172.28.176.10
 host 172.28.176.10
nat (inside,outside) source dynamic local-network obj-172.28.176.10 destination static remote-network remote-network
-
WLAN, LAN, DMZ on ESXi with 2 network cards
Hello
I'm an ESXi newbie. What I'm trying to achieve on my ESXi server is a simple firewall/gw between internet (vmnic1), LAN (vmnic0) and DMZ. I have only 2 physical NICs in my server, and the DMZ should be a "completely collapsed" DMZ. I intend to have 1 web server (www, ftp) in the DMZ, 2 servers in the LAN and smoothwall acting as firewall.
After reading some pdf files and some forum discussions I've come up with the attached 'Networking' design.
Could you experts please check the design and advise me how secure it is and where the potential pitfalls are?
COS you need to manage your esxi server.
The following will work:
An ESX3i server with two physical network (pNic) interfaces
pNic0 connected to the internet
pNic1 connected to your local network
3 vSwitches configured, one for each pNic and one internal vSwitch (DMZ)
A "Smoothwall" guest configured with 3 network cards, one for the Internet, one for the local network, and one for the DMZ.
Guests in the DMZ must be created with their vNic on the DMZ vSwitch.
SmoothWall manages the firewall and forwards the correct port numbers, etc. to the IP addresses in the DMZ.
Kind regards
Torben Jungsberg
-
I have a NAT problem that is confounding me.
Today, in our lab, I have a video server that is on the subnet 10.16.42.91/26.
This subnet is managed by an L3 switch with L3 routing to the rest of the network.
I need this test server to be accessed over an emulated WAN to validate performance for the executive office.
The WAN emulator is all set up and works fine.
Now I would like to extend this slow access outside the laboratory, so that everyone can test the slow lane from their office.
To do this, I added a 2nd router between the video server subnet and the rest of the network.
I want to NAT the 10.16.42.91 address to 10.16.44.91,
such that... anyone using 10.16.44.91 goes through the slow lane, and anyone using 10.16.42.91 through the GigE.
The NATing router is an 881 running 15.3.
It should be a hide NAT; return traffic would be routed through the NAT router.
I tried several NAT configs, but remain confused.
Diagram below... Would appreciate any suggestions.
Thanks in advance
Wes
You need two things-
(1) For the return traffic to come back to the 881, you need to NAT overload all user IPs to the 881's interface IP on 10.16.42.x. You have the users on the inside-facing interface, which makes it a lot easier-
access-list 101 permit ip 10.0.0.0 0.0.0.255 host 10.16.44.91
ip nat inside source list 101 interface <x> overload  (where x is the interface facing the server)
Note that I'm not entirely sure about the exact order of processing between the two NAT statements, so in the ACL above, where you have the 10.16.44.91 host, you might need to change it to the real server IP. Try the above first.
(2) A NAT for the server-
ip nat outside source static 10.16.42.91 10.16.44.91
Edit - I'm assuming you have already assigned 'ip nat inside' to the interface on the 881 facing the users and 'ip nat outside' to the interface facing the server.
Jon
-
Can I use the public peer address as the PAT or NAT address as well?
Using an ASA 5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT address for my internal local private IPs? The remote VPN location's policy is to not allow private IP addresses onto their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)
I have four hosts that need to access a device at the remote location via an IPSec tunnel. They are:
local hosts:
192.168.2.10, 11, 12, 13
Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52
remote host:
168.12.10.6
Thanks for any help.
jkeeffe wrote:
Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs? The remote VPN location policy is to not allow private IP address on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)
I have four hosts that need to access a device at the remote location via an IPSec tunnel. They are:
local hosts:
192.168.2.10, 11, 12, 13
Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52
remote host:
168.12.10.6
thanks for any help.
Yes you can do it.
object-group network localhosts
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 etc...
access-list VPN-access permit ip object-group localhosts host 168.12.10.6
nat (inside) 1 access-list VPN-access
global (outside) 1 interface
The crypto map ACL would then look like this-
access-list VPNTRAFFIC permit ip host 205.188.15.34 host 168.12.10.6
One thing to note. The NAT example above is policy NAT, i.e. if the source is 192.168.2.10 -> 13 and the destination is 168.12.10.6, then NAT the source to the public IP 205.188.15.34. However, you may already have something like this in your config-
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
i.e. you're NATing all your private addresses to the outside interface address for general internet access. If you don't have that, then there is no need to do policy NAT and you can just miss out those lines, as the source addresses will be NATed anyway.
Jon
-
Cisco ASA VPN tunnel question - DMZ interface
I am trying to build a tunnel to a customer with NAT and I'm able to get 3 of the 4 networks to communicate. The one that is not responding is a DMZ network. Excerpts from the config are below. What am I doing wrong with the 10.0.87.0/24 network? The error in the log is "routing cannot locate the next hop".
interface Ethernet0/1
 speed 100
 duplex half
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
 rip send version 1
!
interface Ethernet0/2
 nameif DMZ
 security-level 4
 ip address 172.16.1.1 255.255.255.0
 ospf cost 10
!
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network comm-10.240.0.0
 subnet 10.240.0.0 255.255.0.0
object network obj-10.0.12.0
 subnet 10.0.12.0 255.255.255.0
object network obj-10.0.14.0
 subnet 10.0.14.0 255.255.255.0
object network DNI-NAT1
 subnet 10.0.84.0 255.255.255.0
object network DNI-NAT2
 subnet 10.0.85.0 255.255.255.0
object network DNI-NAT3
 subnet 10.0.86.0 255.255.255.0
object network DNI-NAT4
 subnet 10.0.87.0 255.255.255.0
object-group network DNI_NAT
 network-object object DNI-NAT1
 network-object object DNI-NAT2
 network-object object DNI-NAT3
 network-object object DNI-NAT4
access-list DNI_VPN_NAT1 extended permit ip 10.0.0.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT2 extended permit ip 10.0.12.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT3 extended permit ip 10.0.14.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT4 extended permit ip 172.16.1.0 255.255.255.0 object comm-10.240.0.0
access-list DNI-VPN-traffic extended permit ip object-group DNI_NAT object comm-10.240.0.0
nat (inside,outside) source static obj-10.0.12.0 DNI-NAT2 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-10.0.14.0 DNI-NAT3 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
Hello
I see that the issue here is this NAT statement:
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
The correct statement would be:
nat (DMZ,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 net-to-net no-proxy-arp
Go ahead and run a packet tracer:
packet-tracer input DMZ tcp 172.16.1.15 443 10.240.X.X 443 detailed
That way you will see that the NAT exemption works now.
I would like to know how it goes!
Please don't forget to rate and mark the helpful post as correct!
Kind regards
David Castro,
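To see why the interface pair in the nat statement matters, here is an added example (not Cisco code and not from the thread) that models the two behaviours the reply above relies on: a manual NAT rule is only considered for packets entering on its real interface, and a matched rule diverts the peer's reply to that real interface before the route lookup. The 10.240.0.0/16 peer network, the object names and the route table are constructed to mirror the thread.

```python
"""Simplified model of ASA 8.3+ manual (twice) NAT matching.

Added example for the DMZ thread above; it is not Cisco code and not the
poster's config. It models two behaviours the reply relies on: a manual NAT
rule is only considered for packets entering on its real (first) interface,
and a matched rule diverts the reply packet to that real interface before
the route lookup ("NAT divert"). The 10.240.0.0/16 peer, object names and
the route table are constructed to mirror the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    real_ifc: str      # first interface in "nat (real,mapped)"
    mapped_ifc: str    # second interface
    real_src: str      # real source network, e.g. "172.16.1.0/24"
    mapped_src: str    # translated source network, e.g. "10.0.87.0/24"
    dest: str          # destination object, static (unchanged)


def _in(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr)


def _shift(ip: str, from_net: str, to_net: str) -> str:
    """Static net-to-net translation: keep the host offset, swap the network."""
    f, t = ip_network(from_net), ip_network(to_net)
    if f.prefixlen != t.prefixlen:
        raise ValueError("static net-to-net needs equal-size networks")
    offset = int(ip_address(ip)) - int(f.network_address)
    return str(ip_address(int(t.network_address) + offset))


def outbound(rules: List[NatRule], ingress: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Real -> mapped direction. First matching rule wins (section 1 is ordered).
    Returns (translated source, egress interface), or None when no rule applies
    to a packet entering on `ingress`."""
    for r in rules:
        if ingress == r.real_ifc and _in(src, r.real_src) and _in(dst, r.dest):
            return _shift(src, r.real_src, r.mapped_src), r.mapped_ifc
    return None


def inbound(rules: List[NatRule], routes: Dict[str, List[str]],
            ingress: str, src: str, dst: str) -> str:
    """Mapped -> real direction (the VPN peer replying). Untranslate the
    destination, divert to the rule's real interface, then check that this
    interface really has a route to the real host. When it does not, the ASA
    logs that routing cannot locate the next hop, the symptom in the thread."""
    for r in rules:
        if ingress == r.mapped_ifc and _in(src, r.dest) and _in(dst, r.mapped_src):
            real_dst = _shift(dst, r.mapped_src, r.real_src)
            if any(_in(real_dst, net) for net in routes.get(r.real_ifc, [])):
                return "UN-NAT %s -> %s, egress %s" % (dst, real_dst, r.real_ifc)
            return "DROP: routing cannot locate next hop for %s on %s" % (real_dst, r.real_ifc)
    return "no NAT rule matched"


PEER = "10.240.0.0/16"
# Constructed route table: which real networks sit behind which interface.
ROUTES = {"inside": ["10.0.0.0/24", "10.0.12.0/24", "10.0.14.0/24"],
          "DMZ": ["172.16.1.0/24"]}
COMMON = [NatRule("inside", "outside", "10.0.12.0/24", "10.0.85.0/24", PEER),
          NatRule("inside", "outside", "10.0.14.0/24", "10.0.86.0/24", PEER)]
RULE_POSTED = NatRule("inside", "outside", "172.16.1.0/24", "10.0.87.0/24", PEER)  # wrong ifc
RULE_FIXED = NatRule("DMZ", "outside", "172.16.1.0/24", "10.0.87.0/24", PEER)      # as answered

if __name__ == "__main__":
    for label, rules in (("posted", COMMON + [RULE_POSTED]), ("fixed", COMMON + [RULE_FIXED])):
        print(label, "outbound:", outbound(rules, "DMZ", "172.16.1.15", "10.240.1.1"))
        print(label, "inbound: ", inbound(rules, ROUTES, "outside", "10.240.1.1", "10.0.87.15"))
```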
-
I've recently upgraded to 8.3.2 and I was informed of the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the VPN network 192.168.100.0 communicating with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping hosts on the inside and the DMZ, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two networks mentioned above as secured routes, but still no ping.
# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-172.16.9.5 interface   service tcp www www
    translate_hits = 0, untranslate_hits = 142
2 (dmz) to (outside) source static obj-172.16.9.5-01 interface   service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 2
3 (dmz) to (outside) source static obj-172.16.9.5-02 interface   service tcp ldap ldap
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.5-03 interface   service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.5-04 interface   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 267
6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
    translate_hits = 4070, untranslate_hits = 224
7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
    translate_hits = 0, untranslate_hits = 0
8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
    translate_hits = 152, untranslate_hits = 4082
9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
    translate_hits = 69, untranslate_hits = 0
10 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 196, untranslate_hits = 32
I think you need the following two NAT configs:
nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0
Please configure them, remove any additional NAT configuration and then try again.
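The show nat listing above can be checked mechanically before rules are removed. What follows is an added example, not code from the thread or from Cisco: a parser for that output format that turns each rule and its hit counters into a record, run on a sample constructed in the same layout as the poster's output.

```python
"""Parser for the ASA 'show nat' listing format shown above.
Added example, not from the thread or Cisco: each rule line and its
translate_hits/untranslate_hits counter line become one record, so rules
that never matched, or that involve a given object, can be listed.
SAMPLE is constructed in the same layout as the poster's output."""
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<real_ifc>[^)]+)\) to \((?P<mapped_ifc>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?:\s+destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
    r"(?P<rest>.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

@dataclass
class NatEntry:
    section: int            # 1 = manual (twice) NAT, 2 = auto (object) NAT
    num: int
    real_ifc: str
    mapped_ifc: str
    kind: str               # static or dynamic
    real_src: str
    mapped_src: str
    real_dst: Optional[str]
    mapped_dst: Optional[str]
    unidirectional: bool
    service: Optional[str]  # e.g. "tcp www www" for auto NAT with a port
    translate_hits: int = 0
    untranslate_hits: int = 0

    @property
    def label(self) -> str:
        return "%s-%d" % ("manual" if self.section == 1 else "auto", self.num)

def parse_show_nat(text: str) -> List[NatEntry]:
    entries: List[NatEntry] = []
    section = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Manual NAT Policies"):
            section = 1
        elif line.startswith("Auto NAT Policies"):
            section = 2
        elif (m := HITS_RE.search(line)) and entries:
            # the counter line belongs to the rule parsed just before it
            entries[-1].translate_hits = int(m.group(1))
            entries[-1].untranslate_hits = int(m.group(2))
        elif (m := RULE_RE.match(line)):
            rest = m.group("rest")
            svc = re.search(r"service (\S+ \S+ \S+)", rest)
            entries.append(NatEntry(
                section, int(m.group("num")), m.group("real_ifc"), m.group("mapped_ifc"),
                m.group("kind"), m.group("real_src"), m.group("mapped_src"),
                m.group("real_dst"), m.group("mapped_dst"),
                "unidirectional" in rest, svc.group(1) if svc else None))
    return entries

def never_hit(entries: List[NatEntry]) -> List[NatEntry]:
    """Rules with zero hits in both directions: the first ones to question when
    a reply asks you to strip extra NAT configuration."""
    return [e for e in entries if e.translate_hits == 0 and e.untranslate_hits == 0]

def rules_for_object(entries: List[NatEntry], obj: str) -> List[NatEntry]:
    """Every rule naming `obj` as real or mapped source or destination."""
    return [e for e in entries
            if obj in (e.real_src, e.mapped_src, e.real_dst, e.mapped_dst)]

SAMPLE = """\
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-172.16.9.5 interface   service tcp www www
    translate_hits = 0, untranslate_hits = 142
6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
    translate_hits = 4070, untranslate_hits = 224
10 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 196, untranslate_hits = 32
"""
```

Calling never_hit(parse_show_nat(SAMPLE)) returns the three manual rules, which are the ones the reply above replaces.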
-
Cannot access the Web server in the DMZ from the inside using the global IP
Hi all
I hope this is a very simple question.
I'm running a PIX 515 firewall v6.3. I set up a Web server in my DMZ and use static NAT to map it to a global static IP address. Access from the outside to the DMZ works remarkably well. I can access the Web site from the inside interface using the internal IP, but I can't access it from the inside interface using the global IP assigned to it.
Is there a particular reason why this would not be allowed? My feeling was that the request would be forwarded via the outside interface (as it is a global IP address) and then be bounced back by my ISP; in my mind the request would then come back in on the outside interface (as the static NAT is applied to the outside interface).
However, if I try to access the global IP from my inside interface, the browser cannot find the server.
Can someone explain why this is so? Any information would be appreciated.
See you soon,
Wayne
---------------------------------
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname helmsdeep
domain-name p2h.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 203.169.113.110 eq www
access-list 90 permit tcp host 10.1.1.27 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 202.164.169.42 255.255.255.255 inside
pdm location 202.164.169.42 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.222 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.1.1.101-10.1.1.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 90
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.222 255.255.255.255 inside
floodguard enable
fragment chain 1
console timeout 0
terminal width 80
PIX code v6 or lower doesn't let traffic "hairpin", i.e. return or flow back out via the same interface on which it was received. Also, bouncing your traffic off an external server is never a good idea, because you won't be able to distinguish it from rogue attacks spoofing someone outside your network.
Since you are using PIX 6.3 code, you may be able to use outside NAT. Add this static to your config:
static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
You may need to run a clear xlate after adding the new static statement. Note the interface order: it's (dmz,inside), not (inside,dmz).
I would like to know if it works.
-
ASA 5500 and static NAT 1-to-1
We currently have a pair of ASA 5500s in failover providing firewall & NAT with inside, outside and dmz interfaces. We do interface PAT for most inside-to-outside connections and static 1-to-1 NAT for specific hosts that need to accept connections from the outside. The static NAT space is a /27 which includes the address of the outside interface. All of this is working properly.
However, we are out of space for static NATs in this /27. I would like to be able to add a different network, probably another /27, for more static NATs but I'm having a hard time finding the best way to do it. Is this possible with a network that does not include the outside interface of the ASA?
Here is some of our current NAT config:
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz1,outside) dmz1-net dmz1-net netmask 255.255.255.224
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255
static (inside,outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255
static (inside,outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255
static (inside,outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255
Thank you very much...
Hello
The correct syntax for enabling proxy ARP would be:
no sysopt noproxyarp outside
-
If I have a LAN of 10.1.1.0/24 and I want to NAT all of its hosts to 192.168.1.0/24: I really don't want to create a network object for each unique host, because that's just too many. I just want to confirm that by creating two objects and then NATing them, a single NAT statement should configure it right?
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
!
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static obj-10.1.1.0 obj-192.168.1.0 destination static remote remote
Now when the remote network needs access to hosts on the 10.1.1.0/24 network, they should just be able to access them?
10.1.1.1 will map to 192.168.1.1
10.1.1.2 will map to 192.168.1.2
10.1.1.3 will map to 192.168.1.3
and so on...?
In addition,
A test on my home ASA
Configuration
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network REMOTE
 subnet 10.0.1.0 255.255.255.0
object network LAN-NAT
 subnet 10.0.100.0 255.255.255.0
nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
LAN to REMOTE
ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1025 10.0.1.1 80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
Additional Information:
Static translate 10.0.0.10/1025 to 10.0.100.10/1025
REMOTE to LAN
ASA(config)# packet-tracer input WAN tcp 10.0.1.100 1025 10.0.100.10 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
Additional Information:
NAT divert to egress interface LAN
Untranslate 10.0.100.10/80 to 10.0.0.10/80
-Jouni
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up a VPN tunnel between two ASAs or routers using NAT to translate the inside private IP addresses to a single public IP address on the outside interface, and then define the interesting traffic for crypto with that public IP address as the source and the remote private network on the other end (also an ASA) as the destination? For example, I want to translate a private network to a public IP address at one end and use the VPN tunnel with that public IP address as the source. Policy NAT is not an option, because we really do not want to reveal any IP addresses to the remote end, and the remote end's IP addresses can overlap with ours.
Thank you!
Hello
You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define the interesting traffic using the public IP address.
This is exactly what we call policy NAT, so I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept, or I misunderstood your question.
For example, assuming the private LAN on your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address you want to use is 200.200.200.200, your NAT config should look like this:
access-list 199 permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
global (outside) 6 200.200.200.200
nat (inside) 6 access-list 199
This would NAT traffic to the public IP address only when the traffic matches the ACL.
Your crypto ACL should then be something like:
access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your real addresses and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be the one able to bring up the tunnel.
I hope this helps.
Raga