Endpoints NAT and tunnel

I have two ASA firewall on different subnets, each with their own internet connection.  An ipsec tunnel is set up between my company and another company that ends on one of my ASA firewalls.  The remote end of the tunnel will not support a second endpoint of the tunnel for redundancy.

For this reason, I was wondering if it is possible to route the packets that establish the tunnel on the second firewall and simply NAT the source address to the address of my main firewall outside address.  The tunnel is configured to be established by interesting traffic from my business side.

My ISP, in case my main connection goes down, you can route packets intended for my end point of tunnel to my second internet connection firewall.  I think if I can just NAT address of endpoint of the tunnel (destination address) in the address assigned to my second firewall outside interface, I could set up the tunnel in this way. Anyone know if this is supported?  I know only about 10 years ago, it wasn't but I've heard that this can be done now.

Thank you.

It should work.

I saw him work like this at least in cisco equipment.

I also think that if you see this problem with NAT, should be fixed by NAT - T (when the devices sense that there is a NAT device on the way, packages 5 and 6 for Exchange of key go to UDP 4500).

It seems like it should work.

Federico.

Tags: Cisco Security

Similar Questions

  • IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

    Hello

    My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

    "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

    NAT takes place before the encryption verification!

    In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

    Thanks for any help

    Best regards

    Heiko

    Hello

    Try to change your static NAT with static NAT based policy.

    That is to say the static NAT should not be applicable for VPN traffic

    permissible static route map 1

    corresponds to the IP 104

    access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

    access-list 104 allow the host ip 10.1.110.10 all

    IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

    HTH

    Kind regards

    GE.

  • NAT VPN tunnel and still access Internet traffic

    Hello

    Thank you in advance for any help you can provide.

    I have a server with the IP 192.168.1.9 that needs to access a subnet remote from 192.168.50.0/24, through the Internet.  However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1 because the VPN gateway remote (which is not under my control) allows access to other customers who have the same subnet address that we do on our local network.

    We have a 2801 Cisco (running c2801-advsecurityk9 - mz.124 - 15.T9.bin) set up to make the NAT.  It is the only gateway on our network.

    I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:

    access-list 106 allow host ip 192.168.1.9 192.168.50.0 0.0.0.255

    NAT extended IP access list
    refuse the host ip 192.168.1.9 192.168.50.0 0.0.0.255
    deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    ip permit 192.168.1.0 0.0.0.255 any

    route allowed ISP 10 map
    corresponds to the IP NAT

    IP nat EMDVPN 10.1.0.1 pool 10.1.0.1 netmask 255.255.255.0
    IP nat inside source list 106 pool EMDVPN
    IP nat inside source map route ISP interface FastEthernet0/1 overload

    When the server (192.168.1.9) attempts to ping on the subnet of 192.168.50.0/24 devices, the VPN tunnel is established successfully.  However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed since the external IP address of the router (FastEthernet0/1) at 10.1.0.1.

    The documentation I've seen on the site of Cisco says that this type of Setup allows only host subnet communication.  Internet access is not possible.  However, maybe I missed something, or one of you experts can help me.  Is it possible to configure the NAT router traffic destined to the VPN tunnel and still access the Internet by using the dynamic NAT on FastEthernet0/1?

    Once again, thank you for any help you can give.

    Alex

    Hello

    Rather than use a pool for NAT

    192.168.1.9 - 10.1.0.1 > 192.168.50.x

    ACL 102 permit ip 192.168.1.9 host 192.168.50.0 0.0.0.255

    RM-STATIC-NAT route map permit 10
    corresponds to the IP 102

    IP nat inside source static 192.168.1.9 10.1.0.1 card expandable RM-STATIC-NAT route

    ACL 101 deny host ip 192.168.1.9 192.168.50.0 0.0.0.255
    ACL 101 by ip 192.168.1.0 0.0.0.255 any
    overload of IP nat inside source list 101 interface FastEthernet0/1

    VPN access list will use the source as 10.1.0.1... *.

    Let me know if it works.

    Concerning

    M

  • Order of procedure SonicWALL for routing, NAT and policies

    I'm confused on the prescription that the sonicwall verifies a package.  The way I heard the order, it will:

    (1) check against the access rules,

    (2) check against NAT Polies

    (3) check the routing.

    Installation program:

    Subnet point of VPN endpoint - Internet - SW NSA 2400 (VPN) - sub-network B (from C subnet)

    A subnet is 10.1.100.x/24

    Subnet B is consists of three IPs, 192.168.99.4,.50, and 109.

    Subnet C is contains the host IPs 192.168.13.4,.50, and 109.

    I VPN configured to allow traffic from 10.1.100.x to the hosts on the subnet B, what NAT and the host subnet C.  This method works more large, is not a problem.

    I need to reduce access to certain ports.  Once I set access restrictions in the port, the firewall blocks ALL.

    When I look at a screenshot of packets when traffic is blocked, I see the following:

    Source 10.1.100.5--> 192.168.99.4 accepted

    Source 10.1.100.5--> 192.168.13.4 refused.

    Block of code indicates that it is because of politics.  However the policy review should have been checked and checked already.  If I change the VPN policy to represent both sides of the NAT (ie. 192.168.99.4 and 192.168.13.4) then passes the traffic.

    If anyone can explain what is happening?

    I tried to look through some KB SonicWall has publicly available articles. But I did not see anything that doesn't seem to help. In this case, I think you might want to give SonicWall support a call.

    https://support.software.Dell.com/manage-service-request

    They can help to look over your configurations and see if we have to make changes. They should also be able to answer your technical questions about how the packets are received or managed.

  • IPsec VPN between two routers - mode ESP Transport and Tunnel mode

    Hi experts,

    I have this question about the Transport mode and Tunnel mode for awhile.

    Based on my understanding of 'Transport' mode is not possible because you always original "internal" private in the IP headers or IP addresses. They are always different as public IP on interfaces enabled with Crypto Card addresses. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.

    To test, I built a simple GNS3 with three routers laboratory. R1 and R3 are configured as VPN routers and the R2 must simulate Internet.

    My configs are also very basic. The R2 is routing between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.

    R1:

    crypto ISAKMP policy 100
    BA aes
    preshared authentication
    Group 2
    ISAKMP crypto key 123456 address 2.2.2.2
    !
    Crypto ipsec transform-set ESP_null null esp esp-sha-hmac
    !
    10 map ipsec-isakmp crypto map
    defined peer 2.2.2.2
    transformation-ESP_null game
    match address VPN

    !

    list of IP - VPN access scope
    ip permit 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    !

    R3:

    crypto ISAKMP policy 100
    BA aes
    preshared authentication
    Group 2
    ISAKMP crypto key 123456 address 1.1.1.2
    !
    !
    Crypto ipsec transform-set ESP_null null esp esp-sha-hmac
    !
    10 map ipsec-isakmp crypto map
    defined peer 1.1.1.2
    transformation-ESP_null game
    match address VPN

    !

    list of IP - VPN access scope
    Licensing ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    I configured transform-"null" value, while it will not encrypt the traffic.

    Then I tried the two 'transport' mode and mode "tunnel". I ping a host in the internal network of the R1 to another host in the internal network of the R3. I also tried 'telnet'. I also captured packets and carefully compared in both modes.

    Packets encapsulated in exactly the same way!

    It's just SPI + sequence No. + + padding

    I will attach my screenshots here for you guys to analyze it. I would be grateful for any explanation. I confused maybe just when it comes to the NAT...

    I guess my next step is to check if the two modes to make the difference when the GRE is used.

    Thank you

    Difan

    Hi Difan,

    As you point out the mode of transport is not always applicable (i.e. applicable if IP source and destination is equal to corresnpoding proxy IDs).

    A typical scenario in this mode of transport is used:

    -Encryption between two hosts

    -GRE tunnels

    -L2TP over IPsec

    Even if you set "transport mode" this does not mean that it will be used. IOS routers and I blieve also ASA will perform backup even if the mode of transport is configured but does not apply in tunnel mode.

    I can take a look at your traces to sniff, but all first can you please check if you transport mode on your ipsec security associations? "See the crypto ipsec his" exit you will show the tunnel or transport mode.

    HTH,

    Marcin

  • Clarification of authentication PIX NAT and BGP

    Hi all

    I did some tests on PIX and crossing this area of BGP traffic.

    When I configure the PIX to do no config NAT (NAT 0) and configure a BGP session between two routers (one inside) and the other on the outside net everything works fine.

    When I configure BGP authentication, I may add the keyword "norandomseq" NAT and STATIC commands cause BGP auth embedded TCP header for authentication information. It's OK.

    But when I reconfigure the PIX to make real NAT between the inside and the outside network and reconfigure my routers, BGP session doesn't happen if BGP authentication has been disabled. If I enable authentication BGP, I had errors of MD5 authentication on routers. (Note "norandomseq" is enabled for NAT and STATIC instructions)

    Now my question is BGP unsupported for NAT on PIX sessions? (for my tests, it has worked for NAT 0 config, also all the examples that I always found working with NAT 0 config)

    I think the problem is that the TCP pseudo-header changes to the NAT device and therefore it will never work right? Or is there any correction internal bgp which should fix this? I think it's almost impossible that this is known with the password simple bgp, right?

    Concerning

    Michael

    Your reasoning is dead the. BGP authentication works like this: the sending peer BGP takes and MD5 hash of the TCP header before sending the package and includes this hash in the TCP header option. The BGP receiver receives the packet and also did a MD5 hash of the TCP header. Then, it compares its value to the value sent by the sender of BGP. If they match, all right. If they fail, the packet is ignored and you get error messages, did you see.

    Because the NAT will change the address source TCP, the TCP header will be changed which should bring a different MD5 hash for the receiver that the sender originally sent.

    BGP peer by a PIX authtenticatio is supported only in a Nat 0 or static identity with the norandomseq option is enabled.

    Make sense?

    Scott

  • Issue of ASA NAT and routing

    Hello

    I have a question about NAT and routing on the SAA. I'm relatively new to ASA and don't know if it works or not. I have a pool of public IP (209.x.x.x/28) that routes my ISP to the external interface of my ASA. IP was assigned address for the outside of the ASA is an address of 206.x.x.2/24 with a default GW of 206.x.x.1. I intend using NAT to allow my web/mail servers on the DMZ (192.168.x.x) use 209.x.x.x addresses. However, I do know how to make it work since I'm not arping on any interface for 209.x.x.x addresses as they will be sent to the 206.x.x.2 address by the ISP. Can I just set up a translation NAT (on the external interface?) of the 209.x.x.x on 192.168.x.x address and the ASA will figure it out?

    Thanks for the help.

    Todd

    The ASa will figure it out, he will answer ARP queries for all that he has set up in a "static" command As long as th PSIA routes 209.x.x.x directly to the ASA addresses then it should all work fine.

    You just need to add lines like the following:

    static (dmz, external) 209.x.x.x netmask 255.255.255.255 192.168.x.x

    for each of your internal servers in the DMZ. Then an access-list to allow only HTTP/SMTP/etc through these addresses 209.x.x.x.

    list of allowed inbound tcp access any host 209.x.x.x eq smtp

    list of allowed inbound tcp access any host 209.y.y.y eq http

    Access-group interface incoming outside

  • NAT and VMware View

    I am

    try again using VMware View, where a person uses a VPN to

    connect to my view of the Park, but my connection to the server is running NAT, and

    the client tries to connect in my Park he cannot get the virtual

    machine. Are there restrictions? Any tips?

    If you have found this information useful, please consider awarding points to 'Correct' or 'Useful'*.

    Exactly THAT PCOIP do not work on the Security server.  If your using VPN and connect to a broker internal conection it should work good as new NAT could shake things.    Should be a simple test however.

    If you have found this device or any other useful post please consider the use of buttons useful/correct to award points

    Twitter: http://twitter.com/mittim12

  • Policy Nat and IPSec tunnel

    Hello

    I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client.  Unfortunately, we have two overlapping of 10 network IP addresses.

    Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?

    I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming.    The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.

    See attachment

    Kind regards

    They are wrong to installation.  Remote local networks are not 10.134.206.0 and 10.134.206/42.  It is simply your public IP address.

  • VTI and NAT IPsec Tunnel mode

    Hello world

    I don't know that this subject has been beaten to death already on these forums.  Nevertheless, I have yet to find the exact solution, I need.  I have three machines, two routers and an ASA.  One of the routers sits behind the ASA and I have a GRE VTI configuration between two routers with ASA NATting, one of the routers to a public IP address.  I can guarantee the tunnel mode IPsec transport, but as soon as I pass in tunnel mode, the communication fails even if the SA is established.

    Please see the configuration below and tell me what I am missing please.  I changed the IP addresses for security.

    The following configuration works when transform-set is set to the mode of transport

    Note: The Router 2 is sitting behind the ASA and is coordinated to the public IP 200.1.1.2

    Router 1:

    Crypto ipsec transform-set SEC esp - aes 256 esp-md5-hmac

    tunnel mode

    !

    Crypto ipsec IPSEC profile

    transformation-SEC game

    !

    !

    interface tunnels2

    IP 172.16.1.1 255.255.255.252

    tunnel source 200.1.1.1

    tunnel destination 200.1.1.2

    Ipsec IPSEC protection tunnel profile

    !

    SECURITYKEY address 200.1.1.2 isakmp encryption key

    !

    crypto ISAKMP policy 1

    BA aes 256

    md5 hash

    preshared authentication

    Group 2

    ASA:

    public static 200.1.1.2 (indoor, outdoor) 10.1.1.1 netmask 255.255.255.255

    Router 2:

    interface Tunnel121

    address 172.16.1.2 IP 255.255.255.252

    IP nat inside

    IP virtual-reassembly

    tunnel source 10.1.1.1

    tunnel destination 200.1.1.1

    Ipsec IPSEC protection tunnel profile

    !

    Crypto ipsec transform-set SEC esp - aes 256 esp-md5-hmac

    tunnel mode

    !

    Crypto ipsec IPSEC profile

    transformation-SEC game

    !

    SECURITYKEY address 200.1.1.1 isakmp encryption key

    !

    crypto ISAKMP policy 2

    BA aes 256

    md5 hash

    preshared authentication

    Group 2

    There is no access-lists on the SAA except to allow a whole ICMP

    I am very grateful for any guidance you can provide in advance guys.

    Hello

    MTU, and the overhead was in this case.

    You changed encapsulating ipv4 instead of LIKING - which have less overhead (no GRE inside). This is why it started working.

    If you want to continue using GRE you decrease the MTU as described.

    ---

    Michal

  • PAT/NAT and VPN through a PIX

    "PPTP through the PIX with Port address translation (PAT) does not work because there is no concept of ports in GRE"-this is an excerpt from a config PIX version 6.2 and below.

    1. how this problem has been fixed in 6.3? GRE is encapsulated in udp or tcp to use ports to follow the connection?

    2. is it "fixup protocol esp-ike" use the same technology - the source port created by the IKE protocol? -ISAKMP cannot be enabled when you use this command

    3. What is "isakmp nat-traversal? How is this different from fixup protocol esp-ike"

    Thank you

    RJ

    1. when the PIX sees outgoing PPTP (TCP 1723 port) packets it now opens holes for them to return, as well as opening a hole for the GRE packets, it has never done this before. The PPTP TCP packets can be PAT would be fine because they are TCP packets. GRE packets, I believe, are followed by the id field only tunnel in the package.

    2. we use the source port of the ISAKMP packet for ESP packets as well. The current limitation is that if you have this option, you cannot use the PIX to close the IPSec sessions, so you can not turn on ISAKMP any interface. You can also have only a single IPSec client internal to use this feature.

    3 NAT - T is a new standard for IPSec to work through a NAT device peers, because they detect changes of address during the negotiation of tunnel and automatically encapsulate packets in UDP 4500. This market allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from the "esp - ike correction '' that the PIX ends not in fact the IPSec tunnel with esp - ike, but it is the endpoint in nat - t.

  • Access to services: conflict NAT and VPN

    Hi people!

    I encountered a problem with external access to local services of:
    (a) remote clients (port open on the side WAN)
    (b) the remote sites (through IPsec tunnels)

    Here's a topology:

    EXPLANATIONS

    FW1 (actually from TMG 2010) overload NAT of preforms.

    The service in question (for example tcp 9999) is published on 192.168.100.0/24 via static NAT translation, which is accessible from the network.

    HQ1 is a border router (cisco 2921). It also performs NAT overload for public addresses. (Other than cisco) Branch1 also performs NAT overload.

    All traffic between the headquarters and the remote site is allowed. The service is accessible from the remote site.

    PROBLEM

    I want to allow access to the service for an external user (remote user). I do the following configuration:

    IP nat inside source static tcp 192.168.100.2 2.2.2.2 9999 9999 extensible

    After this command remote user is able to access the service by public IP, BUT the site's users remote losing it. If I roll back with

    No nat ip inside the source static tcp 192.168.100.2 2.2.2.2 9999 9999 extensible

    then access to the remote site is restored, and remote user lose again. Seems that it is connected with the static NAT translations.

    How can I make it work in both cases of simulteniously? Both for the remote site and the remote user.

    Thank you!

    You must use a map of the route with your static NAT configuration.

    Recently answered a question for the same thing, please visit this link and if you have any questions please come back.

    https://supportforums.Cisco.com/discussion/12544291/IPSec-IP-NAT-inside-source-static

    Jon

  • With NAT VPN tunnels

    I have read on several posts on the topic and still think I'm missing something, I'm looking for help.

    Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.

    I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.

    The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.

    Is this possible? I am attaching a schema, which could help.

    Hello

    Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.

    On your ASA device

    public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255

    You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.

    HTH

    Jon

  • NAT and vpn acl

    Hello

    I have asa 5512-x

    ASA 9.1 version 2

    ASDM version 7.2 (1)

    I'm not really good with a syntax of cisco, so I use asdm

    I created a split tunnel remote ipsec vpn with cisco vpn client

    the purpose is to allow vpn for LAN traffic

    and to allow the vpn to a public Web site traffic

    so I set the two objects and added to the exemption of split tunnel (the names of the objects: 'LAN', 'Rackspace')

    access to the local network is ok, access to a Web site does not work

    I guess I have some missing nat/ACL,

    can someone explain to me please in the most simple way to do this?

    Thank you very much

    Hello

    What is subnet

    network of the NETWORK_OBJ_172.18.0.0_26 object
    255.255.255.192 subnet 172.18.0.0

    This 'nat' configuration seems strange

    NAT (LAN, WAN1) source static Tunnel VPN VPN Tunnel static destination NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 non-proxy-arp-search to itinerary

    When you see that the source for the "nat" interface is 'LAN' and source networks are those configured under "Tunnel VPN" it seems to suggest that this NAT configuration transmits traffic destined to 'LAN' and 'rackspace' to the 'LAN' interface. It is naturally very good for the subnet configured under 'LAN' , but the 'rackspace' to my knowledge is located behind an external interface of the ASA correct? But I guess I really need to know this as the subnet that I mentioned at the beginning of the post (which is used in this configuration NAT too)

    What is the interface to which the VPN users connect to? WAN1 or DSL? Although the following list what the map interface Crypto is attached

    See the crypto run map

    You can also list the output of the following command

    See the establishment of performance ip local pool

    -Jouni

  • NAT and VPN site-2-Site

    Hello world.

    I have question about Site 2 Site VPN and NAT.

    HQ is connected to the partner and the co-location through site to site VPN (with two different tunnels). Co-location is connected to the HQ with the site 2 site VPN.

    HQ:
    Co-location:
    Partner:

    Basically, what I want to achieve is to do the following:

    All traffic from the combination with destination partner should switch from AC and source what IP must be changed. So it seems that the traffic originated in the DMZ HQ on the side of the partner.

    How can I achieve that?

    HW: Cisco ASA

    Hello Roger,.

    The configuration you need will be on the ASA HQ.

    First configure the ASA so that it would allow the traffic to leave through the same interface it came through:

    permit same-security-traffic intra-interface

    Then, you create a nat that an IP address of this beach (it will work if the partner does not need to go to the apartment, just camp to the partner):

    policy-based-nat1 permit ip access list

    NAT () to access list policy-based-nat1

    (Global)

    That is asuming that you already have a rule of traffic interesting (crypto ACL map) allowed your DMZ for flatsharing.

    For a more specific example, see below:

    Colocation network: 192.168.1.0/24

    Network DMZ HQ: 10.10.10.0/24

    Network partner: 172.16.10.0/24

    permit same-security-traffic intra-interface

    access list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

    NAT (outdoor) 100 access list policy-based-nat1

    global (outside) 100 10.10.10.253

    vpn10 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0

    10 correspondence address vpn vpn crypto card

    If the partner needs to access the apartment so (two-way access) you may not use the DMZ network as there must be a translation from one to the other and you have the same amount of addresses to be translated you have on the apartment.

    However, it would be possible if your DMZ network is greater than the apartment (like DMZ being a 16 and colo in 24) and you can isolate a subnet just for NAT.

    Hope this helps to solve the problem.

Maybe you are looking for