Issue of 8.3 to 8.2 NAT VPN SSL

In the study and test SSL VPN on a SAA, I have the network as shown in the attached diagram. The configuration is the result of an ASA with 8.3 but our ASA is 8.2 and at this time I am not familiar with the new NAT configuration and controls in 8.3 or later and wondering if anyone can translate the

«nat source (indoor, outdoor) static ' for me at a 8.2 version.»

Appreciate any help.

Jeff

NAT (inside, outside) static static source NETWORK_OBJ_192.168.100.0_RemotePool destination NETWORK_OBJ_192.168.3.0_Net1 NETWORK_OBJ_192.168.3.0_Net1 NETWORK_OBJ_192.168.100.0_RemotePool

Hello

This seems to be a NAT0 / NAT exempt in the new 8.3 + NAT format configuration

And I guess it would make sense that we are talking about VPN connections.

It should be something like this

the INTERIOR-NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.100.0 255.255.255.0

NAT (inside) 0-list of access to the INTERIOR-NAT0

Naturally the names/networks used in the configuration can be different depending on your existing actual configurations on the firewall.

-Jouni

Tags: Cisco Security

Similar Questions

Bizzare vShield Edge-NAT/VPN problem Post - 5.1 upgrade

Hoping someone can shed some light on this issue for us - the TLDR is that NAT rules seem to be causing unexpected behavior on the VPN traffic after a vCloud 1.5 to 5.1 upgrade.
Background: We work with a hosting provider to manage our vCloud environment. Quite simple - 2 ESXi hosts, a few NFS data stores. They have recently updated us of 1.5 and 5.1. For most of our committees, we have just one network of vSE/Routed that connects a subnet to a network of "WAN" and pulls a public IP address from a pool. Send us (NAT network address) and leave (firewall) ports (for example port 3389 for RDP) to the virtual machines selected. Most of these networks also have a VPN tunnel from site to site with a physical Firewall through the internet. After the upgrade, we went and converted our rules to match the period of initial and active INVESTIGATION "multiple interfaces" - effectively subtracts to compatibility mode. Everything was going well (even for devices of vSE always in compatibility mode)
Question: We first noticed this, when a customer reported that they are unable to access a virtual machine via RDP using it is internal (protected VSE) IP through a VPN tunnel but could access the virtual machine via RDP using its public hostname/IP address. Allow us all traffic between the VPN (firewall has a whole: a rule for VPN traffic). When we connected to troubleshoot (just thinking that the VPN was down), we found that we could connect to any port on the computer through the VPN tunnel except 3389remote virtual. I can ping from the local subnet to the VM troubled on the VAPP network without problem. I was able to connect to other ports that have been opened on the remote virtual machine without problem. I couldn't connect to 3389 through the VPN.
We thought he could be isolated, but found the question on each VSE we have: If there were a the DNAT rule to translate the inbound for a particular port, this port would be insensitive when traffic through the VPN tunnel that is meant to be the target of the DNAT rule.
Someone has an idea what could be the cause?

Looks like it is a problem experienced during the upgrade. These hidden firewall rules will not disappear until the firewall configuration is updated in some way. So go as - upgrade

(1) upgrade VCD

(2) update VSM

(3) to redeploy the entry door to upgrade the edge of the gateway to version 5.1

(4) convert the firewall rules to the new format (where firewall rules have no management interface or traffic)

(5) to change the properties of the bridge and the multiple interface mode

(6) change the specification of the firewall somehow, that is to add a dummy firewall and remove it, turn off, then turn on the firewall, etc..

Which should cause the deny rule go away

8.4 ASA using NAT VPN issue.

Hello

I'm working on a customer site and they have a problem with one of their VPN (we have other works well), but it is a major issue and I think it's because we use manual NAT and NAT of the object on the same server for different things.

Traffic between indoors and outdoors:

It works with a specific manual NAT rule of source from the server 10.10.10.10 object

Inside

SRC-> DST

10.10.10.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 SNAT = VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">

It works with a specific using the NAT on the server of 10.10.10.10 object

Remote

SRC-> DST

1.1.1.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">= VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> DNAT 10.10.10.10

If we have the manual NAT and NAT object it does anyway.

So the question is (as I am new to zip code 8.3 ASA) should not mix the 2 types of NAt and look at configuring it all with manual NAT or NAT object?

With the NAT object out it does not work as it is taken in ouside NAT inside all:

Dynamic NAT (inside, outside) source no matter what interface (this NAT to 1.1.1.1 then does not match the card encryption for VPN)

and I tried a no - nat above that, but that does not work either.

Straws and hugging come to mind try to configure a different config. Any pointers in the right direction would be great.

Kind regards

Z

Hello

I'm not sure that installing even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual / NAT twice.

You have configured the rule by default PAT that you use as Section 1 NAT rule. NAT rules in the new software are divided into 3 sections
- Section 1: Manual / twice by NAT
- Section 2: Purpose NAT
- Section 3: Manual / double NAT (moved to section 3 using the setting "auto after")
- The Sections are passed by from 1 to 2 and 3 in order to find a match.
You should also notice that the Section 1 and Section 3 NAT has "line number" similar to the ACL parameter type. So if you have a default existing PAT rule configured for Section 1 and just add another Section 1 NAT rule without line/order number (VPN NAT) then it will just fall under the existing rule, making the new useless rule.

I would advice against the use of the rule by default PAT as Section 1 NAT rule. Finally, this means that you be constantly watch and edit its configuration when you try to configure more specific rules.

As a general rule 3 of the Section the PAT above default configuration would be the following

NAT (inside, outside) after the automatic termination of dynamic source no matter what interface

This would mean that you need to remove the old. That would mean as naturally as the change would temporarily dismantling all the current connections through "inside", "Outside" while you change the NAT rule format.

If after this configure a NAT twice to the VPN (wihtout the setting "auto after"), it will be the rule in article 1 while the default PAT will be Section 3. Of course, Section 1 will be matched first.

I'm not quite sure of what your setup of the foregoing have understood.

You're just source NAT?

I guess that the configuration you do is something like this?

network of the LAN-REAL object

10.10.10.0 subnet 255.255.255.0

purpose of the MAPPED in LAN network

1.1.1.0 subnet 255.255.255.0

being REMOTE-LAN network

1.1.2.0 subnet 255.255.255.0

NAT static destination of LAN LAN-REAL-MAPPED Shared source (indoor, outdoor) REMOTE - LAN LAN

If the network 1.1.1.0/24 is supposed to be one that is connected directly to your "external" to the format interface may need to be anything else.

-Jouni

Issue of Cisco ASA 5505 Anyconnect Client NAT'ing

Hello

We have a split_tunnel RA Vpn configuration in a branch that works very well in all areas except the destinged of traffic for a specific website using https. This provider does not allow HTTPS connections to bring some outside IP addresses.

Essentially, this should work like this:

RAVPN_client (10.4.4.0/27)--> https request to the (208.x.x.x) vendor_ip---> ASA55XX--> NAT_to_outside_ip--> to the vendor_ip (208.x.x.x) https request

I need to understand how you would approach from ONLY this https traffic specific to the RA VPN without having to change the installer otherwise.

Internal hosts (aka behind the ASA physically) have not any question at this site, as would his nat ip address outside that we expect.

Here is what we use for the NAT Exemption it list 10.2.2.x, 192.168.100.x, and 172.23.2.x are other remote sites we have. The 10.4.4.0/27 RA VPN users don't have no problems connecting to them, regardless of the Protocol:

Note to inside_nat0_outbound access-list of things that should not be Nat would

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 10.2.2.0 255.255.255.0

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.100.0 255.255.255.0

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 172.23.2.0 255.255.255.0

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 10.4.4.0 255.255.255.224

access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 192.168.100.0 255.255.255.0

access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 10.2.2.0 255.255.255.0

access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 172.23.2.0 255.255.255.192

Here is the list of interesting traffic that we push to the customers through the tunnel of the VPN connection.

VPN_splitunnel to access extended list ip 192.168.100.0 allow 255.255.255.0 any

VPN_splitunnel of access list scope 10.2.2.0 ip allow 255.255.255.0 any

Access extensive list ip 10.12.1.0 VPN_splitunnel allow 255.255.255.0 any

Access extensive list ip 172.23.2.0 VPN_splitunnel allow 255.255.255.192 all

Access extensive list ip 10.4.4.0 VPN_splitunnel allow 255.255.255.224 all

VPN_splitunnel list extended access permit ip host 208.x.x.x any newspaper<- this="" is="" the="" vendors="" external="" ip="" address="" (obfuscated="" for="" security="" but="" you="" get="" the="">

Here's the rest of the nat configuration:

NAT-control

Overall 101 (external) interface

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 101 0.0.0.0 0.0.0.0

Configuring VPN RA:

IP mask 255.255.255.224 local pool VPNPool 10.4.4.5 - 10.4.4.30

WebVPN

allow outside

AnyConnect essentials

SVC disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2001-k9.pkg.zip 2 image

enable SVC

tunnel-group-list activate

internal RAVPN group policy

RAVPN group policy attributes

value no unauthorized access to banner

value of banner that all connections and controls are saved

banner of value this system is the property of MYCOMPANY

banner value disconnect IMMEDIATELY if you are not an authorized user.

value of server WINS 10.12.1.11 10.2.2.11

value of 10.12.1.11 DNS server 10.2.2.11

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_splitunnel

type tunnel-group RAVPN remote access

attributes global-tunnel-group RAVPN

address pool VPNPool

authentication-server-group NHCGRPAD

Group Policy - by default-RAVPN

tunnel-group RAVPN webvpn-attributes

enable RAVPN group-alias

Can someone ' a Please direct me as to what I'm doing wrong? I was assuming that since I don't have Ip 208.x.x.x address in the list of inside_nat0_outbound that it would be NAT had, but appears not to be the case (out of packet - trace below)

Packet-trace entry outside tcp 10.4.4.6 34567 208.x.x.x detailed https

*****************************************************************************

Phase: 1

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 0.0.0.0 0.0.0.0 outdoors

Phase: 2

Type: ACCESS-LIST

Subtype: Journal

Result: ALLOW

Config:

Access-group outside_access_in in interface outside

outside_access_in list extended access permitted ip VPN_ips 255.255.255.224 host 208.x.x.x Journal

Additional information:

Direct flow from returns search rule:

ID = 0xd7bd3b20, priority = 12, area = allowed, deny = false

Hits = 2, user_data is 0xd613bf80, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = VPN_ips, mask is 255.255.255.224, port = 0

IP = 208.x.x.x DST, mask = 255.255.255.255, port = 0, dscp = 0 x 0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xd7df8fa0, priority = 0, sector = inspect-ip-options, deny = true

hits = 2256686, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xd87c8fc8, priority = 12, area = ipsec-tunnel-flow, deny = true

hits = 550, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xd7dfbd28, priority = 0, domain = host-limit, deny = false

hits = 1194, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0xd7df8fa0, priority = 0, sector = inspect-ip-options, deny = true

hits = 2256688, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 7

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 2380213 id, package sent to the next module

Information module for forward flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Information for reverse flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input interface: outdoors

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

*****************************************************************************

Thank you

Jason

You are on the right track with you divided the tunnel configuration. You need to add is the pool of Client VPN to be coordinated to your external ip address, IE: same as your local users of the ASA when he tries to access the intellectual property of the provider (208.x.x.x), allowing more traffic in and out of the same interface for traffic of U-turn.

Here's what you need to set up:

permit same-security-traffic intra-interface

nat-to-vendor ip 10.4.4.0 access list permit 255.255.255.224 host 208.x.x.x

NAT (outside) 101-list of nat-to-vendor access

The foregoing will allow VPN pool to be coordinated to your ASA outside the ip address of the interface when accessing the seller (208.x.x.x).

1 small correction to your ACL split tunnel:

-The following line is incorrect and should be deleted in the tunnel of split ACL:

Access extensive list ip 10.4.4.0 VPN_splitunnel allow 255.255.255.224 all

(As 10.4.4.0/27 is your pool of Client VPN, you do not add these subnet to your list of split tunnel. List of Split tunnel are only the network that you are difficult to access and sent through your VPN tunnel).

Hope that helps.

By PAT and NAT VPN

We have a place where you want to set up a tunnel VPN to our headquarters.

In this place, there is a router that PAT (NAT overloading), and then a few jumps more, there is a firewall that makes the NAT.

Is this could pose a problem for the VPN tunnel?

Here's a "pattern" of what looks like the connection.

Customer--> PAT - router-->--> Internet--> CVPN3005 NAT firewall

I hope you can provide me with an answer.

VPN tunnel will not work in your scenario. NAT second change address and the ports you want to use for the vpn tunnel. So the port 500 wil be translated to top port and will be rejected at HQ.

With NAT VPN tunnels

I have read on several posts on the topic and still think I'm missing something, I'm looking for help.

Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.

I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.

The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.

Is this possible? I am attaching a schema, which could help.

Hello

Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.

On your ASA device

public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255

You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.

HTH

Jon

Pool of dhcp NAT VPN to the LAN on router 2911

I need nat the ips assigned by dhcp vpn to my LAN pool. My problem is that I do not know which interface to set my nat statement on since there is no interface that is in the same subnet as my dhcp pool. Any help would be appreciated.

For remote client ipsec, you must have DVTI according to configuration described here:

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm...

'use ip nat inside' on the virtual model and 'ip nat outside' on the inside of the interface.

HTH

Averroès.

NAT VPN tunnel and still access Internet traffic

Hello

Thank you in advance for any help you can provide.

I have a server with the IP 192.168.1.9 that needs to access a subnet remote from 192.168.50.0/24, through the Internet. However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1 because the VPN gateway remote (which is not under my control) allows access to other customers who have the same subnet address that we do on our local network.

We have a 2801 Cisco (running c2801-advsecurityk9 - mz.124 - 15.T9.bin) set up to make the NAT. It is the only gateway on our network.

I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:

access-list 106 allow host ip 192.168.1.9 192.168.50.0 0.0.0.255

NAT extended IP access list
refuse the host ip 192.168.1.9 192.168.50.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip permit 192.168.1.0 0.0.0.255 any

route allowed ISP 10 map
corresponds to the IP NAT

IP nat EMDVPN 10.1.0.1 pool 10.1.0.1 netmask 255.255.255.0
IP nat inside source list 106 pool EMDVPN
IP nat inside source map route ISP interface FastEthernet0/1 overload

When the server (192.168.1.9) attempts to ping on the subnet of 192.168.50.0/24 devices, the VPN tunnel is established successfully. However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed since the external IP address of the router (FastEthernet0/1) at 10.1.0.1.

The documentation I've seen on the site of Cisco says that this type of Setup allows only host subnet communication. Internet access is not possible. However, maybe I missed something, or one of you experts can help me. Is it possible to configure the NAT router traffic destined to the VPN tunnel and still access the Internet by using the dynamic NAT on FastEthernet0/1?

Once again, thank you for any help you can give.

Alex

Hello

Rather than use a pool for NAT

192.168.1.9 - 10.1.0.1 > 192.168.50.x

ACL 102 permit ip 192.168.1.9 host 192.168.50.0 0.0.0.255

RM-STATIC-NAT route map permit 10
corresponds to the IP 102

IP nat inside source static 192.168.1.9 10.1.0.1 card expandable RM-STATIC-NAT route

ACL 101 deny host ip 192.168.1.9 192.168.50.0 0.0.0.255
ACL 101 by ip 192.168.1.0 0.0.0.255 any
overload of IP nat inside source list 101 interface FastEthernet0/1

VPN access list will use the source as 10.1.0.1... *.

Let me know if it works.

Concerning

M

8.2 policy-nat VPN port (5) ASA5510 of ASA5515 8.6 (1)

I have this existing config (which works) on ASA5510 v8.2 (5)
Need this port above ASA5515 v8.6 (1) running
ASA5510 inside the net: 192.168.1.0/24
On the remote VPN peer network: 172.16.21.192/28
!
InsideGlobal-2-OutsideNetwork to the list of allowed access host ip 10.0.200.211 172.16.21.192 255.255.255.240
InsideGlobal-2-OutsideNetwork to the list of allowed access host ip 10.0.202.39 172.16.21.192 255.255.255.240
!
InsideLocal.1 - 2-OutsideNetwork from the list of allowed access host ip 192.168.1.1 172.16.21.192 255.255.255.240
InsideLocal.191 - 2-OutsideNetwork to the list of allowed access host ip 192.168.1.191 172.16.21.192 255.255.255.240
!
public static 10.0.200.211 (inside, outside) access-list InsideLocal.1 - 2-OutsideNetwork
public static 10.0.202.39 (inside, outside) access-list InsideLocal.191 - 2-OutsideNetwork
!
correspondence address 1 card crypto outside_map InsideGlobal-2-OutsideNetwork
!

I think what I need is the following:
!
network of the OBJ_172.16.21.192_28 object
subnet 172.16.21.192 255.255.255.240
!
network of the OBJ_10.0.200.211_32 object
Home 10.0.200.211
!
network of the OBJ_10.0.202.39_32 object
Home 10.0.202.39
!
network of the OBJ_192.168.1.1_32 object
host 192.168.1.1
!
network of the OBJ_192.168.1.191_32 object
Home 192.168.1.191
!
InsideGlobal-2-OutsideNetwork of the ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28 allowed extended access list
InsideGlobal-2-OutsideNetwork of the ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28 allowed extended access list
!
NAT (inside, outside) static source OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 non-proxy-arp-search of route static destination
NAT (inside, outside) static source OBJ_192.168.1.191_32 OBJ_10.0.200.39_32 OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 non-proxy-arp-search of route static destination
!
correspondence address 1 card crypto outside_map InsideGlobal-2-OutsideNetwork

THX - Phil

Hi Phil,

The converted 8.6.x 8.2.x configuration is correct. Go with him.

Vishnu

% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; Connection refused because of the failure of the path opposite. NAT VPN clients problems after that put 8.3.2 to level.

I've recently updated to 8.3.2 and I have been informed of these NAT changes, but even after reading the https://supportforums.cisco.com/docs/DOC-12569 I am still unable to rectify the communication network 192.168.100.0 VPN with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the external interface, and I try to ping inside and the demilitarized zone, respectable 172.16.1.0 and 172.16.9.0 hosts. VPN client shows that the two previously mentioned networks such as roads of security, but still not to the ping pong.

# sh nat

Manual NAT policies (Section 1)

1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

translate_hits = 0, untranslate_hits = 0

2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

translate_hits = 0, untranslate_hits = 0

3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

translate_hits = 0, untranslate_hits = 0

4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

translate_hits = 0, untranslate_hits = 0

5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

translate_hits = 0, untranslate_hits = 0

Auto NAT policies (Section 2)

1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service

translate_hits = 0, untranslate_hits = 142

2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389

translate_hits = 0, untranslate_hits = 2

3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service

translate_hits = 0, untranslate_hits = 0

4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp

translate_hits = 0, untranslate_hits = 0

5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service

translate_hits = 0, untranslate_hits = 267

6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)

translate_hits = 4070, untranslate_hits = 224

7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0

translate_hits = 0, untranslate_hits = 0

8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0

translate_hits = 152, untranslate_hits = 4082

9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)

translate_hits = 69, untranslate_hits = 0

10 (inside) to the obj_any interface dynamic source (external)

translate_hits = 196, untranslate_hits = 32

I think you must following two NAT config

NAT (inside, outside) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
NAT (dmz, external) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 192.168.100.0 obj - 192.168.100.0

Please configure them and remove any additional NAT configuration and then try again.

NAT VPN

I'm havening problems with NAT over VPN. with current configs below it will complete the first phase of the tunnel and then stop because the ip address is not natted. If I put a permit in the statement of the permits it will be nat to internet host, but not via the vpn. If I put in a static nat statement it will nat and attempt to create a tunnel but I get the error (increment the count of errors on his, try 1 5: retransmit the phase 1)

version 12.3

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname BatsVpnRouter

!

boot-start-marker

start the system flash c1700-k9o3sy7 - mz.122 - 13.T.bin

boot-end-marker

!

no console logging

Select the secret xxx

activate the password xxx

!

MMI-60 polling interval

No mmi self-configuring

No pvc mmi

MMI snmp-timeout 180

No aaa new-model

no ip subnet zero

!

IP cef

Max-events of po verification IP 100

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key xxx address 190.0.0.1

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac bats

!

bats_map 2 ipsec-isakmp crypto map

defined by peer 190.0.0.1

transformation-BALD-MOUSE game

-More - match address BATSACL

!

!

!

interface Ethernet0

IP address 11.0.x.x.255.255.224

NAT outside IP

full-duplex

bats_map card crypto

!

interface FastEthernet0

IP 192.168.1.2 255.255.255.0

IP nat inside

Speed 100

full-duplex

!

IP nat inside source list bats-nat interface Ethernet0 overload

IP classless

IP route 0.0.0.0 0.0.0.0 11.0.0.1

no ip address of the http server

no ip http secure server

!

BATSACL extended IP access list

permit ip host 11.0.0.5 200.0.0.1

192.168.1.100 ip permit host 200.0.0.1

permit ip host 11.0.0.5 200.0.0.2

192.168.1.100 ip permit host 200.0.0.2

permit ip host 11.0.0.5 200.0.0.3

192.168.1.100 ip permit host 200.0.0.3

IP extended access-list of the bats-nat

permit log host 200.0.0.1 host 192.168.1.100 ip

192.168.1.100 ip permit host 200.0.0.2

192.168.1.100 ip permit host 200.0.0.3

!

public RO SNMP-server community

Enable SNMP-Server intercepts ATS

alias exec clip claire rou ip *.

alias exec crs copy run start

alias exec deb187 debug ip pack det 187

alias exec ospfnei sh ip ospf nei

alias exec ship sho ip route

alias exec shr sho run

alias exec Ibis show ip brief inter

alias exec ip sip sho pro

alias exec tr traceroute

alias exec ss sho sess

sho alias exec sl online

alias exec cl clear line

!

Line con 0

line to 0

line vty 0 4

password xxx

opening of session

Ok. You must make sure that the ACl:s are the same (but in reverse) on both sides, which means that you probably need to remove a few lines on the Router 1. The ACL should look like this:

BATSACL extended IP access list

permit ip host 11.0.0.5 200.0.0.1

permit ip host 11.0.0.5 200.0.0.2

permit ip host 11.0.0.5 200.0.0.3

Remove the keyword "log" of this line:

IP extended access-list of the bats-nat

permit log host 200.0.0.1 host 192.168.1.100 ip

OK, now you've cleaned it, trying to make appear the tunnel again, try it with 200.0.0.1 and 200.0.0.2.

Then, check the remote debugging.

Public static political static NAT in conflict with NAT VPN

I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

interface Vlan1

IP 192.168.10.1 255.255.255.0

access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

public static 192.168.24.0 (inside, outside) - list of VPN access

card crypto outside_map 1 match address outside_1_cryptomap

In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

What Miss me?

Hello

I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

I guess you could choose any way seems best for you.

Let me know if get you it working. I always find it strange that the original configuration did not work.

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

nat VPN question.

Try to find what happened. I had the remote end raise the tunnel, as they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to until the interface of K_Inc has been added. The network behind this interface is 10/8.

I asked a question earlier in another post and advises him to play opposite road of Cryptography. And who did it. I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.

I am at a loss to why I can't all of a sudden. A bit of history, given routes have not changed. By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route. The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0. None of the nats have changed so if adding the reverse route worked for a day, it should still work. Any thoughts?

interface GigabitEthernet0/3.10

VLAN 10

nameif K_Inc

security-level 100

IP address 192.168.10.254 255.255.255.0

interface GigabitEthernet0/3.141

VLAN 141

cold nameif

security-level 100

IP 192.168.141.254 255.255.255.0

(Cold) NAT 0 access-list sheep

NAT (cold) 1 192.168.141.0 255.255.255.0

Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0

IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0

static 10.40.27.0 (cold, outside) - CSVPNNAT access list

card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE

card crypto Outside_map 5 the value reverse-road

card crypto Outside_map 5 set pfs

card crypto Outside_map 5 set peer 20.x.x.3

Outside_map 5 transform-set ESP-3DES-MD5 crypto card game

card crypto Outside_map 5 defined security-association life seconds 28800

card crypto Outside_map 5 set security-association kilobytes of life 4608000

tunnel-group 20.x.x.3 type ipsec-l2l

20.x.x.3 Group of tunnel ipsec-attributes

pre-shared-key *.

Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1

Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1

Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1

Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1

Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

Tunnel is up:

14 peer IKE: 20.x.x.243

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

EDIT:

I just noticed when tracer packet i run I don't get a phase VPN or encrypt:

Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det

Phase: 1

Type: FLOW-SEARCH

Subtype:

Result: ALLOW

Config:

Additional information:

Not found no corresponding stream, creating a new stream

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 10.90.238.0 255.255.255.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true

hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 4

Type: QOS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false

hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 5

Type: FOVER

Subtype: Eve-updated

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xad090180, priority = 20, area = read, deny = false

hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255

match ip host 192.168.141.10 ColdSpring outside of any

static translation at 74.x.x.50

translate_hits = 610710, untranslate_hits = 188039

Additional information:

Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255

Direct flow from returns search rule:

ID = 0xac541e50, priority = 5, area = nat, deny = false

hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0

match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all

static translation at 192.168.141.0

translate_hits = 4194, untranslate_hits = 20032

Additional information:

Direct flow from returns search rule:

ID = 0xace2c1a0, priority = 5, area = host, deny = false

hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true

hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 9

Type: QOS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false

hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 10

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 339487904 id, package sent to the next module

Information module for forward flow...

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Information for reverse flow...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 11

Type:-ROUTE SEARCH

Subtype: output and contiguity

Result: ALLOW

Config:

Additional information:

found 7.x.x.1 of next hop using ifc of evacuation outside

contiguity Active

0007.B400.1402 address of stretch following mac typo 51982146

Result:

input interface: cold

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

What version are you running to ASA?

My guess is that your two static NAT is configured above policy nat you have configured for the VPN? If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.

--

Please note all useful posts

Rule NAT VPN problem

Hello people, I had a lot of trouble trying to solve this problem, but hoping someone here can enlighten me.

I have a remote site that hosts a number of services that we manage remotely with an IPSec VPN connection. When connecting to the site connect us very well and can make most of the actions like RDP and connect to servers for maintenance, but a service fails to connect unless I have add a NAT rule exempt to the configuration of the router (ASA 5505).

Once this rule in place service work, but other services that initially worked work stoppage. In short, this rule must be in place while doing a single task, but then contracted for other tasks. I hope that there is some sort of rule or behavior, I can add to the ASDM configuration makes it so I don't have to manually add this rule whenever I connect.

Here are the details of the rule:

access-list 1 permit line outside_nat0_outbound extended ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0

NAT (outside) 0 outside_nat0_outbound list access outside tcp udp 0 0 0

When the connection is established without the rule in place the ASDM syslog shows these warnings:

Deny tcp src inside: outside:10.100.32.203/135 dst61745 by access-group "inside_access_in" [0x0, 0x0]

The strange thing is 10.100.32.203 is IP internal my host computer. This is not yet the external IP address of the network I connect from.

Is it possible a problem with the VPN pool using a subset of the subnet of the VIRTUAL LAN inside? Inside VLAN is 192.168.15.0/24 and the VPN is 192.168.15.200 - 250. I am ready to reconfigure the VPN address pool but need to do remotely, and am unaware of how to do this reconfiguration safely without losing my remote access, since physical access to the router itself is currently very difficult.

If more details are needed, I am happy to give them.

Hi GrahamB,

Yes, the problem with too much running in subnet.

There are a lot of private-address available, so please create a new group policy and tunnel-group and fill

pool separate to value ip address and remote with it, when the new cluster to solve your problem, can safely remove the old one.

I hope this helps.

Thank you

Rizwan Muhammed.

Remote access via NAT VPN client

I currently have a PIX506e configured to provide access to the Cisco VPN Clients remote vpn. A single client can connect successfully and have access to the planned network. However, as soon as I connect an additional client to the firewall from the same place (the two addresses are translated under the same address) the two tunnels will stop working or could not connect.

Is the problem that I face, because two customers have the same address public after NAT, or is - it something else? Is there a way to get around this?

Hello

A lot of THAT NAT will not work if you use ESP.

The solution for this is to allow NAT - t on PIX and VPN client.

PIX:

The following command active NAT - T (for codes plus late 6.3)

ISAKMP nat-traversal

The VPN Client:

On the Transport tab, under the tab "Enable Transport Tunneling" & select "IPSec over UDP (NAT/PAT).

HTH

Kind regards

GE.

Issue of 8.3 to 8.2 NAT VPN SSL

Similar Questions

Maybe you are looking for