NAT inside Site to Site VPN

Hi all

How can I get NAT my internal to the range of IP addresses different before reaching destination LAN network

Hello

No, you no longer have need of NAT0 and actully, it is mandatory to remove it as NAT0 prevails over the other statements of NAT.

You should translate all subnet to a single IP address in NAT rules-based help

NAT (inside) 10-list of access VPN - NAT

overall 10 172.16.20.1 (outside)

access VPN - NAT ip 192.168.10.0 list allow 255.255.255.255 192.50.100.32 255.255.255.240

The card crypto access list:

host ip 172.16.20.1 allowed VPN access list 192.50.100.32 255.255.255.240

To check the NAT:

SH xlate

To test the complete configuration use the command "packet - trace", which generates a bunch of fake with the features you want and spends the entire process internal SAA and shows you the result.

Please rate if this helped.

Kind regards

Daniel

Tags: Cisco Security

Similar Questions

CLIENT-TO-SITE VPN

Hi all

I need a big favor, I configured a cisco 1841 for a VPN Client-to-site, but I can't get a connection with a client of Linux (Ubuntu). I don't understand where is the problem if on the router or the customer. Now I have reported setting up, is there anybody can check whether or not it is fair? Thank you very much for your support.

The plan of the network is the following

REMOTE LAN (192.168.1.0/24) <->ROUTER-A (X.X.X.X) <->VPN <->SOHO NETWORKING <->CLIENT UBUNTU (192.168.2.1/24)

and the Conference is the following

username username password 0 USER12345

!

crypto ISAKMP policy 3

BA 3des-md5 hash

preshared authentication

Group 2

!

ISAKMP crypto client configuration group to remote vpn client

banner ^ C * you are connected to the IOS router with VPN Client-to-Site * ^ C

key 54321

netmask 255.255.255.0

masociete.com field

remote control-vpn-pool

10 Max-users

Max-connections 10

ACL 150

!

Crypto ipsec transform-set VPN - SET esp-3des esp-md5-hmac

!

Crypto-map dynamic dynmap 10

Description * Client to users VPN Site *.

transformation-VPN-SET game

market arriere-route

!

map clientmap 65535-isakmp ipsec crypto dynamic dynmap

!

interface FastEthernet0/0

Description * ROUTER - has--> LAN *.

IP 192.168.1.254 255.255.255.0

IP nat inside

IP virtual-reassembly

automatic duplex

automatic speed

No keepalive

!

interface Serial0/0/0

no ip address

frame relay IETF encapsulation

event logging subif-link-status

dlci-change of status event logging

IP access-group 103 to

load-interval 30

no fair queue

frame-relay lmi-type ansi

!

point-to-point interface Serial0/0/0.1

Description * ROUTER - has--> WAN *.

address IP X.X.X.X 255.255.255.252

NAT outside IP

IP virtual-reassembly

SNMP trap-the link status

No cdp enable

No frame relay frames arp

interface-dlci 100 IETF

clientmap card crypto

!

Local IP 192.168.1.1 to remote vpn-pool pool 192.168.1.10

!

IP route 0.0.0.0 0.0.0.0 Serial0/0/0.1

!

IP nat inside source map route VPN - NAT interface overloading Serial0/0/0.1

!

Access-list 100 * ACL NAT note *.

access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 10.10.10.0 0.0.0.255 any

!

Note access-list 103 * OPEN THE PORTS for SSH/TELNET SERVICES ON THE ROUTER *.

access list 103 permit tcp any any eq 22

access list 103 permit tcp any any eq telnet

access list 103 permit tcp any any eq 443

Note access-list 103 *.

Note access-list 103 * CLOSE THE PORTS to BLOCK THE REST OF THE ACCESS *.

access-list 103 deny ip any any newspaper

Note access-list 103 *.

!

Note access-list 150 * ACL VPN SITE-to-SITE *.

access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

Note access-list 150 *.

!

route VPN - NAT allowed 10 map

corresponds to the IP 100

I think that the configuration is correct, but there is no need to specify a subnet mask to "crypto isakmp configuration group to remote vpn client." customer In addition, you must change your 103 ACL. Add the following statements before refusing:

permit udp and host X.X.X.X eq 500

permit udp and host X.X.X.X eq 4500

esp permits and host X.X.X.X

---

HTH. Please rate this post if this has been helpful. If it solves your problem, please mark this message as "right answer".

NAT Ports inaccessible over the site to site VPN

We have a series of 2900 SRI at HQ and several of Cisco WRVS4400N VPN routers to small branch offices. The branch offices are connected to HQ via IPSec site-to-site. Everything seems to work fine, except users in the box executive offices not access all the services on servers HQ where the port was NAT'd to the outside. For example, we organize Office services remotely via https, port 443 is NAT made appeal to the outside, but users in the branch offices cannot access this port. They receive a time-out error. I tried searching but all I can find is info on crossing IPSec NAT. thank you...

With this config-NAT, your router ensures that the internal server has to be accessible by the public IP address. You can add a roadmap to your NAT static entry exempt of NAT VPN traffic. Which might look like the following:
```
ip nat inside source static tcp 10.0.0.11 443 xxx.xxx.xxx.165 443 route-map SERVER-NAT extendable!ip access-list extended SERVER-NAT-ACL deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 permit ip any any!route-map SERVER-NAT permit 10 match ip address SERVER-NAT-ACL
```

NAT-XLATE-FAILURE on the VPN from Site to site connection.

I had configured a VPN of Site to new site on my network, once I created Tunnel appears, but there is no traffic when I made trace packet its gave me error "(NAT-XLATE-FAILED), NAT has failed."

Here is the configuration runing.

ASA 9.1 Version 2
!
ciscoasa hostname
activate 2KFQnbNIdI.2KYOU encrypted password
names of
IP local pool kecdr 10.100.1.1 - 10.100.1.50 mask 255.255.255.0
local pool KECVPN 10.2.1.200 - 10.2.1.225 255.255.255.0 IP mask
!
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 168.187.199.66 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
10.2.1.1 IP address 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 10.60.1.2 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
management of the DNS domain-lookup service
DNS server-group DefaultDNS
Name-Server 8.8.8.8
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_10.100.1.0_26 object
255.255.255.192 subnet 10.100.1.0
network of the NETWORK_OBJ_10.2.1.192_26 object
255.255.255.192 subnet 10.2.1.192
network of the NETWORK_OBJ_10.13.0.0 object
Home 10.13.0.0
network of the NETWORK_OBJ_10.2.0.0 object
host 10.2.0.0
network of the NETWORK_OBJ_10.3.0.0 object
Home 10.3.0.0
the DM_INLINE_NETWORK_1 object-group network
host object-network 10.2.0.0
object-network 10.60.1.0 255.255.255.0
inside_access_in list extended access permitted ip any4 any4
inside_access_in list of allowed ip extended access all 10.60.1.0 255.255.255.0
outside_access_in list extended access permitted ip any4 any4
allow global_access to access extensive ip list a whole
DMZ_access_in of access allowed any ip an extended list
DMZ_access_in list extended access permit ip any interface inside
outside_cryptomap list extended access allowed host ip DM_INLINE_NETWORK_1 10.3.0.0 object-group
permit access ip host 10.2.0.0 extended list outside_cryptomap_1 10.11.0.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
MTU 1500 DMZ
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow any response echo inside
ICMP allow any echo inside
ICMP allow all DMZ
ICMP allow any echo DMZ
ICMP allow any response to echo DMZ
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.2.1.192_26 NETWORK_OBJ_10.2.1.192_26 non-proxy-arp-search to itinerary
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.100.1.0_26 NETWORK_OBJ_10.100.1.0_26 non-proxy-arp-search to itinerary
NAT (inside DMZ) static source a whole
NAT (inside, outside) static source NETWORK_OBJ_10.2.0.0 NETWORK_OBJ_10.2.0.0 NETWORK_OBJ_10.13.0.0 NETWORK_OBJ_10.13.0.0 non-proxy-arp-search of route static destination
NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_10.3.0.0 NETWORK_OBJ_10.3.0.0 non-proxy-arp-search of route static destination
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Access-group DMZ_access_in in DMZ interface
Access-Group global global_access
Route outside 0.0.0.0 0.0.0.0 168.187.199.65 1
Route DMZ 10.1.0.0 255.255.0.0 10.60.1.1 1
Route DMZ 10.2.0.0 255.255.0.0 10.60.1.1 1
Route DMZ 10.60.0.0 255.255.0.0 10.60.1.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 196.219.202.197
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 2 match address outside_cryptomap_1
peer set card crypto outside_map 2 185.52.118.67
card crypto outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet 0.0.0.0 0.0.0.0 outdoors
Telnet 10.0.0.0 255.0.0.0 inside
Telnet 10.2.0.0 255.255.0.0 inside
Telnet 10.1.0.0 255.255.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 10.0.0.0 255.0.0.0 inside
SSH 10.2.0.0 255.255.0.0 inside
SSH 10.1.0.0 255.255.0.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
internal GroupPolicy_185.52.118.67 group strategy
attributes of Group Policy GroupPolicy_185.52.118.67
Ikev1 VPN-tunnel-Protocol
internal GroupPolicy_196.219.202.197 group strategy
attributes of Group Policy GroupPolicy_196.219.202.197
Ikev1 VPN-tunnel-Protocol
internal kecdr group policy
attributes of the strategy of group kecdr
value of server DNS 8.8.8.8
Ikev1 VPN-tunnel-Protocol
internal KECCISCO group policy
KECCISCO group policy attributes
value of server DNS 8.8.8.8
Ikev1 VPN-tunnel-Protocol
internal KECVPN group policy
KECVPN group policy attributes
value of server DNS 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
cisco 3USUcOPFUiMCO4Jk encrypted password username
username privilege 15 encrypted password 3ofqMXhysxFRHhoQ keccisco
type tunnel-group kecdr remote access
tunnel-group kecdr General-attributes
address kecdr pool
Group Policy - by default-kecdr
kecdr group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group KECVPN remote access
attributes global-tunnel-group KECVPN
address kecdr pool
Group Policy - by default-KECVPN
IPSec-attributes tunnel-group KECVPN
IKEv1 pre-shared-key *.
type tunnel-group KECCISCO remote access
attributes global-tunnel-group KECCISCO
address KECVPN pool
Group Policy - by default-KECCISCO
IPSec-attributes tunnel-group KECCISCO
IKEv1 pre-shared-key *.
tunnel-group 196.219.202.197 type ipsec-l2l
tunnel-group 196.219.202.197 General-attributes
Group - default policy - GroupPolicy_196.219.202.197
IPSec-attributes tunnel-group 196.219.202.197
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
tunnel-group 185.52.118.67 type ipsec-l2l
tunnel-group 185.52.118.67 General-attributes
Group - default policy - GroupPolicy_185.52.118.67
IPSec-attributes tunnel-group 185.52.118.67
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
HPM topN enable
Cryptochecksum:8156993fef96da73dedfaacd7a14e767
: end

My local IP address: 10.2.X.X

My remote IP address: 10.3.X.X

Can anyone support me for the error

Hello

Your self after dynamic PAT takes the static NAT...

NAT source auto after (indoor, outdoor) dynamic one interface

You must reconfigure you NAT or PAT rule defined in your firewall.

no nat source auto after (indoor, outdoor) dynamic one interface

network local-lan-pat1 object

10.2.0.0 subnet 255.255.255.0

NAT dynamic interface (indoor, outdoor)

!

network local-lan-pat2 object

10.60.1.0 subnet 255.255.255.0

NAT dynamic interface (indoor, outdoor)

!

no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_10.3.0.0 NETWORK_OBJ_10.3.0.0 non-proxy-arp-search of route static destination
!

outside_cryptomap to access extended list ip 10.2.0.0 allow 255.255.255.0 host 10.3.0.0 255.255.255.0

No list of extended outside_cryptomap access not allowed host ip DM_INLINE_NETWORK_1 10.3.0.0 object-group

!

We hope that you do this between subnets... not for the host at the other end.

Concerning

Knockaert

NAT and Site to site VPN

Hi all

We currently have a PIX in our local network. There is a Site to site VPN tunnel between this PIX and another network abroad.

We have several networks in our local network.

The VPN tunnel is on a single network: 192.50.175.0 / 24.

and the network of the other site is:

192.100.24.0 21

Part of the configuration:

inside_nat0_outbound ip 192.50.175.0 access list allow 255.255.255.0 192.100.24.0 255.255.248.0

NAT (inside) 0-list of access inside_nat0_outbound

As I said before, we have several networks.

In particular, we have 192.50.160.0/24 too.

And we would like that this network can use the VPN tunnel also.

But the other site does not want to carry our another network in their LAN.

They suggest we 192.50.160.0 NAT / 24 to an IP address on the 192.50.175.0 / 24, users in a network 192.50.160.0 / 24 can also use the VPN tunnel.

Do you know if it is possible to do it with my PIX? And how?

It's a PIX-515-DMZ, v6.3 (5).

Any help would be appreciated!

Thank you

Good point. You can be good then.

Site to SIte VPN through a NAT device

I have, I am having trouble running a vpn site-to site between two 3725 routers running c3725-advsecurityk9-mz124 - 15 T 1, that I hope I can get some help with, I am probably missing something here. The VPN ran very well when both VPN routers were connected directly to the internet and had on WAN interfaces public IP addresses, but I had to move one of the firewall inside on a private IP address. Installation is now as below

Router VPN one (192.168.248.253) - internal company network - Fortigate FW - internet-(217.155.113.179) router VPN B

The fortigate FW is doing some translations address
-traffic between 192.168.248.253 and 217.155.113.179 has its source in 37.205.62.5
-traffic between 217.155.113.179 and 37.205.62.5 has its destination translated to 192.168.248.253
-Firewall rules allow all traffic between the 2 devices, no port locking enabled.

-The 37.205.62.5 address is used by anything else.

I basically have a GRE tunnel between two routers, and I'm trying to encrypt it.

The router shows below

Card crypto SERVER-RTR #show
"S2S_VPN" 10 ipsec-isakmp crypto map
Peer = 217.155.113.179
Expand the access IP 101 list
access-list 101 permit gre 192.168.248.253 host 217.155.113.179
Current counterpart: 217.155.113.179
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
STRONG,
}
Interfaces using crypto card S2S_VPN:
FastEthernet0/1

SERVER-RTR #show crypto sessio
Current state of the session crypto

Interface: FastEthernet0/1
The session state: down
Peer: 217.155.113.179 port 500
FLOW IPSEC: allowed 47 192.168.248.253 host 217.155.113.179
Active sAs: 0, origin: card crypto

Interface: FastEthernet0/1
The session state: IDLE-UP
Peer: 217.155.113.179 port 4500
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 inactive
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 inactive

Router B shows below

Card crypto BSU - RTR #show
"S2S_VPN" 10 ipsec-isakmp crypto map
Peer = 37.205.62.5
Expand the access IP 101 list
access-list 101 permit gre 217.155.113.179 host 37.205.62.5
Current counterpart: 37.205.62.5
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
STRONG,
}
Interfaces using crypto card S2S_VPN:
FastEthernet0/1

BSU - RTR #show sess crypto
Current state of the session crypto

Interface: FastEthernet0/1
The session state: down
Peer: 37.205.62.5 port 500
FLOW IPSEC: allowed 47 217.155.113.179 host 37.205.62.5
Active sAs: 0, origin: card crypto

Interface: FastEthernet0/1
The session state: IDLE-UP
Peer: 37.205.62.5 port 4500
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 inactive
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 inactive

I can see counters incrementing on the ACL on both routers, so I don't know the traffic free WILL is interesting.

Here are a few debugs too
--------------
Router

Debug crypto ISAKMP

* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 940426884
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 1837874301
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node-475409474
* 23:07:20.794 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet dport 500 sport 500 SA NEW Global (N)
* 23:07:20.794 Mar 2: ISAKMP: created a struct peer 217.155.113.179, peer port 500
* 23:07:20.794 Mar 2: ISAKMP: new position created post = 0x64960C04 peer_handle = 0x80000F0E
* 23:07:20.794 Mar 2: ISAKMP: lock struct 0x64960C04, refcount 1 to peer crypto_isakmp_process_block
* 23:07:20.794 Mar 2: ISAKMP: 500 local port, remote port 500
* 23:07:20.794 Mar 2: ISAKMP: find a dup her to the tree during the isadb_insert his 6464D3F0 = call BVA
* 23:07:20.794 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.794 Mar 2: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

* 2 Mar 23:07:20.794: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 2 Mar 23:07:20.794: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.794: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
* 23:07:20.798 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
* 2 Mar 23:07:20.798: ISAKMP: (0): pre-shared key local found
* 23:07:20.798 Mar 2: ISAKMP: analysis of the profiles for xauth...
* 23:07:20.798 Mar 2: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
* 23:07:20.798 Mar 2: ISAKMP: DES-CBC encryption
* 23:07:20.798 Mar 2: ISAKMP: SHA hash
* 23:07:20.798 Mar 2: ISAKMP: default group 1
* 23:07:20.798 Mar 2: ISAKMP: pre-shared key auth
* 23:07:20.798 Mar 2: ISAKMP: type of life in seconds
* 23:07:20.798 Mar 2: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
* 23:07:20.798 Mar 2: ISAKMP: (0): atts are acceptable. Next payload is 0
* 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts: real life: 0
* 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts:life: 0
* 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his vpi_length:4
* 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his life_in_seconds:86400
* 23:07:20.798 Mar 2: ISAKMP: (0): return real life: 86400
* 23:07:20.798 Mar 2: ISAKMP: (0): timer life Started: 86400.

* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
* 23:07:20.798 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.798 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

* 2 Mar 23:07:20.802: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 2 Mar 23:07:20.802: ISAKMP: (0): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
* 23:07:20.802 Mar 2: ISAKMP: (0): sending a packet IPv4 IKE.
* 23:07:20.802 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.802 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

* 23:07:20.822 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet 500 Global 500 (R) sport dport MM_SA_SETUP
* 23:07:20.822 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.822 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

* 2 Mar 23:07:20.822: ISAKMP: (0): processing KE payload. Message ID = 0
* 2 Mar 23:07:20.850: ISAKMP: (0): processing NONCE payload. Message ID = 0
* 23:07:20.854 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is the unit
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is DPD
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): addressing another box of IOS!
* 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
* 23:07:20.854 Mar 2: ISAKMP (0:1027): NAT found, the node inside the NAT
* 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
* 23:07:20.854 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.854 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM3

* 2 Mar 23:07:20.854: ISAKMP: (1027): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
* 23:07:20.854 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.858 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.858 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM4

* 23:07:20.898 Mar 2: ISAKMP: (1024): serving SA., his is 64D5723C, delme is 64D5723C
* 23:07:20.902 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
* 23:07:20.902 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.902 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM4 = IKE_R_MM5

* 2 Mar 23:07:20.902: ISAKMP: (1027): payload ID for treatment. Message ID = 0
* 23:07:20.902 Mar 2: ISAKMP (0:1027): payload ID
next payload: 8
type: 1
address: 217.155.113.179
Protocol: 17
Port: 0
Length: 12
* 2 Mar 23:07:20.902: ISAKMP: (0): peer games * no * profiles
* 2 Mar 23:07:20.906: ISAKMP: (1027): HASH payload processing. Message ID = 0
* 2 Mar 23:07:20.906: ISAKMP: (1027): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID = 0, a = 6464D3F0
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
authenticated
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA has been authenticated with 217.155.113.179
* 23:07:20.906 Mar 2: ISAKMP: (1027): port detected floating port = 4500
* 23:07:20.906 Mar 2: ISAKMP: try to find found and existing peer 192.168.248.253/217.155.113.179/4500/ peer 648EAD00 to reuse existing, free 64960 04
* 23:07:20.906 Mar 2: ISAKMP: Unlocking counterpart struct 0x64960C04 Reuse existing peer count 0
* 23:07:20.906 Mar 2: ISAKMP: delete peer node by peer_reap for 217.155.113.179: 64960 04
* 23:07:20.906 Mar 2: ISAKMP: lock struct 0x648EAD00, refcount 2 for peer peer reuse existing
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
authenticated
* 2 Mar 23:07:20.906: ISAKMP: (1027): process of first contact.
lowering existing phase 1 and 2 with local 192.168.248.253 217.155.113.179 remote remote port 4500
* 23:07:20.906 Mar 2: ISAKMP: (1026): received first contact, delete SA
* 23:07:20.906 Mar 2: ISAKMP: (1026): peer does not paranoid KeepAlive.

* 23:07:20.906 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
* 23:07:20.906 Mar 2: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.
* 23:07:20.906 Mar 2: ISAKMP: (1027): UDP ENC parameter counterpart struct 0x0 his = 0x6464D3F0
* 23:07:20.906 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.906 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_R_MM5

* 23:07:20.910 Mar 2: ISAKMP: node set-98987637 to QM_IDLE
* 2 Mar 23:07:20.910: ISAKMP: (1026): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:20.910 Mar 2: ISAKMP: (1026): sending a packet IPv4 IKE.
* 23:07:20.910 Mar 2: ISAKMP: (1026): purge the node-98987637
* 23:07:20.910 Mar 2: ISAKMP: (1026): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 23:07:20.910 Mar 2: ISAKMP: (1026): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

* 23:07:20.910 Mar 2: ISAKMP: (1027): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
* 23:07:20.910 Mar 2: ISAKMP (0:1027): payload ID
next payload: 8
type: 1
address: 192.168.248.253
Protocol: 17
Port: 0
Length: 12
* 23:07:20.910 Mar 2: ISAKMP: (1027): the total payload length: 12
* 2 Mar 23:07:20.914: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
* 23:07:20.914 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

* 23:07:20.914 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
* 23:07:20.914 Mar 2: ISAKMP: Unlocking counterpart struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
* 23:07:20.914 Mar 2: ISAKMP: (1026): error suppression node 334747020 FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): node-1580729900 error suppression FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): node-893929227 error suppression FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.914 Mar 2: ISAKMP: (1026): former State = new State IKE_DEST_SA = IKE_DEST_SA

* 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 23:07:20.930 Mar 2: ISAKMP (0:1026): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_NO_STATE sport
* 23:07:20.934 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
* 23:07:20.934 Mar 2: ISAKMP: node set 1860263019 to QM_IDLE
* 2 Mar 23:07:20.934: ISAKMP: (1027): HASH payload processing. Message ID = 1860263019
* 2 Mar 23:07:20.934: ISAKMP: (1027): treatment ITS payload. Message ID = 1860263019
* 23:07:20.934 Mar 2: ISAKMP: (1027): proposal of IPSec checking 1
* 23:07:20.934 Mar 2: ISAKMP: turn 1, ESP_AES
* 23:07:20.934 Mar 2: ISAKMP: attributes of transformation:
* 23:07:20.934 Mar 2: ISAKMP: program is 3 (Tunnel-UDP)
* 23:07:20.934 Mar 2: ISAKMP: type of life in seconds
* 23:07:20.934 Mar 2: ISAKMP: life of HIS (basic) 3600
* 23:07:20.934 Mar 2: ISAKMP: type of life in kilobytes
* 23:07:20.934 Mar 2: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
* 23:07:20.934 Mar 2: ISAKMP: key length is 128
* 23:07:20.934 Mar 2: ISAKMP: (1027): atts are acceptable.
* 2 Mar 23:07:20.934: ISAKMP: (1027): IPSec policy invalidated proposal with error 32
* 2 Mar 23:07:20.934: ISAKMP: (1027): politics of ITS phase 2 is not acceptable! (local 192.168.248.253 remote 217.155.113.179)
* 23:07:20.938 Mar 2: ISAKMP: node set 1961554007 to QM_IDLE
* 23:07:20.938 Mar 2: ISAKMP: (1027): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 1688526152, message ID = 1961554007
* 2 Mar 23:07:20.938: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:20.938 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.938 Mar 2: ISAKMP: (1027): purge the node 1961554007
* 23:07:20.938 Mar 2: ISAKMP: (1027): error suppression node 1860263019 REAL reason "QM rejected."
* 23:07:20.938 Mar 2: ISAKMP: (1027): entrance, node 1860263019 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
* 23:07:20.938 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_READY
* 23:07:24.510 Mar 2: ISAKMP: set new node 0 to QM_IDLE
* 2 Mar 23:07:24.510: ITS a exceptional applications (100.100.213.56 local port 4500, 100.100.213.84 remote port 4500)
* 2 Mar 23:07:24.510: ISAKMP: (1027): sitting IDLE. From QM immediately (QM_IDLE)
* 23:07:24.510 Mar 2: ISAKMP: (1027): start Quick Mode Exchange, M - ID 670698820
* 23:07:24.510 Mar 2: ISAKMP: (1027): initiator QM gets spi
* 2 Mar 23:07:24.510: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:24.510 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:24.514 Mar 2: ISAKMP: (1027): entrance, node 670698820 = IKE_MESG_INTERNAL, IKE_INIT_QM
* 23:07:24.514 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_I_QM1
* 23:07:24.530 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
* 23:07:24.534 Mar 2: ISAKMP: node set 1318257670 to QM_IDLE
* 2 Mar 23:07:24.534: ISAKMP: (1027): HASH payload processing. Message ID = 1318257670
* 2 Mar 23:07:24.534: ISAKMP: (1027): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 3268378219, message ID = 1318257670, a = 6464D3F0
* 2 Mar 23:07:24.534: ISAKMP: (1027): removal of spi 3268378219 message ID = 670698820
* 23:07:24.534 Mar 2: ISAKMP: (1027): node 670698820 REAL reason error suppression "remove larval.
* 23:07:24.534 Mar 2: ISAKMP: (1027): error suppression node 1318257670 FALSE reason 'informational (en) State 1.
* 23:07:24.534 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
* 23:07:24.534 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-238086324
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-1899972726
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-321906720

Router B
----------
Debug crypto ISAKMP

1d23h: ISAKMP: (0): profile of THE request is (NULL)
1d23h: ISAKMP: created a struct peer 37.205.62.5, peer port 500
1d23h: ISAKMP: new position created post = 0x652C3B54 peer_handle = 0x80000D8C
1d23h: ISAKMP: lock struct 0x652C3B54, refcount 1 to peer isakmp_initiator
1d23h: ISAKMP: 500 local port, remote port 500
1d23h: ISAKMP: set new node 0 to QM_IDLE
1d23h: ISAKMP: find a dup her to the tree during the isadb_insert his 652CBDC4 = call BVA
1d23h: ISAKMP: (0): cannot start aggressive mode, try the main mode.
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
1d23h: ISAKMP: (0): built the seller-07 ID NAT - t
1d23h: ISAKMP: (0): built of NAT - T of the seller-03 ID
1d23h: ISAKMP: (0): built the seller-02 ID NAT - t
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1d23h: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

1d23h: ISAKMP: (0): Beginner Main Mode Exchange
1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_NO_STATE
1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_NO_STATE
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

1d23h: ISAKMP: (0): treatment ITS payload. Message ID = 0
1d23h: ISAKMP: (0): load useful vendor id of treatment
1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (0): pre-shared key local found
1d23h: ISAKMP: analysis of the profiles for xauth...
1d23h: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
1d23h: ISAKMP: DES-CBC encryption
1d23h: ISAKMP: SHA hash
1d23h: ISAKMP: default group 1
1d23h: ISAKMP: pre-shared key auth
1d23h: ISAKMP: type of life in seconds
1d23h: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
1d23h: ISAKMP: (0): atts are acceptable. Next payload is 0
1d23h: ISAKMP: (0): Acceptable atts: real life: 0
1d23h: ISAKMP: (0): Acceptable atts:life: 0
1d23h: ISAKMP: (0): fill atts in his vpi_length:4
1d23h: ISAKMP: (0): fill atts in his life_in_seconds:86400
1d23h: ISAKMP: (0): return real life: 86400
1d23h: ISAKMP: (0): timer life Started: 86400.

1d23h: ISAKMP: (0): load useful vendor id of treatment
1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_SA_SETUP
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

1d23h: ISAKMP: (0): processing KE payload. Message ID = 0
1d23h: ISAKMP: (0): processing NONCE payload. Message ID = 0
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): provider ID is the unit
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): provider ID is DPD
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): addressing another box of IOS!
1d23h: ISAKMP: receives the payload type 20
1d23h: ISAKMP: receives the payload type 20
1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM4

1d23h: ISAKMP: (1034): send initial contact
1d23h: ISAKMP: (1034): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
1d23h: ISAKMP (0:1034): payload ID
next payload: 8
type: 1
address: 217.155.113.179
Protocol: 17
Port: 0
Length: 12
1d23h: ISAKMP: (1034): the total payload length: 12
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM5

1d23h: ISAKMP: (1031): serving SA., his is 652D60C8, delme is 652D60C8
1d23h: ISAKMP (0:1033): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set 33481563 to QM_IDLE
1d23h: ISAKMP: (1033): HASH payload processing. Message ID = 33481563
1d23h: ISAKMP: receives the payload type 18
1d23h: ISAKMP: (1033): treatment remove with load useful reason
1d23h: ISAKMP: (1033): remove the doi = 1
1d23h: ISAKMP: (1033): remove Protocol id = 1
1d23h: ISAKMP: (1033): remove spi_size = 16
1d23h: ISAKMP: (1033): remove the spis num = 1
1d23h: ISAKMP: (1033): delete_reason = 11
1d23h: ISAKMP: (1033): load DELETE_WITH_REASON, processing of message ID = 33481563, reason: Unknown delete reason!
1d23h: ISAKMP: (1033): peer does not paranoid KeepAlive.

1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'informational (en) State 1.
1d23h: ISAKMP: node set 1618266182 to QM_IDLE
1d23h: ISAKMP: (1033): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1033): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1033): purge the node 1618266182
1d23h: ISAKMP: (1033): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1d23h: ISAKMP: (1033): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP: (1034): payload ID for treatment. Message ID = 0
1d23h: ISAKMP (0:1034): payload ID
next payload: 8
type: 1
address: 192.168.248.253
Protocol: 17
Port: 0
Length: 12
1d23h: ISAKMP: (0): peer games * no * profiles
1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 0
1d23h: ISAKMP: (1034): SA authentication status:
authenticated
1d23h: ISAKMP: (1034): SA has been authenticated with 37.205.62.5
1d23h: ISAKMP: try to insert a 217.155.113.179/37.205.62.5/4500/ peer and found existing in a 643BCA10 to reuse, free 652C3B54
1d23h: ISAKMP: Unlocking counterpart struct 0x652C3B54 Reuse existing peer count 0
1d23h: ISAKMP: delete peer node by peer_reap for 37.205.62.5: 652C3B54
1d23h: ISAKMP: lock struct 0x643BCA10, refcount 2 for peer peer reuse existing
1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM5 = IKE_I_MM6

1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
1d23h: ISAKMP: (0): cannot decrement IKE Call Admission Control outgoing_active stat because he's already 0.
1d23h: ISAKMP: Unlocking counterpart struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
1d23h: ISAKMP: (1033): error suppression node 1267924911 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): error suppression node 1074093103 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): node-183194519 error suppression FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (1033): former State = new State IKE_DEST_SA = IKE_DEST_SA

1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_I_MM6

1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

1d23h: ISAKMP: (1034): start Quick Mode Exchange, M - ID 1297417008
1d23h: ISAKMP: (1034): initiator QM gets spi
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): entrance, node 1297417008 = IKE_MESG_INTERNAL, IKE_INIT_QM
1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_I_QM1
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set-874376893 to QM_IDLE
1d23h: ISAKMP: (1034): HASH payload processing. Message ID =-874376893
1d23h: ISAKMP: (1034): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 56853244, message ID =-874376893, his 652CBDC4 =
1d23h: ISAKMP: (1034): removal of spi 56853244 message ID = 1297417008
1d23h: ISAKMP: (1034): node 1297417008 REAL reason error suppression "remove larval.
1d23h: ISAKMP: (1034): node-874376893 error suppression FALSE reason 'informational (en) State 1.
1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set 439453045 to QM_IDLE
1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 439453045
1d23h: ISAKMP: (1034): treatment ITS payload. Message ID = 439453045
1d23h: ISAKMP: (1034): proposal of IPSec checking 1
1d23h: ISAKMP: turn 1, ESP_AES
1d23h: ISAKMP: attributes of transformation:
1d23h: ISAKMP: program is 3 (Tunnel-UDP)
1d23h: ISAKMP: type of life in seconds
1d23h: ISAKMP: life of HIS (basic) 3600
1d23h: ISAKMP: type of life in kilobytes
1d23h: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
1d23h: ISAKMP: key length is 128
1d23h: ISAKMP: (1034): atts are acceptable.
1d23h: ISAKMP: (1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP: (1034): politics of ITS phase 2 is not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP: node set 1494356901 to QM_IDLE
1d23h: ISAKMP: (1034): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 1687353736, message ID = 1494356901
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): purge the node 1494356901
1d23h: ISAKMP: (1034): error suppression node 439453045 REAL reason "QM rejected."
1d23h: ISAKMP: (1034): entrance, node 439453045 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_READY
1d23h: ISAKMP: (1032): purge the node 1513722556
1d23h: ISAKMP: (1032): purge the node-643121396
1d23h: ISAKMP: (1032): purge the node 1350014243
1d23h: ISAKMP: (1032): purge the node 83247347

Hi Nav,

I'm happy it's working now. Your interpretation is correct. Transport mode IPSEC encrypts the payload, while tunnel mode figure the whole ip packet (original header / payload) and inserts a new ip header. Thus, the tunnel mode is used for ipsec site to site VPN and transport is used for point to point VPN ipsec. GRE is used with ipsec, all packages will be encapsulated with a GRE header first, so, essentially, this is a point to point VPN ipsec.

The problem that you are having with tunnel mode, the router's package is going to be wrapped with the header 192.168.248.253 GRE source 217.155.113.179 destination. The whole package is then encrypted and a new header is added with the same source/destination. This new header will be coordinated by the FW, but not incorporated or encrypted GRE header. When the packet arrives at Router B, after decrypt them the package, router B will see the GRE header, which is different from that of source/destination tunnel she uses. This breaks the GRE tunnel and the routing between router A and router B Protocol.

HTH,

Lei Tian

Site to Site VPN NAT conflicts

I have a site to site vpn between my main office and an office. Traffic between flow correctly with the exception of some protocols. My main router has static NAT configured for port 25 and a few others. For each of these protocols that have a static nat, I can't send the traffic from my office to the IP in the static nat

either I can't access port 25 on 172.16.1.1 of my office of the branch of the 172.17.1.1, but I have remote desktop access

It's like my list of NAT is excluding the static entries that follow. I have posted below the configs. Any help would be appreciated.

Main office: 2811

Branch: 1841

Two routers connected to the internet. VPN site to Site between them with the following config

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

isakmp encryption key * address *. ***. * *.116

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac VPN - TS

!

map VPN-map 10 ipsec-isakmp crypto

set peer *. ***. * *.116

game of transformation-VPN-TS

match address VPN-TRAFFIC

I have two IP addresses on the router principal.122 et.123

There is an installer from the list of the deny on the two routers - that's the main:

overload of IP nat inside source list 100 interface FastEthernet0/0

access-list 100 remark = [Service NAT] =-

access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255

access-list 100 permit ip 172.16.0.0 0.0.255.255 everything

access-list 100 permit ip 172.24.0.0 0.0.255.255 everything

To serve clients vpn no internet, the following nat is configured to send e-mail to exchamge

IP nat inside source static tcp 172.16.1.1 25 *. ***. * expandable 25 *.122

Try to use the nat policy to exclude traffic from your servers to be natted when switching to the branch office network.

Sth like this

STATIC_NAT extended IP access list

deny ip 172.16.1.1 host 172.17.1.0 255.255.255.0 aka nat0 for traffic from the server

allow the ip 172.16.1.1 host a

policy-NAT route map

corresponds to the IP STATIC_NAT

IP nat inside source static tcp 172.16.1.1 25 *. ***. 25-card *.122 of extensible policy-NAT route

Site to Site VPN of IOS - impossible route after VPN + NAT

Hello

I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.

Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.

I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?

This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)

VPN endpoints: 10.20.1.2 and 10.10.1.2

routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254

From 172.31.0.x to 192.168.1.x

!

version 12.4

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname INSIDEVPN

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxxxxxxxxxxxx

!

No aaa new-model

!

!

dot11 syslog

no ip cef

!

!

!

!

IP domain name xxxx.xxxx

!

Authenticated MultiLink bundle-name Panel

!

!

username root password 7 xxxxxxxxxxxxxx

!

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS

!

CRYPTOMAP 10 ipsec-isakmp crypto map

defined by peer 10.20.1.2

game of transformation-VPN-TRANSFORMATIONS

match address 100

!

Archives

The config log

hidekeys

!

!

LAN controller 0

line-run cpe

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

!

interface FastEthernet0

switchport access vlan 12

No cdp enable

card crypto CRYPTOMAP

!

interface FastEthernet1

switchport access vlan 2

No cdp enable

!

interface FastEthernet2

switchport access vlan 2

No cdp enable

!

interface FastEthernet3

switchport access vlan 2

No cdp enable

!

interface Vlan1

no ip address

!

interface Vlan2

IP 192.168.1.1 255.255.255.248

NAT outside IP

IP virtual-reassembly

!

interface Vlan12

10.10.1.2 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

card crypto CRYPTOMAP

!

IP forward-Protocol ND

IP route 192.168.2.0 255.255.255.0 192.168.1.254

IP route 10.20.0.0 255.255.0.0 10.10.1.254

Route IP 172.31.0.0 255.255.0.0 Vlan12

!

!

no ip address of the http server

no ip http secure server

IP nat inside source static 172.31.0.2 192.168.1.11

IP nat inside source 172.31.0.3 static 192.168.1.12

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

password 7 xxxxxxxxx

opening of session

!

max-task-time 5000 Planner

end

Hi Jürgen,

First of all, when I went through your config, I saw these lines,

!

interface Vlan2

IP 192.168.1.1 255.255.255.248

!

!

IP route 192.168.2.0 255.255.255.0 192.168.1.254

!

With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.

Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)

Once this has been done. We will have to look at routing.

You are 172.31.0.2-> 192.168.1.11 natting

Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.

Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,

!

IP route 192.168.1.8 255.255.255.248 192.168.1.1

!

If return packets will be correctly routed toward our local router.

If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire

I hope I understood your scenario. Pleae make changes and let me know how you went with it.

Also, please don't forget to rate this post so useful.

Shamal

Cisco ASA Site to Site VPN IPSEC and NAT question

Hi people,

I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

Just an example:

N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

Grateful if someone can shed some light on this subject.

Hello

OK so went with the old format of NAT configuration

It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
  - access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
  - Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
  - the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
  - NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
  - ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.

Please rate if this was helpful

-Jouni

2 one-Site VPN Cisco 2801 and with crossing NAT

Hi guys,.

I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

Here is a model of physics/IP configuration:

LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

Thank you

Gonçalo

Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

Design site to Site VPN w/NAT traversal issue

Hi, I have a number of site to site VPN that end on a PIX. I intend to migrate these VPN to a router that sits on a demilitarized zone connected to the PIX. Before doing that I'm going to set up a private network new virtual to end on the router but I also need than VPNS that end on the PIX to be not affected.

If I configure NAT traversal on the PIX, affected my other VPN?

Thanks in advance

DOM

Hi Dom,

Why do you want to configure NAT-Traversal on PIX, if you wish to terminate your VPN router (which is on the DMZ).

Do you do any NAT on PIX thru the router?

If you want to configure NAT-Traversal, it must be configured on the end (on the router in your case) devices.

Example:

When a user with Cisco client or Cisco router behind NAT wants to connect to another device (such as PIX, ASA, or router) NAT - T must be configured on the machine (which will be the PIX or ASA)

Hope that helps.

* Please indicate the post

Order of operations NAT on Site to Site VPN Cisco ASA

Hello

I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

inside_map crypto 50 card value transform-set ESP-3DES-SHA

tunnel-group 100.1.1.1 type ipsec-l2l

tunnel-group 100.1.1.1 General-attributes

Group Policy - by default-PHX_HK

IPSec-attributes tunnel-group 100.1.1.1

pre-shared key *.

internal PHX_HK group policy

PHX_HK group policy attributes

VPN-filter no

Protocol-tunnel-VPN IPSec svc webvpn

card crypto inside_map 50 match address outside_cryptomap_50

peer set card crypto inside_map 50 100.1.1.1

inside_map crypto 50 card value transform-set ESP-3DES-SHA

inside_map crypto 50 card value reverse-road

the PHX_Local object-group network

host of the object-Network 31.10.11.10

host of the object-Network 31.10.11.11

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

host of the object-Network 10.17.128.20

host of the object-Network 10.17.128.21

host of the object-Network 10.17.128.22

host of the object-Network 10.17.128.23

the HK_Remote object-group network

host of the object-Network 102.1.1.10

inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

the PHX_Local1 object-group network

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

Thank you

Kind regards

Thomas

Hello

I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

You have these guests who were not able to use the VPN L2L

31.10.10.10 10.17.128.20

31.10.10.11 10.17.128.21

31.10.10.12 10.17.128.22

31.10.10.13 10.17.128.23

IF you want them to go to the VPN L2L with their original IP address then you must configure

object-group, LAN

host of the object-Network 10.17.128.20

host of the object-Network 10.17.128.21

host of the object-Network 10.17.128.22

host of the object-Network 10.17.128.23

object-group, REMOTE network

host of the object-Network 102.1.1.10

inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

IF you want to use the L2L VPN with the public IP address, then you must configure

object-group, LAN

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

object-group, REMOTE network

host of the object-Network 102.1.1.10

outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

Be sure to mark it as answered if it was answered.

Ask more if necessary

-Jouni

Site to site VPN - impossible to reach the other side ASA

Hello

Recently, I replaced a Juniper with a Cisco ASA 5505 firewall in a branch. This branch has a VPN site to another seat. Firewall at Headquarters is a Juniper and managed by third parties. I have configured the ASA and replaced Juniper. Everything at the Branch works, and can reach all subnets and servers. As the user is concerned, there is no problem.

But corporate headquarters, I am unable to reach this ASA on the interface of data or management. See the image, I am unable to ping or join a network 192.168.10.0 and 192.168.200.0 or any other subnet 10.15.8.0 to Headquarters. However, I can ping computers from branch office which is in the same subnet as the data interface.

You guys could help me as I need to reach the ASA headquarters branch. I welcome all networks on both sides inside and the external interface. I also created a NAT as below. Am I wrong configured NAT

NAT (inside, outside) static source DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 HO_Subnets HO_Subnets non-proxy-arp-search of route static destination
!
NAT Dynamics obj_any interface of source to auto after (indoor, outdoor)

DIWA

This information is useful. You try to SSH to the address inside or management? May I suggest that we focus for now on access to inside? After we get this working, we can watch access via the management.

It does not appear in what you posted, but I'm not sure if it might be something that you have removed before posting. Do you have configured access to the administration? If this is not the case, may I suggest that you add access management inside the config.

HTH

Rick

Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

Site to site vpn problem

Hello world

I have a problem with the vpn site to site between two cisco routers. The configurations are:

Site has

crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
life 86000
ISAKMP crypto secrettestkey key address x.x.x.x
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac S2S
!
S2S 10 ipsec-isakmp crypto map
defined peer x.x.x.x
game of transformation-S2S
match address S2S

interface FastEthernet4
IP address y.y.y.y 255.255.255.252
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
card crypto S2S
!
!
interface Vlan1
no ip address
!
!
interface Vlan12
IP 192.168.100.1 address 255.255.255.0
IP nat inside
IP virtual-reassembly
!
!
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
overload of IP nat inside source list 100 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 y.y.y.x
IP route 192.168.14.0 255.255.255.0 y.y.y.x
!
S2S extended IP access list
IP 192.168.100.0 allow 0.0.0.255 192.168.14.0 0.0.0.255
!
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any

Site B

crypto ISAKMP policy 20
BA 3des
preshared authentication
Group 2
life 86000

ISAKMP crypto secrettestkey key address x.x.x.x

Crypto ipsec transform-set esp-3des esp-sha-hmac testS2S

DCMAP 20 ipsec-isakmp crypto map
tunnel test Description
defined peer x.x.x.x
Set transform-set testS2S
match the address testS2S

interface GigabitEthernet0/0
Description. : Outside:.
IP address y.y.y.y 255.255.255.224
IP access-group OUTSIDE2INSIDE in
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
card crypto DCMAP

IP route 192.168.100.0 255.255.255.0 y.y.y.x

testS2S extended IP access list
IP 192.168.14.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

There is also a NAT - T configuration on this site

Tunnel is not coming. The status is MM_NO_STATE

What are the causes of the problem? Please notify.

Hello

Check out the link. Its for remote access IPSec. Try to remove the config and reapply the card encryption.

Second in debugging, see router goes for x-auth.

04:35:44.707 26 Jan: ISAKMP: Config payload REQUEST
26 jan 04:35:44.707: ISAKMP: (2083): no provision of demand
04:35:44.707 26 Jan: ISAKMP: Invalid configuration REQUEST
04:35:44.707 26 Jan: ISAKMP (2083): action of WSF returned the error: 2
04:35:44.707 26 Jan: ISAKMP: (2083): entry = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

You can disable using xauth No. in the end of statement isakmp key.

# isakmp crypto key 0 abc address x.x.x.x No.-xauth

HTH

NAT inside Site to Site VPN

Similar Questions

Maybe you are looking for