NAT and vpn acl

Similar Questions

• NAT and VPN site-2-Site

  Hello world.

  I have question about Site 2 Site VPN and NAT.

  HQ is connected to the partner and the co-location through site to site VPN (with two different tunnels). Co-location is connected to the HQ with the site 2 site VPN.

  HQ:
  Co-location:
  Partner:

  Basically, what I want to achieve is to do the following:

  All traffic from the combination with destination partner should switch from AC and source what IP must be changed. So it seems that the traffic originated in the DMZ HQ on the side of the partner.

  How can I achieve that?

  HW: Cisco ASA

  Hello Roger,.

  The configuration you need will be on the ASA HQ.

  First configure the ASA so that it would allow the traffic to leave through the same interface it came through:

  permit same-security-traffic intra-interface

  Then, you create a nat that an IP address of this beach (it will work if the partner does not need to go to the apartment, just camp to the partner):

  policy-based-nat1 permit ip access list

  NAT () to access list policy-based-nat1

  (Global)

  That is asuming that you already have a rule of traffic interesting (crypto ACL map) allowed your DMZ for flatsharing.

  For a more specific example, see below:

  Colocation network: 192.168.1.0/24

  Network DMZ HQ: 10.10.10.0/24

  Network partner: 172.16.10.0/24

  permit same-security-traffic intra-interface

  access list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
  

  NAT (outdoor) 100 access list policy-based-nat1

  global (outside) 100 10.10.10.253

  vpn10 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0

  10 correspondence address vpn vpn crypto card

  If the partner needs to access the apartment so (two-way access) you may not use the DMZ network as there must be a translation from one to the other and you have the same amount of addresses to be translated you have on the apartment.

  However, it would be possible if your DMZ network is greater than the apartment (like DMZ being a 16 and colo in 24) and you can isolate a subnet just for NAT.

  Hope this helps to solve the problem.

• Access to services: conflict NAT and VPN

  Hi people!

  I encountered a problem with external access to local services of:
  (a) remote clients (port open on the side WAN)
  (b) the remote sites (through IPsec tunnels)

  Here's a topology:

  

  EXPLANATIONS

  FW1 (actually from TMG 2010) overload NAT of preforms.

  The service in question (for example tcp 9999) is published on 192.168.100.0/24 via static NAT translation, which is accessible from the network.

  HQ1 is a border router (cisco 2921). It also performs NAT overload for public addresses. (Other than cisco) Branch1 also performs NAT overload.

  All traffic between the headquarters and the remote site is allowed. The service is accessible from the remote site.

  PROBLEM

  I want to allow access to the service for an external user (remote user). I do the following configuration:

  IP nat inside source static tcp 192.168.100.2 2.2.2.2 9999 9999 extensible

  After this command remote user is able to access the service by public IP, BUT the site's users remote losing it. If I roll back with

  No nat ip inside the source static tcp 192.168.100.2 2.2.2.2 9999 9999 extensible

  then access to the remote site is restored, and remote user lose again. Seems that it is connected with the static NAT translations.

  How can I make it work in both cases of simulteniously? Both for the remote site and the remote user.

  Thank you!

  You must use a map of the route with your static NAT configuration.

  Recently answered a question for the same thing, please visit this link and if you have any questions please come back.

  https://supportforums.Cisco.com/discussion/12544291/IPSec-IP-NAT-inside-source-static

  Jon

• Help without NAT and VPN Config DMZ.

  Before VPN, we miss with 'nonatdmz '. Recently, we tried to implement the solution VPN using "VPNRA".

  ASA IOS would only you are using a "NAT 0" at a time, how do you get around that.

  TIA

  nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

  NAT (inside) 0-list of access nonatdmz

  Access extensive list ip 172.0.0.0 VPNRA allow 255.0.0.0 10.17.70.0 255.255.255.0

  NAT (inside) 0-list of access VPNRA

  You can add several lines to you nonatdmz access-list: for example:

  nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

  access extensive list ip 172.0.0.0 nonatdmz allow 255.0.0.0 10.17.70.0 255.255.255.0

  NAT (inside) 0-list of access nonatdmz

• PAT/NAT and VPN through a PIX

  "PPTP through the PIX with Port address translation (PAT) does not work because there is no concept of ports in GRE"-this is an excerpt from a config PIX version 6.2 and below.

  1. how this problem has been fixed in 6.3? GRE is encapsulated in udp or tcp to use ports to follow the connection?

  2. is it "fixup protocol esp-ike" use the same technology - the source port created by the IKE protocol? -ISAKMP cannot be enabled when you use this command

  3. What is "isakmp nat-traversal? How is this different from fixup protocol esp-ike"

  Thank you

  RJ

  1. when the PIX sees outgoing PPTP (TCP 1723 port) packets it now opens holes for them to return, as well as opening a hole for the GRE packets, it has never done this before. The PPTP TCP packets can be PAT would be fine because they are TCP packets. GRE packets, I believe, are followed by the id field only tunnel in the package.

  2. we use the source port of the ISAKMP packet for ESP packets as well. The current limitation is that if you have this option, you cannot use the PIX to close the IPSec sessions, so you can not turn on ISAKMP any interface. You can also have only a single IPSec client internal to use this feature.

  3 NAT - T is a new standard for IPSec to work through a NAT device peers, because they detect changes of address during the negotiation of tunnel and automatically encapsulate packets in UDP 4500. This market allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from the "esp - ike correction '' that the PIX ends not in fact the IPSec tunnel with esp - ike, but it is the endpoint in nat - t.

• How to configure NAT for Hyper-V on laptop with wifi, wired and vpn connectivity

  Me, as I suspect a lot of people, I have a laptop with WiFi connection, cable connection and VPN connection (Cisco AnyConnect), which

  also uses a virtual adapter (activated when active). I searched for some time a way to be able to move to

  Hyper-V in VirtualBox. Blocker full for me is the need for a lot of my virtual machines to be able to connect to the

  Internet through 'the connection active' in the way that VirtualBox and VMWare Workstation/Player through their NAT feature.

  I'm not a networking wait, but after looking around, can't seem to find something that is simple enough for me to configure,

  with a minimum of resources, which allows me to connect a Hyper-V virtual network via a simple NAT device adapter

  all three potential network connections - most seem to not assume that one connection out of the machine, which of course does not

  me what I want.

  Three questions:

  1. is there a Windows application available that an adapter (like loopback) internal which acts as a real NAT device to one of the surfaces

  external access via the active network connections and through the Windows Firewall and any other antivirus, components etc. for

  the road to (i.e. behaves like a "normal app" inside Windows for internet access)? It would be the best option, because it would be

  "always there" when I run virtual machines

  2. display of my lack of knowledge around this feature, don't RRAS (and I know that this is not an option "minimum contact") allow you to

  Connect an internal network adapter to several external network adapters?

  3. on the Linux/OpenBSD various base/NAT routers, are everything that allow several external adapters and who are

  relatively easy to set up (by an independent expert of the network)?

  Really, we could do with this feature for Hyper-V on the desktop, but willing to work around him, if there is a way to at least the

  use virtual machines, once it is easy to install.

  Hello

  The question is more suited in the TechNet forums. So I would say you mention the link and send the request in this forum for better support.

  http://social.technet.Microsoft.com/forums/en-us/w8itpronetworking/threads

  For any information related to Windows, feel free to get back to us. We will be happy to help you.

• Policy NAT for VPN L2L

  Summary:

  We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

  My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

  Here is the config:

  # #List of OUR guests

  the OURHosts object-group network

  network-host 192.168.x.y object

  # Hosts PARTNER #List

  the PARTNERHosts object-group network

  network-host 10.2.a.b object

  ###ACL for NAT

  # Many - to - many outgoing

  access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

  # One - to - many incoming

  VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

  # #NAT

  NAT (INSIDE) 2-list of access NAT2

  NAT (OUTSIDE) 2 172.20.n.0

  NAT (INSIDE) 3 access-list VIH3

  NAT (OUTSIDE) 3 172.20.n.1

  # #ACL for VPN

  access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

  access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

  # #Tunnel

  tunnel-group type ipsec-l2l

  card <#>crypto is the VPN address

  card crypto <#>the value transform-set VPN

  card <#>crypto defined peer

  I realize that the ACL for the VPN should read:

  access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

  access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

  .. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

  What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

  Thanks in advance.

  Patrick

  Here is the order of operations for NAT on the firewall:

  1 nat 0-list of access (free from nat)

  2. match the existing xlates

  3. match the static controls

  a. static NAT with no access list

  b. static PAT with no access list

  4. match orders nat

  a. nat [id] access-list (first match)

  b. nat [id] [address] [mask] (best match)

  i. If the ID is 0, create an xlate identity

  II. use global pool for dynamic NAT

  III. use global dynamic pool for PAT

  If you can try

  (1) a static NAT with an access list that will have priority on instruction of dynamic NAT

  (2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

  I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

  Jon

• problem with Ezvpn and VPN from Site to Site

  Hello

  I want to set Ezvpn and VPN Site to another but the problem is that the EasyVpn that would only work at the Site to the Site does not at all

  I have set up 1 card for two VPN with different tagged crypto

  I had execlude the traffice to NOT be natted to, and when I remove the Ezvpn site to another work well

  crypto ISAKMP policy 100
  BA aes
  md5 hash
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 10000
  BA aes 256
  preshared authentication
  Group 5
  key address 123456 crypto isakmp (deleted)

  ISAKMP crypto client configuration group easyvpn
  easyvpn key
  domain ezvpn
  pool easyvpn
  ACL easyvpn
  Save-password
  Split-dns cme
  MAX User 9
  netmask 255.255.255.0
  !

  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpn

  Crypto-map dynamic easyvpn 10
  Set transform-set dmvpn
  market arriere-route
  !
  !
  address-card crypto easyvpn local Dialer1
  card crypto client easyvpn of authentication list easyvpn
  card crypto isakmp authorization list easyvpn easyvpn
  client configuration address card crypto easyvpn answer
  easyvpn 100 card crypto ipsec-isakmp dynamic easyvpn
  easyvpn 1000 ipsec-isakmp crypto map
  defined by the peers (deleted)
  Set transform-set vpn
  game site address

  interface Dialer1
  the negotiated IP address
  IP mtu 1492
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  PPP authentication chap callin pap
  PPP chap hostname
  PPP chap password
  PPP pap sent-name to user
  easyVPN card crypto

  DSL_ACCESSLIST extended IP access list
  deny ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
  deny ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
  IP 100.0.0.0 allow 0.0.0.255 any
  refuse an entire ip
  easyvpn extended IP access list
  IP 100.0.0.0 allow 0.0.0.255 70.0.0.0 0.0.0.255
  IP extended site access list
  IP 100.0.0.0 allow 0.0.0.255 101.1.1.0 0.0.0.255

  Best regards

  The sequence number of card crypto for the static mapping crypto (site to site vpn) should be higher (ie: sequence number must be lower) than the ezvpn (map dynamic crypto).

  In your case, you must configure as follows:

  map easyvpn 10 ipsec-isakmp crypto
  defined by the peers (deleted)
  Set transform-set vpn
  game site address

  map easyvpn 150 - ipsec-isakmp crypto dynamic easyvpn

  Hope that solves this problem.

• Wireless and VPN RV042 router WRT54G

  Respected member, please help if you can! I have an ADSL with dynamic connected with the wrt54g router, I recently bought RV042 and want to connect the wire coming from wireless with ports. so, basically, I want to use RV042VPN for help after the router, is there a way I can use vpn behind with port using RV042 router wireless

  I can't be able to connect to the vpn as he seeks is not an ip or WAN/LAN.

  It may be possible if you're lucky. But I highly recommend not to connect the RV042 after the WRT. A VPN server must always have a public IP address. Running a VPN server behind a router NAT (such as WRT) makes it extremely difficult and often it won't work at all. Connect the RV042 directly to your modem, configure it to your internet connection. In this way the RV042 has the public IP and VPN should become much easier. Then implement the WRT as simple access point in your network by changing the address LAN IP of 192.168.1.1 to 192.168.1.2, disable the DHCP server, and connect a LAN port of the WRT on a LAN on the RV042 port.

• Order of procedure SonicWALL for routing, NAT and policies

  I'm confused on the prescription that the sonicwall verifies a package.  The way I heard the order, it will:

  (1) check against the access rules,

  (2) check against NAT Polies

  (3) check the routing.

  Installation program:

  Subnet point of VPN endpoint - Internet - SW NSA 2400 (VPN) - sub-network B (from C subnet)

  A subnet is 10.1.100.x/24

  Subnet B is consists of three IPs, 192.168.99.4,.50, and 109.

  Subnet C is contains the host IPs 192.168.13.4,.50, and 109.

  I VPN configured to allow traffic from 10.1.100.x to the hosts on the subnet B, what NAT and the host subnet C.  This method works more large, is not a problem.

  I need to reduce access to certain ports.  Once I set access restrictions in the port, the firewall blocks ALL.

  When I look at a screenshot of packets when traffic is blocked, I see the following:

  Source 10.1.100.5--> 192.168.99.4 accepted

  Source 10.1.100.5--> 192.168.13.4 refused.

  Block of code indicates that it is because of politics.  However the policy review should have been checked and checked already.  If I change the VPN policy to represent both sides of the NAT (ie. 192.168.99.4 and 192.168.13.4) then passes the traffic.

  If anyone can explain what is happening?

  I tried to look through some KB SonicWall has publicly available articles. But I did not see anything that doesn't seem to help. In this case, I think you might want to give SonicWall support a call.

  https://support.software.Dell.com/manage-service-request

  They can help to look over your configurations and see if we have to make changes. They should also be able to answer your technical questions about how the packets are received or managed.

• IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

  Hello

  My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

  "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

  NAT takes place before the encryption verification!

  In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

  Thanks for any help

  Best regards

  Heiko

  Hello

  Try to change your static NAT with static NAT based policy.

  That is to say the static NAT should not be applicable for VPN traffic

  permissible static route map 1

  corresponds to the IP 104

  access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

  access-list 104 allow the host ip 10.1.110.10 all

  IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

  HTH

  Kind regards

  GE.

• Static NAT enable VPN site-to-site.

  Hello

  We plan to build VPN site to site, but, we have a single public routerable internet IP address to assign VPN on Site A, but Site B is ok.

  in this case, I think that we must use static NAT on the router, the simple diagram is as below.

  internal a subnet - router VPN - router for Internet of the Site - to - VPN - B B Site internal subnet.

  the final goal is to make the communication between internal a subnet and subnet B on IPSEC tunnel.

  OK, as I said, Site A having a public IP address, then it must use the static NAT and need to apply on the Site router.

  Router

  interface x/x

  Head of ESCR to the internet

  NAT outside IP

  !

  interface x/x

  Head of DESC to internal (VPN)

  IP nat inside

  !

  IP nat inside source static (like IP address x.x.x.x) public (as private VPN interface IP x.x.x.x)

  so, wouldn't be work without any problem? I think it will work, but I would find other one just in case.

  Hey,.

  Is that what you try to achieve:

  subnet A - A = vpn router = router B - Sub-B network

  and you need communicate between Subnet A and subnet via ipsec vpn b?

  Concerning

• Making the NAT for VPN through L2L tunnel clients

  Hi.I has the following situation in my network. We need for users who log on our site with the VPN clients to connect to another site via a tunnel L2L. The problem is that I need NAT addresses from the pool of VPN client in another beach before going on the L2L tunnel because on the other side, we have duplication of networks.

  I tried to do NAT with little success as follows:

  ACL for pool NAT of VPN:

  Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.0.0 255.255.255.0

  Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.5.0 255.255.255.0

  NAT:

  Global 172.20.105.1 - 172.20.105.254 15 (outdoor)

  NAT (inside) 15 TEST access-list

  CRYPTO ACL:

  allowed ro access list extended LAN ip 255.255.0.0 192.168.0.0 255.255.255.0

  allowed ro access list extended LAN ip 255.255.0.0 192.168.5.0 255.255.255.0

  IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.0.0 255.255.255.0

  IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.5.0 255.255.255.0

  permit same-security-traffic intra-interface

  Am I missing something here? Something like this is possible at all?

  Thanks in advance for any help.

  We use the ASA 5510 with software version 8.0 (3) 6.

  You need nat to the outside, not the inside.

  NAT (outside) 15 TEST access-list

• remote VPN and vpn site to site vpn remote users unable to access the local network

  As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config

  The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.

  ASA Version 8.2 (2)
  !
  host name
  domain kunchevrolet
  activate r8xwsBuKsSP7kABz encrypted password
  r8xwsBuKsSP7kABz encrypted passwd
  names of
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  PPPoE client vpdn group dataone
  IP address pppoe
  !
  interface Ethernet0/1
  nameif inside
  security-level 50
  IP 192.168.215.2 255.255.255.0
  !
  interface Ethernet0/2
  nameif Internet
  security-level 0
  IP address dhcp setroute
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  No nameif
  no level of security
  no ip address
  management only
  !
  passive FTP mode
  clock timezone IST 5 30
  DNS server-group DefaultDNS
  domain kunchevrolet
  permit same-security-traffic intra-interface
  object-group network GM-DC-VPN-Gateway
  object-group, net-LAN
  access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
  192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
  tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  MTU 1500 Internet
  IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
  ICMP unreachable rate-limit 1 burst-size 1
  enable ASDM history
  ARP timeout 14400
  NAT-control
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  AAA authentication http LOCAL console
  AAA authentication enable LOCAL console
  LOCAL AAA authentication serial console
  Enable http server
  x.x.x.x 255.255.255.252 out http
  http 192.168.215.0 255.255.255.252 inside
  http 192.168.215.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic dynmap 65500 transform-set RIGHT
  card crypto 10 VPN ipsec-isakmp dynamic dynmap
  card crypto VPN outside interface
  card crypto 10 ASA-01 set peer 221.135.138.130
  card crypto 10 ASA - 01 the transform-set RIGHT value
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  the Encryption
  sha hash
  Group 2
  lifetime 28800
  Telnet 192.168.215.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  management-access inside
  VPDN group dataone request dialout pppoe
  VPDN group dataone localname bb4027654187_scdrid
  VPDN group dataone ppp authentication chap
  VPDN username bb4027654187_scdrid password * local store
  interface for identifying DHCP-client Internet customer
  dhcpd dns 218.248.255.141 218.248.245.1
  !
  dhcpd address 192.168.215.11 - 192.168.215.254 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Des-sha1 encryption SSL
  WebVPN
  allow outside
  tunnel-group-list activate
  internal kun group policy
  kun group policy attributes
  VPN - connections 8
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value split tunnel
  kunchevrolet value by default-field
  test P4ttSyrm33SV8TYp encrypted password username
  username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
  username kunauto attributes
  Strategy Group-VPN-kun
  Protocol-tunnel-VPN IPSec
  tunnel-group vpngroup type remote access
  tunnel-group vpngroup General attributes
  address pool VPN_Users
  Group Policy - by default-kun
  tunnel-group vpngroup webvpn-attributes
  the vpngroup group alias activation
  vpngroup group tunnel ipsec-attributes
  pre-shared key *.
  type tunnel-group test remote access
  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group ipsec-attributes x.x.x.x
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  Review the ip options
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  inspect the icmp
  !
  global service-policy global_policy
  context of prompt hostname
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
  : end
  kunauto #.

  Hello

  Looking at the configuration, there is an access list this nat exemption: -.

  192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0

  But it is not applied in the States of nat.

  Send the following command to the nat exemption to apply: -.

  NAT (inside) 0 access-list sheep

  Kind regards

  Dinesh Moudgil

  P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

• Router vpn site to site PIX and vpn client

  I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

  ISAKMP crypto RTR #show its
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

  IPv6 Crypto ISAKMP Security Association

  local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
  current_peer 66.x.x.x port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
  #pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 40, #recv errors 0

  local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
  Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
  current outbound SPI: 0xC4BAC5E (206285918)

  SAS of the esp on arrival:
  SPI: 0xD7848FB (225986811)
  transform: aes - esp esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
  calendar of his: service life remaining (k/s) key: (4573083/78319)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xC4BAC5E (206285918)
  transform: aes - esp esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
  calendar of his: service life remaining (k/s) key: (4572001/78319)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Expand the IP NAT access list
  10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
  20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
  Expand the IP VPN_ACCESS access list
  10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

  I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

  is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

  If it's just ping, then activate pls what follows on the PIX:

  If it is version 6.3 and below: fixup protocol icmp

  If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

  Config complete hand and on the other could help determine if it's a configuration problem or another problem.