NAT NAT_T & identity

Similar Questions

• Validation of the IOS VPN peer identity IP with NAT - T

  I just lost a lot of time to understand this behavior of the IOS. My conclusion reached: If you work with the good old peer identity address validation in profiles ISAKMP and the peer you are talking about is located behind a NAT, you must use the private IP address of the peer in the command "adapter address of the identity". I thought that NAT - T takes care of the translation in all sections of required configuration, but here especially, seems not so much. The interesting thing is that for all other orders, you must use the public IP address.

  See the following example (showing only the relevant articles with statements by peer inside):

  door-key crypto OUR_KEYRING

  key pre-shared key address 1.2.3.4

  Crypto isakmp PROFILE_NAME profile

  VRF TEST

  key ring OUR_KEYRING

  function identity address 192.168.99.5 255.255.255.255

  OUR_MAP 6 ipsec-isakmp crypto map

  defined peer 1.2.3.4

  the value of PROFILE_NAME isakmp-profile

  Does anyone know if this is normal or if it is a bug? It would be useful and consistent if NAT - T changed the identity of the peer address during the phase 1 negotiation, then we would not deal with peer private addressing within site to site VPN configs. I also think of IP scenarios that overlap that may occur when you work with dealing with private peer.

  See the release of relevant debugging in the attachment, after documenting a failed connection attempt (using the public, NATted IP of the peer in the command 'fit the address of identity') and once a following connection attempt (using the IP private, internal counterpart).

  My router is a C2951 with IOS 15.3 (2) T2. The counterpart is an ASA (version & unknown config so far, but I'm sure that the other engineer did not indicate what it is using a private address in its config, despite my session from behind a NAT router, too).

  Thank you & best regards

  Toni

  Toni,

  Problem with identity is that it is an encrypted package (in Exchange MM) so cannot be changed in transit, so that a host may not know reliably it is the external IP address (it can make assumptions, but he doesn't know how long it is valid for).

  Also if you "NAT 'd" identity you can't the difference between two devices behind same NAT/PAT on end of answering machine.

  There are some implmentations IKE allowing IKE to identity type and value to specify manually. IOS not among them.

  Yes decouple us identity and peer of the intellectual property, it adds flexability with a few corner cases which may arrise.

  Yet another reason why NAT is evil?

  M.

• ASA NAT to 8.4

  I'm doing the VPN tunnel between router IOS and ASA 5505. The ASA has a dynamic IP address

  Everything would be ok, but I don't understand NAT in ASA's new orders. Can you tell me how to convert it to version 8.3 - 4?

  access-list no. - NAT allowed extended ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

  Global 1 interface (outside)

  NAT (inside) - No. - NAT 0 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0

  I use this link

  http://www.Cisco.com/c/en/us/support/docs/security/PIX-500-series-Securi...

  Thanks for any help.

  Take a look at the document, depending on where you can find almost everything on the new model of NAT:

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Especially "NAT0 / NAT Exemption / identity NAT ' in part"TWICE-NAT-MANUAL-NAT"is relevant for this task.

• Security level limited access to high security

  Dear all,

  I have something that I need your help it clarify for me; for reasons of tests outside NAT in PIX, I placed a host on the external interface of my FW PIX and another on the inside interface. We'll call inside host (Host: 172.16.1.178) and outside (Host B: 192.168.1.96).

  I then applied:

  NAT (inside) 0 0 0 and

  NAT (outside) 0 0 0 outside

  orders to have two subnets appear to others with their original IP addresses. When ping from host B to host, no response is received and a 305005 syslog message (no translation group not found for ICMP src outdoors: 192.168.1.96 dst inside: 172.16.1.178)... However, when ping from host A to host B with the original B IP host, a response is received successfully. After this, lead to confusion if I try again to ping from host B to host, things work this time without errors. (Note: ICMP is applied both way).

  Applying clear XLATE, again! Looks like the PIX doesn't sends the request of host B to host A unless there is a previous, established session from the host through the PIX.

  Does anyone have an explanation for what's going on? Is their someone who have experienced something like this before?

  Know your opinion.

  Thank you

  Haitham

  You are using nat 0 (identity nat) that does not allow two-way communication, UNLESS the host location to the interface high security initiates the connection.

  You can try the following:

  public static 172.16.1.178 (Interior, exterior) 172.16.1.178 netmask 255.255.255.255

  Which allows inside the host to be 'translated' to the outside and allow the host located on the untrsuted start the communication itself (will be seen with the same IP address)

  more information:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/s.htm#wp1026694

  Franco Zamora

• Identity NAT - lower growth

  Having looked through the forums, it seems that identity NAT, it is what I'm looking for, but could someone confirm?

  I have a server accessible via a wan connection on a demilitarized zone. I want internal users to access this server via an INTERNAL network address.

  for example static (dmz, upside down) 10.1.1.100 200.1.1.100 netmask 255.255.255.255 0 0 - (assuming 10.1.1.0 is lan and 200.1.1.0 network via wan)

  This will work, and is it all etc. of nat/sheep conditions?

  Thank you

  Hello

  Your original post was on the right track. You need to configure is the d - nat inside so that it translate destination address of the safety interface higher at the bottom of the interface. If your ip address is 20.1.1.1 and you want to reach to the server using 10.1.1.100 which is your internal ip address, then your static should look like this.

  static (dmz, upside down) 10.1.1.100 20.1.1.1 netmask 255.255.255.255

  Thank you

  Renault

• Identity firewall does not work with NAT

  We implement an environment that restrict access to Internet with rules based on users and groups to Active Directory.

  There were many difficulties, but the current state is:

  -The 'Test' of the firewall server-> identity Options results GOOD group

  -The 'Test' of Agent of Active Directory on Windows-> identity Options GOOD results

  -The rules we applied on the inside Firewall identity-based Interface are no "respected".

  The environment:

  -We have two ASA 5520 to failover.

  -There are four contexts in this pair of ASA.

  -Now we are activating the firewall of identity in a context.

  -Of course, the AD are in one of the inside of this context, networks.

  On the Configuration Guide of the identity of Firewall, to

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/asdm64/configuration_guide/access_idfw.html#wp1349541

  We have seen that there are a lot of features that are not supported:

  ...

  The following features of ASA do not support the use of the object based on the identity and the FULL domain name:

  Route-map

  -Crypto card

  -WCCP

  -NAT

  -Group (except filter VPN) policy

  -DAP

  ...

  When using NAT does not, just remove NAT.

  How to configure this feature? Identity with NAT work?

  This is the reason why you have not any user ip in ASA mappings.

  Domain configured in ASA name must be the netbios domain name and it must be matched with one that you see 'adacfg dc list' output, otherwise ASA will drop all user agent AD ip report.

  You can have a try with the following new configs.

  field of the identity of the user TEST4 aaa-Server AD-TEST4

  identity of the user by default-field TEST4

  inside_access_in list extended access deny the user ip TEST4\rodrigo a whole

• identity NAT

  Hello

  I have a question,

  If I want to assign a public ip address @, and do a nat 0,.

  but my question is because the inisde ip address is private and pourles differnet from the public, how can they communicate?

  is this possible?

  thaks a lot.

  Thanks for the clarification, now I think I know what you're trying to ask. NAT 0 is normally used when you do not want the PIX to run NATTING to some or all of the hosts, however, you cannot have two ip subnets that are directly connected to an interface of the PIX. You may be able to have a public address somewhere inside the PIX, condition that there is a way to reach this address through a device of next hop (some gateway) on the same subnet as the PIX inside interface. The host in question will require a gateway to be on the same subnet as the host to be able to communicate to the outside world. Appropriate routes will have on the PIX to direct traffic to the host through the gateway.

  One last thing I want to say, is that when you want to avoid NAT for a device you want also other for access from a less secure PIX interface, you create usually a translation of static ip address of the device rather than a NAT 0. This is because with NAT 0 traffic must always be started indoors as the PIX fills the table of translation in this way.

  I hope I don't end up confusing you.

• Airport Extreme Double NAT / AT & T NVG510

  My Internet connection has worked very well for several years, until recently, when the simple DSL modem (a Motorola 2210-02 - 1ATT) provided by AT & T began to experience intermittent outages. Initially, the DSL modem would lose the line for a minute or two at a time. But within 48 hours, the line started to drop during the hours in a row (synchronization failed line DSL). Whenever the modem has lost the line, my Airport Extreme (the router on my home network), shows a "Double NAT" alert. But whenever the modem 2210-02 DSL connection has been restored, alert the Airport Extreme's "Double NAT" disappeared.

  After a day and a half problems, the line is down for so many hours that I finally called AT & T to check the status of our range. So, AT & T sent a technician who concluded fairly quickly the 2210-02-1ATT was the problem and replaced it with a modem/router combo (manufacturing date 11/2014) NVG510 (with router function disabled in the settings).

  The speed that results and the quality of the connection via the NVG510 were good, so the tech packed 2210-02 in his bag and left. But now I get that alert "Double NAT" once again on my Airport Extreme, even if the home network is apparently working as well as it ever did.

  The only setting I changed was on the NVG510 - as soon as the technology has left, I turned off the WiFi on the NVG510 function because I want the Airport Extreme to my router, same as always.

  So far so good. After 24 hours with the NVG510 in place, the network worked well with no major hiccups, the only exception being the status of "Double NAT" alert displayed in Airport utility. In fact, had I have not bothered to watch Airport utility, I don't know that there was a "Double NAT" alert

  Everything on the side of the NVG510 LAN is identical to what was in place with the 2210-02...

  Airport Extreme 802.11ac works as "router" with the WiFi signal on another floor via an Airport Extreme 802.11n wireless (5th generation).

  The WiFi signal provides web access to some desktop Mac, AppleTV, devices, mobile phones, tablet computers and a laptop (laptop is the only device that uses a VPN).

  The network on the Airport Express 802.11ac, who serves as router, is "DHCP and NAT." and the "5th Gen," which extends the wireless network, set mode "bridge."

  After hours of searching online, I understand that this problem is surely the result of the NVG510, and that this problem exists for at least five years. I've read at least a few tens of different ways to try a fix via adjustments to settings, but none reached the level of a real solution.

  Although my network is no problem at the moment, I'm afraid that "Double NAT" alert is a sword of Damocles that will eventually crash my network, a situation I like to avoid. I dared not yet connect the laptop with a VPN to the router, but out of fear that will bring down the whole network.

  I'd rather solve the "Double NAT" proactively.

  Is there a a way to eliminate the Double "Nat" by adjusting the parameters of the NVG510 and/or the Airport Extreme?  Or, my fears of future problems and a VPN disaster are unfounded?

  Thank you

  According to your comments, the NVG510 has not been reconfigured as a bridge and is providing routing functions (NAT & DHCP).

  To resolve the Double NAT is the new Motorola NVG510 or AirPort Extreme needs to be reconfigured under a bridge. The simplest solution would be to reconfigure the extreme. In this way, the NVG510 can handle NAT & DHCP services required by clients of network connected to the extreme to access the Internet.

  To reconfigure the extreme as a gateway, use the AirPort Utility, as follows:

  • Run the AirPort Utility and then select the extreme.
  • Click on Extreme and then, select Edit.
  • Click the network tab to select it.
  • Change the router Mode to: Off (bridge Mode)
  • Click on update and allow extreme restart.

• Static Nat issue unable to resolve everything tried.

  Hello

  I have a cisco asa 5515 with asa worm 9.4.1 and asdm 7.4

  I have problem with configuring static nat, I have a server inside which ip is 172.16.1.85 and

  my external interface is configured with a static ip address.

  Internet works fine but cannot configure static nat...

  Here's my config running if please check and let me know what Miss me...

  Thank you

  ASA release 9.4 (1)
  !
  ciscoasa hostname

  names of
  !
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  IP 151.253.97.182 255.255.255.248
  !
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  IP 172.16.1.1 255.255.255.0
  !
  interface GigabitEthernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  boot system Disk0: / asa941-smp - k8.bin
  passive FTP mode
  object remote desktop service
  source eq 3389 destination eq 3389 tcp service
  Description remote desktop
  network of the RDP_SERVER object
  Home 172.16.1.85
  outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER
  pager lines 24
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  management of MTU 1500
  no failover
  no monitor-service-interface module of
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 743.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network of the RDP_SERVER object
  NAT (inside, outside) interface static service tcp 3389 3389
  !
  NAT source auto after (indoor, outdoor) dynamic one interface
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 151.253.97.177 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  identity of the user by default-domain LOCAL
  Enable http server
  http server idle-timeout 50
  http 192.168.1.0 255.255.255.0 management

  Telnet 192.168.1.0 255.255.255.0 management
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 192.168.1.0 255.255.255.0 management
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  VPDN username bricks12 password * local store
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  dynamic-access-policy-registration DfltAccessPolicy
  username, password imran guVrfhrJftPA/rQZ encrypted privilege 15
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  anonymous reporting remote call

  ciscoasa #.

  Hello

  Change this ACL: -.

  outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER

  TO

  outside_access_in list extended access allowed object RDP_SERVER eq any4 tcp 3389

  Thank you and best regards,

  Maryse Amrodia

• Win2K NAT would be from 1650 to a PIX 515 - does not

  Hello

  :

  I have a working VPN config on my 515 (6.2.2) and can tunnel from one host with a valid external IP without any problem. But, with a NAT would be customer, nothing seems to work.

  I use RADIUS to authenticate after using a password for the group. Here is the sequence of events.

  (1) client machine as a 10.0.0.1 address, NAT had a public address to come into the port of 'outside '.

  (2) the client connects, the user enters GANYMEDE password and is connected.

  (3) the user tries to browse any service and can not.

  (4) if the user switches DNS to an external server, the portion of the split tunnel internet works fine but inside is still broken.

  (5) clients with static IP addresses that are publicly routable connect and can perform all internal and external activities of split tunnel.

  Excerpts from config. I'm doing something wrong?

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac noaset

  Crypto dynnoamap dynamic-map 10 transform-set noaset

  noamap 10 card crypto ipsec-isakmp dynamic dynnoamap

  Harpy of authentication card crypto client noamap

  noamap interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address noapool pool noagroup

  vpngroup dns 66.119.192.1 Server noagroup

  vpngroup noagroup wins server - 66.119.192.4

  vpngroup noagroup by default-field noanet.net

  vpngroup split-tunnel vpn - IP noagroup

  vpngroup idle 3600 noagroup-time

  vpngroup password noagroup *.

  Help and thanks in advance.

  Mike

  You do not have something wrong. The problem is that NAT (NAT actually PAT, port) and IPSec is not working very well, and many features PAT can PAT IPSec traffic to all (PIX included until version 6.3).

  The problem is that PAT depends on using the port number TCP or UDP source as a way to differentiate between sessions, because they are all PAT would be from the same source IP address. However IPSec (ESP at least), tracks right on top of IP, in other words, it is NOT a TCP or UDP protocol, and therefore has no associated port number. It breaks most of the PAT devices.

  The reason for which you can build your tunnel initially, it is that it is all done by ISAKMP, which is a UDP protocol, which can be PAT would be fine. Once the tunnel is built however, all encrypted data are sent by packs of ESP, which as I said, is not a TCP or UDP protocol.

  Trnalsations NAT static work cause they do not rely on the use of the port number, they just change the address of the source that works very well with ESP.

  There is not much you can do about it. If you were closing the VPN into a VPN3000 concentrator, it has a feature called IPSec through NAT, which encapsulates all ESP packets in a UDP packet, which can then be PAT would be properly. The PIX, unfortunately, doesn't have this feature. The only solution is to get a NAT device that manages properly the IPSEc. Surprisingly, some of the less expensive devices on the market handle it, but you should check with each manufacturer to be sure.

• VPN on ASA 5506 without internet access, help with NAT?

  Hello

  I have upgraded to a Cisco ASA 5505 to a 5506 X and as such have climbed to ASA 9.5

  For this reason, I'm a bit stuck on how to implement the VPN. I followed the wizard and I can now establish inbound connections, but when connected (all traffic is tunnel) there is no internet connectivity.

  Our offices internal (inside) network is 192.168.2.0/24

  Our VPN pool is 192.168.4.0/24

  I guess that I'm missing a NAT rule, but in all honesty, I'm a user ASDM and as everything is changed, I am struggling to recreate it?

  Here is my config:

  Result of the command: "sh run"
  
  : Saved
  
  :
  : Serial Number: JAD194306H5
  : Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
  :
  ASA Version 9.5(1)
  !
  hostname ciscoasanew
  domain-name work.internal
  enable password ... encrypted
  names
  ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
  !
  interface GigabitEthernet1/1
   nameif outside
   security-level 0
   ip address 192.168.3.4 255.255.255.0
  !
  interface GigabitEthernet1/2
   nameif inside
   security-level 100
   ip address 192.168.2.197 255.255.255.0
  !
  interface GigabitEthernet1/3
   shutdown
   no nameif
   no security-level
   no ip address
  !
  interface GigabitEthernet1/4
   shutdown
   no nameif
   no security-level
   no ip address
  !
  interface GigabitEthernet1/5
   shutdown
   no nameif
   no security-level
   no ip address
  !
  interface GigabitEthernet1/6
   shutdown
   no nameif
   no security-level
   no ip address
  !
  interface GigabitEthernet1/7
   shutdown
   no nameif
   no security-level
   no ip address
  !
  interface GigabitEthernet1/8
   shutdown
   no nameif
   no security-level
   no ip address
  !
  interface Management1/1
   management-only
   nameif management
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  !
  ftp mode passive
  clock timezone GMT 0
  dns domain-lookup inside
  dns domain-lookup management
  dns server-group DefaultDNS
   name-server 192.168.2.199
   domain-name work.internal
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
   subnet 0.0.0.0 0.0.0.0
  object network 173.0.82.0
   host 173.0.82.0
  object network 173.0.82.1
   subnet 66.211.0.0 255.255.255.0
  object network 216.113.0.0
   subnet 216.113.0.0 255.255.255.0
  object network 64.4.0.0
   subnet 64.4.0.0 255.255.255.0
  object network 66.135.0.0
   subnet 66.135.0.0 255.255.255.0
  object network a
   host 192.168.7.7
  object network devweb
   host 192.168.2.205
  object network DevwebSSH
   host 192.168.2.205
  object network DEV-WEB-SSH
   host 192.168.2.205
  object network DEVWEB-SSH
   host 192.168.2.205
  object network vpn-network
   subnet 192.168.4.0 255.255.255.0
  object network NETWORK_OBJ_192.168.4.0_24
   subnet 192.168.4.0 255.255.255.0
  object network NETWORK_OBJ_192.168.2.0_24
   subnet 192.168.2.0 255.255.255.0
  object-group network EC2ExternalIPs
   network-object host 52.18.73.220
   network-object host 54.154.134.173
   network-object host 54.194.224.47
   network-object host 54.194.224.48
   network-object host 54.76.189.66
   network-object host 54.76.5.79
  object-group network PayPal
   network-object object 173.0.82.0
   network-object object 173.0.82.1
   network-object object 216.113.0.0
   network-object object 64.4.0.0
   network-object object 66.135.0.0
  object-group service DM_INLINE_SERVICE_1
   service-object icmp
   service-object icmp6
   service-object icmp alternate-address
   service-object icmp conversion-error
   service-object icmp echo
   service-object icmp information-reply
   service-object icmp information-request
  access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
  access-list outside_access_in remark AWS Servers
  access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
  access-list outside_access_in extended permit ip any any inactive
  access-list outside_access_in remark Ping reply
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
  access-list outside_access_in remark Alarm
  access-list outside_access_in extended permit tcp any interface outside eq 10001
  access-list outside_access_in remark CCTV
  access-list outside_access_in extended permit tcp any interface outside eq 7443
  access-list outside_access_in extended deny ip any any
  access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
  access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
  access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
  access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
  access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
  access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
  access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
  access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
  access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
  access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
  access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
  access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 16000
  logging asdm-buffer-size 512
  logging asdm warnings
  logging flash-bufferwrap
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 7200
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
  !
  object network obj_any
   nat (any,outside) dynamic interface
  object network DEVWEB-SSH
   nat (inside,outside) static interface service tcp ssh ssh
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  service sw-reset-button
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
   no validation-usage
   crl configure
  crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
   enrollment self
   fqdn none
   subject-name CN=192.168.2.197,CN=ciscoasanew
   keypair ASDM_LAUNCHER
   crl configure
  
  snip
  
  dhcpd auto_config outside
  !
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  !
  no threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
  ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ssl-client
  group-policy workVPN2016 internal
  group-policy workVPN2016 attributes
   dns-server value 192.168.2.199
   vpn-tunnel-protocol ikev1
   split-tunnel-policy tunnelall
   ipv6-split-tunnel-policy tunnelall
   default-domain value work.internal
   split-dns value work.internal
   split-tunnel-all-dns enable
  dynamic-access-policy-record DfltAccessPolicy
  
  !
  class-map inspection_default
   match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  !
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  hpm topN enable
  Cryptochecksum:
  : end
  

  Hi Ben-

  What you are trying to accomplish is called VPN crossed.  Depending on your initial configuration, you have 2 NAT problems.  The first has to do with the NAT you place your order.  In the code later that we are dealing with two NAT ASA 8.3 times and who are ranked 2 sections going on before and after the device NAT. object

  My general rule for control of NAT is like this:

  1. Twice NAT (front) - use this section for exemptions from NAT or unusual configurations that have to go first
  2. Purpose of NAT - Use this section to the static NAT instructions for servers
  3. Twice NAT (after) - use this section to your global declarations of NAT, basically a catch-all

  Then, never use 'all' as an interface for all training of NAT.  This may seem like a good idea, but it will bite you.  Remember, it is more the notion of control NAT, then 'all' interface is bit VPN configurations and similar DMZ.  Always be specific about your interface for NAT pairs.

  To this end, here is what I suggest that your NAT configuration should resemble:

  nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup!object network DEVWEB-SSH nat (inside,outside) static interface service tcp ssh ssh !nat (inside,outside) after-auto source dynamic any interfacenat (outside,outside) after-auto source dynamic any interface

  The key is that you need a NAT device explicitly reflecting the VPN traffic. PSC

• ASA 5505 as internet gateway (must reverse NAT)

  Hi all the Cisco guru

  I have this diet:

  Office-> Cisco 877-> Internet-> ASA 5505-> remote network

  Office network: 192.168.10.0/24

  Cisco 877 IP internal: 192.168.10.200

  Cisco 877 external IP: a.a.a.a

  ASA 5505 external IP: b.b.b.b

  ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

  Remote network: 192.168.17.0/24 and 192.168.1.0/24

  VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.

  But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:

  305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT

  Ping of OLD-private interface to google result:

  110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

  Result of traceroute

  

  How can I fix reverse NAT and make ASA as internet gateway?

  There is my full config

  !
  ASA Version 8.2 (2)
  !
  hostname ASA2
  domain default.domain.invalid
  activate the encrypted password password
  encrypted passwd password
  names of
  !
  interface Vlan1
  Description INTERNET
  1234.5678.0002 Mac address
  nameif WAN
  security-level 100
  IP address b.b.b.b 255.255.248.0
  OSPF cost 10
  !
  interface Vlan2
  OLD-PRIVATE description
  1234.5678.0202 Mac address
  nameif OLD-private
  security-level 0
  IP 192.168.17.3 255.255.255.0
  OSPF cost 10
  !
  interface Vlan6
  Description MANAGEMENT
  1234.5678.0206 Mac address
  nameif management
  security-level 0
  192.168.1.3 IP address 255.255.255.0
  OSPF cost 10
  !
  interface Ethernet0/0
  !
  interface Ethernet0/1
  Shutdown
  !
  interface Ethernet0/2
  Shutdown
  !
  interface Ethernet0/3
  Shutdown
  !
  interface Ethernet0/4
  Shutdown
  !
  interface Ethernet0/5
  Shutdown
  !
  interface Ethernet0/6
  switchport trunk allowed vlan 2.6
  switchport mode trunk
  !
  interface Ethernet0/7
  Shutdown
  !
  connection of the banner * W A R N I N G *.
  banner connect unauthorized access prohibited. All access is
  connection banner monitored, and intruders will be prosecuted
  connection banner to the extent of the law.
  Banner motd * W A R N I N G *.
  Banner motd unauthorised access prohibited. All access is
  Banner motd monitored and trespassers will be prosecuted
  Banner motd to the extent of the law.
  boot system Disk0: / asa822 - k8.bin
  passive FTP mode
  DNS domain-lookup WAN
  DNS server-group DefaultDNS
  Server name dns.dns.dns.dns
  domain default.domain.invalid
  permit same-security-traffic intra-interface
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  object-group service RDP - tcp
  RDP description
  EQ port 3389 object
  Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
  Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
  WAN_access_in list of allowed ip extended access all any debug log
  WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
  WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
  MANAGEMENT_access_in list of allowed ip extended access all any debug log
  access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
  access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
  OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
  access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
  access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
  access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
  Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
  WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
  WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
  Capin list extended access permit ip host 192.18.17.155 192.168.10.7
  Capin list extended access permit ip host 192.168.10.7 192.168.17.155
  LAN_access_in list of allowed ip extended access all any debug log
  Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
  Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
  pager lines 24
  Enable logging
  recording of debug trap
  logging of debug asdm
  Debugging trace record
  Debug class auth record trap
  MTU 1500 WAN
  MTU 1500 OLD-private
  MTU 1500 management
  mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP permitted host a.a.a.a WAN
  ICMP deny any WAN
  ICMP permitted host 192.168.10.7 WAN
  ICMP permitted host b.b.b.b WAN
  ASDM image disk0: / asdm - 631.bin
  don't allow no asdm history
  ARP timeout 14400
  Global (OLD-private) 1 interface
  Global interface (management) 1
  NAT (WAN) 1 0.0.0.0 0.0.0.0

  inside_nat0_outbound (WAN) NAT 0 access list
  WAN_access_in access to the WAN interface group
  Access-group interface private-OLD OLD-PRIVATE_access_in
  Access-group MANAGEMENT_access_in in the management interface
  Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  local AAA authentication attempts 10 max in case of failure
  Enable http server
  http 192.168.1.0 255.255.255.0 WAN
  http 0.0.0.0 0.0.0.0 WAN
  http b.b.b.b 255.255.255.255 WAN
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Service resetoutside
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
  card crypto WAN_map 1 set peer a.a.a.a
  WAN_map 1 transform-set ESP-DES-SHA crypto card game
  card crypto WAN_map WAN interface
  ISAKMP crypto enable WAN
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  the Encryption
  sha hash
  Group 1
  life 86400
  Telnet timeout 5
  SSH a.a.a.a 255.255.255.255 WAN
  SSH timeout 30
  SSH version 2
  Console timeout 0
  dhcpd auto_config management
  !

  a basic threat threat detection
  host of statistical threat detection
  Statistics-list of access threat detection
  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
  NTP server 129.6.15.28 source WAN prefer
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal admin group strategy
  group admin policy attributes
  DNS.DNS.DNS.DNS value of DNS server
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list LAN_IP
  privilege of encrypted password password username administrator 15
  type tunnel-group admin remote access
  tunnel-group admin general attributes
  address pool VPN_Admin_IP
  strategy-group-by default admin
  tunnel-group a.a.a.a type ipsec-l2l
  tunnel-group a.a.a.a general-attributes
  strategy-group-by default admin
  a.a.a.a group of tunnel ipsec-attributes
  pre-shared-key *.
  NOCHECK Peer-id-validate
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !

  Thank you for your time and help

  Why you use this NAT type?

  Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
  NAT (OLD-private) 0-list of access WAN_nat0_outbound

  You are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.

  If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:

  NAT (OLD-private) 1 0.0.0.0 0.0.0.0

  Global (WAN) 1 interface

• nat ASA 5520 problem

  Hi I have a Cisco Asa 5520 and I want to vpn site-to-site by using another interface with a carrier of lan to lan, the problem is when I try to pass traffic have the syslog error to follow:

  No translation not found for udp src lan2lan:10.5.50.63/44437 dst colo: biggiesmalls groups / 897
   
  LAN to LAN service interface is called: lan2lan
  one of the internal interfaces is called: colo
  
  I think that is problem with Nat on the SAA but I need help with this.
   
  Config:
   
  !
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  eve of fw - ext 255.255.255.0 address IP XXaaaNNaa
  OSPF cost 10
  OSPF network point-to-point non-broadcast
  !
  interface GigabitEthernet0/1
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/1.50
  VLAN 50
  nameif lb
  security-level 20
  IP 10.1.50.11 255.255.255.0
  OSPF cost 10
  !
  interface GigabitEthernet0/1,501
  VLAN 501
  nameif colo
  security-level 90
  eve of fw - int 255.255.255.0 172.16.2.253 IP address
  OSPF cost 10
  !
  !
  interface GigabitEthernet1/1
  Door-Lan2Lan description
  nameif lan2lan
  security-level 0
  IP 10.100.50.1 255.255.255.248
  !
  access extensive list ip 10.1.0.0 lan2lan_cryptomap_51 allow 255.255.0.0 object-group elo
  permit access list extended ip sfnet 255.255.255.0 lan2lan_cryptomap_51 object-group elo
  pager lines 24
  Enable logging
  host colo biggiesmalls record
  No message logging 313001
  External MTU 1500
  MTU 1500 lb
  MTU 1500 Colo
  lan2lan MTU 1500
  ICMP unreachable rate-limit 1 burst-size 1
  ARP timeout 14400
  NAT-control
  Global 1 interface (external)
  interface of global (lb) 1
  Global (colo) 1 interface
  NAT (lb) 1 10.1.50.0 255.255.255.0
  NAT (colo) - access list 0 colo_nat0_outbound
  NAT (colo) 1 10.1.13.0 255.255.255.0
  NAT (colo) 1 10.1.16.0 255.255.255.0
  NAT (colo) 1 0.0.0.0 0.0.0.0
  external_access_in access to the external interface group
  Access-group lb_access_in in lb interface
  Access-group colo_access_in in interface colo
  Access-group management_access_in in management of the interface
  Access-group interface lan2lan lan2lan
  !
  Service resetoutside
  card crypto match 51 lan2lan_map address lan2lan_cryptomap_51
  lan2lan_map 51 crypto map set peer 10.100.50.2
  card crypto lan2lan_map 51 game of transformation-ESP-3DES-SHA
  crypto lan2lan_map 51 set reverse-road map
  lan2lan_map interface lan2lan crypto card
  quit smoking
  ISAKMP crypto identity hostname
  ISAKMP crypto enable lan2lan
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 20
  enable client-implementation to date
  IPSec-attributes tunnel-group DefaultL2LGroup
  pre-shared-key xxXnnAA
  tunnel-group 10.100.50.2 type ipsec-l2l
  tunnel-group 10.100.50.2 General-attributes
  Group Policy - by default-site2site
  No vpn-addr-assign aaa
  No dhcp vpn-addr-assign
  Telnet timeout 5
  !
   

  The VPN is OK? ("' isakmp crypto to show his" should show a MM_Active tunnel to the peer address ")

  Normally exempt us VPN site-to-site of NAT traffic. This could be your problem. If you can share your configuration, we can have a look.

  p.s. you should affect the question of the security / VPN forum.

• Cannot ping inside the vpn client hosts. It's a NAT problem

  Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

  AAA new-model

  !

  !

  AAA authentication login default local

  radius of group AAA authentication login userauthen

  AAA authorization exec default local

  AAA authorization groupauthor LAN

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group businessVPN

  key xxxxxx

  DNS 192.168.10.2

  business.local field

  pool vpnpool

  ACL 108

  Crypto isakmp VPNclient profile

  businessVPN group identity match

  client authentication list userauthen

  ISAKMP authorization list groupauthor

  client configuration address respond

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  Define VPNclient isakmp-profile

  market arriere-route

  !

  !

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  interface Loopback0

  IP 10.1.10.2 255.255.255.252

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP virtual-reassembly

  !

  Null0 interface

  no ip unreachable

  !

  interface FastEthernet0/0

  IP 111.111.111.138 255.255.255.252

  IP access-group outside_in in

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  NAT outside IP

  inspect the outgoing IP outside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  clientmap card crypto

  !

  the integrated-Service-Engine0/0 interface

  description Locator is initialized with default IMAP group

  IP unnumbered Loopback0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP virtual-reassembly

  ip address of service-module 10.1.10.1 255.255.255.252

  Service-module ip default gateway - 10.1.10.2

  interface BVI1

  IP 192.168.10.1 255.255.255.0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  IP virtual-reassembly

  IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

  IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

  IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

  IP nat inside source map route nat interface FastEthernet0/0 overload

  nat extended IP access list

  deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

  refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

  ip licensing 10.1.1.0 0.0.0.255 any

  permit ip 192.168.10.0 0.0.0.255 any

  sheep extended IP access list

  permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

  ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

  ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

  outside_in extended IP access list

  permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

  permit any any eq 443 tcp

  permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

  permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

  allow any host 111.111.111.138 esp

  allow any host 111.111.111.138 eq isakmp udp

  allow any host 111.111.111.138 eq non500-isakmp udp

  allow any host 111.111.111.138 ahp

  allow accord any host 111.111.111.138

  access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

  !

  !

  !

  !

  route nat allowed 10 map

  match ip address nat

  1 channel ip bridge

  In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

  To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

  Kind regards

• Static nat and NAT ACL 0

  All,

  I have nat 0 ACL indicating that an ip address should not be natted, while a static nat statement saying we need natted. I just want to know that we will have precedence.

  Thank you

  It is of the order of operations PIX nat / ASA.

  the NAT 0 acl_name (nameif) has priority.

  1 nat 0-list of access (free from nat)

  2. match the existing xlates

  3. match the static controls

  a. static NAT with no access list

  b. static PAT with no access list

  4. match orders nat

  a. nat [id] access-list (first match)

  b. nat [id] [address] [mask] (best match)

  i. If the ID is 0, create an xlate identity

  II. use global pool for dynamic NAT

  III. use global dynamic pool for PAT