NAT before VPN - ASA L2L 8.3?

Hello

I have the following scenario: -.

A net - network 172.20.82.0/24 (under my control)

B ' net - network audience (beyond my control)

I have a lot of servers on the Net (172.20.82.0/24) network I would PAT behind a public IP address before it is sent over a virtual private network to the remote site (Net (B). By some read far quickly, my understanding is that I'm going to need to: -.

(a) conduct an "indoor/outdoor" PAT on the Net 'interesting' traffic to my address of PAT Public front I then...

(b) apply the new address Public PAT crypto and ACL "NAT 0".

i.e.

one)

access-list allowed NET_A_PAT 172.20.82.0 255.255.255.0 NET_B_NETWORK NET_B_NETMASK

NAT (inside) 20 access-list NET_A_PAT

MY_PUBLIC_PAT overall, 20 (outdoor)

then (b)

NO_NAT list extended access permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK

CRYPTO_MAP list extended access permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK

First question is - is it good? I think it is, but I'm just wanting clarification.

Second question is: I is also launching a 'standard' CARESS on the 'outside' of the SAA for internet traffic normal (Internet) interface - navigation etc. If I play a PAT inside and outside as shown above, not then try and pass packets encrypted using my 'new' PAT instead of the IP Address of the remote VPN endpoint interface? Or take it to process my first PAT crypto then re - wrap by using the 'real' outside interface IP PAT?

Hope I'm reasonably clear - thanks in advance.

(a) correct

(b) in part reason, crypto ACL is correct, however, you don't need NAT 0 ACL like you do a PAT.

Second question - no, PAT comes first, then it will encrypt the packet with the IP Address of the interface that is the VPN endpoint.

Tags: Cisco Security

Similar Questions

Making the NAT for VPN through L2L tunnel clients

Hi.I has the following situation in my network. We need for users who log on our site with the VPN clients to connect to another site via a tunnel L2L. The problem is that I need NAT addresses from the pool of VPN client in another beach before going on the L2L tunnel because on the other side, we have duplication of networks.

I tried to do NAT with little success as follows:

ACL for pool NAT of VPN:

Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.0.0 255.255.255.0

Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.5.0 255.255.255.0

NAT:

Global 172.20.105.1 - 172.20.105.254 15 (outdoor)

NAT (inside) 15 TEST access-list

CRYPTO ACL:

allowed ro access list extended LAN ip 255.255.0.0 192.168.0.0 255.255.255.0

allowed ro access list extended LAN ip 255.255.0.0 192.168.5.0 255.255.255.0

IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.0.0 255.255.255.0

IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.5.0 255.255.255.0

permit same-security-traffic intra-interface

Am I missing something here? Something like this is possible at all?

Thanks in advance for any help.

We use the ASA 5510 with software version 8.0 (3) 6.

You need nat to the outside, not the inside.

NAT (outside) 15 TEST access-list

Disconnecting from the VPN ASA L2L - CheckPoint

Hello...

Please your help...

I configured a L2L VPN between an ASA5505 and CP2070.

The tunnel is working, we have conectivity between sites, but the tunnel is disconnect periodically.

When the tunnel fails, we have a 'clear crypto isakmp his "to retrieve the connection."

I tested changing the parameters of life expectancy in IKE and IPSec configurations, but the problems persist.

Any suggestion?

The ASA configuration file is attached.

Hello

If solve you the problem by disabling the tunnel on the side of the ASA, I think that there is a loss of connectivity on the side of control point when this happens?

I mean... the ASA still belives the tunnel is mounted, but it is not because that is not upward on the side of the checkpoint.

Once you have disabled the SAs on the SAA, the tunnel to renegotiate and restores.

There are DPD packets that can be sent to monitor the health of the peer VPN and KeepAlive, but they work a lot between Cisco devices. (I don't know if there are problems of incompatibility with other brands).

Can you verify if this is the problem?

In addition, is the ISAKMP phase 1 and phase 2 lives the same value two units?

Federico.

NAT before going on a VPN Tunnel Cisco ASA or SA520

I have a friend who asked me to try to help. We are established VPN site to site with a customer. Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there. So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN. So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel. That sounds confusing to you? Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN. Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?

Help or direction would be very useful.

Hello

I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.

Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.

Naturally, there are also a lot of the basic configuration which is not mentioned below.

For example
- Configurations management and AAA
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for parameters below
- x.x.x.x = ASA 'outside' of the public IP interface
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" IP address of the default gateway
- a.a.a.a = the address of the remote site VPN L2L network
- b.b.b.b = mask of network to the remote site VPN L2L
- c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
- PSK = The Pre Shared Key to connect VPN L2L
Interfaces - Default - Access-list Route

interface Vlan2

WAN description

nameif outside

security-level 0

Add IP x.x.x.x y.y.y.y

Route outside 0.0.0.0 0.0.0.0 z.z.z.z

interface Ethernet0

Description WAN access

switchport access vlan 2
- All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured
interface Vlan1

LAN description

nameif inside

security-level 100

10.10.1.0 add IP 255.255.255.0

Note to access the INSIDE-IN list allow all local network traffic

access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any

group-access INTERIOR-IN in the interface inside

Configuring NAT and VPN L2L - ASA 8.2 software and versions prior

Global 1 interface (outside)

NAT (inside) 1 10.10.1.0 255.255.255.0

Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

crypto ISAKMP policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

pre-shared key, PSK

NAT and VPN L2L - ASA 8.3 software configuration and after

NAT source auto after (indoor, outdoor) dynamic one interface

Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac

IKEv1 crypto policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

Crypto ikev1 allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

IKEv1 pre-shared key, PSK

I hope that the above information was useful please note if you found it useful

If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more

-Jouni

IOS - help with VPN IPsec L2L with NAT

Hello guys

I tried to get VPN to work for a specific scenario where I do NAT for VPN traffic to avoid the duplication of subnet.

I found several guides on cisco.com, but all the ones I found does not (or how) overload NAT (for internet traffic), I need for my setup.

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

Basically, I need to know how the configuration looks like when make you static NAT in a VPN tunnel as well as provide internet connectivity using NAT in the same router?

I have attached a drawing that needs to better explain my needs.

Someone knows a guide that shows how to do this?

Best regards

Jesper

You can use a static policy NAT NAT the traffic:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

policy-NAT allowed 10 route map

corresponds to the IP 101

internet-NAT allowed 10 route map

corresponds to the IP 102

IP nat inside source static network 10.0.0.0 road policy-NAT 10.30.10.0/24-feuille

IP nat inside source map route internet-NAT interface overloading

Hope that helps.

Help without NAT and VPN Config DMZ.

Before VPN, we miss with 'nonatdmz '. Recently, we tried to implement the solution VPN using "VPNRA".

ASA IOS would only you are using a "NAT 0" at a time, how do you get around that.

TIA

nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

NAT (inside) 0-list of access nonatdmz

Access extensive list ip 172.0.0.0 VPNRA allow 255.0.0.0 10.17.70.0 255.255.255.0

NAT (inside) 0-list of access VPNRA

You can add several lines to you nonatdmz access-list: for example:

nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

access extensive list ip 172.0.0.0 nonatdmz allow 255.0.0.0 10.17.70.0 255.255.255.0

NAT (inside) 0-list of access nonatdmz

ASA L2L VPN NAT

We have a partner that we set up a VPN L2L with. Their internal host IP infringes on our internal IP range. Unfortunately, they are not offer NAT on their side. Is it possible on the SAA to configure a NAT device for my internal hosts will say 1.1.1.1 and ASA changes the internal address of the remote end overlapping?

If this is the scenario

192.168.5.0 ASA1 <---> <-- internet="" --="">ASA2<-->

ASA1 (NAT will be applied)

ASA2 (without nat will be applied)

You want to do something like that on ASA1

Change your source host or network to be 192.168.7.0 when communicating with the remote network. Change the remote network to come as long as 192.168.8.0 coming to your network on the SAA.

ACL soccer match:!-match-list ACLaccess acl_match_VPN ip 192.168.7.0 allow 255.255.255.0 192.168.5.0 255.255.255.0

! - NAT ACL

vpn_nat 192.168.5.0 ip access list allow 255.255.255.0 192.168.8.0 255.255.255.0

! - Translations

public static 192.168.7.0 (exterior, Interior) 192.168.5.0 netmask 255.255.255.0 0 0

static (inside, outside) 192.168.8.0 public - access policy-nat list

Complete the VPN configuration using acl_match_VPN as the ACL match. Your inside host will have to use the 192.168.7.0 network when you talk to the remote end.

I hope this helps.

ASA L2L VPN UP with incoming traffic

Hello

I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...

See the result of sh crypto ipsec his below and part of the config for both clients

------------------

address:

local peer 100.100.100.178

local network 10.10.10.0 / 24

local server they need access to the 10.10.10.10

Customer counterpart remote 200.200.200.200

Customer remote network 172.16.200.0 / 20

CustomerB peer remote 160.160.143.4

CustomerB remote network 10.15.160.0 / 21

---------------------------

Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".

address of the peers: 160.160.143.4
Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178

outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#pkts not his (send): 0, invalid #pkts his (RRs): 0
#pkts program failed (send): 0, #pkts decaps failed (RRs): 0
#pkts invalid prot (RRs): 0, #pkts check failed: 0
invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
#pkts incorrect key (RRs): 0,
#pkts invalid ip version (RRs): 0,
replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
#pkts replay failed (RRs): 0
#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
#pkts internal err (send): 0, #pkts internal err (RRs): 0

local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C2AC8AAE

SAS of the esp on arrival:
SPI: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373959/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

-The configuration framework

ASA Version 8.2 (1)

!

172.16.200.0 customer name

name 10.15.160.0 CustomerB

!

interface Ethernet0/0

nameif outside

security-level 0

IP 100.100.100.178 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

10.10.10.0 IP address 255.255.255.0

!

outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

NAT-control

Overall 101 (external) interface

NAT (inside) 0-list of access inside_nat0_outbound_1

NAT (inside) 101 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 100.100.100.177

Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 200.200.200.200

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 3 match address outside_cryptomap

peer set card crypto outside_map 3 160.160.143.4

card crypto outside_map 3 game of transformation-ESP-3DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP ipsec-over-tcp port 10000

attributes of Group Policy DfltGrpPolicy

Protocol-tunnel-VPN IPSec svc

internal customer group strategy

Customer group policy attributes

Protocol-tunnel-VPN IPSec svc

internal CustomerB group strategy

attributes of Group Policy CustomerB

Protocol-tunnel-VPN IPSec

tunnel-group 160.160.143.4 type ipsec-l2l

tunnel-group 160.160.143.4 General-attributes

Group Policy - by default-CustomerB

IPSec-attributes tunnel-group 160.160.143.4

pre-shared key xxx

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 General attributes

Customer by default-group-policy

IPSec-attributes tunnel-group 200.200.200.200

pre-shared key yyy

Thank you

A.

Hello

It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).

I saw this 7.x code behaviors not on code 8.x

However you can do a test?

You can change the order of cryptographic cards?

card crypto outside_map 1 match address outside_cryptomap

peer set card crypto outside_map 1 160.160.143.4

map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

card crypto outside_map 3 match address outside_1_cryptomap

card crypto outside_map 3 set pfs

peer set card crypto outside_map 3 200.200.200.200

card crypto outside_map 3 game of transformation-ESP-3DES-SHA

I just want to see if by setting the peer nonworking time to be the first, it works...

I know it should work the way you have it, I just want to see if this is the same behavior I've seen.

Thank you.

Federico.

Cannot find the next jump - ASA 5505 VPN routing l2l

We have a 5505 (soon to be replaced by two 5515-x) firewall with two VPN l2l.

"Were trying to allow a remote site traffic flow through the other remote site but the syslog shows."

10.5.25.4

172.16.10.10

Could not locate the next hop for ICMP outside:10.5.25.4/1 to inside:172.16.10.10/0 routing

Config is less than

ASA Version 8.4 (3)

names of

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

<--- more="" ---="">

interface Ethernet0/7

switchport access vlan 10

interface Vlan1

nameif inside

security-level 100

allow-ssc-mgmt

IP 10.5.19.254 255.255.255.0

interface Vlan2

WIMAX Interface Description

nameif outside

security-level 0

IP address x.247.x.18 255.255.255.248

passive FTP mode

clock timezone GMT 1

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network guestwifi object

10.1.110.0 subnet 255.255.255.0

<--- more="" ---="">

network of the NETWORK_OBJ_10.5.19.0_24 object

10.5.19.0 subnet 255.255.255.0

network of the NETWORK_OBJ_10.5.31.0_24 object

10.5.31.0 subnet 255.255.255.0

network of the NETWORK_OBJ_172.16.0.0_16 object

subnet 172.16.0.0 255.255.0.0

the object DS365-Cloud network

172.16.10.0 subnet 255.255.255.0

Description DS365-Cloud

network of the object to the inside-network-16

10.5.0.0 subnet 255.255.0.0

atanta network object

10.5.16.0 subnet 255.255.255.0

Atanta description

network guest_dyn_nat object

10.5.29.0 subnet 255.255.255.0

network of the NETWORK_OBJ_172.16.254.0_25 object

subnet 172.16.254.0 255.255.255.128

network of the NETWORK_OBJ_10.5.16.0_20 object

subnet 10.5.16.0 255.255.240.0

network of the NETWORK_OBJ_10.5.16.0_26 object

255.255.255.192 subnet 10.5.16.0

network of the LDAP_DC7 object

Home 10.5.21.1

<--- more="" ---="">

LDAP description

network c2si object

range 10.5.21.180 10.5.21.200

network of the NETWORK_OBJ_10.5.25.0_24 object

10.5.25.0 subnet 255.255.255.0

object-group network rfc1918

object-network 192.168.0.0 255.255.0.0

object-network 172.16.0.0 255.255.240.0

object-network 10.0.0.0 255.0.0.0

the DM_INLINE_NETWORK_1 object-group network

object-network 10.5.19.0 255.255.255.0

network-object 10.5.20.0 255.255.254.0

object-network 10.5.22.0 255.255.255.0

object-network 10.5.30.0 255.255.255.0

object-network 192.168.100.0 255.255.255.0

the Sure_Signal object-group network

network-object x.183.x.128 255.255.255.192

network-host x.183.133.177 object

network-host x.183.133.178 object

network-host x.183.133.179 object

network-host x.183.133.181 object

network-host x.183.133.182 object

the LDAP_source_networks object-group network

network-object 135.196.24.192 255.255.255.240

<--- more="" ---="">

object-network 195.130.x.0 255.255.255.0

network-object x.2.3.128 255.255.255.192

network-object 213.235.63.64 255.255.255.192

object-network 91.220.42.0 255.255.255.0

object-network 94.x.240.0 255.255.255.0

object-network 94.x.x.0 255.255.255.0

the c2si_Allow object-group network

host of the object-Network 10.5.16.1

host of the object-Network 10.5.21.1

network-object object c2si

the DM_INLINE_NETWORK_2 object-group network

network-object 10.5.20.0 255.255.254.0

object-network 10.5.21.0 255.255.255.0

object-network 10.5.22.0 255.255.255.0

object-network 10.5.29.0 255.255.255.0

network-object, object NETWORK_OBJ_10.5.19.0_24

the DM_INLINE_NETWORK_3 object-group network

object-network 10.5.19.0 255.255.255.0

network-object 10.5.20.0 255.255.254.0

object-network 10.5.21.0 255.255.255.0

object-network 10.5.22.0 255.255.255.0

atanta network-object

the DM_INLINE_NETWORK_4 object-group network

network-object 10.5.20.0 255.255.254.0

<--- more="" ---="">

object-network 10.5.21.0 255.255.255.0

object-network 10.5.22.0 255.255.255.0

object-network 10.5.23.0 255.255.255.0

object-network 10.5.30.0 255.255.255.0

network-object, object NETWORK_OBJ_10.5.19.0_24

atanta network-object

network-object DS365-Cloud

inside_access_in list extended access permit tcp any eq 50 Sure_Signal object-group

inside_access_in list extended access permit tcp any object-group Sure_Signal eq pptp

inside_access_in list extended access permits will all object-group Sure_Signal

inside_access_in list extended access permit udp any eq ntp Sure_Signal object-group

inside_access_in access list extended icmp permitted no echo of Sure_Signal object-group

inside_access_in list extended access permit udp any eq 50 Sure_Signal object-group

inside_access_in list extended access permit udp any eq Sure_Signal object-group 4500

inside_access_in list extended access permit udp any eq isakmp Sure_Signal object-group

inside_access_in of access allowed any ip an extended list

255.255.0.0 allow access list extended ip 10.5.0.0 clientvpn 10.5.30.0 255.255.255.0

access-list extended BerkeleyAdmin-clientvpn ip 10.5.0.0 allow 255.255.0.0 10.5.30.0 255.255.255.0

IP 10.5.21.0 allow to Access-list BerkeleyUser-clientvpn extended 255.255.255.0 10.5.30.0 255.255.255.0

outside_cryptomap extended access list permit ip object inside-network-16 10.5.25.0 255.255.255.0

access extensive list ip 10.5.29.0 guest_access_in allow 255.255.255.0 any

state_bypass allowed extended access list tcp 192.168.100.0 255.255.255.0 10.5.30.0 255.255.255.0 connect

state_bypass allowed extended access list tcp 10.5.30.0 255.255.255.0 192.168.100.0 255.255.255.0 connect

state_bypass allowed extended access list tcp 10.5.29.0 255.255.255.0 10.5.30.0 255.255.255.0 connect

<--- more="" ---="">

state_bypass allowed extended access list tcp 10.5.30.0 255.255.255.0 10.5.29.0 255.255.255.0 connect

outside_access_in list extended access permit icmp any one

access extensive list ip 10.5.16.0 outside_cryptomap_1 allow 255.255.240.0 10.5.16.0 255.255.255.192

access-list extended global_access permitted tcp object-group LDAP_source_networks host 10.5.21.1 eq ldap

access extensive list 10.5.0.0 ip outside_cryptomap_2 255.255.0.0 allow object DS365-Cloud

outside_cryptomap_3 list extended access allowed object-group ip DM_INLINE_NETWORK_4 10.5.25.0 255.255.255.0

pager lines 24

Enable logging

exploitation forest-size of the buffer of 100000

recording of debug console

debug logging in buffered memory

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool clientvpn 10.5.30.1 - 10.5.30.100

mask 172.16.254.1 - 172.16.254.100 255.255.255.0 IP local pool VPN_IP_Pool

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow all outside

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) source static rfc1918 rfc1918 destination rfc1918 static rfc1918

NAT (inside, outside) static source NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.31.0_24 NETWORK_OBJ_10.5.31.0_24 non-proxy-arp-search of route static destination

<--- more="" ---="">

NAT (inside, outside) static source NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source to the static inside-network-16 inside-network-16 destination DS365-DS365-cloud no-proxy-arp-route search

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_26 NETWORK_OBJ_10.5.16.0_26 non-proxy-arp-search of route static destination

NAT (inside, outside) source static c2si_Allow c2si_Allow NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) source static atanta atanta static destination NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source DS365-DS365-cloud static destination NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 static destination DS365-DS365-cloud no-proxy-arp-route search

NAT (inside, outside) static source DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 static destination DS365-DS365-cloud no-proxy-arp-route search

NAT (inside, outside) static source to the inside-network-16 inside-network-16 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search of route static destination

network obj_any object

NAT dynamic interface (indoor, outdoor)

network of the LDAP_DC7 object

NAT 194.247.x.19 static (inside, outside) tcp ldap ldap service

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Access-Group global global_access

Router eigrp 143

No Auto-resume

Network 10.5.19.0 255.255.255.0

<--- more="" ---="">

Network 10.5.29.0 255.255.255.0

Network 10.5.30.0 255.255.255.0

redistribute static

Route outside 0.0.0.0 0.0.0.0 194.247.x.17 1 track 1

Route inside 10.5.16.0 255.255.255.0 10.5.19.252 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

RADIUS protocol for AAA-server group

AAA (inside) 10.5.21.1 host server group

key *.

AAA (inside) 10.5.16.1 host server group

key *.

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication LOCAL telnet console

Enable http server

<--- more="" ---="">

http 192.168.1.0 255.255.255.0 inside

http 10.5.16.0 255.255.240.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Sysopt connection tcpmss 1350

SLA 1 monitor

type echo protocol ipIcmpEcho 8.8.4.4 outside interface

SLA monitor Appendix 1 point of life to always start-time now

Crypto ipsec transform-set ikev1 strong-comp esp-aes-256 esp-sha-hmac

Crypto ipsec ikev1 transform-set strong aes-256-esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec ikev2 strong ipsec proposal

Protocol esp encryption aes-256

Esp integrity sha-1 protocol

<--- more="" ---="">

Crypto ipsec ikev2 AES256 ipsec-proposal

Protocol esp encryption aes-256

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 ipsec-proposal AES192

Protocol esp encryption aes-192

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 ipsec-proposal AES

Esp aes encryption protocol

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 proposal ipsec 3DES

Esp 3des encryption protocol

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 ipsec-proposal OF

encryption protocol esp

Esp integrity sha - 1, md5 Protocol

Crypto-map dynamic dyn1 1 set transform-set ikev1 strong

1 correspondence address outside_cryptomap_1 outside crypto map

crypto card outside pfs set 1

1 set 83.x.172.68 counterpart outside crypto map

Crypto card outside 1 set transform-set ESP-AES-256-SHA ikev1

1 set ikev2 AES256 ipsec-proposal outside crypto map

card crypto off game 2 address outside_cryptomap_3

map external crypto 2 peers set 23.100.x.177

card external crypto 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5

<--- more="" ---="">

map external crypto 2 set AES256 AES192 AES strong proposal ipsec ikev2

Crypto card outside 2 kilobytes of life of security association set 102400000

card crypto outside match 3 address outside_cryptomap_2

3 set pfs outside crypto map

map external crypto 3 peers set 91.x.3.39

crypto card outside ikev1 set 3 transform-set ESP-3DES-SHA

map external crypto 3 3DES ipsec-ikev2 set proposal

dynamic outdoor 100 dyn1 ipsec-isakmp crypto map

card crypto outside interface outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

IKEv2 crypto policy 1

aes-256 encryption

integrity sha

Group 2

FRP sha

second life 86400

IKEv2 crypto policy 10

aes-192 encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

IKEv2 crypto policy 20

aes encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

IKEv2 crypto policy 30

3des encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

IKEv2 crypto policy 40

the Encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

Crypto ikev2 allow outside

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

IKEv1 crypto policy 2

preshared authentication

3des encryption

sha hash

Group 2

life 86400

track 1 rtr 1 accessibility

Telnet 10.5.16.0 255.255.240.0 inside

Telnet timeout 5

SSH 83.x.x.90 255.255.255.255 outside

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

dhcprelay Server 10.5.21.1 on the inside

time-out of 60 dhcprelay

a basic threat threat detection

statistical threat detection port

<--- more="" ---="">

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP 10.5.19.253 Server prefer

WebVPN

allow outside

AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

AnyConnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2

AnyConnect enable

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

internal GroupPolicy_c2si group strategy

attributes of Group Policy GroupPolicy_c2si

WINS server no

value of 10.5.16.1 DNS server 10.5.21.1

client ssl-VPN-tunnel-Protocol

by default no

internal GroupPolicy_91.x.3.39 group strategy

attributes of Group Policy GroupPolicy_91.x.3.39

VPN-tunnel-Protocol ikev1, ikev2

internal GroupPolicy_83.x.172.68 group strategy

attributes of Group Policy GroupPolicy_83.x.172.68

VPN-tunnel-Protocol ikev1, ikev2

<--- more="" ---="">

internal GroupPolicy_23.100.x.177 group strategy

attributes of Group Policy GroupPolicy_23.100.x.177

VPN-tunnel-Protocol ikev1, ikev2

internal GroupPolicy_user group strategy

attributes of Group Policy GroupPolicy_user

WINS server no

value of 10.5.21.1 DNS server 10.5.16.1

client ssl-VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value BerkeleyAdmin-clientvpn

myberkeley.local value by default-field

internal GroupPolicy_23.101.x.122 group strategy

attributes of Group Policy GroupPolicy_23.101.x.122

VPN-tunnel-Protocol ikev1, ikev2

internal GroupPolicy1 group strategy

attributes of Group Policy GroupPolicy1

VPN-tunnel-Protocol ikev1, ikev2

internal BerkeleyUser group strategy

attributes of Group Policy BerkeleyUser

value of 10.5.21.1 DNS server 10.5.16.1

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value BerkeleyUser-clientvpn

myberkeley.local value by default-field

internal DS365 group policy

<--- more="" ---="">

DS365 group policy attributes

VPN-idle-timeout no

VPN-filter no

IPv6-vpn-filter no

VPN-tunnel-Protocol ikev1, ikev2

internal BerkeleyAdmin group strategy

attributes of Group Policy BerkeleyAdmin

value of 10.5.21.1 DNS server 10.5.16.1

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value BerkeleyAdmin-clientvpn

myberkeley.local value by default-field

acsadmin encrypted V6hUzNl366K37eiV privilege 15 password username

atlanta uxelpvEvM3I7tw.Z encrypted privilege 15 password username

username of berkeley Kj.RBvUp5dtyLw5T encrypted password

type tunnel-group BerkeleyUser remote access

attributes global-tunnel-group BerkeleyUser

address clientvpn pool

authentication-server-group

Group Policy - by default-BerkeleyUser

IPSec-attributes tunnel-group BerkeleyUser

IKEv1 pre-shared-key *.

type tunnel-group BerkeleyAdmin remote access

attributes global-tunnel-group BerkeleyAdmin

address clientvpn pool

<--- more="" ---="">

authentication-server-group

Group Policy - by default-BerkeleyAdmin

IPSec-attributes tunnel-group BerkeleyAdmin

IKEv1 pre-shared-key *.

type tunnel-group user remote access

tunnel-group user General attributes

address pool VPN_IP_Pool

authentication-server-group

Group Policy - by default-GroupPolicy_user

tunnel-group user webvpn-attributes

enable-alias of user group

type tunnel-group c2si remote access

tunnel-group c2si-global attributes

address pool VPN_IP_Pool

authentication-server-group

Group Policy - by default-GroupPolicy_c2si

tunnel-group c2si webvpn-attributes

Group-alias c2si enable

tunnel-group 83.x.172.68 type ipsec-l2l

tunnel-group 83.x.172.68 General-attributes

Group - default policy - GroupPolicy_83.x.172.68

83.x.172.68 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

<--- more="" ---="">

pre-shared-key authentication local IKEv2 *.

tunnel-group 23.101.x.122 type ipsec-l2l

tunnel-group 23.101.x.122 General-attributes

Group - default policy - GroupPolicy_23.101.x.122

23.101.x.122 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

tunnel-group 91.x.3.39 type ipsec-l2l

tunnel-group 91.x.3.39 general-attributes

Group - default policy - GroupPolicy_91.x.3.39

91.x.3.39 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

tunnel-group 23.100.x.177 type ipsec-l2l

tunnel-group 23.100.x.177 General-attributes

Group - default policy - GroupPolicy_23.100.63.177

23.100.x.177 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

class-map state_bypass

corresponds to the state_bypass access list

Policy-map state_bypass_policy

class state_bypass

set the advanced options of the tcp-State-bypass connection

service-policy state_bypass_policy to the inside interface

context of prompt hostname

anonymous reporting remote call

Cryptochecksum:bbc6f2ec2db9b09a1b6eb90270ddfeea

: end

PTB-ch-asa5505 #.

Ah OK I see now.

Your cryptomap for the cloud of DS365 is:

access extensive list 10.5.0.0 ip outside_cryptomap_2 255.255.0.0 allow object DS365-Cloud

so, which covers interesting traffic.

However, your NAT statement is:

NAT (inside, outside) static source NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 static destination DS365-DS365-cloud no-proxy-arp-route search

Network 10.5.25.0 is remote, then it will actually appear to be an "outside" network so I think you need this statement to begin "nat (outside, outside).

ASA 8.4 (1) source-nat over vpn site-to-site

I'm setting up a tunnel vpn site-to-site and require nat for the local and remote side. The remote side will be nat to

10.2.255.128/25 on their face before they reach our network, so I have to only source-nat our servers via the tunnel to them. Should I just do the static NAT, then let the whole subnet through the acl of valuable traffic as the config below? I don't think I should use twice a nat because I'm not trying to make the destination nat on the firewall. Servers with us will 10.2.255.128/25 and I would like to preserve it through the ASA.

network of the ServerA object

host 10.1.0.1

NAT 10.2.255.1 static (inside, outside)

network of the object server b

host 10.1.0.2

NAT 10.2.255.2 static (inside, outside)

the object server c network

host 10.1.0.3

NAT 10.2.255.3 static (inside, outside)

the LOCAL_SUBNET object-group network

object-network 10.2.255.0 255.255.255.128

the REMOTE_SUBNET object-group network

object-network 10.2.255.128 255.255.255.128

VPN_ACL list extended access permitted ip object-group LOCAL_SUBNET-group of objects REMOTE_SUBNET

Thank you

Your configuration is correct, but I have a few comments. Remember that NAT occurs before the delivery of your servers will be translated into 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption field is correct.

Is your internet firewall as well? What your servers out of the internet? They will be translated to 10.2.255.2 and 10.2.255.3 and who will fail in internet routing is. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:

network of the ServerA_NAT object

Home 10.2.255.1

NAT static ServerA ServerA_NAT destination (indoor, outdoor) static source REMOTE_SUBNET REMOTE_SUBNET

This will use destination basic NAT for traffic VPN and NAT everything to a public IP address for the internet traffic. Of course, if this is not your internet connection firewall can do abstraction.

NAT IPSEC site to site VPN ASA 8.4

My goal is to create a VPN to me (61.227.106.64) to a seller (9.105.8.204) using an ASA 5510 with 8.4 on it. Local private networks of the seller is 10.134.115.0/24 and 10.135.115.0/24. My private LAN is 10.11.102.0/24 but I want NAT it to 61.227.106.70.

The following configuration is correct?

ASA Version 8.4 (2)

interface Ethernet0/0

nameif LAN

security-level 0

IP 10.241.1.61 255.255.255.0

!

interface Ethernet0/1

nameif WAN

security-level 0

IP 61.227.106.64 255.255.255.0

!

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network of the CareOneTSFarm object

10.11.102.0 subnet 255.255.255.0

network of the Core_NAT object

Home 61.227.106.70

network of the NAT_to_outside object

subnet 0.0.0.0 0.0.0.0

the Core_LAN object-group network

object-network 10.134.115.0 255.255.255.0

object-network 10.135.115.0 255.255.255.0

VPNCore list extended access permitted ip object CareOneTSFarm object-group Core_LAN

public static CareOneTSFarm Core_NAT destination NAT (LAN, WAN) static source Core_LAN Core_LAN

!

network of the NAT_to_outside object

dynamic interface of NAT (LAN, WAN)

Route WAN 0.0.0.0 0.0.0.0 61.227.106.1 1

Route LAN 10.11.0.0 255.255.0.0 10.241.1.1 1

Crypto ipsec transform-set esp-aes-256 AES256_SHA, esp-sha-hmac ikev1

3600 seconds, duration of life crypto ipsec security association

card crypto VPN 50 corresponds to the address VPNCore

card crypto VPN 50 set peer 9.105.8.204

card crypto VPN 50 set transform-set AES256_SHA ikev1

IKEv1 crypto policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

card crypto VPN WAN interface

tunnel-group 9.105.8.204 type ipsec-l2l

IPSec-attributes tunnel-Group 9.105.8.204

IKEv1 pre-shared-key *.

This NAT line:

public static CareOneTSFarm Core_NAT destination NAT (LAN, WAN) static source Core_LAN Core_LAN

must be:

destination NAT (LAN, WAN) CareOneTSFarm Core_NAT Core_LAN Core_LAN static dynamic source

And the ACL VPNCore must correspond to the NATed IP instead of the real IP:

VPNCore list extended access permitted ip object Core_NAT object-group Core_LAN

I can NAT before the VPN Tunnel?

Hello

I want to add servers in a configuration in ipsec tunnel site to another for transportation.

However, I have to NAT these machines for the presentation of the other side.

For a Cisco 1760 (vpn termination point) running on 12.3 code, is it possible?

If it's possible, could I get a link to a config? Or maybe an excerpt here?

We use two interfaces ethernet for this:

Ethernet1/0 is inside

ethernet0/0 is outside

Can't seem to find any documentation for it.

Thank you

Paul

It is "NAT order of operation" used by Cisco devices, it seems that NAT is anyway before the crypto control

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Concerning

Farrukh

VPN - ASA 5510 L2L: internal error...

Hello

I'm trying to connect an astaro by l2l - vpn firewall to an asa5510.

I still have the following message.

Who is wrong? (checked the settings already)

Concerning

Marc

ASA % ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, memory previously allocated release for authorization-dn-attributes

ASA % ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

ASA % ASA-5-713904: Group = x.x.x.x, IP = x.x.x.x, IPSec security association proposals found unacceptable.

ASA % ASA-3-713902: Group = x.x.x.x IP x.x.x.x, QM WSF error = (P2 struct & 0x7bc32f0, mess id 0xc5da78b7).

ASA % ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, removing counterpart of correlator table failed, no match!

ASA % ASA-3-713231: Group = x.x.x.x, IP = x.x.x.x, Internal Error, ike_lock try to unlock the little that it is not locked for type SA_LOCK_P1_SA_CREATE

ASA % ASA-3-713232: Group = x.x.x.x, IP = x.x.x.x, ITS lock refCnt = 0, the bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 1, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

ASA % ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, removing counterpart of correlator table failed, no match!

ASA % ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

Thanks Marc.

Eric

214.298.7610

Policy NAT for VPN L2L

Summary:

We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

Here is the config:

# #List of OUR guests

the OURHosts object-group network

network-host 192.168.x.y object

# Hosts PARTNER #List

the PARTNERHosts object-group network

network-host 10.2.a.b object

###ACL for NAT

# Many - to - many outgoing

access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

# One - to - many incoming

VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

# #NAT

NAT (INSIDE) 2-list of access NAT2

NAT (OUTSIDE) 2 172.20.n.0

NAT (INSIDE) 3 access-list VIH3

NAT (OUTSIDE) 3 172.20.n.1

# #ACL for VPN

access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

# #Tunnel

tunnel-group type ipsec-l2l

card <#>crypto is the VPN address

card crypto <#>the value transform-set VPN

card <#>crypto defined peer

I realize that the ACL for the VPN should read:

access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

Thanks in advance.

Patrick

Here is the order of operations for NAT on the firewall:

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

If you can try

(1) a static NAT with an access list that will have priority on instruction of dynamic NAT

(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

Jon

ASA L2L filter-VPN Tunnels

I need help to understand how the vpn-filter command is applied to the traffic tunnel. Until very recently, I was under the command of printing the vpn-filter (applied in Group Policy) provided an access control incoming (outside to inside) for VPN traffic after decryption. Recently I change any of my VPN connections (add a phase access list entry 2) which causes questioning me how the vpn-filter.

Example-

original vpn connection - my side hosted the server and the clients were on the other side. My vpn-filter rule has allowed customers to come to my server.

more - (above the original setting still in place) - the other side is now hosting a server and on my side has clients.

Without any changes to vpn-filter, I have lived: phase 2 built tunnel but no packet encryption or decryption and no error in syslog.

Using packet - trace, I discovered a list of access (vpn-user subtype) blocked access. "vpn-user" must be a Cisco term because it is not in my config. I added an entry to my vpn-filter acl allowing their server to talk to my clients. Adding to the vpn-filter enabled that the tunnel started working.

I would have thought

vpn-filter acl was dynamic and not required an entry

or

the without the vpn-filter acl, the phase would have shown his encryption/decryption and perhaps an acl deny message in the system log. Basically, the traffic is encrypted, returns server, decrypted and then dropped access policy.

Have a further explanation or documentation?

Thank you

Rick

Rick,

The problem is that the ACL applied through the vpn-filter is not dynamic.

A vpn-filter command applies to traffic after decrypted once it comes out a tunnel and the previously encrypted traffic before entering a tunnel. An ACL that is used for a vpn-filter should NOT also be used to access interface group. When a vpn-filter command is applied to a group policy which governs customer connections access remote VPN, the ACL must be configured with the assigned client IP addresses in the position of src_ip of the ACL and the LAN in the position of dest_ip of the ACL.

When a vpn-filter command is applied to a political group that governs a connection VPN from LAN to LAN, the ACL must be configured with the remote network in the position of src_ip of the ACL and the LAN in the position of dest_ip of the ACL.

Caution when the construction of the ACL for use with the vpn-filter feature. The ACL are built with traffic after decrypted in mind. However, ACL also apply to the oncoming traffic. For this previously encrypted traffic that is intended for the tunnel, the ACL are built with exchanged src_ip and dest_ip positions.

More information here:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_groups.html

It will be useful.

Federico.

NAT before VPN - ASA L2L 8.3?

Similar Questions

Maybe you are looking for