Inspection of traffic between hair-pinning VPN on a SAA with AIP SSM.

Hello

I want to deploy an ASA as a VPN endpoint and to use the AIP SSM module to inspect and provide protection for inbound traffic arriving on a VPN and start on another within the same ASA. I guess it's possible because traffic is unencrypted in the ASA State and must be intercepted by the class plan. Anyone who has done this or can anyone confirm that this will work?

Thank you very much

Wil Bowes

If the ASA finishes the VPN, then indeed it can also inspect internally. The decryption happens before "module controls" for inbound traffic and the arrival of "control module" before encryption for outgoing traffic. If you can do it.

I hope it helps.

PK

Tags: Cisco Security

Similar Questions

  • Dynamic VPN for a SAA with IP tunnel

    Hi community.

    Can someone please send a simple configuration for a SAA with dynamic IP connected to an ASA with a static IP address. I read some manuals and how to. But neither works with my ASA. All the how to are older versions of software, I use softwareversion 9.0.

    Do you need a config tunnel and political group for the ASA for dynamic IP and static IP ASA.

    Thanks in advance and greetings patrick

    Hello

    Maybe that this document could help or have you already had a look?

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    It gives simple examples of HUB with a static public IP address and 2 sites of TALKING with dynamic public IP address. Cisco ASA and Cisco router:

    In my work I rarely run in the situation where I have to configure VPNS between sites, while the other site has a dynamic IP address. Although the situations that I met were conducted using an ASA5505 as a hardware network Extension Mode client.

    I should really lab installation documents a day before me also.

    -Jouni

  • Easy traffic between remote sites via Cisco VPN

    We have a Cisco 2921 router at Headquarters (Easy VPN Server) and deployed Cisco 887VA (EasyVPN - Extension of remote network) for remote offices using EasyVPN. We allow voice traffic and data via VPN.  Everything has been great to work until this problem has been discovered today:

    When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in both feel.

    Calls from Headquarters and external mobile/fixed are very good. Only calls between two remote sites are affected.

    There is no need for DATA connection between the remote desktop, our only concern is the voice.

    By the looks of it, I think that "hair - pinning" traffic on the interface VPN is necessary. But need some advice on the configuration. (Examples configs etc.).

    Thanks in advance.

    Thanks for your quick response.

    I am sorry, I assumed that the clients have been configured in client mode.

    No need to remove the SDM_POOL_1, given that customers already have configured NEM.

    But add:

    Configuration group customer isakmp crypto CliniEasyVPN

    network extension mode

    You are able to ping to talked to the other?

    Please make this change:

    105 extended IP access list

    Licensing ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

    * Of course free to do trafficking of translated on the shelves.

    Let me know if you have any questions.

    Thank you.

    Portu.

  • Routing of traffic between two VPN Site-to-Site Tunnels

    Hi people,

    I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

    Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

    Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

    How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

    Thank you very much.

    Hello

    Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

    I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

    Site has

    access-list NAT0 note NAT0 rule for SiteA SiteC traffic

    access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    NAT (inside) 0 access-list NAT0

    Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB

    Site B

    access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

    OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

    NAT (outside) 0-list of access OUTSIDE-NAT0

    Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

    access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.

    Site C

    access-list NAT0 note NAT0 rule for SiteC SiteA traffic

    NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

    NAT (inside) 0 access-list NAT0

    Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

    L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB

    To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

    Hope this helps

    -Jouni

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

    I've also attached the ASA5505 config and the ASA5510.

    This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 

    Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

    So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

    I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

    THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

    -Jouni

  • Hub and spoke VPN network traffic between two points talked

    Hi, I have a star VPN network topology, and all traffic is remote office to the data center,

    I have a request to build a tunnel between two remote sites to access some servers between two remote sites,

    Can I just change the ACL of valuable traffic to to include say a Cabinet to Office B in rule Cabinet a Datacenter and Office B tunnel to tunnel data center.

    In doing so, I can avoide the tunnel between two offices (and B)

    See you soon

    Hello

    You can make the traffic between the two rays go through the hub or build a new tunnel between the rays.

    If the hub is an ASA you must authorize same-security-traffic intra-interface permits

    If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

    Federico.

  • Split of static traffic between the VPN and NAT

    Hi all

    We have a VPN from Site to Site that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8.  It's for everything - including Internet traffic.  However, there is one exception (of course)...

    The part that I can't make it work is if traffic comes from the VPN (10.0.0.0/8) of 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN.  BUT, if traffic 80 or 443 comes from anywhere else (Internet via X.X.X.X which translates to 10.160.8.5), so there need to be translated réécrirait Internet via Gig2.

    I have the following Setup (tried to have just the neccessarry lines)...

    interface GigabitEthernet2

    address IP Y.Y.Y.Y 255.255.255.0! the X.X.X.X and Y.Y.Y.Y are in the same subnet

    address IP X.X.X.X 255.255.255.0 secondary

    NAT outside IP

    card crypto ipsec-map-S2S

    interface GigabitEthernet4.2020

    Description 2020

    encapsulation dot1Q 2020

    IP 10.160.8.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    IP nat inside source list interface NAT-output GigabitEthernet2 overload

    IP nat inside source static tcp 10.160.8.5 80 80 X.X.X.X map route No. - NAT extensible

    IP nat inside source static tcp 10.160.8.5 443 443 X.X.X.X map route No. - NAT extensible

    NAT-outgoing extended IP access list

    refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

    refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

    permit tcp host 10.160.8.5 all eq www

    permit tcp host 10.160.8.5 any eq 443

    No. - NAT extended IP access list

    refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

    refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

    allow an ip

    route No. - NAT allowed 10 map

    corresponds to the IP no. - NAT

    With the above configuration, we can get to the Internet 10.160.8.5, but cannot cross it over the VPN tunnel (from 10.200.0.0/16).  If I remove the two commands «ip nat inside source static...» ', then the opposite that happens - I can get then to 10.160.8.5 it VPN tunnel but I now can't get to it from the Internet.

    How can I get both?  It seems that when I hit the first NAT instruction (overload Gig2) that 'decline' in the list of ACL-NAT-outgoing punts me out of this statement of NAT.  It can process the following statement of NAT (one of the 'ip nat inside source static... ") but does not seem to"deny"it in the NON - NAT ACL me punt out of this statement of NAT.  That's my theory anyway (maybe something is happening?)

    If this work like that or I understand something correctly?  It's on a router Cisco's Cloud Services (CSR 1000v).

    Thank you!

    Your netmask is bad for your 10.0.0.0/8. I worry not about the port/protocol or since that can screw you up. A better way to do it would be to deny all IP vpn traffic.

    NAT-outgoing extended IP access list

    deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

    ...

    No. - NAT extended IP access list

    deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

    allow an ip

    Doc:

    Router to router IPSec with NAT and Cisco Secure VPN Client overload

    Thank you

    Brendan

  • AIP SSM-10 - how to check traffic being passed for inspection?

    Hello

    I've implemented an AIP - SSM on our ASA5510 for the first time, as a result of this excellent guide, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml.

    The difference between the environment used in the doco and ours are the specifications of our ASA and module, the following IOS version 8.0 (4), version ASDM is 6.1 (3), the version of the application of SSM is 5,0000 E2.

    I have followed all the steps to enable connectivity to the module of the ASDM, created the access list to allow all ip traffic to be transmitted to the inspection module, map of the class and the political map indicating promiscous mode, relief. The service policy is applied throughout the world.

    The problem I'm having is that when I try to check as indicated on the guide to the alert of events see the command on the CLI module I don't get any output, so I don't know if the traffic is passed to the module. Can someone plese help me clarify this?

    Kind regards

    Esteban

    Run 'show conf' on your AIP SSM CLI. Check interface GigabitEthernet0/1 basket of the MSS background assigned to sensor virtual vs0.

    If it does not, then run "setup" and towards the end of the installation wizard, there will be an option to change the interface and the virtual sensor configuration. Use this option to change the configuration for sensor virtual vs0 and in the interface.

    You can also run "show stat vs0 virtual sensor" to see the number of packets being crawled by vs0.

  • flow of traffic between virtual machines

    If I had 2 machines virtual on the same slide in a M3 of b200 on the same vswitch, is communication on traffic between the 2 vms strictly inside the m3 Server?

    What if I had a virtual machines on a b200m3 and another virtual machine to another b200m3?

    same chassis and the chassis is connected to the FI

    Traffic between virtual machines will stay on the FI or it will mount the switch to basic?

    so, if is blade1 VM1 and VM2 is Blade2 and both on the same vlan
    Traffic will remain within FI or it will go up North to core?

    Both is possible! as I said above: If the entry and exit are on the fabric a RESP. B, it is switched.

    However, it could also be A penetration, exit on B or vice versa and then must go to the North (and get switched L2)

    What if

    Blade1 is VM1 and VM2 is on blade2 but on different VLANS, the traffic will have to hit the correct base gateway?

    Yes!

  • This allows traffic between two interfaces ethernet on a PIX

    I have a PIX with interface inside, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I'm having difficulty to allow traffic from the 10.198.16.0 network to cross the PIX in 10.12.60.0. I'm trying specifically to allow access to a server with an IP address of 10.12.60.2.

    I enclose my config. Any help would be greatly appreciated!

    OK, so the inside interface has a security level of 100, WTS has a security level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a pair of nat/global (or static) between both interfaces so that the PIX knows how NAT traffic between two interfaces (remember, the PIX do NAT).

    You have this in your config file:

    NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

    who says all traffic inside, interface with the IP 10.x.x.x address will be NAT would have, but you must then a global for the interface WTS define what those IPS will be NAT would.

    Adding:

    Global (WTS) 1 interface

    will be PAT all inside resolves the IP address of the interface WTS and allow traffic to flow between the interfaces. If you prefer the hosts inside the interface to appear as their own IP address on the WTS network, then you can use a static command and NAT addresses themselves, actually doing NAT, but not actually change addresses:

    static (inside, WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0

    Hope that helps.

  • Overlapping address space question - how to NAT inside the traffic to one address different range on SAA for comms with 3rd party VPN?

    We already have a connectivity of IPSEC VPN site to site with a 3rd party.

    They must be able to access a couple of servers on our internal network but the problem, it's the subnet these servers are hosted on clashes with the address space they already used elsewhere. Thus, they asked if we can put in place a new subnet and have our firewall (running v7.2) ASA NAT the traffic to and from our servers ' real' internal addresses.

    for example

    • 3rd party 10.10.10.0/24 subnet
    • Our subnet 10.20.20.0/24 (but this clashes with the 3rd part of the address elsewhwere space)
    • Our 'real' internal server addresses are 10.20.20.1 and 10.20.20.2

    How do we setup NAT on our ASA translating internal addresses 'real' of these servers for some other addresses that don't clash?

    that is that the 3rd party is concerned, they would simply have to communicate with this 'new' subnet, say, 192.168.20.0/24 and our ASA firewall NAT traffic accordingly to allow some comms unfold?

    (And it should affect only comms on these servers for the 3rd party - NOT for one of our other multiple VPN connections! "And should not affect the other comms from the servers themselves!).

    That's what I've tried so far, for one of the servers, without success:

    On ASA:

    !

    access-list 1 permit line 3rdpartysite extended ip host 192.168.20.1 10.10.10.0 255.255.255.0
    !
    access-list SERVER-NAT line 1 permit extended ip host 10.20.20.1 10.10.10.0 255.255.255.0
    !
    static (inside, outside) 192.168.20.1 public - access NAT SERVER list

    "sh xlate" indicates:

    192.168.20.1 global local 10.20.20.1

    Can someone help with the necessary NAT configurations on the ASA?

    Thank you!

    'Clear xlate' after you have configured NAT statements?

    When you try to ping from the 10.20.20.1, get it to the ASA? You have an ACL on this interface that would block the ping? Also, can you run capture packets on the ASA to see if the ASA receives even the traffic?

    What is the subnet mask of the 10.20.20.1 host? I guess it's 255.255.255.0?

    You don't need something specific on the ASA with regard to the delivery of the 192.168.20.1.

  • The traffic between a host ESXi and vCenter Server is secure?

    Dear team,

    You pray let me know is traffic between a host ESXi and vCenter server (vice versa) is secure?

    The VC and ESXi version is 5.1U1a

    concerning

    Mr. VMware

    Default SSL certificates are installed automatically. However, you can configure the third-party SSL certificates to make the environment more secure.

    Please see:

    VSphere Documentation Centre

    http://pubs.VMware.com/vSphere-51/topic/com.VMware.ICbase/PDF/vSphere-ESXi-vCenter-Server-51-Security-Guide.PDF

  • VPN site to Site with NAT (PIX 7.2)

    Hi all

    I hope for more help with config PIX.  TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...

    I have to configure a VPN site-to site between our UK and US Office, to replace our frame relay link.  I have configured multiple VPN site to site on the before PIX, so am reasonably okay with the appearance of the config of who.  What is a new concept for me is the needs of NAT'ing between the IPSEC tunnel.

    The U.S. Agency requires us to NAT source addresses (i.e. 192.168.1.0) usable on their side address (i.e. 143.102.89.0).  The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.

    I added the following config and hoping to test it at the U.S. office happens online today.

    If I Ping from 192.168.1.0 to 172.24.x.x source and run a SH NAT inside, the NAT translation seems good.

    is the intellectual property inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
    static translation at 143.102.89.0
    translate_hits = 4, untranslate_hits = 0

    Could someone please go through the following lines of config and comment if there is no error?

    Thank you very much

    Kevin

    / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

    IP 143.102.89.0 allow Access-list ipsec - dallas extended 255.255.255.0 172.24.0.0 255.252.0.0

    policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0

    public static 143.102.89.0 (inside, outside) - list of access policy-nat-dallas

    Crypto ipsec transform-set esp-3des esp-md5-hmac 3desmd5set

    card crypto map dyn 40 correspondence address ipsec - dallas

    set dyn-map 40 crypto map peer 143.101.6.141

    card crypto dyn-map 40 transform-set 3desmd5set

    dyn-map interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    tunnel-group 143.101.6.141 type ipsec-l2l

    IPSec-attributes tunnel-group 143.101.6.141

    pre-shared-key *.

    You can configure NAT/Global pair for the rest of the users.

    For example:

    You can use the initially configured ACL:

    policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
    NAT (inside) 1 access list policy-nat-dallas

    Global 1 143.102.89.x (outside)

    The static statement that you configured previously will take precedence over the above. So the printer gets statically using a NAT to 143.102.89.10, and the rest can do another ip address 143.102.89.x PATed.

    Please note that for PAT, traffic can only be initiated from 192.168.1.0/24 LAN to 172.24.0.0/14, not the other way around.

    Hope that helps.

  • VPN site to Site with a side PAT

    Hi all

    I created a VPN site-to site between two ASA 5505 s, with one side having a static public IP address and one side behind a device with PAT. UDP 500 is sent to the ASA.

    The tunnel works very well if the launched of the side behind the PAT, but may not be brought after on the other side.

    Here's what I see in the system log during initialization of the 'wrong' side:

    Is it still a problem with PAT?

    Best regards

    Tobias

    Hello

    To be honest, these are sometimes a little hard the problems especially when you do not have access to actual devices.

    For me the newspapers you shared seem to indicate a problem with the negotiation of Phase 1 where this local line sends proposals of Phase 1 to the remote device until he returned their enough responsible for negotiating to complete.

    So, I would try to confirm the device to remote site that this traffic is indeed allowed. For example, you can check the remote via a management connection VPN device when the VPN is NOT upward and see if there is no sign of VPN negotiating taking place when you start the other site traffic. That said if he still sees the initial messages in the direction that has problems with the opening of the tunnel.

    When you launch the negotiation this site VPN, what you see with the release of

    ISAKMP crypto to show his

    or with the latest software

    See ikev1 crypto his

    Try to take out several times while you generate the traffic to the VPN

    If the remote device does not respond at all you would see probably something like MM_WAIT_MSG2, which means that the local VPN device awaits the first response (second message to trading) of the remote VPN device.

    Maybe this will help you narrow down the problem a bit.

    -Jouni

  • local host to access the vpn site to site with nat static configured

    I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

    IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
    IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 100

    access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
    access-list 100 permit ip 192.168.150.0 0.0.0.255 any

    You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

    If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

Maybe you are looking for