LAN-to-LAN VPN with inside NAT

Hi all

I have a LAN-to-LAN VPN connection back to HO from a remote location. This router also has some NAT set up to allow RDP access from the internet etc.

Is there a way to allow RDP using the internal address of the server once the NAT is in place? Currently I can only access the server via RDP using its public address.

Thanks in advance

ip nat inside source static tcp 172.28.9.1 3389 interface Dialer0 3389

Thank you

Hi Glen,

It works, and this is why you should use PBR (policy-based routing). Assuming that the remote end subnet is 192.168.1.0/24.

Here are the steps that you must follow:

1: create an access list to identify the traffic:

access-list 101 permit ip host 172.28.9.1 192.168.1.0 0.0.0.255

2: create a loopback interface:

interface Loopback1
ip address 1.1.1.1 255.255.255.0
exit

3: create a route-map for PBR:

route-map pol_nat permit 10
match ip address 101
set ip next-hop 1.1.1.2
exit

4: apply the route-map to the LAN interface:

interface FastEthernet0/0
ip policy route-map pol_nat
exit

That should do it!

* Please rate if this helped.

-Kanishka
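As an added example (not part of Glen's or Kanishka's posts), here are the pieces of this thread put together into one IOS configuration: the static port NAT on Dialer0, the loopback that deliberately carries no "ip nat outside", and the route-map that steers only server-to-VPN-site traffic through it, followed by the show commands used to verify it. The 172.28.9.1 server, the FastEthernet0/0 and Dialer0 interfaces, the Loopback1 addresses and the 192.168.1.0/24 remote subnet come from the thread; the router LAN address 172.28.9.254, the crypto map name VPN-MAP and its interesting-traffic ACL 110 are assumed, since the thread does not show the VPN side.

```cisco
! Added example, not the thread's own config. Assumed: router LAN address
! 172.28.9.254/24, existing L2L crypto map VPN-MAP with crypto ACL 110.
!
! 1) Static port NAT that publishes RDP on the Dialer0 public address.
ip nat inside source static tcp 172.28.9.1 3389 interface Dialer0 3389
!
! 2) VPN interesting traffic (assumed ACL number). The server must reach the
!    remote site with its real address, so the crypto ACL uses private ranges.
access-list 110 permit ip 172.28.9.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! 3) Traffic that must NOT be translated: the RDP server talking to the remote
!    site. Note that the 'host' keyword goes before 172.28.9.1.
access-list 101 permit ip host 172.28.9.1 192.168.1.0 0.0.0.255
!
! 4) Loopback used as a NAT-free detour. Deliberately no 'ip nat outside':
!    a packet forwarded out of an interface that is neither NAT inside nor
!    NAT outside and looped back in is no longer 'inside' traffic, so the
!    static translation is skipped when it later leaves Dialer0 and it still
!    matches ACL 110 for encryption. 1.1.1.2 is any unused address on the
!    loopback subnet (1.1.1.0/24 is public space; an unused private range is
!    a better choice in practice).
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
!
! 5) Policy routing is applied where the server's packets enter the router.
!    Packets re-entering via Loopback1 are not policy routed again, so there
!    is no loop.
interface FastEthernet0/0
 ip address 172.28.9.254 255.255.255.0
 ip nat inside
 ip policy route-map pol_nat
!
interface Dialer0
 ip nat outside
 crypto map VPN-MAP
!
! Verification (exec mode):
!   show route-map pol_nat     - "policy routing matches" counter increases
!   show ip nat translations   - no 172.28.9.1:3389 entry towards 192.168.1.x
!   show crypto ipsec sa       - encaps/decaps counters rise for the RDP flow
```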

Tags: Cisco Security

Similar Questions

  • ERROR: 'inside' in nat statement on outermost interface

    Hi all

    I'm having a problem with my PIX501 with "Cisco PIX Firewall Version 6.3(4)": when I enter the command I get this warning. Is that normal? Because it works perfectly fine in version 7.2(2)...

    THE ERROR:

    PIX1(config)# nat (outside) 1 222.127.244.52 255.255.255.252

    WARNING: Link inside the nat in outermost interface declaration.

    WARNING: Keyword 'outside' is probably missing.

    REFERENCE:

    PIX1# sh nameif
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    In addition,

    Here is the information on the 'outside' parameter of the PIX 6.3 nat command:

    outside

    If this interface is on a lower security level than the interface you identify by the matching global statement, you must enter outside. This feature is called outside NAT or bidirectional NAT.

    Note: As of PIX Firewall 6.3.2, source translation is performed before destination translation. For this reason, if the source policy NAT allows the connection, the xlate will be created even if the traffic is denied by the destination policy.

    Source:

    http://www.Cisco.com/en/us/docs/security/PIX/pix63/command/reference/Mr.html#wp1032129

    Don't forget to mark the answer as correct or to rate useful answers.

    -Jouni

  • DMZ web server -> inside database server

    Suppose that a network topology looks like this:

    A PIX with 3 interfaces:

    inside interface (private static IP 10.10.10.1)

    outside interface (public static IP 69.110.38.35)

    dmz interface (private static IP 30.30.30.1)

    --------------------------------------------

    The internal network has a {server} with the IP address of 10.10.10.2.

    The DMZ has a {web server} with the IP address of 30.30.30.2.

    I will allow external hosts (outside) to access the web server (30.30.30.2) via port 80.

    This web server in turn accesses the database server (10.10.10.2).

    Assume that all other commands are issued. Then I'll create an access list that allows the DMZ web server to communicate with the inside database server.

    access-list dmz-to-inside permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521

    Should I publish the following, too:

    (1) access-list dmz permit tcp host 30.30.30.2 any eq 80

    (2) access-group dmz in interface dmz

    (3) static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

    (4) clear xlate

    If so, what does each of them do?

    Thank you for helping.

    Scott

    1. Yes, the static statement "static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0" will disable NAT. Although it is not necessary to disable NAT, it saves money and is simpler to manage. The reason for this is that the traffic between the DMZ and inside is private, so there is no need to apply a public IP address.

    2. The PIX receives the packet from 10.10.10.2 destined to 30.30.30.2. The PIX examines the static statement and, based on the static statement above, will not NAT the packet (i.e. it will leave the source address as it is) and sends it to 30.30.30.2 via the DMZ interface.

    For example:

    original packet - source 10.10.10.2, destination 30.30.30.2

    after PIX - source 10.10.10.2, destination 30.30.30.2

    3. The "clear xlate" command must be issued whenever a nat/global or static has been added/deleted/modified. This command forces the PIX to clear the existing IP translations.

    For example, before you add the command "static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255", the PIX may already have a translation for IP 192.168.1.100 (it might come from nat/global). Now, after you apply the static command, the PIX will keep the existing translation for a certain period of time. "clear xlate" is needed to erase the old translation and so activate the new static statement.

  • Cannot manage the ASA on its inside interface over a site-to-site VPN

    Hi all

    I was deploying a new site-to-site VPN between an ASA 8.0 (HQ) and an ASA 8.4 (branch). Everything works fine, but I have a problem reaching the remote ASA: I can't manage the branch ASA using its inside interface IP address.

    My setup on remote ASA

    management-access inside
    icmp permit any inside
    ssh 0.0.0.0 0.0.0.0 inside
    snmp-server host inside 10.0.1.101 community test-snmp version 2c

    My Test

    - ping from HQ to the inside interface of the remote ASA

    • Client sees request timed out
    • With debug icmp on the remote ASA, the ASA shows only the ICMP request from HQ and no response back from the remote ASA

    I'm not sure whether it's a bug on ASA 8.4 or not, because I can manage another remote ASA running version 8.0 software from HQ.

    Thanks in advance

    Don't know which 8.4 version you use, but it is broken in 8.4(2); I stumbled upon the same problem after upgrading. SSH and ASDM will not connect through an L2L VPN to the inside interface. This worked well in 8.4(1).

    CSCtr16184

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184


  • WRT54GL cannot transmit from inside the LAN port?

    Hello

    I have a server running several services (HTTP, SVN, FTP, ...) inside my network.

    I used to have an SMC router in the past, and of course I had to use port forwarding.

    This is where I realized that when we "talk" to the server, I can "talk" to the router, which will forward the requests to the right computer based on the NAT table. If, for example, I move the SVN server, I don't have to change the path to the repository; changing the NAT entry is enough in this case.

    If this is not understandable, here's another explanation.

    However, I discovered that even though my new WRT54GL seems to be much more advanced, it cannot do this. Requests made to the router from within the local network are not forwarded to the right place.

    Is there a way to accomplish what we need, or at least a workaround? It's sad that the SMC product, which otherwise is not very reliable, can do it...

    Kind regards

    Matej

    Well, I have it solved.

    I tried to forward SVN, HTTP, FTP and SSH.

    However, it was not working when the server IP was assigned by DHCP.

    When I set up the server (within the LAN) to use a static IP address, not only did port forwarding begin to make sense, but I could also see web pages by typing my public IP address into the browser on a computer inside the LAN.

    What surprised me is that it only worked when the server had an auto-assigned private IP address. I know that these addresses change, so it would not work for very long, but it did not work even before that address had changed...

  • Explain to me how a multi-level security strategy can be deployed in the LAN-to-WAN domain and from the LAN domain to the workstation domain with the use of internal firewalls.

    Hello

    Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please ask your question in the following forum.
    http://social.technet.Microsoft.com/forums/en-us/itproxpsp/threads

  • Wireless Internet does not work. I get the error "no operation can be performed on the LAN while it has its media disconnected" in CMD.

    Hello, I followed the steps in the previous thread... Thank you.

    I'm getting the message "no operation can be performed on the LAN while it has its media disconnected" in CMD... help.

    My wireless won't open any web pages, although it seems to be connected, and the troubleshooter says "DNS does not...

    original title: "DNS does not.

    Hello

    1. Did you make any changes on the computer before this problem started?

    Step 1: Make sure that switch WLAN is not turned off. To do this, you may need to consult the manual of the computer.

    Step 2: Reset the TCP/IP and WINSOCK stack.

    1. Click Start and type cmd in the Start Search box.

    2. Right-click cmd in the Programs list and then click Run as administrator.

    If you are prompted for an administrator password or a confirmation, type your password or click Continue.

    3. At the command prompt, type the following lines, pressing ENTER after each:

    netsh winsock reset catalog

    netsh int ipv4 reset reset.log

    netsh int ipv6 reset reset.log

  • Inside source NAT from a remote host and site-to-site VPN

    Hi all

    I was in charge of building a VPN tunnel between our company's PIX firewall and the ASA firewall of a business partner company.  The traffic will be: partner company (Company A) users accessing my company's Citrix server.  I want to source-PAT the partner company's user traffic on my company's PIX inside interface as it enters my LAN to access my company's Citrix server.  The partner company will be PAT'ing their users' traffic to a single IP address; let's say for the sake of discussion it is 65.99.100.101.  There is the site-to-site VPN configuration, and the NAT configuration to be performed to allow this traffic according to the above.

    I'm more concerned about the accuracy of the encryption domain configuration because NAT is involved in this whole setup.  My goal is to NAT the other company's (Company A's) IP address to a routable IP address in my company network.

    The fundamental question here is: should I include the real source IP address (65.99.100.101) of the Company A user or the NATted IP (10.200.11.9) in the encryption domain?

    In other words, should the encryption domain look like this:

    OPTION A

    permit ip host 10.200.11.103 host 65.99.100.101

    OR

    OPTION B

    permit ip host 10.200.11.103 host 10.200.11.9

    I'm inclined to think it should look like OPTION A.  Here's the relevant part of MY COMPANY's complete VPN configuration.  I've also attached a diagram illustrating this topology.

    Thanks in advance,

    Adil

    CONFIG BELOW

    ------------------------------------------------

    #################################################

    Object-group Config:

    #################################################

    object-group network COMPANY_A_NETWORK
    description Company A network accessing my company's Citrix farm
    network-object host 65.99.100.101
    object-group network MYCOMPANY_CITRIX_FARM
    description Citrix farm accessible to Takata by Genpact
    network-object host 10.200.11.103

    ################################################

    Config of encryption:

    ################################################

    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

    ********************************

    CRYPTO MAP

    ********************************

    crypto map Outside_map 561 match address Outside_561_cryptomap
    crypto map Outside_map 561 set peer 55.5.245.21
    crypto map Outside_map 561 set transform-set ESP-3DES-SHA

    ********************************

    TUNNEL GROUP

    ********************************

    tunnel-group 55.5.245.21 type ipsec-l2l
    tunnel-group 55.5.245.21 ipsec-attributes
    pre-shared-key *

    *******************************

    CRYPTO DOMAIN

    *******************************

    access-list Outside_561_cryptomap extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

    ###########################################

    NAT'ing

    ###########################################

    global (inside) 9 10.200.11.9
    nat (outside) 9 access-list genpact_source_nat outside
    access-list genpact_source_nat extended permit ip host 65.99.100.101 any
    access-list genpact_source_nat extended permit ip host 65.99.100.102 any
    ! For not NATting the IP address of the Citrix server
    access-list Inside_nat0 extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

    You must include the pre-NAT IP 65.99.x.x in your crypto map, like you did.

    For me, the config you provided here looks good and meets your needs.

    One thing: I do not see the actual nat 0 rule here, only the ACL for that NAT. Probably you just forgot this rule.


  • HP Pro 3010 Microtower: HP Support Assistant and LAN with proxy authentication

    Dear friends,

    I would only like to know if and how I can "use" HP Support Assistant on my office desktop PC, because my desktop PC works within a LAN with proxy authentication.

    Thank you, Paolo ([Personal Information Removed)

    Hello

    Welcome to the HP Support forum!

    Yes, you can use it as long as the desktop PC is HP branded.

  • No LAN driver detected on Satellite Pro U400 and Tecra A10 with Win Server 2008

    Hello

    We use in our company a Windows Deployment Server with a Windows Server 2008 boot.wim for the installation of our computers.

    I have added the Marvell network driver to our boot.wim, but after the network starts I get an error message because the network adapter does not work.

    We install HP workstations and VMware servers with it without problems, but we can't install the latest Toshiba computers!

    We have 10 to 15 computers to install a week and we need to use this tool.

    I tried to add the Intel chipset utility drivers without success.

    We have this problem with all Satellite Pro U400 PSU45E models!

    Is there any other driver to install?
    ANYTHING to set up?

    Best regards

    Hello

    As far as I know, Toshiba offers a few drivers that are included in the recovery image, and it is unclear to me whether there are different LAN drivers for the specific laptop model.
    All these drivers are available if someone wants to install a clean version of the operating system and does not want to use the factory settings.

    Have you created your own ghost image for the SP U400 with all the applications the company's employees need?

  • HP Pavilion 15-n003sq: can I reach 1 Gbps (LAN) with my HP Pavilion 15-n003sq?

    Hello!

    For the last few days I have tried to connect to the internet via LAN.
    The maximum speed I achieve via Wi-Fi is 100 Mbps, and currently over LAN it's the same (don't know why).

    The thing is that I pay for 1 Gbps speeds, and I can achieve that on the other PC (a desktop).

    Is this a hardware problem?

    Thank you!

    Hello

    Your machine has

    Integrated 10/100 BASE-T Ethernet LAN

    Source: http://support.hp.com/au-en/document/c03944557

    This explains why. No hardware problem, but it is the card's limit. This card is integrated (soldered) on the motherboard.

    Option: If you want, you can buy a 1 Gbps USB adapter.

    Update: for WiFi, there is no way you can get to 1 Gbps with the current configuration, since your machine has 802.11b/g/n.

  • Cannot access a remote LAN with Cisco Client

    Hello

    I am using an ASA 5505 and connect with the Cisco VPN Client 5.0.02.0090. The client connects to the remote LAN and gets an IP from the ASA.

    But I can't access the remote LAN or ping the inside interface of the ASA.

    Can someone help me with this problem?

    If the client computer is in the same subnet as the other PC, then it's unlikely to be an ASA issue.

    Just make sure that the client computer is in the subnet 192.168.20.0/24 with default gateway 192.168.20.100 and connected to a switchport in VLAN 1.

    Finally, check whether the DNS resolution works, or if you can browse the internet with the ip address.

  • PIX501 client VPN - cannot access the inside network from the VPN session

    What follows is based on the config at the attached link:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_configuration_example09186a008009442e.shtml

    PIX ver 6.2(3) - VPN Client 3.3.6(A) - Windows XP client PC

    We can establish the VPN session to the PIX501, but we cannot access the private network behind the PIX.

    Here is the config - I can't determine why it does not work; we are desperate to get this working as soon as POSSIBLE!

    We have the same problem with client 4.0.3(C).

    Thanks in advance for any help!

    =======================================

    AKCPIX00# sh run
    : Saved
    :
    PIX Version 6.2(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname AKCPIX00
    domain-name domain.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol sip udp 5060
    names
    access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside #.#.#.# 255.255.240.0
    ip address inside 192.168.1.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool akcpool 10.0.0.1-10.0.0.10
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 #.#.#.# 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set RIGHT
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup akcgroup address-pool akcpool
    vpngroup akcgroup dns-server 192.168.1.10
    vpngroup akcgroup default-domain domain.com
    vpngroup akcgroup split-tunnel 101
    vpngroup akcgroup idle-time 1800
    vpngroup akcgroup password ********
    vpngroup akc idle-time 1800
    telnet timeout 5
    ssh #.#.#.# 255.255.255.255 outside
    ssh timeout 15
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.10
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:XXXXX
    : end
    AKCPIX00#

    Config looks good - just like mine for my local network. The only thing I can think of is that you may have entered the commands in the wrong order - meaning you could have enabled isakmp or applied the crypto map before the config was complete. Write memory and then reloading the PIX is one way to reset everything. If you do not want downtime:

    crypto map mymap interface outside
    isakmp enable outside

    Entering these two commands should be enough to reset ipsec and isakmp.

  • Windows 7 - LAN connection in the start menu, speed indicator bar not there

    I use Windows 7 on several machines (64- and 32-bit). The LAN icon is visible in the taskbar. Under XP, the LAN icon showed the name of the local network and its connection speed. Windows 7 does not seem to indicate the name of the LAN, nor the speed.

    Can I get the speed displayed on the icon (for example, 1.0 Gbps)? If yes... how?

    Thanks in advance for any help.

    This feature has been removed with Vista. Start the Task Manager and go to the network tab, there you can see the speed of the network connection.

    André "a programmer is just a tool that converts the caffeine in code" Deputy CLIP - http://www.winvistaside.de/

  • How to configure the VPN LAN to access the internet from the remote network

    I have set up a site-to-site VPN from our project site to another office. Please see the attachment.
    I have already configured the site-to-site VPN between an ASA 5510 and an 1841 router.

    HQ LAN 10.2.1.0/24 > ASA 5510 > INTERNET < 1841 < Branch LAN 10.30.3.0/24
    (Call Manager on a 2851 behind the HQ LAN)

    Now the branch LAN and the HQ LAN can access each other.

    The problems I face are:
    (1) On the branch side, they can access the HQ LAN & resources, but cannot access the internet. I did not configure NAT on the PH router.
    (2) Can I access the internet from the BRANCH LAN via the HQ LAN INTERNET? Or can I access the internet directly from the LAN of the PH router while accessing the HQ local network over the VPN?
    (3) At the branch site, the hard phones cannot work, but the softphone on a PC can call headquarters. The hard IP phones are in the same subnet as the remote network (172.16.1.0/24). What's the problem? How can I configure them separately?

    Please advise me how I should do this.

    Hello

    (1) On the branch side, they can access the HQ LAN & resources, but cannot access the internet. I did not configure NAT on the PH router.

    Answer:

    You must configure NAT and hairpinning on the HQ ASA so that the VPN from the branch router provides both LAN access and U-turn internet access through the ASA.  You must first set up NAT for the branch router subnet on the ASA, then you must type the command:

    same-security-traffic permit intra-interface

    Here's a good example for VPN client hairpinning.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    (2) Can I access the internet from the BRANCH LAN via the HQ LAN INTERNET? Or can I access the internet directly from the LAN of the PH router while accessing the HQ local network over the VPN?

    Yes, you can.

    (3) At the branch site, the hard phones cannot work, but the softphone on a PC can call headquarters. The hard IP phones are in the same subnet as the remote network (172.16.1.0/24). What's the problem? How can I configure them separately?

    You must change your voice VLAN subnet to be different from the HQ voice VLAN subnet; then it should be fine.

    Kind regards

    Mohamed
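As an added example (not part of the question or of Mohamed's reply), here is what the U-turn he describes looks like on both ends: the HQ ASA 5510 in 8.0 syntax and the branch 1841. The subnets 10.2.1.0/24 and 10.30.3.0/24 come from the thread; the interface names inside/outside and FastEthernet0/0, the ACL, crypto map and transform-set names, the peer addresses 203.0.113.1/203.0.113.2 and the branch next hop 203.0.113.254 are assumed. ISAKMP policy, tunnel-group and pre-shared key are omitted because the thread says the tunnel itself already works.

```cisco
! Added example, not the thread's own config. Assumed: ASA interfaces 'inside'
! and 'outside', 1841 WAN interface FastEthernet0/0, the names below, and the
! documentation-range peer addresses 203.0.113.1 (ASA) and 203.0.113.2 (1841).
!
! ================= HQ ASA 5510 (8.0 syntax) =================
! Let traffic that arrived on 'outside' (decrypted VPN) leave via 'outside'
! again; without this the ASA drops the U-turn.
same-security-traffic permit intra-interface
!
! HQ LAN <-> branch LAN is private on both sides: exempt it from NAT.
access-list NONAT extended permit ip 10.2.1.0 255.255.255.0 10.30.3.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Branch hosts bound for the internet are PATed to the outside address as they
! U-turn. 'nat (outside)' is the rule the reply refers to as "NAT for the
! branch subnet on the ASA".
nat (outside) 1 10.30.3.0 255.255.255.0
global (outside) 1 interface
!
! Crypto ACL, mirror image of the branch: 'any' covers HQ LAN and internet.
access-list BRANCH_VPN extended permit ip any 10.30.3.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 10 match address BRANCH_VPN
crypto map Outside_map 10 set peer 203.0.113.2
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface outside
!
! ================= Branch 1841 (IOS) =================
! No NAT on the branch router: everything, internet included, goes into the
! tunnel, so interesting traffic is 10.30.3.0/24 to any. The default route
! still points at the ISP so the crypto map on the WAN interface sees it.
access-list 110 permit ip 10.30.3.0 0.0.0.255 any
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 110
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map BRANCH-MAP
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! Verify on the ASA while a branch host browses the internet:
!   show xlate            - 10.30.3.x entries PATed to the outside address
!   show crypto ipsec sa  - selectors any/10.30.3.0 with rising counters
```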
