NAT on 8.3 and VPN tunnel with overlapping addresses
Hi all
I was looking at this document from Cisco and I think I understand how to convert the nat policy than the version 8.3 and later, but I was wondering what is happening to the acl crypto, you are always using the same as the older versions? As you know the 8.3 then NAT requires to use the original instead of the address translated to the ACL, but I don't know if this applies to crypto ACL as well. Pointers?
Example from the link:
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 !--- This access list (new) is used with the crypto map (outside_map) !--- in order to determine which traffic should be encrypted !--- and sent across the tunnel. access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 !--- The policy-nat ACL is used with the static !--- command in order to match the VPN traffic for translation.
static (inside,outside) 192.168.2.0 access-list policy-nat !--- It is a Policy NAT statement. !--- The static command with the access list (policy-nat), !--- which matches the VPN traffic and translates the source (192.168.1.0) to !--- 192.168.2.0 for outbound VPN traffic.
crypto map outside_map 20 match address new !--- Define which traffic should be sent to the IPsec peer with the !--- access list (new).
Thank you
V
Hi rc001g0241,
I posted your question for clarity sake along.
"what happens to the crypto acl, always use you even as older versions?"
As you can see, Cisco doc you posted shows that you need to target for crypto engine is what happens after the nat policy has succeeded, illustrated here: "address match map crypto outside_map 20 new".
"As you know the 8.3 then NAT requires to use the original instead of the address translated to the ACL, but I don't know if this applies to crypto ACL as well. Pointers?
There is no such requirement and ACL target you in the engine crytop for the tunnel bound traffic can be a natted post address, that's what shows Cisco Doc and it is correct.
Hope that answers your questions.
Thank you
Rizwan James
Tags: Cisco Security
Similar Questions
-
NAT before going on a VPN Tunnel Cisco ASA or SA520
I have a friend who asked me to try to help. We are established VPN site to site with a customer. Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there. So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN. So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel. That sounds confusing to you? Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN. Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?
Help or direction would be very useful.
Hello
I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.
Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.
Naturally, there are also a lot of the basic configuration which is not mentioned below.
For example
- Configurations management and AAA
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for parameters below
- x.x.x.x = ASA 'outside' of the public IP interface
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" IP address of the default gateway
- a.a.a.a = the address of the remote site VPN L2L network
- b.b.b.b = mask of network to the remote site VPN L2L
- c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
- PSK = The Pre Shared Key to connect VPN L2L
Interfaces - Default - Access-list Route
interface Vlan2
WAN description
nameif outside
security-level 0
Add IP x.x.x.x y.y.y.y
Route outside 0.0.0.0 0.0.0.0 z.z.z.z
interface Ethernet0
Description WAN access
switchport access vlan 2
- All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured
interface Vlan1
LAN description
nameif inside
security-level 100
10.10.1.0 add IP 255.255.255.0
Note to access the INSIDE-IN list allow all local network traffic
access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any
group-access INTERIOR-IN in the interface inside
Configuring NAT and VPN L2L - ASA 8.2 software and versions prior
Global 1 interface (outside)
NAT (inside) 1 10.10.1.0 255.255.255.0
Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host
card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address
card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c
card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256
card crypto WAN-CRYPTOMAP 10 set security-association second life 3600
CRYPTOMAP WAN interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
pre-shared key, PSK
NAT and VPN L2L - ASA 8.3 software configuration and after
NAT source auto after (indoor, outdoor) dynamic one interface
Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host
card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address
card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c
card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1
card crypto WAN-CRYPTOMAP 10 set security-association second life 3600
CRYPTOMAP WAN interface card crypto outside
crypto isakmp identity address
Crypto ikev1 allow outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
IKEv1 pre-shared key, PSK
I hope that the above information was useful please note if you found it useful
If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more
-Jouni
-
RV042 VPN tunnel with Samsung Ubigate ibg2600 need help
Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.
In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...
Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.
System log
Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
Time
Type of event Message
2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
2 sep 03:36:02 2009 VPN Log Main Mode initiator
2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removalPFS - off on tada and linksys router does not support the samsung lol! connected!
-
Between Cisco ASA VPN tunnels with VLAN + hairpin.
I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings:
- The 5505 has a dynamically assigned internet address.
- The 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
- The 5520 cannot be a client of ezvpn due to its current role as a server of webvpn (anyconnect).
Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts.
Thank you!
- The 5505 has a dynamically assigned internet address.
You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning
2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
Make sure that the interface is connected to a switch so that it remains all the TIME.
3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server.
You can use dynamic VPN with normal static rather EZVPN tunnel.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Hello
I am trying to understand the functioning of DNS with u-turn. I'm looking for in the configuration of VPN tunnel between ASA 5510 (main office) and PIX 506 (remote).
Currently all the jobs in the remote offices are connected through VPN tunnel between PIX506 and VPN 3000 to a hub, so that they use the internal DNS server at the main office. I need to use u-Turn on ASA to allow remote surfing the net users. With u-Turn config, remote workstation still will use DNS server in the main office to resolve the IP addresses?
Thank you
LF
Hey Forman.
SplitDNS and Splittunneling are both used with remote access clients. In your case, that you try to configure a site to site VPN tunnel, so to 'divide' traffic you will use the crypto acl to set valuable traffic to the VPN. However, this ACL uses IP addresses in order to determine whether the traffic must be encrypted or not, this is why your DNS lookup would have to occur before the traffic is encrypted. Then, you can set the DNS server for the remote network to be the DNS through the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic or you must ensure that the local DNS server is able to resolve names.
In the previous case where you use u-turn, all gets automatically tunnele so you don't have to worry about your DNS queries in the tunnel.
I hope that this explains the behavior.
Kind regards
ATRI.
-
VPN tunnel with only one authorized service
Hello
has got a pix 520 with V 6.22. Now, I created a VPN Tunnel from our server to a
annother company server and I only want to have ssh connection. If it works
pretty good - but the other host, it is possible to connect on our host by
ICMP, ftp, telnet... How can I manage configured my pix to refuse all this
services?
Here is my configuration:
name 10.x.x.x ffmz1_is
name 212.x.x.x conliner_os
conliner_ssh name 192.168.0.250
object-group network conliner
object-network 192.168.0.0 255.255.255.0
access list on the inside to allow icmp host ffmz1_is a
access-list inside permit TCP host ffmz1_is any ftp eq
access-list inside allow host ffmz1_is udp any eq smtp
access-list inside allow host ffmz1_is host conliner_ssh eq ssh tcp
no_nat list of allowed access host ip conliner object-group ffmz1_is
access-list allowed conliner host ip conliner object-group ffmz1_is
...
crypto VPN 30 card matches the address conliner
card crypto VPN 30 set peer conliner_os
...
Thank you very much
The sole purpose of "ipsec sysopt connection permit" is to allow traffic through a tunnel to bypass access-groups. It is not necessary to use it, but then you must explicitly allow traffic you want through your access list.
The command is very useful when you need to establish a vpn using the cisco customer remotely. Because you must use dynamic crypto maps and you don't know the IP address of the peer, if you didn't have the sysopt command, you will need to allow traffic from an source.
And you don't have to open all ports for the PIX to be able to establish the tunnel with its ipsec peer.
You need to allow udp 500 and protocol 50-51 when ipsec traffic through your firewall. Let's say you have another PIX inside who wants to establish a vpn on your main PIX with a third PIX on the outside, you must open the ports in your main PIX.
-
Question:
Is it possible to install a GRE tunnel between two routers, one that has a dynamic IP, the other has a static IP address. If this isn't the case, GRE, is there another tunneling protocol we could use?
In the search for setting up a VPN, I found that the way suggested to do is a GRE tunnel, so that dynamic routing work via VPN. We do not use dynamic routing, but I want the flexible design for future changes that will occur.
Our facility is:
2651XM (hub) to the corporate office (static IP). DS-1
827H (spokes) to each branch (dynamic IP via DHCP). ADSL.
IOS version 12.2 (13) T supports Multipoint GRE function which will allow your GRE tunnel on the side of ADSL to use a dynamic IP address. Locate the CCO love and documentation DMVPN (dynamic multipoint VPN).
-
VPN client with overlapping of private networks?
I have a new client who needs to send us data occasionally, we normally install the Cisco VPN Client on their PC, but this client has the same private network, we.
I know, but it could be done with policy NAT on my 5510 ASA with a VPN site-to site, the customer does not want to change the address or network hardware. They have router cable with no VPN option, and they are unwilling to spend more money on this project.
Can this work if there is no overlapping of IP addresses?
Your ACL SHEEP overlaps the static NAT and SHEEP has priority over the static NAT strategy strategy, why it does not work.
Please kindly remove the following:
access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
-
GRE tunnel with DHCP address on 871W
I'm putting in place a tunnel WILL I can send updates of routing and QOS between the sites. Now, we have a 2611XM and a 871W. How can I set this if the 871W router uses DHCP to the Wan (2611XM is a static address)? I'm suck trying to figure out what to do for the "tunnel" on the 2611XM destination.
PNDH allows peers to have dynamic addresses (ie: Dial and DSL) with GRE / IPsec tunnels.
What you do on the 2611 is to configure the tunnel love mode, and on both sides, you configure PNDH so that the 871 record with the 2611.
When you use this with ipsec, you can for example configure QoS groups in ISKAMP profiles.
http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios124/124cg/hiad_c/hadnhrp.htm
-
Help with a VPN tunnel between ASA 5510 and Juniper SSG20
Hello
We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.
After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.
Main branch
1.1.1.2 1.1.1.1
----- -----------
192.168.8.0/24 | ASA|-----------------------------------| Juniper | 192.168.1.0/24
----- -----------
192.168.8.254 192.168.1.254According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!
Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?
It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!
Help is very appreciated.
Thank you
1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.
SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.
You will also need to add the following configuration to be able to get the ping of the interface of the ASA:
management-private access
To initiate the ping of the private interface ASA:
ping 192.168.1.254 private
2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.
Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.
Hope that helps.
-
Conflict of IPSec between IPSec and business VPN tunnels
I crushed a 2821 current c2800nm-adventerprisek9 - mz.124 - 22.YB8 at home with 2 gre IPSec tunnels for personal use, and my office will be held that a customer based IPSec VPN to connect to the corporate VPN. My problem is that when I want to connect to the corporate VPN, I see packages being encrypted and sent, but I would have never received the return packets. It seems that the IPSec VPN tunnels with IPSec from my office and router packages conflict trying to decrypt and gives this error. (I removed the public addresses for anonymity)
CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec would be package IPSEC a bad spi to destaddr = "myaddress", prot = 50, spi = 0xDB32344E (3677500494), port = "corpvpn".
When I remove the card encryption off-side WAN router, my Office VPN works immediately. I can change the configuration, either on the side of the IPSec GRE tunnels, but has no way for me to change any configuration on the corporate VPN. Does anyone know of a workaround on the cisco router? I can provide the running configs or view orders.
The 2821 also performs NAT overload for internet access.
Hello, Reed.
1. try to remove the interface crypto map and add "protection... profile ipsec tunnel." "to your VTI:
Crypto ipsec IPSEC profile
solid Set trans
int g0/0
No crypto map card
int tu1
Ipsec IPSEC protection tunnel profile
int tu2
Ipsec IPSEC protection tunnel profile
2. try to force your corpVPN to use encapsulation UDP instead of ESP.
-
Inside Source NAT from the remote host and VPN from Site to Site
Hi all
I was in charge of the construction of a vpn tunnel with a firewall PIX of our business partner company and ASA of the other company of the firewall. Traffic will be A partner business users will access my company Citrix server. I want to source-pat the user traffic partner company to PIX of my business within the interface to its entry in my LAN to access my company Citrix server. The partner company will be PAT'ing their traffic from users to a single ip address - Let's say for discussion end is 65.99.100.101. There is the site to site vpn configuration, and configure nat be performed to allow this traffic in accordance with the above provisions.
I'm more concerned about the accuracy of the configuration of the domain encryption because NAT is involved in this whole upward. My goal is to NAT (of the other company company a) ip address to a routable ip address in my company network.
The fundamental question here is should I include the ip address of real source (65.99.100.101) of the company the user or IP natted (10.200.11.9) in the field of encryption.
In other words should the encryption field looks like this
OPTION A.
permit ip host 10.200.11.103 65.99.100.101
OR
OPTION B
permit ip host 10.200.11.103 10.200.11.9
I'm inclined to think it should look like OPTION A. Here's the part of MY complete SOCIETY of the VPN configuration. I've also attached a diagram illustrating this topology.
Thanks in advance,
Adil
CONFIG BELOW
------------------------------------------------
#################################################
Object-group Config:
#################################################
the COMPANY_A_NETWORK object-group network
Description company network access my company A firm Citrix
host of the object-Network 65.99.100.101
the MYCOMPANY_CITRIX_FARM object-group network
Description farm Citrix accessible Takata by Genpact
host of the object-Network 10.200.11.103
################################################
Config of encryption:
################################################
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
********************************
CRYPTO MAP
********************************
crypto Outside_map 561 card matches the address Outside_561_cryptomap
card crypto Outside_map 561 set peer 55.5.245.21
Outside_map 561 transform-set ESP-3DES-SHA crypto card game
********************************
TUNNEL GROUP
********************************
tunnel-group 55.5.245.21 type ipsec-l2l
IPSec-attributes tunnel-group 55.5.245.21
pre-shared-key * 55.5.245.21
*******************************
FIELD OF CRYPTO
*******************************
Outside_561_cryptomap list extended access permitted ip object-group MYCOMPANY_CITRIX_FARM-group of objects COMPANY_A_NETWORK
###########################################
NAT'ing
###########################################
Global (inside) 9 10.200.11.9
NAT (9 genpact_source_nat list of outdoor outdoor access)
genpact_source_nat list extended access permit ip host 65.99.100.101 all
genpact_source_nat list extended access permit ip host 65.99.100.102 all
! For not natting ip address of the Citrix server
Inside_nat0 list extended access permitted ip object-group MYCOMPANY_CITRIX_FARM-group of objects COMPANY_A_NETWORK
You must include pre - nat ip 65.99.x.x in your crypto-card, like you did.
For me, config you provided here looks good and meets your needs.
One thing, I do not see here the nat rule real 0, but there is the ACL that NAT. probably, you just forgot this rule.
65.99.100.101 #sthash.mQm0FIOM.dpuf
-
2 separated on same ASA VPN tunnels can communicate with each other
Here's the scenario that I have a VPN tunnel with one of my remote locations. I also have a VPN Tunnel with a provider that supports the equipment for my organization. I need to have my supplier able to communicate with equipment that live in my other VPN tunnel. The two Tunnels are on the same ASA5540.
1 is it Possible?
2 How set it up?
Thank you
Follow this link for example. Enhanced spoke-to-spoke VPN, allows the two tunnels ending to your asa5540 to connect, using parameter permit intra-interface with configuration accless-list permits traffic of each endpoint of the tunnel.
-
Several Tunnels with the same distance network &; destination in cryptographic maps
This maybe a newbie question, but I don't have production systems and don't really have a way to test our properly. We have an ASA 5520 with several tunnels from site to site. We already have a tunnel with one of the remote networks in 10.100.90.14. We have this IP on a subnet configured as remote network and the destination address in the card encryption. We also exempt rules NAT in place for our local network with the 10.100.90.14 address as the destination.
We have another tunnel that must be built and who will have a different address peer, but that requires a large number of subnets and at least we'll have the same remote network/destination address in the map encryption and VPN tunnel that we already have in place.
Is this possible to do with a tunnel of site to another without a static or dynamic NAT to a different IP address?
I know, with physical networks, that it is impossible because of the static routes that are in place, but with the ipsec tunnels I'm not sure how it works, and as mentioned, I'm not able to test it.
Any guidance would be appreciated.
Bill
The acl crypto map defines interesting traffic. If you have the same destination IP address, IE. 10.100.90.14 then if the source IE. the IP address of the client on your network is identical for the two tunnels, then no, it won't work and you will need to make some sort of NAT for one of the tunnels.
Jon
-
ASA L2L VPN UP with incoming traffic
Hello
I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...
See the result of sh crypto ipsec his below and part of the config for both clients
------------------
address:
local peer 100.100.100.178
local network 10.10.10.0 / 24
local server they need access to the 10.10.10.10
Customer counterpart remote 200.200.200.200
Customer remote network 172.16.200.0 / 20
CustomerB peer remote 160.160.143.4
CustomerB remote network 10.15.160.0 / 21
---------------------------
Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".
address of the peers: 160.160.143.4
Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#pkts not his (send): 0, invalid #pkts his (RRs): 0
#pkts program failed (send): 0, #pkts decaps failed (RRs): 0
#pkts invalid prot (RRs): 0, #pkts check failed: 0
invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
#pkts incorrect key (RRs): 0,
#pkts invalid ip version (RRs): 0,
replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
#pkts replay failed (RRs): 0
#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
#pkts internal err (send): 0, #pkts internal err (RRs): 0local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C2AC8AAESAS of the esp on arrival:
SPI: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373959/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001-The configuration framework
ASA Version 8.2 (1)
!
172.16.200.0 customer name
name 10.15.160.0 CustomerB
!
interface Ethernet0/0
nameif outside
security-level 0
IP 100.100.100.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.0 IP address 255.255.255.0
!
outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0
inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0
inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0
outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0
NAT-control
Overall 101 (external) interface
NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 101 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 100.100.100.177
Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 200.200.200.200
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 3 match address outside_cryptomap
peer set card crypto outside_map 3 160.160.143.4
card crypto outside_map 3 game of transformation-ESP-3DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec svc
internal customer group strategy
Customer group policy attributes
Protocol-tunnel-VPN IPSec svc
internal CustomerB group strategy
attributes of Group Policy CustomerB
Protocol-tunnel-VPN IPSec
tunnel-group 160.160.143.4 type ipsec-l2l
tunnel-group 160.160.143.4 General-attributes
Group Policy - by default-CustomerB
IPSec-attributes tunnel-group 160.160.143.4
pre-shared key xxx
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 General attributes
Customer by default-group-policy
IPSec-attributes tunnel-group 200.200.200.200
pre-shared key yyy
Thank you
A.
Hello
It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).
I saw this 7.x code behaviors not on code 8.x
However you can do a test?
You can change the order of cryptographic cards?
card crypto outside_map 1 match address outside_cryptomap
peer set card crypto outside_map 1 160.160.143.4
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 3 match address outside_1_cryptomap
card crypto outside_map 3 set pfs
peer set card crypto outside_map 3 200.200.200.200
card crypto outside_map 3 game of transformation-ESP-3DES-SHA
I just want to see if by setting the peer nonworking time to be the first, it works...
I know it should work the way you have it, I just want to see if this is the same behavior I've seen.
Thank you.
Federico.
Maybe you are looking for
-
How can I change the channel of update?
I want to return to the channel updates; currently on beta channel. I'm unable to implement your instructions online (apparently stale): https://support.mozilla.com/en-US/kb/how-do-i-switch-update-channels Please notify. Thank you, Allan Leonard
-
Product key of Windows 8 for Pavilion G6
My son has a Pavilion laptop, G6, on which the warranty has expired. The hard drive is damaged and he bought a replacement. He now needs to reinstall Windows 8, but we are unable to find the product key. We do not find a tag anywhere on the comput
-
I recently installed a network storage drive to my network environments with desktop computer running windows 7, windows xp professional and windows xp home. Have this problems that even when the drive has been mapped with identification information
-
I have a stubborn reality and impossible to get rid of the virus on my main hard drive and I think to format and to nine. I want to know if there is a way to get a new installation of Vista for a clean install disc and a disk for the drivers of my l
-
Cannot start Windows: error 0xc000000f
That's what my laptop Toshiba says when I try to start it. Also: File: \Boot\BCD Status: 0xc000000f Info: An error occurred trying to read the boot configuration data. I can't find my installation disk, which is the first thing that he told me to tr